This post is a write-up for the Bastion box on hackthebox.eu
Start by enumerating the ports on the victim machine. Run
Nmap, then document the results:
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.134 --max-rate=500 nmap -n -v -Pn -p80 -A --reason -oN bastion_nmap.txt 10.10.10.134
Checked port 445 with
smbmap, and noticed a readable and writable share called Backups:
Given that this is a Windows victim, at this point I usually switch over to a Windows VM. I have been using Commando VM 2.0 lately, and I cannot recommend it enough especially for the task of mounting SMB shares.
Connect to the share via windows explorer and notice it has 2 .vhd backup files in it. The .vhd backups are quite large, so to make this faster you can simply mount them over the smb share:
You should be able to read the backup of the c drive from
L4mpje. Digging through the backup did not result in anything interesting, but you can pull the
SYSTEM file from
C:\windows\system32\config to the attacking machine for some hash cracking fun:
pwdump SYSTEM SAM Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
Use hashkiller to bruteforce the hashed password of user
SSH into the victim machine with the credentials to get the user flag:
Enumerate the victim machine, and locate an application called
mRemoteNG manages connections (to ssh, rdp, ftp, etc.) and saves the connection details in an xml, including the encrypted saved credentials. It saves these encrypted secrets in
C:\users\l4mpje\AppData\Roaming\mRemoteNG\confCons.xml. We could attempt to bruteforce these, but that might take a long time.
Easier method: Install
mRemoteNG on the attackimg machine and copy in the
Connect as administrator to the victim machine (change the IP & Protocol accordingly).