Bastion - HackTheBox
Bastion is a simple Windows machine that involves Windows backups and bad tools configurations.
As always, let's run a port scan using our trusty nmap:
SMB lets us authenticate as the guest user; let's check what's on it. The command smbclient takes the user's password after the % symbol, but for the guest user no password is needed.
Let's mount the Backups share and explore it:
The share contains a folder named WindowsImageBackup, which is created by the Windows backup utility. The backups are stored as .vhd (virtual hard disk) files. After installing the software that allows us to mount those files (sudo apt install libguestfs-tools), let's search for them:
There are two .vhd files. Let’s mount them:
The first drive (9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd) is the backup of the boot partition and doesn't contain anything useful.
Mounting the second drive (9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd), we find out that it's the backup of the entire system:
After a bit of searching, we find that the SAM and SYSTEM files are accessible, so we can use samdump and the good old john the ripper to brute-force the user password:
Let’s ssh into the box and get the flag:
User flag
9bfe57d5c3309db3a151772f9d86c6cd
After exploring the file system, we find a recently installed program called mRemoteNG, which is used to manage remote connections. A quick Google search tells us that this program saves the connection passwords in a configuration file under %APPDATA% and encrypts them with AES using the MD5 hash of the string "mR3m" as the key. Let's search for the configuration file:
After printing the file content with the command type confCons.xml, we find the encrypted password:
aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
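Before a system backup like the one in the Backups share is copied around or exposed on a share, a defender wants to know which files inside it carry credential material. The following Python script is an added example, not code from the original writeup or from the mRemoteNG project: it walks a mounted backup image, reports the registry hives the writeup relied on (SAM and SYSTEM, plus SECURITY and ntds.dit for the general case) and locates each user's mRemoteNG confCons.xml, counting the connections that have a stored password. The directory layout, the user name, the confCons.xml structure (Node elements carrying Name, Hostname, Username and Password attributes) and the placeholder ciphertext are constructed assumptions for the example; it builds its own temporary tree so it runs offline.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Files inside a Windows system backup that hold credential material.
# Paths are matched case-insensitively, relative to the mounted image root.
CREDENTIAL_FILES = {
    "windows/system32/config/sam": "local account password hashes (readable once SYSTEM is also present)",
    "windows/system32/config/system": "boot key needed to decrypt the SAM",
    "windows/system32/config/security": "LSA secrets and cached credentials",
    "windows/ntds/ntds.dit": "Active Directory database",
}


def find_credential_files(root):
    """Walk a mounted backup image and report known credential-bearing files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            if rel in CREDENTIAL_FILES:
                findings.append({"path": rel, "why": CREDENTIAL_FILES[rel],
                                 "bytes": os.path.getsize(full)})
    return sorted(findings, key=lambda f: f["path"])


def mremoteng_stored_credentials(xml_data):
    """Return the mRemoteNG connections whose Password attribute is populated.
    Assumption (not from the writeup): entries are <Node> elements with
    Name, Hostname, Username and Password attributes."""
    root = ET.fromstring(xml_data)
    return [{"name": n.get("Name"), "host": n.get("Hostname"), "user": n.get("Username")}
            for n in root.iter("Node") if n.get("Password")]


def find_mremoteng_configs(root):
    """Locate every confCons.xml under the mounted backup and audit it."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "confcons.xml":
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    creds = mremoteng_stored_credentials(fh.read())
                results.append({"path": os.path.relpath(full, root).replace(os.sep, "/"),
                                "stored_credentials": creds})
    return results


# Constructed sample confCons.xml; the Password value is a placeholder, not a real ciphertext.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Hostname="127.0.0.1" Username="Administrator"
        Password="PLACEHOLDER_CIPHERTEXT==" Protocol="RDP" />
  <Node Name="lab" Type="Connection" Hostname="10.0.0.5" Username="svc"
        Password="" Protocol="SSH2" />
</mrng:Connections>
"""


def build_sample_image():
    """Create a temporary tree imitating a mounted system backup (constructed data)."""
    root = tempfile.mkdtemp(prefix="backup_audit_")
    layout = {
        "Windows/System32/config/SAM": b"\x00" * 64,
        "Windows/System32/config/SYSTEM": b"\x00" * 128,
        "Windows/System32/config/software.log": b"noise",
        "Users/exampleuser/AppData/Roaming/mRemoteNG/confCons.xml": SAMPLE_CONFCONS.encode(),
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def audit(root):
    """Combined report: registry hives plus mRemoteNG connection files."""
    return {"hives": find_credential_files(root), "mremoteng": find_mremoteng_configs(root)}


if __name__ == "__main__":
    report = audit(build_sample_image())
    for f in report["hives"]:
        print(f"[hive] {f['path']} ({f['bytes']} bytes): {f['why']}")
    for c in report["mremoteng"]:
        print(f"[mRemoteNG] {c['path']}: {len(c['stored_credentials'])} stored credential(s)")
```

Point audit() at the mount point of a .vhd (for example a guestmount directory) instead of the sample tree to use it on a real backup; any hive or confCons.xml hit means the backup must be treated as containing credentials and the share permissions reviewed accordingly.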
Let's use a tool to decrypt the password, then ssh into the box as administrator and get the flag:
Root flag
958850b91811676ed6620a9c430e65c8