Hack The Box: Bastion

Summary
Bastion was a relatively easy box. There is an SMB share accessible without credentials, and inside it there is a backup drive that we can mount and access. From the drive we can dump the SAM file and crack it to get login credentials. Once logged in we find mRemoteNG installed and extract its saved passwords to get admin access.
Enumeration
I start with this nmap command to quickly find open ports.
Then run a thorough service scan on the discovered ports.
SMB
Based on the open ports, the best service to check out first is SMB.
After running smbmap, I discover a share called Backups to which I have read and write permissions as a guest user.
Since this is a Windows machine, I will switch to my Windows VM to make my work easier.

Contents of note.txt
Sysadmins: please don’t transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
Going deeper into the WindowsImageBackup folder I found a backup image which is quite big. Downloading the whole file would not be an option, as the note.txt suggested. Fortunately I can mount it through the share remotely; this is the reason why I wanted to use a Windows VM.

On mounting it, it appears as Local Disk (D:). After accessing the home directory of user L4mpje and looking through the folders, there was no user.txt; it must have been excluded from the backup.

At this stage I was stuck for a while (I still suck at owning Windows) and after some hints in the forum I figured I should look at where credentials are stored locally on Windows and how to get them. Simply the equivalent of /etc/shadow or /etc/passwd on Linux.
I learnt that I should be looking in C:\windows\system32\config for the SAM and SYSTEM files which I found.

Now to get the credentials!
I pulled the two files back to my Kali box and using samdump2 I got the user hash.
I then cracked the NTLM hash for L4mpje using hashcat and got the password.
Exploitation
Now that I have a username and password I can log in through SSH.

Now that user is owned, let’s try to escalate privileges to admin.
I switched to PowerShell and started looking at installed programs. mRemoteNG isn't a default Windows application, so let me look into it and see if it can help with privesc.

According to their website:
mRemoteNG is a fork of mRemote: an open source, tabbed, multi-protocol, remote connections manager.
I found a Metasploit module that claims to extract saved passwords from mRemoteNG. Since I am logged in I don't need Metasploit, so I looked at the source to see how it extracts the passwords and decrypts them.
The saved passwords are located in AppData in mRemoteNG\confCons.xml. Once I found the file, the admin password was there but encrypted.

I was able to find a script on GitHub to decrypt the password.
I can finally log in as administrator and own system!
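As an added example (not the GitHub script used above and not mRemoteNG's own code), the following Python audits a confCons.xml for the weakness this box turned on: the stored passwords are encrypted, but unless a custom master password has been set mRemoteNG uses its built-in default, so anyone who can read the file can open everything in it. It assumes the AES-GCM format of mRemoteNG 1.75 and later and the `cryptography` package; the sample XML and every value in it are constructed.

```python
# Added example, not code from the original post or from mRemoteNG itself.
# mRemoteNG 1.75+ stores each secret in confCons.xml as
#   base64( salt[16] || nonce[16] || ciphertext || GCM-tag[16] )
# with key = PBKDF2-HMAC-SHA1(master password, salt, KdfIterations, 32 bytes)
# and AES-256-GCM, the salt also being passed as associated data.
import base64, hashlib, os
import xml.etree.ElementTree as ET
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

DEFAULT_MASTER_PASSWORD = "mR3m"  # mRemoteNG's built-in default when none is set

def _derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, dklen=32)

def mrng_decrypt(blob_b64: str, password: str, iterations: int = 1000) -> str:
    raw = base64.b64decode(blob_b64)
    salt, nonce, body = raw[:16], raw[16:32], raw[32:]  # body = ciphertext || tag
    return AESGCM(_derive_key(password, salt, iterations)).decrypt(nonce, body, salt).decode()

def mrng_encrypt(plaintext: str, password: str, iterations: int = 1000) -> str:
    # Same layout in reverse; used here only to build the constructed sample file.
    salt, nonce = os.urandom(16), os.urandom(16)
    ct = AESGCM(_derive_key(password, salt, iterations)).encrypt(nonce, plaintext.encode(), salt)
    return base64.b64encode(salt + nonce + ct).decode()

def audit_confcons(xml_text: str) -> dict:
    # Report whether the file still relies on the default master password.
    root = ET.fromstring(xml_text)
    iterations = int(root.get("KdfIterations", "1000"))
    try:
        # Protected is mRemoteNG's master-password check value: if the default
        # password opens it, nothing but file permissions protects the secrets.
        mrng_decrypt(root.get("Protected", ""), DEFAULT_MASTER_PASSWORD, iterations)
        default_pw = True
    except (InvalidTag, ValueError):
        default_pw = False
    saved = [n.get("Name") for n in root.iter("Node") if n.get("Password")]
    return {"uses_default_master_password": default_pw, "kdf_iterations": iterations, "nodes_with_saved_password": saved}

def build_sample(master_password: str) -> str:
    # Constructed confCons.xml with the real file's layout; all values are made up.
    prot = mrng_encrypt("ThisIsNotProtected", master_password)
    pw = mrng_encrypt("constructed-secret", master_password)
    return (f'<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" '
            f'EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" '
            f'Protected="{prot}" ConfVersion="2.6">'
            f'<Node Name="DC01" Type="Connection" Username="Administrator" Protocol="RDP" Password="{pw}"/>'
            f'<Node Name="jump" Type="Connection" Username="" Protocol="SSH2" Password=""/>'
            '</mrng:Connections>')
```

A file that reports `uses_default_master_password: True` together with saved passwords is exactly the situation on this box; the fix is to set a custom master password in mRemoteNG and to keep privileged credentials out of per-user configuration files.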
