> For the complete documentation index, see [llms.txt](https://viperone.gitbook.io/pentest-everything/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://viperone.gitbook.io/pentest-everything/writeups/hackthebox/windows-machines/windows-bastion-wip.md).

# Bastion

## Nmap

We can start of by quickly checking for alive ports with `nmap -p- -T4` and then after the results have returned I executed a more intensive scan on the ports that I believe to be interesting

```
nmap 10.10.10.134 -p 22,445,5985,47001 -T4 -A

PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OSs: Windows Server 2008 R2 - 2012, Windows; CPE: cpe:/o:microsoft:windows
                                                                                                                                                                                                                                           
Host script results:                                                                                                                                                                                                                       
|_clock-skew: mean: -39m37s, deviation: 1h09m15s, median: 21s                                                                                                                                                                              
| smb-os-discovery:                                                                                                                                                                                                                        
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)                                                                                                                                                              
|   Computer name: Bastion                                                                                                                                                                                                                 
|   NetBIOS computer name: BASTION\x00                                                                                                                                                                                                     
|   Workgroup: WORKGROUP\x00                                                                                                                                                                                                               
|_  System time: 2020-10-08T15:03:22+02:00                                                                                                                                                                                                 
| smb-security-mode:                                                                                                                                                                                                                       
|   account_used: guest                                                                                                                                                                                                                    
|   authentication_level: user                                                                                                                                                                                                             
|   challenge_response: supported                                                                                                                                                                                                          
|_  message_signing: disabled (dangerous, but default)                                                                                                                                                                                     
| smb2-security-mode:                                                                                                                                                                                                                      
|   2.02:                                                                                                                                                                                                                                  
|_    Message signing enabled but not required                                                                                                                                                                                             
| smb2-time:                                                                                                                                                                                                                               
|   date: 2020-10-08T13:03:21                                                                                                                                                                                                              
|_  start_date: 2020-10-08T12:41:1
```

## Legion

Since we have a few ports open and some SMB shares I will take this opportunity to run `Legion` against this machine. `Legion` comes pre-installed on Kali and can be run with using `sudo legion`. Once started add the host IP address into legion and fire away with default settings.

![Adding the target to legion](/files/-MJ7P2RCZKieI9VhAtY6)

Wait a short while for `legion` to finish running and we can check the results. If we look under the smbenum tab (445/tcp) we can see some interesting results regarding SMB shares.

![smbenum on port 445](/files/-MJ7PRkMBaXw1I-oANZO)

From the above output I connected to the Backups share using `smbclient`. We can see from the output above we have read access to this share. When specifying the `-N` switch and not defining a username we are attempting to logon to SMB with a null session.

![](/files/-MJ7Pv922XOj9Xe5dNkD)

I downloaded the note.txt file with the `get` command which contained the following information:

![note.txt](/files/-MJ7S-HbtFgVqH9mFIJ8)

When we inspect the shares we notice that we come across some VHD files. Initially I tried downloading these files over the VPN connection however, as per the note above this was much too slow.

![](/files/-MJ7SN_fliWqFiP8YMZK)

## Mounting VHD files to Linux

The next best option for us given the speed constraints and the size of the backup VHD's would be to mount them to our system so we can browse the files within.

First ensure the following tools are installed:

```
apt-get install libguestfs-tools
apt-get install cifs-utils
```

After this create a directory in the /mnt/ directory using the `mkdir` command.

![](/files/-MJCHg4DBGvN5cfsfKqo)

We can then mount the remote share to the directory we just created.

```
sudo mount -t cifs -o username=NULL //10.10.10.134/Backups/WindowsImageBackup  /mnt/bastion -o rw
```

When prompted for a password just hit enter so we can authenticate with a NULL session. As you can see we are now browsing the attached SMB share from our mount point. Make a note of the full path of the VHD file as we will be mounting the VHD directly next.

![](/files/-MJCI3i_6oF25P1bU3te)

Now create a new mount point ready for the VHD to be mounted. I had some issues with using /mnt/ directory for this as I was not running directly as root. I had better results mounting in a new folder in my home directory.

```
mkdir /home/kali/Desktop/files
```

After the new directory has been created run `guestmount` with the following command. Replacing both paths where appropriate.

```
guestmount --add "/mnt/bastion/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd" --inspector --ro /home/kali/Desktop/files -v
```

If you have issues with `libguestfs-tools` process dying you may need to purge the install for it and then reinstall and then perform a `apt-get update && apt-get` upgrade on the system to get the tool to work correctly. I had two do this twice on two different machines running the latest version of Kali.

## User

We are going to be going after the Security Account Manager (SAM) file. Usually this file is protected from access when the operating system is running and can be further protected by disk encryption from physical attacks. As we have direct access to the VHD we simply have read access to the system files.

We can use a tool called `samdump2` which comes pre-installed on Kali to extract the local account hashes from the SAM file. Navigate to the following path to find the SAM file `/Windows/System32/config` we can then run the following command to extract the hashes to a specified file s`amdump2 SYSTEM SAM > /home/kali/Desktop/hash.txt`

![](/files/-MJDU1UvetZWbKGfz2L3)

I have removed the disabled accounts from the hash.txt file. You can either run this against John the Ripper to attempt to crack the hashes or in this instance I will be using [http://crackstation.net](https://crackstation.net) to find the password. with NTLM hashes you always attempt to crack the second hash in the line.

![](/files/-MJDUUJ4QTtMrCGfAsOO)

We have the following password "bureaulampje".

From the `nmap` results earlier we recall having SSH running on port 22. We can attempt to login with `ssh L4mpje@10.10.10.134` with the password we cracked.

Once logged in we can grab the user.txt flag.

![](/files/-MJDVOycyjO74eP5smHq)

## Privilege Escalation

For privilege escalation we will be looking into the installed programs to identify anything unusual. In `C:\Program Files (x86)` we can see the directory mRemoteNG directory. After researching the application name on Google. mRemoteNG is a connection manager for various connection protocols such as SSH, RDP and Telnet to name a few.

When searching for a relevant exploit I came across the following post:

{% embed url="<https://cosine-security.blogspot.com/2011/06/stealing-password-from-mremote.html>" %}

The post mentions a `metasploit` module.. Going back to Google and searching for other ways to decrypt the password we come across a python script that can decrypt for us:

{% embed url="<https://github.com/haseebT/mRemoteNG-Decrypt>" %}

Download the python script and store it for later. We need to now go and hunt down the password string.

The blog post from cosine-security mentions the passwords being stored in an XML file in AppData. Going back to the SSH connection we can start looking about AppData. We come to this interesting file which contains the information we need. Reading through the first line we can see stored information for the Administrator account. Take the password string and copy it so we can run it through the python script downloaded from github.

![confCons.xml](/files/-MJLnzcwujDRBLqMjZJt)

Running the python script:

## Root Flag

![](/files/-MJLoCeHQMZhmIkvM_5S)

We can take this password and login to SSH with it under the Administrator account. From here we can grab the root.txt flag.

![](/files/-MJLoaC-3AQiI5bNY2p-)


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://viperone.gitbook.io/pentest-everything/writeups/hackthebox/windows-machines/windows-bastion-wip.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
