Bastion is a Windows-based machine, located at 10.10.10.134. It has recently been retired, so let's take a look.
First up is trusty nmap/Zenmap to see which ports are open, with some basic OS fingerprinting. I like to start with the privileged ports (0–1024) and work on those results while a longer scan runs over the remaining ports.
nmap -sC -sV -p 0-1024 10.10.10.134
We start with port 445 and the SMB protocol. Let's continue with nmap and check for SMB shares using its built-in script.
A readable share called "Backups" is definitely worth looking into. Let's connect to it using smbclient with the -N switch (no password).
Explore the share.
A quick read of note.txt with the "more" command gives a good hint not to download the whole backup locally. I think we are on the right track.
Following the path all the way down leads to the .vhd files, which is what we expect to see in a Backups folder. These are worth looking into, as there is potentially a lot of juicy information in there, such as usernames and passwords.
Now keeping in mind our hint about not needing to transfer the file, and not knowing a single thing about mounting files remotely, a quick Google led me to this helpful guide.
Your final mount command should look something like the following. I mounted the larger of the two:
guestmount --add /mnt/remote/WindowsImageBackup/L4mpje-PC/'Backup 2019-02-22 124351'/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd -v
Once I had successfully mounted the .vhd, I had a quick browse around the desktop and user areas looking for any low hanging fruit such as .txt files containing passwords. I even looked for the user.txt flag here 🙂
I then decided to dump the SAM and SECURITY hives using pwdump. Navigate to the config folder and run pwdump with the following:
Ignoring the hashes starting with "aad3b" and "31d6c", which are the hashes of a blank password (the empty LM and NT hashes respectively), we can concentrate on the NT hash portion of the output below. I pasted it straight into crackstation.com.
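As an added illustration (not part of the original write-up), the following Python triages pwdump-style output the way the paragraph above does by eye: accounts whose NT hash is the empty-password hash are set aside, the remaining hashes are the ones worth cracking, and any account still storing a legacy LM hash is flagged as a finding. The sample lines and hash values are constructed placeholders, not the box's real hashes.

```python
"""Triage pwdump-style SAM output: separate blank-password accounts from
hashes worth cracking, and flag accounts that still have an LM hash stored.
Sample data below is constructed; the hash values are placeholders."""
import re

# Well-known hashes of the empty password: LM (no key material) and
# NT (MD4 of the empty UTF-16LE string). These are the "aad3b"/"31d6c" prefixes.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump format: user:RID:LM hash:NT hash:::  (trailing empty fields ignored)
PWDUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):*$"
)


def parse_pwdump(text):
    """Return one dict per well-formed pwdump line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = PWDUMP_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["rid"] = int(d["rid"])
            d["lm"] = d["lm"].lower()
            d["nt"] = d["nt"].lower()
            entries.append(d)
    return entries


def triage(entries):
    """Classify each account as 'blank' (empty NT hash, nothing to crack) or
    'crackable' (real NT hash), and flag 'lm_stored' when the legacy LM hash
    is present, which is a weak-configuration finding on its own."""
    report = {}
    for e in entries:
        status = "blank" if e["nt"] == EMPTY_NT else "crackable"
        report[e["user"]] = {
            "rid": e["rid"],
            "status": status,
            "lm_stored": e["lm"] != EMPTY_LM,
            "nt": None if status == "blank" else e["nt"],
        }
    return report


# Constructed sample dump (placeholder hashes, not from any real host).
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_legacy:1001:0f20048efc645d0a0f20048efc645d0a:fedcba9876543210fedcba9876543210:::
this line is not a hash
"""

if __name__ == "__main__":
    for user, info in triage(parse_pwdump(SAMPLE)).items():
        print(f"{user:14} rid={info['rid']:<5} {info['status']:9} lm_stored={info['lm_stored']}")
```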
I've now got a user, so I try to connect with smbmap using my newfound credentials. Nothing really new here, except write access to the Backups folder.
After poking around for way too long, I remembered that the SSH port was open (rookie error: I didn't properly note down my findings, lesson learned). I tried connecting via SSH using the credentials:
ssh -l L4mpje 10.10.10.134
...and then enter the password (bureaulampje). Bingo!
I navigated straight to the desktop and found the flag for the user.
With the user flag submitted, I looked towards getting root. A quick search around the machine located something interesting.
mRemoteNG warrants further investigation, and some quick Googling tells me it has had a lot of security issues in the past. It's a Windows-based application, so I jumped over to a Windows VM and downloaded a copy of the app.
The area we are concentrating on, according to Google and some Reddit discussion, is the confCons.xml file located at the following path, under AppData.
I downloaded a copy of the confCons.xml file from the server to my local VM. To do this, exit the SSH session and, from an elevated command prompt, copy it with scp using the following command:
I then went back into the AppData area of my install and renamed the current and default confCons.xml files by appending .old. I then transferred the confCons.xml file taken from the Bastion host into the folder and started the program. The profiles were already populated.
The hostname and protocol were not defaulted to what we want, so I changed them to 10.10.1.134 and SSH Version 2.
And we get a root shell. You can actually decrypt the password if you wish, but it's not necessary.
And the root.txt flag sitting on the desktop.
And that’s that!