HTB : Bastion

Network Enumeration

To begin our exploration of the network, let’s initiate an nmap scan in order to identify all open ports.

SMB Enumeration

We can view the Backups share as a guest.

Head to the share and get the txt file.

There is a backup file in the shares but we need to find another way to retrieve it.

While exploring through the shares there will be vhd file.

I used this article to mount the shares on my local machine.

Follow the commands below:

mkdir /mnt/backups

mount -t cifs -o 'rw,username=guest' // backups

mkdir /mnt/bastion

guestmount --add /mnt/backups/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/bastion -v

In exploring the vhd files we find the SAM & SYSTEM files in windows/system32/config directory.

The SYSTEM and SAM files are important components in the Windows Registry that hold critical system and security information. The SYSTEM file stores hardware and software settings, while the SAM file stores user account names, passwords, and security policies.

We can use these files to dump some hashes with secretsdump.

Secretsdump.py is a tool used to extract user account credentials from the SAM database on Windows systems. To use secretsdump.py, access to both the SAM and SYSTEM files in the Windows Registry is required.

Once the hahses are generated let’s use crackstation to crack the password.

Initial Access

We can then SSH into the user as the SSH port is open from our nmap scan.

The user.txt file can be found in the desktop.

While trying to enumerate the system I cant find or use most tools as we don’t have any permissions. While manually enumerating I found mRemoteNG program in the program files folder.

mRemoteNG is a free, open-source remote connections management tool for Windows that allows users to manage various types of remote systems from a single interface. It supports multiple protocols and provides a tabbed interface for easy switching between connections. mRemoteNG is highly customizable and includes features such as session and credential management, SSH key management, and scripting support.

Privilege escalation

I found a useful article on how to exploit this program. Here

We need to find a xml config file that has the password in base64 format.

We aren’t able to just decode the password. We need to use the following program to do it.


Once the password is found we can SSH as the admin user and get the final flag.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Comments (



Create a website or blog at WordPress.com

%d bloggers like this: