Bastion

Published: May 19, 2025

Enumeration

Scan

Starting off by scanning with rustscan and nmap. The last line of rustscan's output lists the open ports as "host -> [22,135,...]"; the pipeline below extracts that list into PORTS and hands it to nmap for script and version detection. The port list is captured with command substitution rather than a trailing "| read PORTS", because in bash a read at the end of a pipeline runs in a subshell and the variable never reaches the parent shell.

mkdir -p scans
TARGET=10.10.10.134
PORTS=$(rustscan -r 1-65535 --scripts none -a "$TARGET" | tee scans/fast.rustscan | grep '\->' | awk -F'[' '{print $2}' | sed 's/]//')
nmap -sC -sV -oN scans/detailed.nmap -p "$PORTS" "$TARGET"

SMB

Looking at SMB with guest authentication (a non-existent username with any password falls back to the Guest account, which is why the made-up credentials below work), we find a “Backups” share that we can read and write to:

nxc smb 10.10.10.134 -u 'something' -p 'something' --shares

We can explore the share using smbclient

smbclient -U 'a%a' //10.10.10.134/Backups

After some looking around, we find what looks to be a backup of L4mpje’s PC. The .vhd files are especially interesting.

Virtual Hard Disk file

Let's switch over to a Windows VM to take a look at the backup virtual hard disk.
Steps: Win + R > Type “\\10.10.10.134\Backups” to connect to the share > Navigate to the backup > Right click the larger .vhd file > Mount

Now the backup is mounted as the E drive on my VM, and we can take a look around.

Foothold

Credential Dump

After taking a look around the backup filesystem, there isn't anything that stands out, so let's proceed to dump the hashes stored in the SAM database file. To do this, navigate to E:\Windows\System32\config, then grab the SAM and SYSTEM files (the SAM hive is encrypted with the boot key kept in SYSTEM, so both are needed to recover the hashes).

Now, I will move these files to my kali box to dump the NTLM hashes using Impacket’s secretsdump

impacket-secretsdump -sam SAM -system SYSTEM LOCAL

Note that the Administrator and Guest accounts have empty passwords (the NT hash beginning 31d6... is the hash of an empty string). Let’s try to crack L4mpje’s password using CrackStation:

From our initial scans, we know that SSH is on the box, so let’s get logged in with L4mpje:bureaulampje and get user.txt!

Privilege Escalation

Enumeration

With some basic enumeration, we find out that “mRemoteNG”, a remote connection manager that saves connection credentials in its configuration file, is installed on this machine.

mRemoteNG Credential Theft

With some googling, we can find tools for decrypting the passwords stored by this tool. I will be using this one:

https://github.com/kmahyyg/mremoteng-decrypt

First, grab the base64 encoded string found in C:\Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml for an RDP connection with the “Administrator” user:

Then, decrypt it using the github tool:

python3 mremoteng_decrypt.py -s <b64 string>

Now we can SSH in as the Administrator (with password thXLHM96BeKL0ER2) and get root.txt!