This walkthrough covers the Bastion machine and the path from exposed backup data to administrator compromise.


Recon

Service discovery showed a Windows host with:

  • SMB (445)
  • SSH (22, OpenSSH on Windows)
  • WinRM (5985)

SMB enumeration revealed a readable Backups share accessible without valid domain credentials.


SMB backup exposure

Inside the share:

  • note.txt
  • WindowsImageBackup/

The backup directory contained VHD data. I extracted SAM and SYSTEM hives from the system image using 7z.

Example:

7z x "<backup>.vhd" Windows/System32/config/SAM -o<output_dir>
7z x "<backup>.vhd" Windows/System32/config/SYSTEM -o<output_dir>

Offline credential extraction

With both hives, I dumped local account hashes:

samdump2 SYSTEM SAM

Then cracked the user hash with Hashcat (-m 1000) and recovered credentials for L4mpje.


User access via SSH

Because OpenSSH was enabled on the target, I authenticated directly:

ssh l4mpje@<target>

This provided user-level shell access and user.txt.


Privilege escalation via mRemoteNG creds

On the host, mRemoteNG config files in AppData\Roaming\mRemoteNG contained encrypted saved credentials (confCons.xml).

I copied the config out, decrypted the stored credentials with an mRemoteNG decrypt script, and recovered an Administrator password.


Administrator access

Using recovered admin creds, I connected via WinRM:

evil-winrm -i <target_ip> -u administrator -p <password>

Then retrieved root.txt from the administrator desktop.


Key takeaways

  • Backup shares should never be anonymously readable.
  • Exposed VHD/backups can lead to full credential compromise offline.
  • Stored remote-management credentials (mRemoteNG, RDP managers, etc.) are high-value targets.
  • Separate admin and user secrets, and avoid reusing credentials across access channels (SSH/WinRM/RDP).

Defensive recommendations

  • Lock down SMB shares with least privilege and continuous ACL review.
  • Encrypt and protect backup artifacts at rest and in transit.
  • Disable unnecessary services (e.g., SSH on Windows servers if not operationally required).
  • Harden credential managers and enforce strong secrets + rotation for privileged accounts.
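The Backups share in this box was readable without domain credentials; the following added PowerShell audit (not from the original walkthrough) applies the first two recommendations by listing every non-administrative SMB share on a host that grants Allow access to Everyone, Guests or ANONYMOUS LOGON or is exposed to null sessions, and flags shares that look like backup locations. It assumes the built-in SmbShare and LocalAccounts modules (Windows Server 2012 R2 / Windows 10 or later) and an elevated session.

```powershell
# Added example, not part of the original walkthrough. Audits local SMB shares for the
# anonymous/guest-readable exposure that leaked WindowsImageBackup on this machine.
# Assumes the SmbShare module (Server 2012+) and Microsoft.PowerShell.LocalAccounts (Server 2016+).

# Principals whose Allow ACE on a share means unauthenticated or guest read is possible.
$broadPrincipals = @('Everyone', 'ANONYMOUS LOGON', 'Guests', 'Guest')

# Server-wide list of shares reachable over a null session, independent of the share ACL.
$nullSessionShares = @((Get-SmbServerConfiguration).NullSessionShares)

$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    # Administrative shares (C$, ADMIN$, IPC$) are marked Special; review everything else.
    $acl = Get-SmbShareAccess -Name $share.Name
    $broadAllow = $acl | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($broadPrincipals -contains ($_.AccountName -replace '^.*\\', ''))   # strip domain prefix
    }
    $nullSession = $nullSessionShares -contains $share.Name
    if ($broadAllow -or $nullSession) {
        [pscustomobject]@{
            Share           = $share.Name
            Path            = $share.Path
            NullSession     = $nullSession
            BroadAccess     = ($broadAllow | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join '; '
            LooksLikeBackup = ($share.Name -match 'backup') -or ($share.Path -match 'WindowsImageBackup')
        }
    }
}

# An enabled Guest account plus an Everyone/Guests ACE is the pattern that allows anonymous reads.
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) { Write-Warning 'Local Guest account is enabled.' }

if ($findings) { $findings | Format-Table -AutoSize } else { 'No broadly readable non-admin shares found.' }

# Remediation for a flagged share (example principal is a placeholder):
#   Revoke-SmbShareAccess -Name Backups -AccountName Everyone -Force
#   Grant-SmbShareAccess  -Name Backups -AccountName 'DOMAIN\Backup-Readers' -AccessRight Read -Force
```

Run it on a schedule and diff the output against the previous run to get the continuous ACL review the recommendation calls for.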