![](/content/images/2019/09/image-1.png)
Bastion was a fairly easy Windows box that involved SAM files and a vulnerability in mRemoteNG.
Nmap scan:
![](/content/images/2019/09/image-2.png)
NetBIOS/SMB is open, so let's check out the available shares:
![](/content/images/2019/09/image-3.png)
'Backups' looks like a juicy target so let's check it out:
![](/content/images/2019/09/image-4.png)
That exe file looks like someone else's malware, which probably means we have anonymous write access to the share. Let's confirm just in case:
![](/content/images/2019/09/image-5.png)
I downloaded the note.txt and viewed it:
![](/content/images/2019/09/image-6.png)
I continued to look through the share and found the backup files the note.txt referenced:
![](/content/images/2019/09/image-7.png)
I promptly ignored the note.txt and downloaded the VHD files. VHD stands for Virtual Hard Disk; these files can be mounted in Disk Management in Windows, so that's what I did. I browsed around them, grabbed SYSTEM and SAM from \windows\system32\config and copied them to my Kali machine. Kali ships the utility samdump2, which extracts hashes from the SYSTEM and SAM files:
![](/content/images/2019/09/image-8.png)
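The root cause on this box is a share that anyone can write to and that holds full VHD copies of the operating system, registry hives included. The following PowerShell is an added audit script, not part of the original writeup: run elevated on a file server, it lists shares that grant share-level write access to Everyone, ANONYMOUS LOGON or Guests and any VHD/VHDX images they contain. It checks only the share ACL (NTFS permissions are a second gate not covered here), and the principal pattern is an assumption you may need to widen for your environment.

```powershell
# Added audit example, not code from the writeup: report SMB shares on this host that grant
# write access to anonymous or catch-all principals, and list any VHD/VHDX disk images
# they contain. Built-in SmbShare cmdlets only; run from an elevated prompt on the server.

# Principals that effectively mean "anyone who can reach the share" (assumed list).
$BroadPrincipalPattern = '^(Everyone|.*\\ANONYMOUS LOGON|.*\\Guests|.*\\Guest)$'
$WriteRights = @('Full', 'Change')   # share-level rights that permit writing

function Get-BroadWriteGrants {
    # Share-level ACEs on $ShareName that give write rights to a broad principal.
    # Note: effective access also depends on NTFS ACLs, which this does not inspect.
    param([Parameter(Mandatory)][string]$ShareName)
    Get-SmbShareAccess -Name $ShareName | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $WriteRights -contains $_.AccessRight -and
        $_.AccountName -match $BroadPrincipalPattern
    }
}

function Get-DiskImagesInShare {
    # A VHD/VHDX on a share is a mountable copy of a whole disk, SAM and SYSTEM hives included.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include '*.vhd', '*.vhdx' -ErrorAction SilentlyContinue
}

$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    $grants = @(Get-BroadWriteGrants -ShareName $share.Name)
    $images = @(Get-DiskImagesInShare -Path $share.Path)
    if ($grants.Count -eq 0 -and $images.Count -eq 0) { continue }

    # Either condition alone is worth a look; both together is the Bastion "Backups" situation.
    $severity = if ($grants.Count -gt 0 -and $images.Count -gt 0) { 'High' }
                elseif ($grants.Count -gt 0) { 'Medium' }
                else { 'Low' }

    [pscustomobject]@{
        Share        = $share.Name
        Path         = $share.Path
        BroadWriteBy = ($grants.AccountName | Sort-Object -Unique) -join ', '
        DiskImages   = ($images.FullName) -join '; '
        Severity     = $severity
    }
}

$findings | Sort-Object Severity | Format-Table -AutoSize -Wrap
```

A share that shows up as High here should have its ACL tightened to named groups and the disk images moved off the share (or at least stripped of OS hives) rather than relying on a note.txt asking people not to download them.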
I ignored the Administrator hash, since it would be too easy if it were crackable, and wrote L4mpje's hash to a file:
![](/content/images/2019/09/image-9.png)
John the Ripper and the trusty rockyou.txt wordlist were used to crack the hash:
![](/content/images/2019/09/image-10.png)
These creds worked for SSH:
![](/content/images/2019/09/image-11.png)
The user flag was found:
![](/content/images/2019/09/image-12.png)
While enumerating the system, I saw that mRemoteNG is installed:
![](/content/images/2019/09/image-13.png)
A quick Google search turned up an article detailing mRemoteNG's insecure password storage, so I set up an SMB listener and copied the config file to my machine:
![](/content/images/2019/09/image-14.png)
Following the steps in the article, I downloaded and installed mRemoteNG then created a new external tool in it:
![](/content/images/2019/09/image-15.png)
From there, I imported the confcons.xml file and ran 'Password Lookup' on the DC:
![](/content/images/2019/09/image-16.png)
A new command prompt window popped up with a saved password:
![](/content/images/2019/09/image-17.png)
This password worked for the Administrator login, giving a root shell and the root flag:
![](/content/images/2019/09/image-18.png)