Bastion is a vulnerable Windows machine among the retired machines.
We perform a network scan with nmap to recognize the target system.
Classic scan

Full port scan

The port scan returned a lot of ports. Let's focus on the important ones: "22/tcp ssh OpenSSH for_Windows_7.9 (protocol 2.0), 135/tcp msrpc Microsoft Windows RPC, 139/tcp netbios-ssn Microsoft Windows netbios-ssn, 445/tcp Windows Server 2016 Standard 14393 microsoft-ds".
We enumerate the SMB ports.

Smbmap gave an error when we ran it without a user, so we entered a fictitious user name and it showed us the shares.

We see the shares ADMIN$, Backups, C$ and IPC$. The ones marked with $ are the default ones, and Backups was created by the admin.

First we pull note.txt. Let's see what's inside.

From the note we understand that we should not transfer the file, so let's mount the SMB share on our local machine instead.

I perform a mount operation as in the example given at https://www.linode.com/docs/guides/linux-mount-smb-share/
mkdir /mnt/smb_share
mount -t cifs // /mnt/smb_share

We logged in by entering the requested password.

The vhd files here stand out, both in size and in name; they are very likely backups.
(.vhd: a virtual hard disk file stored on the host file system. It is a disk image of a fixed virtual disk size whose contents the user can access, and it can easily be attached from the host file system.)
Since this is a virtual disk, we can attach it directly.
We mount it according to the reference given at https://linux.how2shout.com/mount-virtual-hard-disk-vhd-file-ubuntu-linux/.
guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro -v /mnt/disk1/

Here we could see the files.
Now that we have the file system, and since we know that the users' credential information is kept in the registry, let's pull the registry files and get the credential hashes from them.
We get the SAM and SYSTEM registry hive files from the /Windows/System32/config directory.

Let's get the users' hash values with the samdump2 tool.

Let's use CrackStation to crack this hash value.

We have cracked the hash of the user L4mpje, so let's try to make an SSH connection with it.

We established a connection and were able to obtain the user flag but not the root flag, so we move on to local enumeration.

During local enumeration we saw that the mRemoteNG tool is in use, and we know that this tool stores credential information. We look at its config file to find this credential information.

Here we saw the password information. It looked like base64, but we couldn't decode it.

I googled it and found a Python script.

We downloaded it and tried to crack the password, but it asked us for the config file, so we fetched the config file over the SSH connection using scp.

We worked out the usage after one or two attempts.

Using the credentials we obtained, we established an SSH connection and logged in as administrator.

We obtained the root flag.
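Each step above worked because credential-bearing files were readable from the Backups share or from the user's profile. As an added example (not part of the original write-up), this audit script walks a mounted share or directory and flags VHD images by their footer cookie, SAM/SYSTEM/SECURITY hives by their `regf` magic, and mRemoteNG `confCons.xml` files with a non-empty `Password` attribute. The function names and the sample tree are constructed for illustration, and the `Password` attribute layout is assumed from mRemoteNG's connection file format.

```python
import re
import tempfile
from pathlib import Path

VHD_COOKIE = b"conectix"  # first 8 bytes of the 512-byte VHD footer
HIVE_MAGIC = b"regf"      # first 4 bytes of a registry hive file
HIVE_NAMES = {"SAM", "SYSTEM", "SECURITY"}
PASSWORD_ATTR = re.compile(rb'\bPassword="[^"]+"')  # non-empty attribute only

def classify(path):
    """Return a finding label for one file, or None if nothing matches."""
    with path.open("rb") as fh:
        head = fh.read(4)
        if path.stat().st_size >= 512:
            fh.seek(-512, 2)  # whence=2 (end of file): footer is the last 512 bytes
            if fh.read(8) == VHD_COOKIE:
                return "vhd-disk-image"
    if path.name.upper() in HIVE_NAMES and head == HIVE_MAGIC:
        return "registry-hive"
    if path.name.lower() == "confcons.xml":
        if PASSWORD_ATTR.search(path.read_bytes()):
            return "mremoteng-stored-password"

def audit(root):
    """Walk root and return sorted (relative path, label) findings."""
    findings = []
    for path in Path(root).rglob("*"):
        try:
            label = classify(path) if path.is_file() else None
        except OSError:
            continue  # unreadable file: skip and keep auditing
        if label:
            findings.append((path.relative_to(root).as_posix(), label))
    return sorted(findings)

def build_sample(root):  # constructed sample tree, placeholder contents only
    samples = {
        "Backups/disk.vhd": b"\0" * 1024 + VHD_COOKIE + b"\0" * 504,
        "config/SAM": HIVE_MAGIC + b"\0" * 60,
        "app/confCons.xml": b'<Node Name="srv" Password="Q09OU1RSVUNURUQ=" />',
        "note.txt": b"constructed note",
    }
    for rel, data in samples.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*audit(tmp), sep="\n")
```

Run `audit()` against the share as the least-privileged account that can reach it; any finding is material that account can read.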

