Bastion is a vulnerable Windows machine, one of the retired machines.
We start with an nmap network scan to identify the target system.
Classic scan

Full port scan

The port scan returned a lot of ports; let’s focus on the important ones: “22/tcp ssh OpenSSH for_Windows_7.9 (protocol 2.0), 135/tcp msrpc Microsoft Windows RPC, 139/tcp netbios-ssn Microsoft Windows netbios-ssn, 445/tcp Windows Server 2016 Standard 14393 microsoft-ds”.
We perform enumeration over the SMB ports.

smbmap gave an error when we ran it without a user, so we entered a fictitious user name and it showed us the shares.

We see the shares ADMIN$, Backups, C$ and IPC$. The ones marked with $ are the default ones, and Backups was created by the admin.

First we pull note.txt. Let’s see what’s inside.

The note tells us not to transfer the file, so instead let’s mount the SMB share on our local machine.

I perform a mount operation as in the example given at https://www.linode.com/docs/guides/linux-mount-smb-share/
mkdir /mnt/smb_share
mount -t cifs // /mnt/smb_share

We logged in by entering the requested password.

The .vhd files here stand out, both in size and in name; they are very likely backups.
(.vhd: a virtual hard disk image stored as a single file on the host file system. It holds the contents of a virtual disk of a given size, and it can be attached from the host file system to reach the files inside.)
Since this is a virtual disk, we can mount it directly.
We mount it according to the reference given at https://linux.how2shout.com/mount-virtual-hard-disk-vhd-file-ubuntu-linux/.
guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro -v /mnt/disk1/

Now we can see the files.
We have the file system, and we know that user credential information is kept in the registry, so let’s pull those files and get the credential hashes from them.
We take the SAM and SYSTEM registry hive files from the /Windows/System32/config directory.
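From the defender's side, the same finding can be checked before anyone else makes it: a scan of a mounted share or backup tree for disk images and registry hives. The following is an added example, not code from the original post. It identifies files by signature (registry hives begin with `regf`, VHD footers begin with `conectix`) rather than by name; the sample tree it builds is constructed and the function names are hypothetical.

```python
import os

HIVE_NAMES = {"SAM", "SYSTEM", "SECURITY"}  # hives that hold credential material


def classify(path):
    """Return 'vhd', 'registry-hive' or None, based on file signatures."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(8)
        if head[:4] == b"regf":
            return "registry-hive"
        if head == b"conectix":        # dynamic VHD: footer copy at offset 0
            return "vhd"
        if size >= 512:
            fh.seek(size - 512)        # fixed VHD: footer is the last 512 bytes
            if fh.read(8) == b"conectix":
                return "vhd"
    return None


def scan_tree(root):
    """Walk root and return sorted (relative path, kind, sensitive) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                kind = classify(full)
            except OSError:
                continue               # unreadable file: skip it, keep scanning
            if kind:
                sensitive = kind == "vhd" or name.upper() in HIVE_NAMES
                findings.append((os.path.relpath(full, root), kind, sensitive))
    return sorted(findings)


def build_constructed_sample(root):
    """Create tiny constructed files that carry only the signatures."""
    cfg = os.path.join(root, "Backups", "Windows", "System32", "config")
    os.makedirs(cfg)
    with open(os.path.join(cfg, "SAM"), "wb") as fh:
        fh.write(b"regf" + b"\0" * 60)
    with open(os.path.join(root, "Backups", "disk.vhd"), "wb") as fh:
        fh.write(b"\0" * 1024 + b"conectix" + b"\0" * 504)
    with open(os.path.join(root, "note.txt"), "w") as fh:
        fh.write("constructed")
```

Any hit on a share that low-privileged or guest accounts can read is worth treating as a credential exposure.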

Let’s get the users’ hash values with the samdump2 tool.

Let’s turn to CrackStation to crack this hash value.

We have cracked the hash of the user L4mpje, so let’s try to make an SSH connection with it.

We established a connection and were able to obtain the user flag but not the root flag, so we perform local enumeration.

During local enumeration we saw that the mRemoteNG tool is in use, and we know that credential information is kept in this tool. We look at its config file to see this credential information.

Here we saw the password information. It looked like base64, but we couldn’t decode it.
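An administrator can find this exposure with a simple audit of the mRemoteNG connection file. The following is an added example, not code from the original post: it lists connections that carry a stored password and flags weak file-level settings, without decrypting anything. The sample XML is constructed, and the attribute names and the iteration threshold are assumptions based on the usual confCons.xml layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an mRemoteNG confCons.xml; all values are placeholders.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
    FullFileEncryption="false" ConfVersion="2.6">
  <Node Name="Servers" Type="Container">
    <Node Name="DC" Type="Connection" Username="Administrator"
          Password="Q09OU1RSVUNURUQ=" Hostname="dc.example.test" Protocol="RDP" />
    <Node Name="jump" Type="Connection" Username="ops" Password=""
          Hostname="jump.example.test" Protocol="SSH2" />
  </Node>
</mrng:Connections>
"""

MIN_KDF_ITERATIONS = 10000  # assumed policy threshold, not an mRemoteNG value


def audit_confcons(xml_text):
    """Return (location, issue) pairs; never decrypts or prints a password."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("FullFileEncryption", "false").lower() != "true":
        findings.append(("file", "FullFileEncryption off: hosts and usernames readable"))
    kdf = int(root.get("KdfIterations") or 0)
    if kdf < MIN_KDF_ITERATIONS:
        findings.append(("file", f"KdfIterations={kdf} below {MIN_KDF_ITERATIONS}"))

    def walk(node, path):
        # Containers nest, so recurse and report each connection by its full path.
        for child in node.findall("Node"):
            here = f"{path}/{child.get('Name', '?')}"
            if child.get("Type") == "Connection" and child.get("Password"):
                who = f"{child.get('Username', '')}@{child.get('Hostname', '')}"
                findings.append((here, f"stored password for {who}"))
            walk(child, here)

    walk(root, "")
    return findings


if __name__ == "__main__":
    for location, issue in audit_confcons(SAMPLE_CONFCONS):
        print(f"{location}: {issue}")
```

Each reported connection is a credential that any user able to read the file may be able to recover, so privileged accounts should not be saved in a profile readable by a lower-privileged user.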

I googled it and found a Python script.

We downloaded it and tried to crack the password, but it asked us for the config file, so we fetched the config file over the SSH connection using scp.

We worked out the usage after one or two attempts.

Using the credentials we obtained, we established an SSH connection and logged in as administrator.

This gave us the root flag.

