Ok, so this is my first blog for hackthebox retired machine. As we all know, Hackthebox is a great platform to test your penetration testing skills, and it’s machines are differnt from other penetration testing platforms. I have selected Bastion as my first htb blog machine which is windows based.
Let’s Start. The IP of bastion is 10.10.10.134.
As always,I started with Nmap.
nmap -sC -sV 10.10.10.134
After Scanning I found on port 445 smb is running.
smbclient -L //10.10.10.134
Let’s enumerate Backup.
smbclient //10.10.10.134/Backup
Let’s Mount the backup.
mount -t cifs //10.10.10.134/Backups /root/htb/smb if you are receiving error like this: mount: /root/htb/smb: bad option; for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount. helper program. Install these utilities. nfs-common,cifs-utils
Now let’s use guestmount utility;
guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro -v /root/htb/smb/gmnt/
I copied the SAM, SECURITY & SYSTEM and pass them through pwdump
After decrypting hash of L4mpje user and then ssh.
Furthur enumerating, I found mRemoteNG installed which is vulnerable .
To decrypt its password I will use this. Using google-fu, I found the location of encrypted password at c:\Users\\AppData\Roaming\mRemoteNG\confCons.xml
After getting Administrator password,I ssh to get shell and gets root.txt.
Visit: Azure Skynet CosmicSkills