# Bastion

## Gaining Access

An Nmap scan revealed a lot of open ports:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-f208dc87af9a51f79f5470b46371eacdd01f5d3a%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

### Windows Backup

When checking the SMB shares, we find that the Backups share does not require credentials to access.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-1a3bc7ea1ce6b40669f6d80e850ad9ae43ab718e%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

When checking the files, we can see that there's a WindowsImageBackup directory within it.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-0464a34c87e5cbc428ebab6fcddf16c402df831f%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Within it, there were a few .vhd files.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-2ac3f514233cfa8fa8094e43e5376b23a9dbf88e%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

These files can actually be mounted, and they do not require credentials at all!

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-1142dcf094bf707a508645c452bbbc38cf9a6f6f%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

From here, because this is a Windows backup, we can go directly to the `C:\Windows\System32\config` directory, take the SYSTEM and SAM registry hives, and dump the stored password hashes via `samdump2`.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-dd66e7c065eafef8e25169b465166bb7cbef2b19%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Then, this hash is easily cracked using hashcat.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-0af8e229742d964973abc89f5e56b4e84edc73d9%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Afterwards, we can SSH in as the L4mpje user.

## Privilege Escalation

### mRemoteNG

In the user's directory, I enumerated all the directories that I could using `dir /all`.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-58da6af8404d8844dabe7a98d3e945ca8dcae4bb%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Within the `AppData\Roaming` folder, we can find some files related to mRemoteNG.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-9d2d97ab5816bd1c9a5cb4f60f8217815b425a7a%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Checking the confCons.xml file, we can find an encrypted password for the Administrator.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-56b49f63e159422f41781d9f70ced9c1e2be328f%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

mRemoteNG passwords can be decrypted using this repository:

<https://github.com/haseebT/mRemoteNG-Decrypt>

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-dde56a0d05134ec4cd10d373d8c2ab81f3283227%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Then, we can SSH in as the administrator using this password.
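
A defender-side inventory of the same kind of file, as an added example that is not part of the original writeup or of mRemoteNG: it lists which connection nodes in a `confCons.xml` carry a stored password, without decrypting anything. The sample XML, its hosts and blobs, and the `audit_confcons` function are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the confCons.xml layout; every value is made up.
SAMPLE = """<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
    FullFileEncryption="false" Protected="Q09OU1RSVUNURUQ=" ConfVersion="2.6">
  <Node Name="Servers" Type="Container">
    <Node Name="DC" Type="Connection" Username="Administrator"
          Password="Q09OU1RSVUNURUQtQkxPQg==" Hostname="10.0.0.5" Protocol="RDP" />
    <Node Name="Jump" Type="Connection" Username="svc_ops"
          Password="" Hostname="10.0.0.9" Protocol="SSH2" />
  </Node>
</mrng:Connections>
"""


def audit_confcons(xml_text):
    """Return (file_settings, findings) for one confCons.xml document."""
    root = ET.fromstring(xml_text)
    settings = {
        "engine": root.get("EncryptionEngine"),
        "mode": root.get("BlockCipherMode"),
        "kdf_iterations": int(root.get("KdfIterations", "0")),
        "full_file_encryption": root.get("FullFileEncryption", "false").lower() == "true",
    }
    findings = []
    if not settings["full_file_encryption"]:
        # Only the Password attribute is encrypted; the rest is readable as-is.
        findings.append("file: hostnames and usernames are stored in clear text")

    def walk(node, path):
        for child in node.findall("Node"):
            here = path + [child.get("Name", "?")]
            if child.get("Type") == "Connection" and child.get("Password"):
                findings.append("stored password: %s (%s@%s via %s)" % (
                    "/".join(here), child.get("Username", ""),
                    child.get("Hostname", ""), child.get("Protocol", "")))
            walk(child, here)  # containers nest, so recurse

    walk(root, [])
    return settings, findings


if __name__ == "__main__":
    settings, findings = audit_confcons(SAMPLE)
    print(settings)
    for line in findings:
        print(" -", line)
```

Any node this reports is a credential that should be rotated and removed from the connection file if the file is readable by a lower-privileged account, as it was here.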
