Bastion | HTB Writeup
Start with Nmap scan found 4 ports are open
I used smbmap to view, which all shares are accessible.
I can read & write in Backups share.
In that share, I got a note.txt file.
I downloaded that,In that it tells that “don’t transfer entire backup in locally”
So i started to check backup files and I got 2 virtual machine files.
I chose the file which has large size for further testing
Then I searched for how to mount the vhd file and I got this in StackOverflow.
I used this method and I got the folders.
After some enumerations, I found the 2 important files which are SAM and SYSTEM files are accessible.
I used secretdump to get hash from the file.
I used crackstation to crack the password, Because I need to find the password for SSH.
I got the password of the l4mpje user.
Using that credentials I can log in to SSH and I got the user flag.
Then I checked for the programs which all are installed and got the mRemoteNG program.
I just checked whether any exploits are available or not and I got an exploit.
In that, they mentioned a path to the confCons.xml file.
Also, they mentioned a repository for the python script.
As mentioned in that blog, I checked for the file and by reading that file I got a password.
And using the python script I decrypted the password hash.
That was the password for Administrator and I got the root flag.