Hackthebox - Bastion

From nmap, there are many service.

We can access Backups share in the smb server. One of the directory contains two .vhd files.

I mount it with guestmount --add xxx.vhd --inspector --ro -v /mnt/vhd. In the directory /Windows/System32/config/ from 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd, I got SAM. I use impacket-secretsdump to get hashes.

With crackstation, I get L4mpje’s password. I can use ssh to connect to the server.

I got user.txt. In C:\Program Files (x86), there is a directory mRemoteNG.

Go to C:\Users\L4jpie\AppData\Roaming\mRemoteNG, we can see many files.

From confCons.xml, I got encrypted password.

I use mRemoteNG-Decrypt to decrypt it, and get the password.

Now, I can login as Administrator.