Hack The Box Moncton Meetup #12.
Bastion from HTB is an easy-level Windows box that was released in April 2019. The box offers a fun experience with an interesting twist: it runs OpenSSH, which is unusual for a Windows box. The skills required for this box include knowledge of Windows file shares and basic enumeration techniques. The tools required include nmap, smbclient or smbmap, Impacket’s secretsdump, and mremoteng-decrypt.
The first step in hacking Bastion is enumeration. The nmap tool is used to scan the box to get an idea of what is running on the system. The scan results show that the system is indeed a Windows system and that it has an OpenSSH server running. This may seem unusual, but an SSH server can be installed on Windows to make this possible. The initial attack vector is to enumerate the SMB capabilities, which can be done using smbclient.
Running smbclient shows that there is a share called Backups. The share is then mounted and explored, revealing two virtual disks. The smaller of the two disks is analyzed using 7zip, which shows that the majority of its filesystem looks like boot settings and data. For larger virtual drives, the guestmount tool is used to mount the filesystem.
Exploring the mounted filesystem, the author discovers a folder called Users, which contains a folder for the user Administrator. That folder contains a file named “ntds.dit”, which is the Active Directory database file. Impacket’s secretsdump tool is then used to extract the password hashes from the database file. The mremoteng-decrypt tool is used to decrypt the passwords stored by mRemoteNG, revealing the credentials for the Administrator account. With these credentials, the author is able to log into the system and gain full control.
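Seen from the defender's side, the exposure in this walkthrough is a readable share holding disk images that in turn contain credential stores. The following Python audit is an added example, not part of the original walkthrough: it walks a mounted share or mounted image and flags such files. The function names, the indicator lists (including the SAM/SYSTEM/SECURITY hives and mRemoteNG's confCons.xml) and the sample layout are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed indicator lists for illustration; tune them for your environment.
DISK_IMAGE_EXTS = {".vhd", ".vhdx", ".vmdk"}
CREDENTIAL_FILES = {
    "ntds.dit": "Active Directory database",
    "confcons.xml": "mRemoteNG connection file (stored passwords)",
}
# Registry hives have generic names, so only flag them inside a "config" directory.
REGISTRY_HIVES = {"sam", "system", "security"}

def audit_tree(root):
    """Walk a mounted share or mounted disk image and return a sorted list of
    (category, relative_path, note) for files that expose credentials."""
    findings = []

    def on_error(err):
        # Record directories that could not be listed instead of skipping them.
        rel = os.path.relpath(err.filename, root)
        findings.append(("unreadable", rel, err.strerror or "error"))

    for dirpath, _dirs, files in os.walk(root, onerror=on_error):
        parent = os.path.basename(dirpath).lower()
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            lower = name.lower()
            if os.path.splitext(lower)[1] in DISK_IMAGE_EXTS:
                findings.append(("disk-image", rel, "full filesystem copy"))
            elif lower in CREDENTIAL_FILES:
                findings.append(("credential-store", rel, CREDENTIAL_FILES[lower]))
            elif lower in REGISTRY_HIVES and parent == "config":
                findings.append(("registry-hive", rel, "local account secrets"))
    return sorted(findings)

def build_sample_tree(root):
    """Create a constructed layout of empty files that mimics a backup share."""
    for rel in ("Backups/host/disk1.vhd", "Backups/host/note.txt",
                "mnt/Windows/System32/config/SAM", "mnt/Users/docs/system",
                "mnt/Users/Administrator/ntds.dit",
                "mnt/Users/admin/AppData/Roaming/mRemoteNG/confCons.xml"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in audit_tree(tmp):
            print(*finding, sep="\t")
```

Run it with the least-privileged account that can reach the share: anything it reports is readable by that account, and disk images should be mounted read-only and audited again from the inside.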
In conclusion, Bastion is a fun Windows box that can be hacked with basic enumeration techniques and the right tools. The box offers a unique experience as it runs OpenSSH, which is unusual for a Windows box. The process of hacking the box involves enumeration, exploring the SMB share, extracting password hashes, and using the mremoteng-decrypt tool to reveal the credentials for the Administrator account. Overall, this walkthrough is great for anyone looking to improve their Windows hacking skills.