Bastion

Yes, I’m enjoying this box… hey… I think I found a password hash, can someone please help me with john or hashcat?
PM please :slight_smile:

Thanks to Joe on HTB Discord for the assistance, got User and Root from Kali (no Win VM required)

There are 2 vhd files! Should I combine them into one? Or view them separately?

Thanks @L4mpje! It is a very interesting box.

@p3tj3v said:

Nice box. Root part with the help of a Windows VM.
Wondering indeed if that would be possible using Linux

Yes, it’s possible. I have got the root hash w/o using Windows VM at all and by following the tips here in the forum thread.

PM me if you need help.

@illuminatiguy said:

There are 2 vhd files! Should I combine them into one? Or view them separately?

No, no need to combine them. Just look into each and seek for info. One of them will be your friend :wink:

Rooted! Nice box. If someone needs help let me know.

PP

@qmi said:

@illuminatiguy said:

There are 2 vhd files! Should I combine them into one? Or view them separately?

No, no need to combine them. Just look into each and seek for info. One of them will be your friend :wink:

Yeah figured that out, idk why I asked that stupid question! Maybe desperation? xD

Well, anyways, mounted the right one through the share, but while browsing the files in the drive, everything looks normal.

I even tried hivexs*** to browse W*********onfig\SA but even that didn’t have anything good

I am not able to find the credentials everyone’s been talking 'bout, a nudge at this point will be a great help!

Thanks and Best regards

Got it! It was a very big mountain to climb. That vhd - nice touch. I usually do not do win machines, as I am more comfortable with Linux machines, but this was a very nice one!

Currently stuck at mounting the VHD. Based on some articles my command seems to be correct however it’s still failing to mount. I think it’s a problem with guestmount… Any help would be appreciated.

rooted. Thanks for all of the hints on the forums. Super thanks to kmahyyg!

rooted: good box need help pm

nice box. took a bit of digging, but got root and user from kali.

Was trying how to browse the files. Is it possible to view the files without using windows? Maybe kali?

@pzylence said:

Was trying how to browse the files. Is it possible to view the files without using windows? Maybe kali?

you mean vhd files?

guestmount, google it (I don’t want to spoil too much, but there is a Stack Overflow question with the right command)

then nautilus will let you browse them

got User (faced problems with samdump, as it dumps a blank password)

for root I got an encrypted password from the config file, but can’t figure out how to decrypt it.
I tried to copy the xml to windows and open it from the program and failed.
I tried to decrypt the password using .rb file and .js files found online but they fail with some error related to `final': bad decrypt, when adding padding it gives me rubbish characters.
and I can’t figure out how to create the jar file. I also tried the MSF exploit related to the application and it gave me nothing :anguished:

rooted thanks to 0xNoOne script

@vmonem said:

rooted thanks to 0xNoOne script

Glad my script helped you out! I faced the same issues as you with the ruby script, since it was for decrypting an older version of mRemoteNG. So I decided to work on a Python script that would work on the version on this box.

Here’s the link to the script in case anyone else finds it useful:
secret link

Let me know if you notice any errors with the script, or if this post is breaking any rules :slight_smile:


plaintext = cipher.decrypt_and_verify(ciphertext, tag)

ValueError: MAC check failed
@0xNoOne

Rooted this box - thanks for creating such an enjoyable box @L4mpje.

I did this all using Kali and learned quite a lot of things that I didn’t know before I started so I’ve had to update my notes.

User: It was straightforward but I had a few issues getting older versions of samdump2 and bkhive installed to generate a file from S** and SY****.

Root: This can be done in quite a few different ways, I did a few of them once I had got the flag for experience and note taking, a pretty worthwhile exercise.

If you need any hints let me know.