Bastion HackTheBox Walkthrough

Kapil Verma
4 min readSep 10, 2019

Hi Friends, Today we’re going to solve the recently retired HackTheBox Machine named “Bastion”.

IP address of “Bastion” is

Now the first step for solving any machine is enumeration.

Well in Enumeration too the very first step to know is what are the ports that are open, what services are running, is there vulnerability already available for that exploit.

Cool, Let’s do a nmap scan for getting the ports info.

command: nmap -sC -sV

So, From the nmap scan we can deduce that there are 4 ports that are open 22,135,139,445.

Now 445 ports has smb running by default and as we can see from the nmap scan, smb service is running on port 445.

SMB. Stands for “Server Message Block.” SMB is a network protocol used by Windows-based computers that allows systems within the same network to share files.

Let’s login into SMB using the command smbclient -L // -N

Here we can see Backups directory, well most of the time if port 445 is open we can get some credentials or any juicy info from here to SSH ino the machine if port 22 is open.

Let’s see what’s inside this directory.

command for that would be smbclient //

Now, after surfing through all the directories I came across a 5.1 gb VHD means virtual hard disk file as can be seen in below screenshot.

Now it would be a really bad idea to download the whole 5.1 gb and then surf inside.

For that I searched for ways to mount VHD on kali, and I came across this very beautifully written blog on medium by Samuel Whang with title “Mounting VHD file on Kali Linux through remote Share.

I would Suggest you all to go through his blog for getting an idea on how to mount that vhd file remotely.

Link for the blog:

The mounting process may take some time. After it completes, navigate to the location where you mounted the .vhd file and the contents should be there!

Now very basic thing after you’re inside a drive, you can use SAM file for hashdump and the crack that hash to get the access to the machine.

By doing some research online I came across some blog where they have guided complete process of samdump and hash cracking.

Dumping hash now:

Now we need to crack this Hash.

There are several tools on kali for that but to save time i went and searched online for some hashcracking online website.

Now, SSH into L4mpje user using the above cracked password.

Now cd to c:\Users\L4mpje\Desktop where you will find your user.txt flag

Bingo, Now we’ve got user flag.

Let’s go for root flag.

Upon further going and surfing in the directories.

inside the program file 86 directory i found out this meRemoteNG folder.

So after searching online i got that this mRemoteNG stores the password hashes locally in xml format.

So upon further research and surfing through directories inside that mRemoteNG folder i got the files i was looking for:

upon reading through the content i could find this password hash for Administrator in that file:

Now this mRemoteNG hashes have a step by step tutorial on how to crack them, but to save your time your fellow penetration testers have created one python script for the same.

So, I have GIT clones the script, and now let’s run it.

Cool, We have the password now, Let’s SSH into it.

cd to c:\Users\Administrator\Desktop and you will get your root flag as well.