Bastion – HackTheBox Walkthrough

Machine Name: Bastion
Starting with nmap scan, got the following results:

As per nmap scan result, smb was discovered which can be logged in as guest. So I tried to checked for the directories and found a Backup folder.

I browsed inside the Backups folder and found 2 vhd files. One of them was very huge in size around 5GB.


Virtual hard disk (VHD) is a disk image file format for storing the complete contents of a hard drive. The disk image, sometimes called a virtual machine, replicates an existing hard drive and includes all data and structural elements. It can be stored anywhere the physical host can access.

I searched about vhd files and found some useful information on how to use them or open them.

I had linux installed on my system and this was a Windows machine so I was facing problems mounting the VHD into my system. 


I decided to complete this machine on Windows OS itself and installed Windows on Virtualbox.

I mounted the drive into my Windows VM successfully.

Then I opened the vhd file using 7zip and I was able to read all the contents inside the vhd file. I couldn’t find anything useful as such, so I downloaded the SAM and SYSTEM files into my system.

I searched on google about how to crack the SAM files to get password from them and found a tool for Windows i.e. Pwdump :

I used the tool and was able to get the password hashes. Now I had to crack these hash to get the passwords in plain text.

I found an online password hash cracker and it easily gave me the password in clear text.

I tried another hash but it gave me no result maybe because it wasn’t a proper valid hash.

Using the password I was able to login through ssh.

So finally, I got the user shell now!

I looked for installed programs on the system and found mRemote was the only software installed in the program files directory.


I had no idea what this software was about as I never heard about it before so I searched for some common vulnerabilities on this program and found this article:

Using the method provided in the article I could view the stored passwords. And to do this I had to download the config file, in which the passwords and other details are saved.

I installed mRemote software in my WIndows VM and followed the article step-by-step and it gave me the password.

According to the stored credentials, DC was the username but it didn’t work when I tried to login using ssh. I already had the user so root was left so I tried Administrator as username which successfully logged me in as root user and finally I got the root flag!

Leave a Comment