Nest – No Metasploit

Definitely learned a new thing or two with this box. Anyway, let’s fire off nmap:

Okay… so let’s go look at port 4386 to try to see what it is.

HQK Reporting Service? Erm. Ok. Port 445 was open, so let’s run smbclient to list the shares and smbmap to list their contents:

kali@hyd3:~/Tools/AutoRecon/results/10.10.10.178/scans$ cat smbclient.txt
WARNING: The "syslog" option is deprecated

        Sharename       Type      Comment
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Data            Disk
        IPC$            IPC       Remote IPC
        Secure$         Disk
        Users           Disk

smbmap output (timestamps dropped):

        ADMIN$    NO ACCESS   Remote Admin
        C$        NO ACCESS   Default share
        Data      READ ONLY
            .\Data
            dr--r--r--         IT
            dr--r--r--         Production
            dr--r--r--         Reports
            dr--r--r--         Shared
            dr--r--r--         Maintenance
            dr--r--r--         Templates
            fr--r--r--    48   Maintenance Alerts.txt
            dr--r--r--         HR
            dr--r--r--         Marketing
            fr--r--r--   425   Welcome Email.txt
        IPC$      NO ACCESS   Remote IPC
        Secure$   NO ACCESS
        Users     READ ONLY
            .\Users
            dr--r--r--         Administrator
            dr--r--r--         C.Smith
            dr--r--r--         L.Frost
            dr--r--r--         R.Thompson
            dr--r--r--         TempUser

What’s in Welcome Email.txt?

Cool. So we got a password. No… don’t go trying to use it just yet. Continue enumerating.

Looking at NotepadPlusPlus config.xml:

Looking at RU_config.xml:

… and that’s why we continue to enumerate FIRST.

Okay, so trying the creds that we’ve found so far, we figure out a couple of things:

TempUser can get access with welcome2019.

So can L.Frost, but L.Frost can only log in with welcome2019 and cannot list shares, for some reason (access denied).

Same with R.Thompson.

We also have the user C.Smith and the password fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE= (still encrypted at this point), and TempUser can list the contents of the Secure$\IT\Carl\ directory:

kali@hyd3:~/Tools/AutoRecon/results/10.10.10.178/scans$ smbclient //10.10.10.178/Secure$ -U TempUser
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\TempUser's password:
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
  Finance                             D
  HR                                  D
  IT                                  D

\Finance
NT_STATUS_ACCESS_DENIED listing \Finance\*
\HR
NT_STATUS_ACCESS_DENIED listing \HR\*
\IT
NT_STATUS_ACCESS_DENIED listing \IT\*
smb: \> cd IT\Carl
smb: \IT\Carl\> ls
  Docs                                D
  Reports                             D
  VB Projects                         D

\IT\Carl\Docs
  ip.txt                              A     56
  MC.txt                              A     73
\IT\Carl\Reports

As for the encrypted password: the RUScanner directory (under VB Projects) contained the VB source files, and Module1.vb shows how the password is decrypted:

kali@hyd3:~/Documents/htb/nest/smb/secure/RUScanner$ cat Module1.vb
Module Module1
    Sub Main()
        ' Load the serialized config, then decrypt the stored password with the shared Utils helper
        Dim Config As ConfigFile = ConfigFile.LoadFromFile("RU_Config.xml")
        Dim test As New SsoIntegration With {.Username = Config.Username, .Password = Utils.DecryptString(Config.Password)}
    End Sub
End Module

kali@hyd3:~/Documents/htb/nest/smb/secure/RUScanner$ cat SsoIntegration.vb
Public Class SsoIntegration
    Public Property Username As String
    Public Property Password As String
End Class

kali@hyd3:~/Documents/htb/nest/smb/secure/RUScanner$ cat ConfigFile.vb
Public Class ConfigFile
    Public Property Port As Integer
    Public Property Username As String
    Public Property Password As String

    ' Writes this object to disk as XML (the RU_Config.xml format)
    Public Sub SaveToFile(Path As String)
        Using File As New IO.FileStream(Path, IO.FileMode.Create)
            Dim Writer As New Xml.Serialization.XmlSerializer(GetType(ConfigFile))
            Writer.Serialize(File, Me)
        End Using
    End Sub

    ' Reads an XML config back into a ConfigFile object
    Public Shared Function LoadFromFile(ByVal FilePath As String) As ConfigFile
        Using File As New IO.FileStream(FilePath, IO.FileMode.Open)
            Dim Reader As New Xml.Serialization.XmlSerializer(GetType(ConfigFile))
            Return DirectCast(Reader.Deserialize(File), ConfigFile)
        End Using
    End Function
End Class

Utils.vb had the actual code to decrypt the password (the screenshot ends partway through the Encrypt signature):

kali@hyd3:~/Documents/htb/nest/smb/secure/RUScanner$ cat Utils.vb
Imports System.Text
Imports System.Security.Cryptography

Public Class Utils

    Public Shared Function GetLogFilePath() As String
        Return IO.Path.Combine(Environment.CurrentDirectory, "Log.txt")
    End Function

    ' Passphrase, salt, iteration count, IV and key size are all hard-coded here
    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function EncryptString(PlainString As String) As String
        If String.IsNullOrEmpty(PlainString) Then
            Return String.Empty
        Else
            Return Encrypt(PlainString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function Encrypt(ByVal plainText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                   ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
        ' ... the rest of the file is cut off in the screenshot

So I needed a nudge on this because this is all REALLY out of my brain capacity (but wouldn’t be for long!)… and it involved A LOT of trial and error.

Cutting and pasting the code into .NET Fiddle (https://dotnetfiddle.net), removing all the unnecessary (non-encryption-related) functions, adding Imports System at the top (to get rid of the errors and pull in the necessary classes/modules), and adding Console.WriteLine(plainText) just before the decrypt function returns gave us this code:

That last portion was used to just decrypt the actual string that we found earlier. This returned the password:

    Sub Main()
        Dim test As New SsoIntegration With {.Username = "c.smith", .Password = Utils.DecryptString("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=")}
    End Sub
End Class

xRxRxPANCAK3SxRxRx
Last Run: 10:00:46 pm

The password is: xRxRxPANCAK3SxRxRx
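The same decryption, rewritten here as an added Go example (not the box’s VB code and not the .NET Fiddle code). Because the screenshot cuts Utils.vb off before the Encrypt/Decrypt bodies, the example assumes the standard .NET pattern for this signature: the key comes from Rfc2898DeriveBytes (PBKDF2-HMAC-SHA1) over the passphrase and ASCII salt, and the base64 ciphertext is AES-256-CBC with PKCS7 padding and the ASCII IV. With the parameters from DecryptString it reproduces the password above.

```go
package main

import (
	"bytes"; "crypto/aes"; "crypto/cipher"; "crypto/hmac"; "crypto/sha1"
	"encoding/base64"; "encoding/binary"; "fmt"
)

// pbkdf2SHA1 is PBKDF2 with HMAC-SHA1 (RFC 2898), i.e. what .NET's Rfc2898DeriveBytes computes (assumed KDF).
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	prf, dk, idx := hmac.New(sha1.New, password), []byte{}, make([]byte, 4)
	for block := uint32(1); len(dk) < keyLen; block++ {
		binary.BigEndian.PutUint32(idx, block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx)
		u := prf.Sum(nil)              // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U_1 xor U_2 xor ... xor U_iterations
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// Decrypt mirrors Utils.Decrypt: base64 ciphertext, AES-CBC under the PBKDF2 key with the ASCII IV,
// PKCS7 padding stripped. A wrong passphrase, salt, iteration count or IV nearly always shows up as bad padding.
func Decrypt(encrypted, passPhrase, saltValue string, iterations int, initVector string, keySize int) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encrypted)
	if err != nil { return "", err }
	if len(initVector) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", fmt.Errorf("IV must be %d bytes and the ciphertext a non-empty multiple of it", aes.BlockSize)
	}
	blk, err := aes.NewCipher(pbkdf2SHA1([]byte(passPhrase), []byte(saltValue), iterations, keySize/8))
	if err != nil { return "", err }
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, []byte(initVector)).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", fmt.Errorf("bad PKCS7 padding: key or IV is probably wrong")
	}
	return string(pt[:len(pt)-pad]), nil
}
// Hard-coded parameters from Utils.DecryptString and the encrypted value found in RU_Config.xml.
func main() { fmt.Println(Decrypt("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=", "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)) }
```

The hard-coded passphrase, salt and IV are the whole secret here: anyone with read access to the RUScanner sources can decrypt every password stored in this format.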

Using this, we can try to access the share with C.Smith’s username:

kali@hyd3:~/Documents/htb/nest/smb/secure/RUScanner$ smbclient //10.10.10.178/Users -U c.smith
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\c.smith's password:
Try "help" to get a list of possible commands.
smb: \> recurse ON
smb: \> dir
  Administrator                       D
  C.Smith                             D
  L.Frost                             D
  R.Thompson                          D
  TempUser                            D

\Administrator
NT_STATUS_ACCESS_DENIED listing \Administrator\*
\C.Smith
  HQK Reporting                       D
  user.txt                            A     32

We can then just download user.txt and read it:

smb: \> cd C.Smith\
smb: \C.Smith\> type user.txt
type: command not found
smb: \C.Smith\> get user.txt /home/kali/Documents/htb/nest/user.txt
getting file \C.Smith\user.txt of size 32 as /home/kali/Documents/htb/nest/user.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)

Now onto root. Looking around, we see some interesting files in HQK Reporting:

smb: \C.Smith\HQK Reporting\> dir
  AD Integration Module               D
  Debug Mode Password.txt             A
  HQK_Config_Backup.xml               A    249

\C.Smith\HQK Reporting\AD Integration Module
  HqkLdap.exe                         A  17408

HQK_Config_Backup.xml contents:

Looking a bit at Debug Mode Password.txt, it seems interesting. After looking for hours, I remembered that alternate data streams can be used to hide stuff in files.

smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time:    Thu Aug  8 2019 EDT
access_time:    Thu Aug  8 2019 EDT
write_time:     Thu Aug  8 2019 EDT
change_time:    Thu Aug  8 2019 EDT
attributes: A (20)
stream: [::$DATA], bytes
stream: [:Password:$DATA], 15 bytes

Interesting… so there’s a stream called Password!

smb: \C.Smith\HQK Reporting\> get "Debug Mode Password.txt:Password" /home/kali/Documents/htb/nest/c.smith/passwordhidden.txt
getting file \C.Smith\HQK Reporting\Debug Mode Password.txt:Password of size 15 as /home/kali/Documents/htb/nest/c.smith/passwordhidden.txt (0.1 KiloBytes/sec) (average 24.8 KiloBytes/sec)

Okay, so we know this is associated with the HQK service on port 4386. Let’s try to telnet with these creds:

Reading the manual for HQK Reporting Service, we can figure out the commands used to enumerate what is on the service.

>SETDIR .
Current directory set to HQK
>LIST
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

QUERY FILES IN CURRENT DIRECTORY

[DIR]  ALL QUERIES
[DIR]  LDAP
[DIR]  Logs
[1]    HqkSvc.exe
[2]    HqkSvc.InstallState
[3]    HQK_Config.xml

Current Directory: HQK
>SETDIR LDAP
Current directory set to LDAP
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

QUERY FILES IN CURRENT DIRECTORY

[1]    HqkLdap.exe
[2]    Ldap.conf

Current Directory: LDAP
>SHOWQUERY 2
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,DC=nest,DC=local
User=Administrator

To be continued…