Hackthebox.eu - Retired - Nest
Recon
As always I start with a simple up/down scan of all TCP ports to see what is open:
nmap -T4 -p- -oX ./nmapb.xml nest.htb
Then I convert the XML to HTML to make it readable.
Very few ports are open.
Let's scan those two ports again with the -A switch (version detection plus default scripts) to see if we can get any more info:
# nmap -T4 -p445,4386 -A -oX ./nmapf.xml nest.htb
Then convert that output to HTML as well:
xsltproc ./nmapf.xml -o ./nmapf.html
So it looks like a Windows box with SMB on 445 and something calling itself a reporting service on 4386.
Let's start with SMB and see what we can find out:
smbclient -L \\\\nest.htb
Cool, it looks like we can list shares anonymously.
Let's see if we can connect to anything.
Let's start with Users, that sounds very promising:
# smbclient \\\\nest.htb\\Users
We were able to connect anonymously, so at the very least there is some data leakage here: we now know some user names on the system.
Administrator
C.Smith
L.Frost
R.Thompson
TempUser
Unfortunately that's all we get from the Users share; we get access denied when trying to list the contents of any of these folders.
Alright, what about the Data share?
We can connect to it anonymously too.
We don't have rights to list most of the directories in here, but we can access Shared.
Under Templates\HR I found a file named Welcome Email.txt.
I downloaded it and looked at the contents:
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>
You will find your home folder in the following location:
\\HTB-NEST\Users\<USERNAME>
If you have any issues accessing specific services or workstations, please inform the
IT department and use the credentials below until all systems have been set up for you.
Username: TempUser
Password: welcome2019
Thank you
HR
Some possible creds. Let's see if we can find anything else on this share.
I found another file under Maintenance named "Maintenance Alerts".
Its contents just said:
There is currently no scheduled maintenance work
Let's move on to exploitation and see if we can use these creds for anything.
Exploit
So to recap, we might have creds for TempUser:
Username: TempUser
Password: welcome2019
Let's see if we can get more out of the Users share with these creds:
smbclient \\\\nest.htb\\users -U "TempUser"
Yup, there is a new text document in that folder.
I did a "get" on the file and noticed something I might have seen earlier: it's zero size. Nothing in there.
Well, at least we know those are good creds. It also looks like a pretty generic password, so I wonder if any of the other users haven't changed theirs.
I'll just try to connect to the same Users share with each user account and that same welcome2019 password. Although it looks like C.Smith started in 2020, so I'll try a 2020 variant as well for that one.
R.Thompson hasn't reset their password.
So yay, that's two accounts we have.
Well, not so fast. I went into his directory and couldn't list the folder, so maybe not. Apparently any account can list the root of this share (which we found out earlier with anonymous), even with a bad password, so a successful connection to Users proves nothing about whether the credentials are valid.
On to the next.
Same story for L.Frost: I can log in with any password as that user and connect to SMB. Do they not have passwords set?
But C.Smith won't let me log in to SMB with a bad password.
This is weird.
Administrator did the same thing: I got logon failures with bad or no passwords.
So let's look at the other port we found open, 4386.
It looks kind of like a web server, so let's try pulling up the port in a browser.
Eventually we get this message:
HQK Reporting Service v1.2
Let's see if we can capture anything in Burp Suite.
I couldn't figure out a way to use Burp to interact with this, or Firefox for that matter.
What if we try to connect to that port another way?
nc nest.htb 4386
This looks like it did something, but it wouldn't respond to anything I tried.
What about telnet?
# telnet nest.htb 4386
That's better.
Ok, now let's try and figure out how to use this.
I could use SETDIR .. to move back up the directory tree on the OS, but I couldn't figure out much at this path, so I went back to the SMB shares with the TempUser creds.
I connected up to \\nest.htb\Data as TempUser.
I went back into the IT folder and did a get for every file I could find in this share. Eventually I found RUL_Config.xml in the Configs\RU Scanner folder.
It contained this:
<ConfigFile><Port>389</Port><Username>c.smith</Username><Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password></ConfigFile>
That sure looks like a password for C.Smith.
But what is the format? I tried straight base64, but the result looked like gibberish:
}13.ö.£=XÃŽJ¡BAú..X*.Wc.føÎ?ÃŽ²c.
That is actually a useful hint: the base64 decodes to 32 bytes of high-entropy binary, a multiple of the 16-byte AES block size, which points to a block cipher rather than just an encoding.
I also found this file, config.xml, which has some recent-file information towards the bottom.
I know we can't get to the Secure$\IT folder, but what about the Carl folder beneath it? Sometimes NTFS folder permissions aren't inherited all the way down, especially when there are nested levels of folder permissions under the root folder, and the permissions at the top of a share can be more restrictive than those below. An access denied on a parent does not rule out access to a child if you know its path.
I connected back to the Secure$ share as TempUser.
And we could cd straight to that folder. I'm just going to download everything here, because there is most likely something that will help us on our journey.
Here is a site I found that told me how to download a whole folder in smbclient:
smbclient '\\server\share'
mask ""
recurse ON
prompt OFF
cd 'path\to\remote\dir'
lcd '~/path/to/download/to/'
mget *
So modified for my purpose:
recurse ON
prompt OFF
lcd /root/Desktop/HTB/nest/Carl
mget *
In the folders we downloaded we found a project named RU, which is probably related to the RU config file we found earlier, the one with the base64-looking password:
fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=
There is a Utils.vb which looks like it has both an encrypt and a decrypt function for the values in that XML file.
Specifically this bit:
Public Shared Function DecryptString(EncryptedString As String) As String
If String.IsNullOrEmpty(EncryptedString) Then
Return String.Empty
Else
Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
End If
End Function
It passes the string to a Decrypt function along with a hard-coded passphrase, salt, iteration count, IV and key size. Everything needed to decrypt is baked into the source, so anyone who can read the code, or decompile the binary, can recover every password it protects.
Here is the Decrypt function:
Public Shared Function Decrypt(ByVal cipherText As String, _
ByVal passPhrase As String, _
ByVal saltValue As String, _
ByVal passwordIterations As Integer, _
ByVal initVector As String, _
ByVal keySize As Integer) _
As String
Dim initVectorBytes As Byte()
initVectorBytes = Encoding.ASCII.GetBytes(initVector)
Dim saltValueBytes As Byte()
saltValueBytes = Encoding.ASCII.GetBytes(saltValue)
Dim cipherTextBytes As Byte()
cipherTextBytes = Convert.FromBase64String(cipherText)
Dim password As New Rfc2898DeriveBytes(passPhrase, _
saltValueBytes, _
passwordIterations)
Dim keyBytes As Byte()
keyBytes = password.GetBytes(CInt(keySize / 8))
Dim symmetricKey As New AesCryptoServiceProvider
symmetricKey.Mode = CipherMode.CBC
Dim decryptor As ICryptoTransform
decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)
Dim memoryStream As IO.MemoryStream
memoryStream = New IO.MemoryStream(cipherTextBytes)
Dim cryptoStream As CryptoStream
cryptoStream = New CryptoStream(memoryStream, _
decryptor, _
CryptoStreamMode.Read)
Dim plainTextBytes As Byte()
ReDim plainTextBytes(cipherTextBytes.Length)
Dim decryptedByteCount As Integer
decryptedByteCount = cryptoStream.Read(plainTextBytes, _
0, _
plainTextBytes.Length)
memoryStream.Close()
cryptoStream.Close()
Dim plainText As String
plainText = Encoding.ASCII.GetString(plainTextBytes, _
0, _
decryptedByteCount)
Return plainText
End Function
That Decrypt function is really the only thing we care about here, so let's create a new VB.NET program that wraps it and passes in the encrypted value we have.
Here is what I ended up with; I used this website to compile and run the code:
Imports System
Imports System.Text
Imports System.Security.Cryptography

Public Class Utils
    ' Entry point: decrypt the value lifted from the RU Scanner config with the
    ' exact constants the RU project hard-codes in DecryptString.
    Public Shared Sub Main()
        Console.WriteLine(Decrypt("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=", "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256))
        Console.WriteLine("Hello World")
    End Sub

    ' Copied from Utils.vb: AES-CBC with a key derived by Rfc2898DeriveBytes
    ' (PBKDF2-HMAC-SHA1) from a hard-coded passphrase and salt, ASCII IV,
    ' only 2 iterations. CryptoStream strips the PKCS#7 padding for us.
    Public Shared Function Decrypt(ByVal cipherText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                   ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                                   As String
        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)
        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)
        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)
        ' Key derivation: 256 bits / 8 = 32-byte key, i.e. AES-256
        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)
        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))
        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC
        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)
        Dim memoryStream As IO.MemoryStream
        memoryStream = New IO.MemoryStream(cipherTextBytes)
        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)
        ' Plaintext is never longer than the ciphertext (padding is removed)
        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)
        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)
        memoryStream.Close()
        cryptoStream.Close()
        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                             0, _
                                             decryptedByteCount)
        Return plainText
    End Function
End Class
Here is the output:
xRxRxPANCAK3SxRxRx
Hello World
So it looks like xRxRxPANCAK3SxRxRx is the password for C.Smith.
So I tried that on SMB for c.smith and we got in.
So now we have C.Smith's creds too:
Username: c.smith
Password: xRxRxPANCAK3SxRxRx
Let's connect to the Users share and see if there is anything in C.Smith's folder:
smbclient \\\\nest.htb\\users -U c.smith
There is the user.txt.
I did a get on the file.
User hash down.
Let's keep looking.
Under HQK Reporting there is a file named "Debug Mode Password.txt" with a zero file size.
Another zero-size file. What can that mean?
Well, the data could be in an alternate data stream, which NTFS supports: the file's unnamed $DATA stream is empty, so directory listings and ordinary copies show zero bytes, while a named stream on the same file holds the actual content.
I found this posting, which shows how to check for an alternate data stream on a file over SMB:
https://superuser.com/questions/1520250/read-alternate-data-streams-over-smb-with-linux
smbclient -U USER //IP/Share -c 'allinfo "ADS_FILE"'
So modified to work in our scenario:
smbclient -U c.smith \\\\nest.htb\\users\\ -D "C.Smith\\HQK Reporting\\" -c 'allinfo "Debug Mode Password.txt"' xRxRxPANCAK3SxRxRx
And we see this: there is an alternate data stream.
What about that New Text Document we found in the TempUser folder earlier?
# smbclient \\\\nest.htb\\users\\ -U "TempUser" -D "TempUser" -c 'allinfo "New Text Document.txt"'
Nope, that was actually just an empty document. Good to know.
Ok, back to Debug Mode Password.txt.
After verifying they were using an ADS to hide data in the file, I connected back up to SMB:
# smbclient \\\\nest.htb\\users -U C.Smith
Went to the folder and changed my get to include the stream name:
get "Debug Mode Password.txt:Password:$DATA"
Which gave me this file, which I guess is the debug password for the HQK service we found earlier:
WBQ201953D8w
At first I just put in junk for the password to see if that would give an error for a wrong password, and it did.
Then when I supplied the right password it said invalid number of arguments.
Sooooo... I was stuck here for literally hours. It turns out my copy-paste of the password included a space at the end.
Yay, new things!
I remembered from poking around earlier that there was an LDAP folder, so I did
SETDIR .. to go back a folder level and into the ldap folder,
then did SHOWQUERY 2:
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=
I also got the debug password back again.
I wonder if we can just feed that new ciphertext into the same decryption program we used earlier. Surely this programmer would not go through the trouble of inventing a new decryption process for a different program, right?
Well, apparently they did.
Poking around C.Smith's folder on SMB there is an executable named HqkLdap.exe under AD Integration Module.
I downloaded that file to a Windows machine and used this decompiler to take a look under the hood:
https://www.jetbrains.com/decompiler/
I saw a function in the code that was very similar to the other one, the same construction with different hard-coded values.
So I wonder if I just need to change those values in the Decrypt call of our modified VB program from earlier?
Yup, that is exactly what we need to do, and out comes:
XtH4nkS4Pl4y1nGX
According to the LDAP XML we found earlier, this should be the password for the Administrator account.
Let's connect to SMB as Administrator with this password and see if we can get the root hash.
It worked!!
Let's get that hash:
659**********************************
That was fun. I liked having to modify the VB code and decompile the other binary.
Fun box!!