Hack the Box - Nest - Walkthrough

Introduction

Today we're going to be doing a pentest walkthrough of the Nest machine hosted at https://hackthebox.eu. For this pentest, we'll be using a Kali Linux virtual machine as our attacking system and the Nest machine as the victim system. After connecting to the Hack the Box network via VPN, we see that our target is located at 10.129.100.97.

Scanning and Enumeration

We'll start by scanning for open ports with Nmap:

sudo nmap -T4 -p- 10.129.100.97


Now we'll do another Nmap scan, this time specifying the ports and picking up service names and version numbers:

sudo nmap -sV -T4 -p445,4386 10.129.100.97


There seems to be an unusual service running on port 4386.  Let's check it out using Netcat:

netcat -C 10.129.100.97 4386


After some research, we can't find any info on this service, so we assume it's a custom network app. Note the -C switch: the service only parses commands that are terminated with CRLF (carriage return + line feed), so without -C our input is ignored and nothing comes back. We'll leave enumeration of this app for now and move on to SMB enumeration.

We attempt to enumerate shares using SMBclient:

smbclient -L 10.129.100.97


There are three non-standard shares available: Data, Secure$, and Users. We manually enumerate each of them with smbclient and a blank password. Anonymous login succeeds on all three, but the Secure$ share doesn't allow directory listing, and the Users share only allows its root directory to be listed:

smbclient \\\\10.129.100.97\\Users
input blank password
dir


We aren't able to list the contents of any of these user directories, but we take note of the usernames. Lastly, we have the Data share. First we list out the directories:

smbclient \\\\10.129.100.97\\Data
input blank password
dir


We find an interesting file in the \shared\templates\hr\ directory, so we download it and read its contents:

get "Welcome Email.txt"
from Kali system: cat ./Welcome\ Email.txt



The email contains credentials for TempUser, a username we saw previously in the Users share, so we authenticate as TempUser with smbclient and access the Data share again. We find interesting files in the \it\configs\RU Scanner\ and \it\configs\NotepadPlusplus\ directories:

smbclient \\\\10.129.100.97\\Data -U TempUser
password: welcome2019
get RU_config.xml
get config.xml




First off, we check out the RU_config.xml file:

cat RU_config.xml


Here we see credentials for the C.Smith user. The password looks like it's Base64 encoded, but decoding it gives unprintable bytes rather than a password, which suggests an encrypted value that has then been Base64 encoded. We leave these credentials alone for now, and look at the other config.xml file we downloaded:

cat config.xml



This points to a directory in the Secure$ share that we can enumerate. We access it with the TempUser account:

smbclient \\\\10.129.100.97\\Secure$ -U TempUser
password: welcome2019
dir


We can enter the \IT directory, but we can't list its contents.


However, we can still change into subdirectories if we know their names, and config.xml gave us one (carl):

cd carl
dir


While enumerating carl's directories, we find an interesting project in the \it\carl\VB Projects\wip\ru directory:


In the RUScanner directory there is a Visual Basic program, including several directories and files. We download all the files and look over the contents.

cat module1.vb


This piques our interest because it references the RU_Config.xml file that we found previously, then passes the password from it through a decryption function. Since this is a Visual Basic project, we recreate all the files and directories in a Windows 10 environment. If we want to debug the program, we'll need to put RU_config.xml in the project's \bin\Debug directory, which is where the debug build runs from and looks for it. Then we open RUScanner.sln with Visual Studio:


We want to run the decryption function in Module1.vb, so we'll debug the program one step at a time by selecting the Debug tab, then Step Into (or using the F11 key shortcut):


Around step 24, this message appears in the Autos window:


This is the decrypted password for the C.Smith user. Assuming that C.Smith reuses this password for SMB, we can use the C.Smith credentials to enumerate the C.Smith directory in the Users share:

smbclient \\\\10.129.100.97\\Users -U C.Smith
password: xRxRxPANCAK3SxRxRx
cd C.Smith
dir


Capturing the User Flag

Let's download the user.txt file, and then read it on our attacking system:

get user.txt
from attacking system: cat user.txt



Inside the \HQK Reporting directory, we find more interesting files, including a password file:


The password file here appears to be empty (0 bytes). An apparently empty file on an NTFS volume is always worth checking for Alternate Data Streams (ADS), since the real content may be hidden in a named stream. smbclient can show the streams with the allinfo command:

allinfo "Debug Mode Password.txt"


We can download the named stream by appending :StreamName to the filename:

get "Debug Mode Password.txt:Password"

Then read it from our attacking system:

cat Debug\ Mode\ Password.txt:Password



Meanwhile, there was an additional directory inside of the \HQK Reporting directory called \AD Integration Module.  Let's see what's there:

cd "AD Integration Module"
dir


Let's download this file and analyze it:

get HqkLdap.exe
from attacking machine: file HqkLdap.exe



It looks like we'll have to do some reverse engineering on this file. Since it is a Windows executable, we'll use dnSpy from our Windows machine and open the HqkLdap.exe file:

Open dnSpy program
File, Open, HqkLdap.exe


It looks like this executable was written in C#. We find some interesting code when we look at the HqkLdap.CR method:


The format of this decryption function looks similar to the one we saw earlier, the RU Scanner:


This means we might be able to reuse the HqkLdap.CR method code to decrypt any other password that was encrypted the same way. Given that this is an AD integration module, an encrypted LDAP password must exist somewhere on the system. There's only one place left to look: the HQK service we saw way back at the beginning of this exercise in Nmap, operating on port 4386:

nc -C 10.129.100.97 4386
help


After some testing, we find that this service behaves like other directory query programs, with LIST similar to cmd dir and SETDIR similar to cmd cd. However, additional commands become available once we run the DEBUG command with the debug password we obtained from the ADS earlier:

debug WBQ201953D8w


The additional commands include SHOWQUERY, which is similar to cmd type. With all these commands available, after some searching, we find interesting files in the C:\program files\hqk\ldap directory:


Let's take a look:

showquery 2

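For a custom line-based service like this one, it is worth wrapping the interaction in a small client rather than typing into nc, both to script the enumeration and to pin down framing problems such as the CRLF requirement seen at the start. The following is an added example and is not part of the walkthrough. Because the real HQK service is only reachable on the lab network, the block includes a constructed stand-in server that reproduces just the two behaviours observed above (commands must end in CRLF, and SHOWQUERY is only accepted after DEBUG with the right password); its banner, prompt character and reply wording are assumptions, not the real service's output. The DEBUG password is the one recovered from the ADS above.

```python
import socket
import threading

DEBUG_PASSWORD = "WBQ201953D8w"  # recovered from the ADS in the walkthrough
PROMPT = b">"                    # assumed prompt; change to whatever the real banner ends with


def frame(command: str, terminator: bytes = b"\r\n") -> bytes:
    """CRLF-terminate a command. This is exactly what `nc -C` adds for you."""
    return command.encode("utf-8") + terminator


def read_until_prompt(sock: socket.socket, prompt: bytes = PROMPT) -> str:
    """Read until the service shows its prompt (or closes), so one call returns one full reply."""
    buf = b""
    while not buf.rstrip().endswith(prompt):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("utf-8", errors="replace")


def run_session(host: str, port: int, commands, terminator: bytes = b"\r\n") -> list:
    """Connect, consume the banner, then send each command and collect its reply in order."""
    with socket.create_connection((host, port), timeout=5) as s:
        replies = [read_until_prompt(s)]
        for cmd in commands:
            s.sendall(frame(cmd, terminator))
            replies.append(read_until_prompt(s))
    return replies


# ---- constructed stand-in for the HQK service (not the real binary) ----
def _stub_handle(conn: socket.socket) -> None:
    debug = False
    conn.sendall(b"Stub reporting service\r\n\r\n" + PROMPT)
    buf = b""
    while True:
        data = conn.recv(1024)
        if not data:
            return
        buf += data
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            if not line.endswith(b"\r"):          # bare LF: the service never sees a command
                reply = b"Unrecognised command"
            else:
                verb, _, arg = line[:-1].decode("utf-8", errors="replace").partition(" ")
                verb = verb.upper()
                if verb == "HELP":
                    reply = b"Commands: HELP LIST SETDIR DEBUG" + (b" SHOWQUERY" if debug else b"")
                elif verb == "DEBUG":
                    debug = arg == DEBUG_PASSWORD
                    reply = b"Debug mode enabled" if debug else b"Invalid password"
                elif verb == "SHOWQUERY" and debug:
                    reply = b"[contents of query " + arg.encode("utf-8") + b"]"
                else:
                    reply = b"Unrecognised command"
            conn.sendall(reply + b"\r\n\r\n" + PROMPT)


def start_stub() -> int:
    """Serve one connection on an ephemeral localhost port and return that port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def serve():
        conn, _ = listener.accept()
        with conn:
            _stub_handle(conn)
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


def demo() -> dict:
    """Run the enumeration sequence with CRLF framing, then show what a bare LF gets you."""
    cmds = ["HELP", "SHOWQUERY 2", f"DEBUG {DEBUG_PASSWORD}", "SHOWQUERY 2"]
    return {
        "crlf": run_session("127.0.0.1", start_stub(), cmds),
        "lf_only": run_session("127.0.0.1", start_stub(), ["HELP"], terminator=b"\n"),
    }


if __name__ == "__main__":
    for name, replies in demo().items():
        print(f"== {name} ==")
        for r in replies:
            print(r.strip())
```

Against the real box you would call run_session("10.129.100.97", 4386, [...]) and adjust PROMPT to match the banner; the lf_only session shows why plain nc without -C appears to hang, since a command without the carriage return is never acted on.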

Privilege Escalation

Now that we have the Administrator user's encrypted password string from the LDAP configuration, we can potentially recover the plaintext by running the HqkLdap.CR method code with that string as its argument. First we copy the decompiled HqkLdap.CR code and paste it into an online .NET interpreter, such as https://dotnetfiddle.net


Then we insert the following call on line 10 (inside the Main method):

Console.WriteLine(HqkLdap.CR.DS("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4="));
click the Run button at the top of the webpage


With the Administrator user's credentials, we can login to the C$ share as the Administrator using SMBclient:

smbclient \\\\10.129.100.97\\C$ -U Administrator


Capturing the Root Flag

Capturing the root flag on this system is a three-step process: navigate to the Administrator user's \Desktop directory, download root.txt, then read it from our Kali machine:

cd users
cd Administrator
cd Desktop
get root.txt

from Kali machine: cat root.txt



Summary

After initial scans, we found that anonymous SMB login was enabled on the system for certain shares, from which we obtained a low-level user's SMB credentials and continued to enumerate further SMB shares with that account. With the low-level account, we found a project folder containing code for decrypting another user's password, which we executed to gain that user's credentials. Using the new account, we located a Windows binary, which we downloaded and reverse engineered to reveal its ability to decrypt an encrypted password string.

Utilizing a custom network service on the system, we obtained the Administrator user's encrypted password string, which we decrypted using code from the captured Windows binary. With the Administrator credentials, we captured the objective flag file from the system.

Finish