Nest is an easy difficulty machine running Windows. It tests your knowledge of basic enumeration and code analysis to gain access to user and root.
Be sure to check out the Basic Setup section before you get started.
As always, enumeration is our first port of call. Let's take a look at the machine and see what we are dealing with.
The Unknown Port
When we get an unknown port it scratches the part of our brain that makes us wonder what is behind that mysterious black hole. Let's check it out with netcat, remembering that this is a Windows machine, so we will use the CRLF flag (-C in OpenBSD netcat, --crlf in Ncat) so that every line we send is terminated with \r\n rather than a bare \n.
Connecting with netcat we find a prompt:
Typing in help we see a list of commands. We don't seem to be able to do much, so we can assume we need the DEBUG password. Trying a handful of default passwords gets us nowhere. Let's continue on and keep an eye out for passwords.
Taking a look at port 445 with smbclient we find the following shares:
None of which appear to be writable when we check with our smb-check.sh:
Navigating through the SMB shares we come across something interesting in //10.10.10.178/Data/Shared/Templates/Marketing: the file Welcome Email.txt, which contains the following:
Using the credentials we have found, let's start by mounting the shares so we can search them much more easily.
Let's start with Data, since this is where we found the credentials in the first place:
And then we will search for usernames and passwords:
Looks like we have found some more creds, however the password looks like a hash. On further inspection the string doesn't match any known hash format:
We have some more searching to do to see if we can find any hints as to how this password string is encoded.
Searching through the files in the shares we have access to, we find a file called config.xml in Data/IT/Configs/NotepadPlusPlus. Within it we find <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />, a path on the Secure$ share.
Listing the Carl directory on Secure$ we find that we have access:
Looking further we find a Visual Basic project folder:
Loading the project in Visual Studio we can open Utils.vb and set a breakpoint at line 114. Running under the debugger we find the decrypted password xRxRx....xRxRx:
Trying the password against the users we have found so far, we find that it authenticates as c.smith over SMB.
Having a look in the C.Smith folder we find our user flag:
Let’s move on to root.
In the C.Smith folder we also find the HQK Reporting directory, which matches the service we found on the unknown port earlier.
Since I want to work on my Win-foo, we will move over to a Windows VM and mount the share.
Taking a look at the folder we find a directory and a couple of files:
Looks like we have potentially found our DEBUG password for the unknown port. We also find a config file and another executable, HqkLdap.exe.
Executing HqkLdap.exe we get the following output:
We will most likely need to analyse this file, but for now let's look into our DEBUG password!
Taking a look at the file we see that it appears empty. A bit of stego maybe? Let's copy the file to a writable location so we can investigate further (keep it on an NTFS volume: a copy to FAT/exFAT or to a non-Windows filesystem silently drops anything stored in an alternate data stream):
Since we are in Windows and Nest is a Windows machine, let's take a stab in the dark and check for alternate data streams.
I recently saw this used in a CTF, so let's give it a crack…
We can list the streams of a file in PowerShell with Get-Item -Stream * (the default content is the unnamed ':$DATA' stream), or in Command Prompt with dir /R:
Here we find a data stream named Password, and we can view its contents with Get-Content -Stream Password (cat is an alias for Get-Content in PowerShell):
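The two checks above, grepping a mounted share for credential-looking strings as we did over Data and Secure$, and listing alternate data streams so an "empty" file that hides its secret in a stream is not missed, are easy to combine into one sweep. The PowerShell below is an added example (not code from the original write-up): the root path, the regex patterns and the demo files it creates under $env:TEMP are all constructed for illustration, and the stream check only works on NTFS.

```powershell
# Added example, not code from the original write-up.
# Walks a tree (point -Root at a mounted share), reports credential-looking
# lines in file contents and any non-default NTFS data stream on each file.
function Find-ShareSecrets {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Assumed patterns; extend them to match the target's naming habits.
        [string] $Pattern = 'passw(or)?d|pwd|username|<User>'
    )

    $results = New-Object System.Collections.Generic.List[object]
    $files = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue

    # 1. Content hits: one record per matching line (the grep-over-the-mount step).
    foreach ($hit in ($files | Select-String -Pattern $Pattern -ErrorAction SilentlyContinue)) {
        $results.Add([pscustomobject]@{
            Kind = 'Content'; Path = $hit.Path; Where = $hit.LineNumber; Text = $hit.Line.Trim()
        })
    }

    # 2. Stream hits: every stream except the unnamed default ':$DATA' stream,
    #    i.e. what 'dir /R' shows and what a plain 'type' of the file never reveals.
    foreach ($f in $files) {
        $streams = Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }
        foreach ($s in $streams) {
            $results.Add([pscustomobject]@{
                Kind = 'Stream'; Path = $f.FullName; Where = $s.Stream
                Text = (Get-Content -LiteralPath $f.FullName -Stream $s.Stream -Raw -ErrorAction SilentlyContinue)
            })
        }
    }

    return $results
}

# Constructed demo tree standing in for the mounted share (NTFS required for streams).
$demo = Join-Path $env:TEMP ('nest-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path (Join-Path $demo 'IT\Configs') -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'IT\Configs\app.xml') `
    -Value '<User>svc_demo</User><Password>example-only</Password>'
$looksEmpty = Join-Path $demo 'empty-looking.txt'
New-Item -ItemType File -Path $looksEmpty | Out-Null
Set-Content -LiteralPath $looksEmpty -Stream 'Password' -Value 'stream-example'   # hidden in an ADS

Find-ShareSecrets -Root $demo | Format-Table Kind, Where, Text, Path -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

On the demo tree this reports one Content hit from app.xml and one Stream hit (stream name Password) for empty-looking.txt, whose default content is zero bytes. Against a real mount, drop the demo section and pass the drive letter or UNC path as -Root.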
There is our DEBUG password… hopefully! Let's go check it out with good ol' telnet:
Nice! Checking the options with the HELP command we find that we can change directories with the SETDIR command. Let's move to the parent directory and see what we can find:
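The same exchange can be scripted. The PowerShell client below is an added example (not code from the original write-up or from the HQK service): it opens a TCP connection, sends each command terminated with CRLF as the Windows service expects, and collects the replies so the HELP, DEBUG and SETDIR interactions above can be replayed from a script. The port, the exact DEBUG <password> syntax and the read timeout are assumptions; the responses are whatever the service actually returns.

```powershell
# Added example, not code from the original write-up or the HQK service.
# Sends commands to a line-oriented TCP service using CRLF line endings (the
# same thing 'nc -C' / telnet do) and returns a transcript of the exchange.
function Invoke-LineService {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [int]      $Port,          # assumption: the unknown port
        [Parameter(Mandatory)] [string[]] $Commands,
        [int] $ReadTimeoutMs = 1500                       # how long to wait for the service to go quiet
    )

    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $stream = $client.GetStream()
        $stream.ReadTimeout = $ReadTimeoutMs
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
        $writer.NewLine   = "`r`n"      # Windows service: terminate every line with CRLF
        $writer.AutoFlush = $true

        $transcript = New-Object System.Text.StringBuilder
        $buf = [char[]]::new(4096)

        # Read until the service stops sending; NetworkStream raises IOException on ReadTimeout.
        $drain = {
            try {
                while ($true) {
                    $n = $reader.Read($buf, 0, $buf.Length)
                    if ($n -le 0) { break }           # 0 means the remote side closed
                    [void]$transcript.Append($buf, 0, $n)
                }
            } catch [System.IO.IOException] { }
        }

        & $drain                                       # banner and first prompt
        foreach ($cmd in $Commands) {
            [void]$transcript.AppendLine(">>> $cmd")   # mark what we sent
            $writer.WriteLine($cmd)
            & $drain
        }
        return $transcript.ToString()
    }
    finally {
        $client.Close()
    }
}

# Usage (port and the DEBUG syntax are assumptions; fill in the stream's password):
# Invoke-LineService -ComputerName 10.10.10.178 -Port <port> `
#     -Commands @('HELP', 'DEBUG <password>', 'HELP', 'SETDIR ..')
```

The drain loop deliberately relies on the read timeout rather than looking for a prompt string, so it works against any line-oriented service whose prompt we have not yet characterised; if the service is slow, raise -ReadTimeoutMs rather than dropping replies.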
We recognise HQK_Config.xml, as we have a backup of it in the HQK Reporting share directory. Viewing its contents and comparing it to the backup, we find the backup is missing the DebugPassword setting:
Let's add that to our backup, as we may need it later with HqkLdap.exe.
Looking into the LDAP directory we find HqkLdap.exe and a .conf file we haven't seen before:
Viewing the file we see another encrypted password:
Let's add the username and password to the RU_Config.xml read by the Visual Basic project and see if we can decrypt it the same way.
When attempting to decrypt we get a padding error! With a block cipher that means the last block decrypted to invalid padding, which is what you see when the key or IV is wrong rather than when the ciphertext is malformed, so the parameters in the project are not the ones used for this value. I think it's about time we take a look at HqkLdap.exe and see what it does.
On inspection we see it does a few things but something that catches our eye is the encryption function:
This looks familiar. It looks a lot like the inputs to the Decrypt function in DbPof.exe.
Let’s go see:
Sure enough, in Utils.vb we see the Decrypt function being called with six arguments, exactly the number the CR.RD function takes. Let's swap HqkLdap.exe's values in as the inputs to DbPof.exe and run to our breakpoint again:
And we uncover the password XtH....nGX.
Now, using this password we can access the C$ administrative share, which tells us the account has administrative rights, and grab the root flag from there…
But I have missed an interactive shell throughout this machine, so let's finish off with one:
Nest was an interesting machine. It was quite a CTF-y machine, but I enjoyed it. Some people don't like that, but I feel that it gets you thinking at least. I wouldn't mind hearing what you thought about this box, so find me on the various social media and hit me up!