Hack The Box Nest Writeup – 10.10.10.178

Hack The Box Nest Writeup – 10.10.10.178

Hack the box Nest (IP: 10.10.10.178) is a new Windows-based machine recently released and owned like nothing. I believe most early users used the unintended method which confirmed by the author VBScrub himself. Some of the users even mentioned that they owned the system before they get the user flag.

However, from Discord, I come to know that the unintended way to own the box is using Metasploit is not working anymore, as the guys at HTB has patched the machine.

Last week I was a bit occupied at work so, I had no time to work on the recent Linux machine Patents. I tried a couple of times last weekend but seemed quite hard, hence I decided to discard it for a while and decided to start with the Nest windows machine that released after Patents. To be honest, after 17-18 years of working in the only Windows environment, I’m more comfortable with Windows than Linux.

Reconnaissance

I recently got to know about a tool called AutoRecon. A nice tool that performs automated enumeration of services of any given IP. This actually gives a nice report in a text format with properly categorized results in the different directories.

Before letting AutoRecon to the task, I used our good old friend nmap to initiate the scan. The scan result shows two open ports (SMB 2: 445 and port 4386).

In the next step, I used AutoRecon and here are the results:

The tool actually automated all the recon process, it ran SMBClient command and listed.

I found a lot of SMB share, in one of the shares, there is a Welcome Email.txt file that seemed to be an email template HR used to send to the newly joined employees. The Template has a default username and password, tempuser:welcome2019

Since I have a default user’s credentials, I started to enum the box, I found an interesting XML config file inside \IT\Configs\RU Scanner\. The file actually had credentials of a user C.Smith in an encrypted format.

c.smith:fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=

I spent a few minutes to decrypt the password using online tools, but nothing helped me, so I decided to spend time on the machine instead. I spent some time on the machine, as I was hinted to find helpful files inside the data/IT/Carl/VB Projects folder, so I did.

The folder NotepadPlusPlus contains two XML files. One of those is config.xml has a code snippet at the end of the file that lists the user’s file access history. The list shows that the TempUser had accessed a file called “Temp.txt” from the shared folder of another user “Carl”. When I tried to list the directories inside the IT folder, I was denied permission, however, I was able to list the contents of Carl directly.

Getting User

Since the machine is too buggy at this point, I decided to download the whole “VB Projects” folder to my machine and find out the hint. The VB project folder contains two subdirectories, Production, and WIP. The WIP contains a Visual basic project called “RUSScanner”. I copied the whole folder to my Windows host machine and open the project using MS Visual Studio.

While going through the code I noticed this program is a decrypter and possibly I will be able to decrypt the password of C.Smith I found earlier.

When I debug the project, I had the below error. There is a config file that needs to be loaded first, I couldn’t find the config file, so I disabled it and from the main module, and I add the username and password I found.

My edited main function in the Module1 looks like below. After modifying the code I added a breakpoint at End Sub so the debug stops at this breakpoint and I have the password decrypted.

I now have the password of user C.Smith:xRxRxPANCAK3SxRxRx.

Rooting Process

The user C.Smith has a directory called “HQK Reporting”, inside there are a couple of files and a folder that seemed interesting, let us download.

Alternate Data Streams (ADS):

The file “Debug Mode Password.txt” inside the HQK Reporting is an example of Windows Alternate Data Stream file attributes. In the ADS the content actually inside the $Data is always empty. If you notice the file ” Debug Mode Password.txt ” is actually a “0” size file, but the file contains the password for Debug Mode.

To open/ read the file, the file needs to be downloaded directly from Windows, if you download the file from your *nix machine, you will lose the content and the file becomes unworthy.

I used Windows drive-map feature to map the drive (//10.10.10.178/Users/C.Smith/) and directly download the file to my host machine. The below PowerShell command -Stream * will show the hidden stream name. The PowerShell command revealed the Stream name as “Password” In the next command use “type” to read the actual password. In our case, the password is: WBQ201953D8w

I used telnet to connect the machine on the second port (4386) we discovered in the initial port scan. After connecting to telnet I used to debug password to enable debug mode.

I noticed the LDAP directory and set it as my current directory. After listing the contents of the directory I noticed 2 files: [1] HqkLdap.exe and [2] Ldap.conf. I used the SHOWQUERY command to read the LDAP.conf file. Here we have the Administrator’s encrypted credentials. Another hurdle.

Compiling the binary

The Administrator password can be decrypted using the binary file inside the user C.Smith’s directory. This binary file can be download to your Windows machine using the Windows network drive mapping feature or from the “net view” command from the command prompt.

I download the file using the drive map to a folder on my desktop. The binary file can be compiled using any binary compiler.

I open the file using my debugger and start analyzing MainModule(). The two warning messages in below screenshot caught my eyes:

To run the binary we need 2 main things, else the binary will fail. We need a config file and a file called “HqDbImport.exe”. Config file was inside the LDAP directory, this can be easily copied to notepad and I can make a duplicate one. But, I couldn’t find the HqDbIport.exe, I checked the arguments of the binary files but I didn’t find anywhere this file was called after the MainModule. So I decided to make a duplicate copy of HqkLdap.exe and renamed it as HqDbImport.exe and placed it in a separate folder. I made a .config file using the content below.

So, now I have 3 files inside the new folder ready to be run to decrypt the Administrator password:

After running the binary from command prompt I got the Administrator password decrypted immediately.

Administrator:XtH4nkS4Pl4y1nGX

Now, I’m at the last step before getting into the root of the system. I use Impacket/PSExec to login to the system.

That’s it, thank you for reading. I have skipped a couple of steps as I forgot to take screenshots, those are just straight forward binary reverse which you can do it using any compiler. Edit method and recompile.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523

View all posts by Navin →
Subscribe
Notify of
guest
15 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Akashsky
Akashsky
6 months ago

One more fast way to ADS file directly from smb
~$ allinfo
it will list all data stream content.
in this case “Debug Mode Password.txt::Password:”$DATA
just remove the “:”
~$ get “Debug Mode Password.txt:Password:$DATA”
you will directly get the contents.

domedfd
5 months ago

which debugger do you recommend using to open the HqkLdap.exe file?

Domenico Delvalle
Domenico Delvalle
Reply to  Navin
5 months ago

Wow! that great!
It is very good dspy! Tanks 🙂
one more question
What compiler to use to compile in .exe? I tried to execute the command “HqkLdap.exe Ldap.conf” with the three files but it did not bring me the password, is that why we need to compile? I saw in your screenshot that your file has the name HqkLdap2.exe and also that it has a smaller size.

cyb3reagle
cyb3reagle
Reply to  domedfd
5 months ago

on Linux u can use ISLpy.

ceracas
5 months ago

HI Bro, whats prompts you to copy the exe file and name it HQKDbimport.exe ? only asking if we have the same idea why, thanks

trackback
5 months ago

[…] Hack The Box Nest Writeup – 10.10.10.178 […]

Arsenio Aguirre
Arsenio Aguirre
4 months ago

Hi, I have tested nmap to discovery open ports and it just shows 445. I dont know why it just shows a port.

Arsenio Aguirre
Arsenio Aguirre
4 months ago

For Mac, what.debugger can I use?

cyruslab
3 months ago

Hi, I just got the root of nest. For the root, the hardest was the ntfs alternate stream, I notice it when i did the allinfo in the smb shares, I downloaded the 0 byte file before but i remove it thinking that it was empty. I read the file with more by putting a colon and add the name of the stream and i got the password for debug, after that getting to root was easy; though I did the entire thing through smbclient by login as administrator, at first i went to the user share and downloaded a… Read more »

cyruslab
3 months ago

I am using ILspy for .net decompiler which can be run on my kali linux hence I do not require Win10 VM for doing dnSpy any more.

Sorry, that action is blocked.
%d bloggers like this: