1. PORTSCAN
Starting with the Nmap scan, I found only one open port, 445. Windows uses this port for SMB (file sharing).
2. USER
2.1 SMB-ENUMERATION
I used smbclient to check the shared files and found two files that are accessible to any anonymous user.
1. "Maintainance Alert.txt" (Data/Shared/Maintainance/)
2. "Welcome Mail.txt" (Data/Shared/Templates/HR)
- smbclient -L //10.10.10.178/
- smbclient //10.10.10.178/Data
In "Welcome Email.txt" I found the credentials of one of the users (TempUser). I saved them in the "cred_tempuser.txt" file and then logged in as TempUser.
I found a file "RU_config.xml" that contains the creds of another user ("c.smith"), and also another file "config.xml" under the "notepadplusplus" directory. The password of c.smith is encrypted.
1. RU_config.xml (/Data/IT/Configs/"RU Scanner")
2. config.xml (Data/IT/Configs/Notepadplusplus/)

This config.xml file contains the path of a VB script file named "utils.vb" under the user carl. This VB file is the key to decrypting the password of c.smith.

2.2 REVERSING
Then I copied the decrypt function from utils.vb and compiled it with an online compiler, https://dotnetfiddle.com (tip: just pass the encoded password when calling the decrypt function from main()). On successful execution, we get the password of c.smith. I added the username and password to the "creds_csmith.txt" file and then tried to log in through smbclient.
password: xRxRxPANCAK3SxRxRx
Now we can grab the user.txt flag.
3 ROOT
3.1 SMB-ENUMERATION
The file "Debug Mode Password.txt" appears empty (0 bytes), but it does contain something: an alternate data stream (ADS). Running allinfo on this file shows a stream holding 15 bytes of data.
- allinfo "Debug Mode Password.txt"
Reading the ADS data as:
- get "Debug Mode Password.txt:PASSWORD:$DATA"
Password: WBQ201953D8w
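An added helper, not part of the original writeup: it parses the `stream:` lines of smbclient's allinfo output and reports any named data stream, which is how a file that lists as 0 bytes can still carry hidden content. The sample output below is constructed to match the format smbclient prints; only the stream name and the 15-byte size come from the writeup.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `allinfo "Debug Mode Password.txt"` output. The
# timestamps and altname are made up; the shape follows smbclient's format.
SAMPLE_ALLINFO = """\
altname: DEBUGM~1.TXT
create_time:    Thu Aug  8 18:06:12 PM 2019 EDT
access_time:    Thu Aug  8 18:06:12 PM 2019 EDT
write_time:     Thu Aug  8 18:06:12 PM 2019 EDT
change_time:    Thu Aug  8 18:06:12 PM 2019 EDT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:PASSWORD:$DATA], 15 bytes
"""

# One line per stream: "stream: [:<name>:$DATA], <size> bytes".
# The unnamed default stream shows up as "[::$DATA]" (empty name).
STREAM_RE = re.compile(
    r"^stream:\s*\[:(?P<name>[^:\]]*):\$DATA\],\s*(?P<size>\d+)\s+bytes",
    re.MULTILINE,
)


def parse_streams(allinfo: str) -> Dict[str, int]:
    """Map each $DATA stream name to its size in bytes ('' = default stream)."""
    return {m.group("name"): int(m.group("size"))
            for m in STREAM_RE.finditer(allinfo)}


def hidden_streams(allinfo: str) -> List[Tuple[str, int]]:
    """Return the alternate (named) streams, i.e. data the listed size hides."""
    return [(name, size) for name, size in parse_streams(allinfo).items()
            if name != ""]


def audit(filename: str, allinfo: str) -> List[str]:
    """Build review findings for a file; an ADS on a share is worth a look."""
    findings = []
    for name, size in hidden_streams(allinfo):
        findings.append(f'{filename}: alternate stream "{name}" holds {size} bytes '
                        f'(fetch with get "{filename}:{name}:$DATA")')
    return findings


if __name__ == "__main__":
    for line in audit("Debug Mode Password.txt", SAMPLE_ALLINFO):
        print(line)
```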
The file "HQK_Config_Backup.xml" has information about a port, 4386, so I used telnet to connect to it.
3.2 TELNET-ENUMERATION
On typing "help" I noticed some options; one of them, DEBUG, requires a password. Remember we found a password in "Debug Mode Password.txt". I used that password and it worked. As a result, I unlocked more options to execute some queries.
I found two interesting files.
1. HqkLdap.exe
2. Ldap.conf
3.3 REVERSING
The ldap.conf file contains the creds of Administrator, but the password is encoded. Using the same approach as I did for the c.smith user, I decompiled the HqkLdap.exe file with the JustDecompile tool and found C# code that decrypts and encrypts the ciphertext and plaintext respectively.
Using the same online compiler I decrypted the encrypted password.
Now, I have the password of the administrator. So I simply logged in using smbclient and finally grabbed the root.txt flag.