The first thing we should do is map the box’ IP address to the box’ name .htb in the
Next up we will run a standard NMAP scan. We get results back for 2 ports: 445 Microsoft-ds open and 4386 unknown open.
Port 445 will most likely be SMB, if we look closer at port 4386 we can see it runs some sort of Reporting Service which allows us to run queries against databases using the legacy HQK format. A list of available commands is also provided.
Since we can’t immediatly do something useful with port 4386, let’s have a look at port 445 SMB first. We can enumerate SMB with tools like smbclient or smbmap.
smbmap -H 10.10.10.178 -u root
We can see a
Data and a
Users share to which we have read access.
Let’s mount the SMB filesystem so we can browse it more easily via our terminal, we can do this using the Common Internet File System (CIFS).
mount -t cifs //10.10.10.178/Data /mnt/smb/
With the filesystem mounted we can now freely browse around. If we check the
HR directory we find a file called
'Welcome Email.txt'. The emails tells us we can find our home folder in
\\HTB-NEST\Users\<USERNAME> and also contains some default credentials
Armed with some credentials, we can try to remount the
Data share using the credentials we found.
mount -t cifs //10.10.10.178/Data /mnt/smb/ -o username=TempUser
Continuing with our search, we find a file called
RU_config.xml. The file contains a new username
c.smith and password
fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE= and a reference to port 389, which is commonly used by the LDAP protocol.
If we have a quick look at the password, it seems to be base64 encoded. This however is not the case, we will come back to this later. When we base64 decode the password we find
}13=XJBAX*Wcf?βc, but online decoders fail to successfully decode the password.
With some more enumeration we also stumble upon a file called
Notepadplusplus which contains the notepad++ history. The file references a hidden SMB share called
HTB-NEST to the
10.10.10.178 HTB-NEST nest.htb
Now we can mount the hidden share using the TempUser credentials.
mount -t cifs \\\\HTB-NEST\\Secure$\\IT\\Carl /mnt/smb -o username=TempUser
In the secret share we find a Visual Basic Project called RU in
temp/'VB Projects'/WIP/RU. Let’s copy the project
cp -R tmp/'VB Projects'/WIP and move it to a Windows machine, because it is a lot easier to work with .NET code in a proper IDE like Visual Studio.
Decrypting C.Smith credentials with RU Scanner
After copying over all the files and the
RU_config.xml file we have the following structure on our Windows machine:
After opening the solution in Visual Studio we modify the code to read and decrypt the password from the
We make sure to add the
RU_Config.xml file to the project and set the Copy to Output Directory property to
Now if we build and run the project using the CTRL + F5 shortcut, it outputs the decrypted password
Getting user through SMB enumeration of the Users share
With the newly decrypted credentials, we can mount the Users share
mount -t cifs //10.10.10.178/Users /mnt/smb/ -o username-C.Smith
and grab the user flag.
We also find
HQK_Config_Backup.xml. The config file gives us a path to the directory where all queries are stored and a reference to port 4386 which we found earlier using nmap. Let’s leave SMB alone and explore port 4386.
Using Telnet we can connect to the service on port 4386. We can list available queries and files with the
LIST command and traverse directories upwards using
Finding the debug password
To be able to view the contents of files and use the full functionality on port 4386, we need to find a debug password. During our earlier SMB enumeration of the
Users share we found a file called
Debug Mode Password.txt in
\C.Smith\HQK Reporting\ which appeared to be empty. A common technique used on Windows to hide information in files, is to use the alternate data stream (ADS). There are a couple of ways to check if a file has an ADS. Because I prefer to do Windows things on a Windows machine, I’ll be switching back to my Windows box. However I’ll also cover how you can find and read the ADS in Linux below.
On Windows we can open a command prompt and run it as the
runas /netonly /user:C.Smith cmd xRxRxPANCAK3SxRxRx
Next we can use
/R parameter to call
FindNextStreamW on each file and directory in the listing.
dir /R "\\10.10.10.178\Users\C.Smith\HQK Reporting\Debug Mode Password.txt"
As expected, we find an ADS called
Password. We can read the ADS using
type and specifiying the name of the ADS after the filename with a semi-colon.
type "\\10.10.10.178\Users\C.Smith\HQK Reporting\Debug Mode Password.txt:Password"
We find the debug password
To achieve the same in Linux, we can use a tool called smbclient.
smbclient -U C.Smith "//10.10.10.178/Users/" -c 'allinfo "\C.Smith\\HQK Reporting\\Debug Mode Password.txt"'` smbclient -U C.Smith "//10.10.10.178/Users/ -c 'get "\C.Smith\\HQK Reporting\\Debug Mode Password.txt:Password"'
Using debug mode to find the administrator credentials
Now that we have the debug mode password, we can go back to our service on port 4386 and enable debug mode.
In debug mode we have access to some new queries, with the
showquery command we can list the contents of files.
Browsing around the filesystem, we navigate up to the
HQK directory, and into the
LDAP directory. If we do a
LIST we can see there are two files inside, namely
HqKLdap.exe which we also found earlier on the SMB shares, and
Ldap.conf. We can use the
showquery 2 command to view the contents of
Ldap.conf. The configuration file contains the encrypted password for the Administrator account on the
Inspecting and decompiling HqkLdap.exe to decrypt the Administrator password
We will move the
HqkLdap.exe file we found in the SMB share over to our Windows machine and throw it into Ghidra to look at the defined strings. We are looking for values to use in the decryption routine
Utils.Decrypt in the
RU Scanner project.
HqkLdap.exe with dotPeek gives us a better idea of what we are looking for.
We can now adapt our
RU Scanner project to decrypt the Administrator password using the values we found. We find
Getting root through SMB and psexec.py
We can now mount the SMB
C$\Users share with Administrator privileges.
mount -t cifs //10.10.10.178/C$/Users /mnt/smb/ -o username=Administrator
Using impacket’s psexec.py we can escalate to nt authority\system, which is Window’s equivalent of root.
From there on it is easy to grab root flag!