Nest - HackTheBox

基本信息

• https://www.hackthebox.eu/home/machines/profile/225

• 10.10.10.178

端口扫描

windows服务器，两个端口，没有web：

445

enum4linux没什么结果，smb能直接匿名连接：

发现两个txt文件：

下载下来查看内容，得到一组账号密码：

Username: TempUser
Password: welcome2019

TempUser

使用TempUser登录，查看信息, 下载文件：

config

能够发现两个config文件：

IT/Configs/NotepadPlusPlus/config.xml
IT/Configs/RU Scanner/RU_Config.xml

密码是加密的，还需要进一步的信息去解密

根据config中的history，能够看到Secure$目录相关，我们把这个目录也下载下来

Secure$

这里IT目录是没有权限的，只看Carl就可以：

在VB项目目录发现是对前面的RU_config做加解密操作的代码：

decrypt

代码里加一行输出，自己用VS运行解密操作或者直接用这个在线的：

https://dotnetfiddle.net/

Imports System.Text
Imports System.Security.Cryptography
Public Class Utils
	Public Class ConfigFile
    Public Property Port As Integer
    Public Property Username As String
    Public Property Password As String

    Public Sub SaveToFile(Path As String)
						Using File As New System.IO.FileStream(Path, System.IO.FileMode.Create)
            Dim Writer As New System.Xml.Serialization.XmlSerializer(GetType(ConfigFile))
            Writer.Serialize(File, Me)
        End Using
    End Sub

    Public Shared Function LoadFromFile(ByVal FilePath As String) As ConfigFile
        Using File As New System.IO.FileStream(FilePath, System.IO.FileMode.Open)
            Dim Reader As New System.Xml.Serialization.XmlSerializer(GetType(ConfigFile))
            Return DirectCast(Reader.Deserialize(File), ConfigFile)
        End Using
    End Function
  
End Class
    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function Decrypt(ByVal cipherText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                    ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                           As String
        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)
        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)
        Dim cipherTextBytes As Byte()
		cipherTextBytes = System.Convert.FromBase64String(cipherText)
        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                           saltValueBytes, _
                                           passwordIterations)
        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))
        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC
        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)
				Dim memoryStream As System.IO.MemoryStream
				memoryStream = New System.IO.MemoryStream(cipherTextBytes)
        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)
        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)
        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)
        memoryStream.Close()
        cryptoStream.Close()
        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                            0, _
                                            decryptedByteCount)
	System.Console.WriteLine(plainText)
	Return plainText
    End Function

Public Class SsoIntegration
    Public Property Username As String
    Public Property Password As String
End Class
    
    Sub Main()
		Dim test As New SsoIntegration With {.Username = "c.smith", .Password = Utils.DecryptString("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=")}
    End Sub
End Class

解出来密码 xRxRxPANCAK3SxRxRx：

user flag

使用c.smith账号登录，得到user.txt:

提权信息

注意到还有个HQK目录，下载下来，两个可能有用的文件：

但需要注意直接下载下来的password大小是0，查看是空，搜索资料发现是AlternateData Streams，config中4386端口就是前面nmap结果中有的, HQK服务：

• windows - Read alternate data streams over SMB with Linux - Super User
  https://superuser.com/questions/1520250/read-alternate-data-streams-over-smb-with-linux

➜  HQK Reporting cat Debug\ Mode\ Password.txt:Password:\$DATA
WBQ201953D8w
➜  HQK Reporting cat HQK_Config_Backup.xml
<?xml version="1.0"?>
<ServiceSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>4386</Port>
  <QueryDirectory>C:\Program Files\HQK\ALL QUERIES</QueryDirectory>
</ServiceSettings>

HQK

telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.

HQK Reporting Service V1.2

>help
This service allows users to run queries against databases using the legacy HQK format
--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
>DEBUG WBQ201953D8w     
Debug mode enabled. Use the HELP command to view additional commands that are now available
>help
This service allows users to run queries against databases using the legacy HQK format
--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>
>setdir ..
Current directory set to HQK
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
 QUERY FILES IN CURRENT DIRECTORY
[DIR]  ALL QUERIES
[DIR]  LDAP
[DIR]  Logs
[1]   HqkSvc.exe
[2]   HqkSvc.InstallState
[3]   HQK_Config.xml
Current Directory: HQK
>setdir LDAP
Current directory set to LDAP
>list   
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
 QUERY FILES IN CURRENT DIRECTORY
[1]   HqkLdap.exe
[2]   Ldap.conf
Current Directory: LDAP
>showquery 2
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

得到Administrator用户的密码密文

Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

反编译 解密

同目录还有个exe，这个是解密用的，对其进行反编译, 注意这个文件路径，不需要考虑通过HQK下载文件，前面已经得到了：

反编译工具

https://github.com/0xd4d/dnSpy

这里需要windows机器进行操作,查看代码找到解密的功能后，在return之前插入代码, 输出明文密码。运行时需要同目录下需要有一个名为HqkDbImport.exe

password ： XtH4nkS4Pl4y1nGX

root flag

使用这个密码登录Administrator账号，得到root.txt:

参考资料

• windows - Read alternate data streams over SMB with Linux - Super User
  https://superuser.com/questions/1520250/read-alternate-data-streams-over-smb-with-linux
• https://github.com/0xd4d/dnSpy
• Hackthebox——Nest
  https://mp.weixin.qq.com/s/4UM3HIb9mp1--e7jO8esFQ
• Hack the Box Walkthrough: Nest | attactics - offensive security
  https://attactics.org/walkthroughs/hack-the-box-walkthrough-nest/