Basic information

Port scanning

A Windows server with two open ports and no web service:

445

enum4linux returns little of interest, but SMB accepts anonymous (null-session) connections:

Two txt files are visible:

Downloading and reading them yields a set of credentials:

Username: TempUser
Password: welcome2019

TempUser

Log in as TempUser, look around the shares, and download the files:

config

Two config files turn up:

IT/Configs/NotepadPlusPlus/config.xml
IT/Configs/RU Scanner/RU_Config.xml

The password in RU_Config.xml is encrypted; more information is needed before it can be decrypted.

The file history in the Notepad++ config.xml references the Secure$ share, so download that directory as well.

Secure$

Inside it the IT directory is not readable with this account; only Carl needs looking at:

The VB project directory contains the code that encrypts and decrypts the RU_Config values seen earlier:

decrypt

Add one line of output to the code and run the decryption yourself in Visual Studio, or paste it into this online compiler:

https://dotnetfiddle.net/

Imports System.Text
Imports System.Security.Cryptography

Public Class Utils
    Public Class ConfigFile
        Public Property Port As Integer
        Public Property Username As String
        Public Property Password As String

        Public Sub SaveToFile(Path As String)
            Using File As New System.IO.FileStream(Path, System.IO.FileMode.Create)
                Dim Writer As New System.Xml.Serialization.XmlSerializer(GetType(ConfigFile))
                Writer.Serialize(File, Me)
            End Using
        End Sub

        Public Shared Function LoadFromFile(ByVal FilePath As String) As ConfigFile
            Using File As New System.IO.FileStream(FilePath, System.IO.FileMode.Open)
                Dim Reader As New System.Xml.Serialization.XmlSerializer(GetType(ConfigFile))
                Return DirectCast(Reader.Deserialize(File), ConfigFile)
            End Using
        End Function
    End Class

    ' Passphrase, salt, iteration count and IV are all hard-coded: anyone holding this
    ' source (or the compiled binary) can decrypt every password the tool ever stored.
    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    ' Base64 ciphertext -> PBKDF2-HMAC-SHA1 key (Rfc2898DeriveBytes) -> AES-CBC -> ASCII plaintext
    Public Shared Function Decrypt(ByVal cipherText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                   ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                                   As String
        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)
        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)
        Dim cipherTextBytes As Byte()
        cipherTextBytes = System.Convert.FromBase64String(cipherText)
        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)
        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))   ' 256 bits -> 32-byte AES key
        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC                 ' default padding is PKCS7
        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)
        Dim memoryStream As System.IO.MemoryStream
        memoryStream = New System.IO.MemoryStream(cipherTextBytes)
        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)
        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)
        Dim decryptedByteCount As Integer
        ' CryptoStream strips the PKCS7 padding, so the count is the real plaintext length
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)
        memoryStream.Close()
        cryptoStream.Close()
        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                             0, _
                                             decryptedByteCount)
        ' The one line added for this walkthrough: print the recovered plaintext
        System.Console.WriteLine(plainText)
        Return plainText
    End Function

    Public Class SsoIntegration
        Public Property Username As String
        Public Property Password As String
    End Class

    ' The entry point must be Shared when it lives in a Class rather than a Module
    Public Shared Sub Main()
        Dim test As New SsoIntegration With {.Username = "c.smith", .Password = Utils.DecryptString("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=")}
    End Sub
End Class

The decrypted password is xRxRxPANCAK3SxRxRx. Note why this works at all: the passphrase, salt, IV and a PBKDF2 iteration count of 2 are fixed in the binary, so the "encryption" protects nothing against anyone who can read the application itself.
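As an added example (not code from the original post or from the RU Scanner project), the same routine re-implemented in Python so it can be run without Visual Studio or dotnetfiddle. Rfc2898DeriveBytes is PBKDF2 with HMAC-SHA1 and AesCryptoServiceProvider defaults to PKCS7 padding, so the standard-library hashlib plus the `cryptography` package (assumed installed) reproduce it exactly. The function takes the same six parameters as Utils.Decrypt, so it also decrypts the Administrator ciphertext from Ldap.conf later on, once the corresponding constants have been read out of HqkLdap.exe in dnSpy; those constants are not on this page and are not assumed here.

```python
import base64
import hashlib
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


def _derive_key(pass_phrase, salt_value, iterations, key_size):
    # Rfc2898DeriveBytes == PBKDF2-HMAC-SHA1; the salt is the ASCII bytes of the
    # string, exactly as Encoding.ASCII.GetBytes(saltValue) produces in the VB code.
    return hashlib.pbkdf2_hmac("sha1", pass_phrase.encode("ascii"),
                               salt_value.encode("ascii"), iterations, key_size // 8)


def dotnet_decrypt(cipher_text_b64, pass_phrase, salt_value, iterations,
                   init_vector, key_size=256):
    """Python twin of Utils.Decrypt: Base64 -> AES-CBC -> strip PKCS7 -> ASCII."""
    iv = init_vector.encode("ascii")
    if len(iv) != 16:
        raise ValueError("AES-CBC needs a 16-byte IV, got %d bytes" % len(iv))
    key = _derive_key(pass_phrase, salt_value, iterations, key_size)
    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(base64.b64decode(cipher_text_b64)) + decryptor.finalize()
    # CryptoStream removes the PKCS7 padding on read; do the same explicitly here.
    unpadder = padding.PKCS7(128).unpadder()
    return (unpadder.update(padded) + unpadder.finalize()).decode("ascii")


def dotnet_encrypt(plain_text, pass_phrase, salt_value, iterations,
                   init_vector, key_size=256):
    """Mirror of dotnet_decrypt, handy for checking that a parameter set round-trips."""
    iv = init_vector.encode("ascii")
    key = _derive_key(pass_phrase, salt_value, iterations, key_size)
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plain_text.encode("ascii")) + padder.finalize()
    encryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return base64.b64encode(encryptor.update(padded) + encryptor.finalize()).decode("ascii")


# The constants hard-coded in Utils.DecryptString of the RU Scanner source above.
RU_SCANNER_PARAMS = dict(pass_phrase="N3st22", salt_value="88552299", iterations=2,
                         init_vector="464R5DFA5DL6LE28", key_size=256)


def decrypt_ru_password(cipher_text_b64):
    return dotnet_decrypt(cipher_text_b64, **RU_SCANNER_PARAMS)


if __name__ == "__main__":
    # Password field of c.smith from IT/Configs/RU Scanner/RU_Config.xml
    print(decrypt_ru_password("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE="))
```

The encrypt side is there so you can confirm a parameter set you pulled from a decompiled binary before trusting the plaintext it gives you: if a round trip does not come back clean, the salt, IV or iteration count was misread.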

user flag

Log in over SMB as c.smith to get user.txt:

Privilege escalation information

There is also an HQK directory; download it. Two files look useful:

Note that the password file downloads as 0 bytes and appears empty: the password is stored in an NTFS alternate data stream named Password rather than in the file's main $DATA stream (smbclient's allinfo command lists a file's streams). Port 4386 in the config is the other port from the nmap scan, the HQK service:

➜  HQK Reporting cat Debug\ Mode\ Password.txt:Password:\$DATA
WBQ201953D8w
➜ HQK Reporting cat HQK_Config_Backup.xml
<?xml version="1.0"?>
<ServiceSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Port>4386</Port>
<QueryDirectory>C:\Program Files\HQK\ALL QUERIES</QueryDirectory>
</ServiceSettings>

HQK

telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.

HQK Reporting Service V1.2

>help
This service allows users to run queries against databases using the legacy HQK format
--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
>DEBUG WBQ201953D8w
Debug mode enabled. Use the HELP command to view additional commands that are now available
>help
This service allows users to run queries against databases using the legacy HQK format
--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>
>setdir ..
Current directory set to HQK
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[DIR] ALL QUERIES
[DIR] LDAP
[DIR] Logs
[1] HqkSvc.exe
[2] HqkSvc.InstallState
[3] HQK_Config.xml
Current Directory: HQK
>setdir LDAP
Current directory set to LDAP
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[1] HqkLdap.exe
[2] Ldap.conf
Current Directory: LDAP
>showquery 2
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

This gives the encrypted password of the Administrator user.
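The session above can be scripted. As an added example (not code from the original post and not part of the HQK service), here is a small Python client that drives the service over TCP/4386, enables debug mode, walks to the LDAP directory and parses the Ldap.conf key=value lines into a dict. It assumes the service ends every reply with CRLF followed by the `>` prompt, as the telnet transcript shows. So that it runs offline, the block also contains a constructed stand-in server that replays the replies from the transcript; on the box, point `fetch_ldap_conf` at the real host instead.

```python
import socket
import threading

PROMPT = b"\r\n>"   # assumption: the service prints its prompt right after a CRLF


class HqkClient:
    """Minimal line-oriented client for the HQK Reporting Service."""

    def __init__(self, host, port=4386, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.banner = self._read_until_prompt()

    def _read_until_prompt(self):
        buf = b""
        while not buf.endswith(PROMPT):
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("HQK service closed the connection")
            buf += chunk
        return buf[:-len(PROMPT)].decode("ascii", errors="replace")

    def cmd(self, line):
        self.sock.sendall(line.encode("ascii") + b"\r\n")
        return self._read_until_prompt()

    def close(self):
        self.sock.close()


def parse_kv(text):
    """Turn 'Key=Value' lines (as SHOWQUERY prints Ldap.conf) into a dict."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def fetch_ldap_conf(host, debug_password, port=4386):
    client = HqkClient(host, port)
    try:
        reply = client.cmd("DEBUG " + debug_password)
        if "Debug mode enabled" not in reply:
            raise RuntimeError("DEBUG rejected: " + reply.strip())
        client.cmd("SETDIR ..")        # from ALL QUERIES up to HQK
        client.cmd("SETDIR LDAP")
        return parse_kv(client.cmd("SHOWQUERY 2"))   # [2] Ldap.conf
    finally:
        client.close()


# Constructed stand-in for the real service, replaying the replies from the session
# shown above so the client can be exercised offline. Keys are the exact commands sent.
FAKE_REPLIES = {
    "DEBUG WBQ201953D8w": "Debug mode enabled. Use the HELP command to view additional commands that are now available",
    "SETDIR ..": "Current directory set to HQK",
    "SETDIR LDAP": "Current directory set to LDAP",
    "SHOWQUERY 2": "Domain=nest.local\r\nPort=389\r\n"
                   "BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local\r\n"
                   "User=Administrator\r\n"
                   "Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=",
}


def _fake_hqk_server(listener):
    conn, _ = listener.accept()
    with conn:
        conn.sendall(b"\r\nHQK Reporting Service V1.2\r\n" + PROMPT)
        for raw in conn.makefile("rb"):
            command = raw.decode("ascii", errors="replace").strip()
            reply = FAKE_REPLIES.get(command, "Unknown command")
            conn.sendall(reply.encode("ascii") + PROMPT)


def run_demo():
    """Run the client against the fake server on an ephemeral local port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    threading.Thread(target=_fake_hqk_server, args=(listener,), daemon=True).start()
    try:
        return fetch_ldap_conf("127.0.0.1", "WBQ201953D8w", port)
    finally:
        listener.close()


if __name__ == "__main__":
    print(run_demo())
```

Reading until the prompt rather than a fixed number of lines is what keeps this robust when a reply (a multi-line query file, for instance) is split across several TCP segments.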


Decompile and decrypt

The same directory holds an exe that does the decryption; decompile it. Note the file path: there is no need to pull it through the HQK service, because the HQK directory was already downloaded over SMB earlier:

Decompiler

https://github.com/0xd4d/dnSpy

This step needs a Windows machine. Locate the decryption routine in the decompiled code and insert a line before its return that prints the plaintext. At runtime the binary expects a file named HqkDbImport.exe in the same directory, so create one there before running it.

password : XtH4nkS4Pl4y1nGX

root flag

Log in as Administrator with this password to get root.txt:

References