Hack The Box - Nest - Write-up

Welcome to my blog!

Today Nest is just retired on Hack The Box. In this post, I will write about my way to root this box, the first Windows machine I own. Although, the author determined that it's an easy box, many players and me feel that Nest's difficulty should be medium due to heavy enumeration and a somehow forgotten feature on Windows.
As you could guess, Nest indicates the nested enumerating works needed to go through this box.

Port scanning

First of all, I use nmap to scan all TCP ports of Nest.

As you see, only 2 ports are opening. Port 445 is definitely SMB and the other seams to be a customized service. I try to search for "HQK format" on Google but find nothing. So, I decided to enumerate the SMB service first.

Initial access

First, I use enum4linux to enumerate the service on port 445. There is only one thing useful: the server allows anonymous login on the SMB service.

Here we can use smbclient or smbmap to access port 445. In this post, I will use smbclient to manually attack the box.

In the image above, I list all shared folders on Nest. There is a few folders I can access with the anonymous user, among them is Data. I then download all files I can access on the shared folder Data to my local machine by using smbclient (you can use smbmap as well). So, I can find some juicy information locally.

My guess is true, there is an email template file contains credentials of the user TempUser.

Own user

With the first credentials, I try to re-enumerate all shared folders of Nest and found another pair of credentials inside Data.

Unfortunately, the password seems to be an encrypted password, not a simple base64 encode. I tried to log in directly with that password but no luck. I think we must find a way to decrypt it and the key may be in another file here or another shared folder. Then I re-check all files I have now and found a Notepad++ config file with the history of opened files. It refers to a file in the shared folder Secure$.

Turn back to Secure$, at first glance it seems that we both C.Smith and TempUser don't have any authorization here. But who knows that the subfolders maybe have looser access control? It turns out that I'm true and we can access the folder IT/Carl/.

Inside this folder is the source code of RU Scanner, which has the config file with the encrypted password of C.Smith above. After downloading all files inside Secure$/IT/Carl/, I find a decrypt function inside Utils.vb.

We don't need to analyze the VB code or install tools to run it on Linux. I copy the decrypt function and run it on online tools with the encrypted password and now we have C.Smith's credentials.

With C.Smith's password, we can grab the user flag in the shared folder Users, and see something interesting.

Own root

The folder "HQK Reporting" makes me remember about the service on port 4386 of Nest. Actually, it contains the backup of some config files and source code.

The file HqkLdap.exe is coded by C#. To fully decompile it, I recommend using dotPeek though this tool must be installed on Windows.
Unfortunately, after reading the source code of HqkLdap.exe, I don't find out anything useful except the decrypt function looks like the one in RU Scanner above.
Return to port 4386, I try each provided command. The command SETDIR help us move to another folder, however, we can't read files. The command DEBUG needs a password and I think it must be the key point.

Back to the folder "HQK Reporting", there is a file named "Debug Mode Password.txt". I think it may contain the password to debug. But how if its always empty! I'm stuck for a bit and search on Google for how we can hide data on Windows. Fortunately, I found an article about Alternate Data Streams. It's a feature on Windows allows you to create hidden files that we can only access if we know their name. To list all streams hidden in a file by smbclient, I use the command allinfo and now you can see something behind the empty file.

We have the debug password, let's use it on the service on port 4386. Some new commands provided, especially the command SHOWQUERY allows us to read files.

Using SETDIR, LIST and SHOWQUERY, I can find the Administrator's credentials. However, the password looks familiar. Oh, another encrypted password!

Don't worry! We had the decrypt function for this password when decompiling the file HqkLdap.exe. Let's run it and get the decrypted password.

I have the Administrator's credentials now, the only thing left is taking the root flag.

Such a long write-up for an easy box!
By the way, it's a wonderful box to learn to enumerate and prepare for OSCP. You get credentials, you re-enumerate and get other credentials, enumerate again and again.

If you have any questions, please don't hesitate to ask me on Twitter or leave a comment.
Thank you for reading!