Overview

Reconnaissance

Nmap

$ nmap -Pn -n -A -T5 -p1-65535 10.10.10.178
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-02 17:04 CEST
Nmap scan report for 10.10.10.178
Host is up (0.017s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
4386/tcp open  unknown
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, X11Probe: 
|     Reporting Service V1.2
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     Reporting Service V1.2
|     Unrecognised command
|   Help: 
|     Reporting Service V1.2
|     This service allows users to run queries against databases using the legacy HQK format
|     AVAILABLE COMMANDS ---
|     LIST
|     SETDIR <Directory_Name>
|     RUNQUERY <Query_ID>
|     DEBUG <Password>
|_    HELP <Command>
|
Host script results:
|_clock-skew: mean: 3m21s, deviation: 0s, median: 3m21s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-05-02 17:11:33
|_  start_date: 2020-05-02 16:23:34

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 261.12 seconds

The Nmap scan reveals two open ports: 445 (most likely SMB) and 4386 (unknown).
Port 4386 is the interesting one: the service fingerprint shows a banner, “Reporting Service V1.2”, followed by a help text listing the commands it accepts. The host scripts also show that SMB2 message signing is enabled but not required, which is worth noting for NTLM relay attacks even though it is not needed on this box.

This service allows users to run queries against databases using the legacy HQK format

However, I was not familiar with it, so I started poking at port 445 instead, which should be SMB.

SMB

Firing up the Metasploit Framework, I used auxiliary/scanner/smb/smb_enumshares and got pretty nice output.

smb_enumshares

As expected, trying to connect to the ADMIN and C shares resulted in an error. However, the DATA share was accessible using anonymous:anonymous as the login pair.

SMB Shares

Only a few folders were accessible to the anonymous user. While browsing, I found a file named Welcome Email.txt.

Mail

Enumeration

Config files

After logging in as TempUser, I had access to more folders, so I started pulling down every file I could and looking for more information.
Two of them caught my attention.
The first, Data/IT/Configs/RU Scanner/RU_Config.xml, contained a username, an encrypted password and a port.

RU_config.xml
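Scraping a downloaded share by hand does not scale past a handful of files, so here is the kind of helper I would run over the tree instead. This is an added example, not the writeup's or the box's own code: the share contents are constructed in a temporary directory so it runs offline, and the element names Username, Password and Port are my assumption about what a config like RU_Config.xml contains (the real file is not reproduced here).

```python
"""Hunt for credential-looking values in files pulled down from an SMB share.

Added example for this writeup, not the box's own files: the share tree below is
constructed in a temporary directory so the script runs offline. The element
names <Username>, <Password> and <Port> are an assumption about what a config
like RU_Config.xml looks like; the real file is not reproduced here.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Element, attribute and key names that usually carry a secret.
SECRET_KEY = re.compile(r"pass(word|wd|phrase)?|pwd|secret|token|apikey|credential", re.I)
# "key = value" / "key: value" lines in text, ini and email-style files.
KV_LINE = re.compile(r"^\s*([A-Za-z_][\w.-]*)\s*[=:]\s*(.+?)\s*$")


def scan_xml(path):
    """Return (path, name, value) for every secret-looking element or attribute.

    Returns None when the file is not well-formed XML so the caller can fall
    back to plain-text scanning (.config files are not always XML).
    """
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return None
    hits = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip an XML namespace if present
        if SECRET_KEY.search(tag) and (el.text or "").strip():
            hits.append((path, tag, el.text.strip()))
        for attr, value in el.attrib.items():
            if SECRET_KEY.search(attr) and value.strip():
                hits.append((path, attr, value.strip()))
    return hits


def scan_text(path):
    """Return (path, key, value) for key/value lines whose key looks secret."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = KV_LINE.match(line)
            if m and SECRET_KEY.search(m.group(1)):
                hits.append((path, m.group(1), m.group(2)))
    return hits


def hunt(share_root):
    """Walk a downloaded share and collect every credential-looking value."""
    hits = []
    for dirpath, _dirs, files in os.walk(share_root):
        for name in files:
            path = os.path.join(dirpath, name)
            found = None
            if name.lower().endswith((".xml", ".config")):
                found = scan_xml(path)
            if found is None:  # not XML after all: treat it as text
                found = scan_text(path)
            hits.extend(found)
    return hits


def build_sample_share():
    """Create a constructed share tree: one XML config and one welcome mail."""
    root = tempfile.mkdtemp(prefix="share_")
    cfg_dir = os.path.join(root, "IT", "Configs", "RU Scanner")
    os.makedirs(cfg_dir)
    with open(os.path.join(cfg_dir, "RU_Config.xml"), "w", encoding="utf-8") as fh:
        fh.write("<ConfigFile><Port>389</Port><Username>example.user</Username>"
                 "<Password>Base64CipherTextExample==</Password></ConfigFile>")
    with open(os.path.join(root, "Welcome Email.txt"), "w", encoding="utf-8") as fh:
        fh.write("Welcome aboard!\nUsername: tempuser.example\nPassword: Example-Pass-1\n")
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("Nothing secret in here.\n")
    return root


if __name__ == "__main__":
    for path, key, value in hunt(build_sample_share()):
        print(f"{path}: {key} = {value}")
```

Run it against the directory you mirrored the share into (for instance with smbclient's `recurse` and `mget *`) instead of the constructed tree; the two hits it reports on the sample are the XML Password element and the Password: line of the welcome mail, while the Username lines and the notes file are ignored.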

The second one was interesting because I missed it at first glance; when I read it again I saw that there was a folder named Carl in Secure\IT\. When I was browsing the shares I couldn’t list the IT directory, but I was able to cd straight into Carl. This is a common NTFS permission pattern: the account lacks the List folder right on IT but keeps Traverse folder, so a child path you already know can still be entered directly.

Carl folder

VB Project

Inside this directory there were two folders: Docs (nothing special there) and VB Project (a whole Visual Basic project).
I’ve never used VB, but since I’m not that bad at programming I could understand the code.
I was doing this box with my team and it was actually DarkPPT who discovered this, so big up to him!

Exploitation

The main function used RU_config.xml (the file found earlier), and the project also contained a function named “DecryptString”. After analysing the code, I decided to let the program do the work: I called DecryptString with the encrypted password as the parameter and displayed the result in a “MsgBox”. Reusing the application’s own routine avoids having to reimplement its cipher, key derivation and IV by hand.

Decrypted password

Looks like it worked :)

Privilege Escalation

ADS

Now that I had c.smith:xRxRxPANCAK3SxRxRx, the next step was the Administrator account. So here we go again for some enumeration…
The HQK Reporting folder inside C.Smith’s user folder contained some interesting files. The one that caught my attention was Debug Mode Password.txt. I grabbed it onto my machine, but it was empty, which was strange.

allinfo

Actually, Debug Mode Password.txt wasn’t empty: smbclient’s allinfo showed 15 bytes in another stream.

Alternate Data Stream (ADS) is the ability of the NTFS file system (the main file system format on Windows) to store different streams of data in a file, in addition to the default stream that is normally used. A plain get or cat only sees the default stream, which is why the file looked empty.

Now that I knew this file had an alternate data stream, I had to find a way to read it.
Searching on the internet led me to a Stack Exchange post describing how to retrieve the alternate data stream of a file.

Alternate Data Stream

$ cat Debug\ Mode\ Password.txt:Password:\$DATA
WBQ201953D8w
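The telltale sign was in the allinfo output, not in the directory listing, and it is easy to skim past. The following is an added example (not part of the writeup) that parses smbclient's allinfo output for stream lines, flags anything other than the default ::$DATA stream, and builds the smbclient get commands that pull each alternate stream to a local file. Both allinfo transcripts are constructed to match smbclient's real output format; the timestamps are placeholders, and only the 15-byte Password stream mirrors what the writeup reports.

```python
"""Spot NTFS alternate data streams (ADS) in the output of smbclient's `allinfo`.

Added example, not from the writeup. Both transcripts below are constructed to
match smbclient's real `allinfo` format (`stream: [<name>], <n> bytes`); the
timestamps are placeholders, and only the 15-byte `Password` stream mirrors what
the writeup reports for Debug Mode Password.txt.
"""
import re

# smbclient prints one such line per stream, including the unnamed default one.
STREAM_RE = re.compile(r"^stream:\s+\[(?P<name>[^\]]*)\],\s+(?P<size>\d+)\s+bytes$")
DEFAULT_STREAM = "::$DATA"

# Constructed: what `allinfo "Debug Mode Password.txt"` looks like when the
# visible file is empty but a named stream carries the real content.
ALLINFO_WITH_ADS = """\
altname: DEBUGM~1.TXT
create_time:    Thu Aug  8 06:06:12 PM 2019 EDT
access_time:    Thu Aug  8 06:06:12 PM 2019 EDT
write_time:     Thu Aug  8 06:06:12 PM 2019 EDT
change_time:    Thu Aug  8 06:06:12 PM 2019 EDT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
"""

# Constructed: an ordinary file, only the default stream present.
ALLINFO_PLAIN = """\
altname: README~1.TXT
attributes: A (20)
stream: [::$DATA], 42 bytes
"""


def parse_streams(allinfo_text):
    """Return [(stream_name, size_in_bytes)] in the order smbclient lists them."""
    streams = []
    for line in allinfo_text.splitlines():
        m = STREAM_RE.match(line.strip())
        if m:
            streams.append((m.group("name"), int(m.group("size"))))
    return streams


def hidden_streams(allinfo_text):
    """Every stream except the default one; a non-empty result means ADS data."""
    return [(n, s) for n, s in parse_streams(allinfo_text) if n != DEFAULT_STREAM]


def fetch_commands(remote_name, allinfo_text):
    """smbclient `get` lines that pull each alternate stream to a local file.

    On the wire a stream is addressed as <file>:<stream>:$DATA. The local file
    name avoids ':' so it is safe on any filesystem.
    """
    cmds = []
    for name, _size in hidden_streams(allinfo_text):
        stream = name.strip(":").split(":")[0]  # ':Password:$DATA' -> 'Password'
        local = f"{remote_name}.{stream}.ads"
        cmds.append(f'get "{remote_name}:{stream}:$DATA" "{local}"')
    return cmds


if __name__ == "__main__":
    for text in (ALLINFO_WITH_ADS, ALLINFO_PLAIN):
        print("streams:", parse_streams(text))
        print("hidden :", hidden_streams(text))
    for cmd in fetch_commands("Debug Mode Password.txt", ALLINFO_WITH_ADS):
        print(cmd)
```

Paste the generated get line into the same smbclient session that produced the allinfo output; a 0-byte default stream next to a non-empty named stream is exactly the pattern that made the downloaded file look empty.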

Cool :) I found a new password; now I need to find where to use it.

Debug Mode

“Debug Mode” rang a bell, so I checked the Nmap scan again.

Reporting Service V1.2
| This service allows users to run queries against databases using the legacy HQK format
| AVAILABLE COMMANDS ---
| LIST
| SETDIR <Directory_Name>
| RUNQUERY <Query_ID>
| DEBUG <Password>
|_ HELP <Command>

I tried several ways to access this service and finally succeeded with telnet.

Telnet Reporting Service v1.2

I used the Debug mode (some kind of privileged mode, according to the help menu) to browse through directories. Debug mode unlocked the SHOWQUERY command, which prints the content of a file.
Running it against Ldap.conf in C:\Program Files\HQK\ldap printed some nice output.

Ldap.conf

Executing HqkLdap.exe with RUNQUERY failed with the following message.

>list

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[1]   HqkLdap.exe
[2]   Ldap.conf

Current Directory: ldap
>runquery 1

Invalid database configuration found. Please contact your system administrator
>
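Telnet is fine for a first look, but once you want to walk every directory and dump every file the service exposes, a small scripted client is quicker and keeps the raw replies for later. The block below is an added example, not the writeup's own code or anything shipped with the box: the command names (HELP, LIST, SETDIR, RUNQUERY, DEBUG, SHOWQUERY) and the `>` prompt come from the nmap banner and the telnet session above, while the CRLF line endings, the read timeout and the way DEBUG acknowledges a good password are assumptions that you should confirm against the raw replies. The sample LIST reply is constructed from the transcript above so the parsing part runs offline.

```python
"""Minimal line-oriented client for the "Reporting Service V1.2" on TCP 4386.

Added example, not from the writeup or the box. The command names (HELP, LIST,
SETDIR, RUNQUERY, DEBUG, SHOWQUERY) and the '>' prompt are taken from the nmap
banner and the telnet session in the writeup. Everything else (CRLF line
endings, what DEBUG answers, the read timeout) is an assumption: keep the raw
replies and look at them before trusting a parse.
"""
import re
import socket
import sys

PROMPT = b">"


class ReportingClient:
    """Talk to the service one command at a time, reading up to the next prompt."""

    def __init__(self, host, port=4386, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.banner = self._read_until_prompt()  # "Reporting Service V1.2 ..."

    def _read_until_prompt(self):
        buf = b""
        while not buf.rstrip().endswith(PROMPT):
            try:
                chunk = self.sock.recv(4096)
            except socket.timeout:
                break  # assumption: no prompt in time, hand back what we have
            if not chunk:
                break
            buf += chunk
        return buf.decode("utf-8", errors="replace")

    def cmd(self, line):
        """Send one command and return its raw reply, prompt included."""
        self.sock.sendall(line.encode("utf-8") + b"\r\n")  # assumption: telnet-style CRLF
        return self._read_until_prompt()

    def debug(self, password):
        return self.cmd(f"DEBUG {password}")

    def setdir(self, directory):
        return self.cmd(f"SETDIR {directory}")

    def list_queries(self):
        return self.cmd("LIST")

    def showquery(self, query_id):
        return self.cmd(f"SHOWQUERY {query_id}")

    def close(self):
        self.sock.close()


QUERY_LINE = re.compile(r"^\[(\d+)\]\s+(.+?)$")
CWD_LINE = re.compile(r"^Current Directory:\s*(.+?)$")


def parse_list(reply):
    """Turn a LIST reply into ({query_id: filename}, current_directory)."""
    queries, cwd = {}, None
    for raw in reply.splitlines():
        line = raw.strip()
        m = QUERY_LINE.match(line)
        if m:
            queries[int(m.group(1))] = m.group(2)
            continue
        m = CWD_LINE.match(line)
        if m:
            cwd = m.group(1)
    return queries, cwd


def dump_directory(client, directory):
    """SETDIR into a directory and SHOWQUERY every file it lists; returns {name: reply}.

    `client` only needs setdir()/list_queries()/showquery(), so it can be a fake in tests.
    """
    client.setdir(directory)
    queries, _cwd = parse_list(client.list_queries())
    return {name: client.showquery(qid) for qid, name in sorted(queries.items())}


# Constructed from the LIST reply shown in the writeup, for offline parsing.
SAMPLE_LIST_REPLY = """\
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[1]   HqkLdap.exe
[2]   Ldap.conf

Current Directory: ldap
>"""


if __name__ == "__main__":
    # usage: python reporting_client.py <host> <debug-password> <directory>
    host, password, directory = sys.argv[1:4]
    c = ReportingClient(host)
    print(c.banner)
    print(c.debug(password))
    for name, content in dump_directory(c, directory).items():
        print(f"===== {name} =====\n{content}")
    c.close()
```

SHOWQUERY on a binary such as HqkLdap.exe will come back mangled by the text decoding, so for the executable use the SMB share as the writeup does; the client is for the text configs.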

Reverse

However, I was pretty sure this binary was supposed to help me escalate privileges, so I decided to reverse it. I grabbed it through SMB, saw it was a .NET binary and used dnSpy, which makes .NET assemblies easy to decompile, edit and recompile.
After analysing the code, I found that I needed to remove some lines that blocked execution. I commented them out and added another line to display the password.

.NET disassembled

Admin password

That’s it! Now just use this password to connect to SMB as Administrator :)

Conclusion

Despite the fact that this box is categorised as easy, I found it more difficult than other ones I’ve done before. In fact the box creator posted on the forum that he should have categorised it as a medium box. I totally agree. However, I enjoyed doing it and it was really rewarding, especially when I had to edit the VB project and reverse the .NET binary. Navigating through the SMB shares was a really fun part of it. I also learned how to grab the alternate stream of a file. The only negative was the use of the “Reporting Service v1.2”, for which I could not find any documentation.
Shoutout to léco! You can find his Nest writeup in French right here.