HTB is an excellent platform that hosts machines belonging to multiple OSes. It also has some other challenges as well. Individuals have to solve the puzzle (simple enumeration plus pentest) in order to log into the platform and download the VPN pack to connect to the machines hosted on the HTB platform. Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named Nest, is retired.
The walkthrough
As shown in Part 1 of this article series, we have reached the point where we have a .sln file and username (c.smith) and a password hash.
Since this is a VB Project file, I could see that there are encrypt and decrypt functions. I modified the script a bit to only work with the decrypt function. The first parameter to this function was the hash, so I pasted in the hash we have recovered earlier and returned the password to the screen. [CLICK IMAGES TO ENLARGE]
Now let’s try the recovered password for c.smith and perform enumeration again.
As you can see, we can now retrieve the user.txt file.
Let’s now again perform enumeration from this user to escalate privileges. There is a “HQL Reporting” folder and under that, we have some interesting files.
Looking into the xml file reveals some interesting contents. There is a possible service on port 4386. If you look into the Nmap scan results in part 1, it also confirmed the existence of this port.
The .txt file initially looked empty, but in its ADS, we can see some bytes. Downloading those reveals a string, which can be a password.
Now, since service in port 4386 is mentioned, let’s connect to it via Telnet. We can do that successfully. Running the help command reveals some interesting commands and, and the debug command has a password option. Running that command with the recovered password and listing out help gives some more options.
Change directories using the SETDIR command and go to the LDAP directory. Under that, we’ve got LDAP.conf, which reveals the administrator hash.
In the same directory, we have an .exe file as well. After downloading it on a local machine, since it is a compiled file, we have to disassemble it. After doing that, under the LDAP directory, we can see some more encryption and decryption functions. These functions were similar to what we saw in part 1.
I used the existing VB class and changed the parameters as mentioned above, along with the administrator hash.
Once we recovered the password, we can access the SMB shares using the administrator password and can obtain the root flag.
This machine was purely based on just enumeration and shows the importance for the same. Thanks for following along with me today. We will continue this series with more in the way of interesting HTB machines.