This article walks through the Nest virtual machine on the HackTheBox platform. The reader learns how to use current network scanning tools (nmap, masscan), enumerate SMB shares, analyze data hidden in NTFS alternate data streams, and reverse engineer C# applications. It also shows in detail how the information found along the way is used to escalate privileges and reach otherwise closed resources.
A VPN is used to connect to the lab. Using a work computer or a device holding sensitive data is not recommended, because the connection leads into a private network shared with other information security practitioners.
This machine has an IP address of 10.10.10.178, which we add to /etc/hosts.
10.10.10.178 nest.htb
First, a scan for open ports is performed. To speed things up, masscan is used for the initial sweep, since nmap takes much longer to complete this task. All TCP and UDP ports are scanned through the tun0 interface at a rate of 500 packets per second.
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.178 --rate=500
Now, to get more detailed information about the services behind the discovered ports, let’s run nmap against them with the -A option.
nmap -A nest.htb -p445,4386
First of all, let’s pay attention to the SMB service. Let’s try to log in as a guest.
The available shares are identified, and then a recursive listing of all accessible content is performed.
Of the above files, the most interesting is the note “Welcome Email.txt”. Let’s connect to the resource and save this file to our local machine.
Next, the entire contents of the share are listed again, this time using the credentials found in the note.
Special attention should be paid to configuration files, since they often contain share names, service names, or credentials. So we reconnect to the share and download every configuration file.
And in one file we find the name of the closed resource “Secure$”, and in the other – the user’s credentials.
The password in that file does not work as given, so it is probably stored in encrypted form. The credentials found earlier, however, are enough to access the newly discovered share.
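The configuration files on the share are what gave up the share name and the credentials. From a defender's side, the same files are worth auditing before an attacker reads them. The following PowerShell script is an added example, not code from the writeup: it walks a directory tree (an assumed local path in $Root, which could equally be a mounted share), searches .config/.xml/.ini/.txt files for settings whose names usually carry secrets, and reports file and line while masking the value so the audit report does not spread the secret further. The sample app.config it creates is constructed for the demo and contains only a placeholder value.

```powershell
# Added example (not from the writeup): audit configuration files under a share
# for credential-bearing settings, reporting location but masking the values.
# $Root is an assumed local path; the sample config below is constructed for the demo.
param(
    [string]$Root = (Join-Path $env:TEMP 'nest-config-audit-demo')
)

# Constructed sample: an app.config of the kind the writeup finds, with a placeholder password value.
$sampleDir = Join-Path $Root 'IT\Configs\App'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
@'
<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="Server" value="nest.htb" />
    <add key="Username" value="svc_demo" />
    <add key="Password" value="PLACEHOLDER-ENCRYPTED-VALUE" />
  </appSettings>
</configuration>
'@ | Set-Content -Path (Join-Path $sampleDir 'app.config')

# Setting names that usually carry secrets; matched case-insensitively as plain substrings.
$credentialPatterns = 'password', 'pwd', 'passwd', 'secret', 'apikey', 'connectionstring'

function Find-CredentialSettings {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include *.config, *.xml, *.ini, *.txt |
        ForEach-Object {
            $file = $_
            Select-String -LiteralPath $file.FullName -Pattern $credentialPatterns -SimpleMatch |
                ForEach-Object {
                    [pscustomobject]@{
                        File = $file.FullName
                        Line = $_.LineNumber
                        # Mask the value so the audit report does not itself spread the secret.
                        Text = ($_.Line.Trim() -replace 'value="[^"]*"', 'value="***"')
                    }
                }
        }
}

Find-CredentialSettings -Path $Root | Format-Table -AutoSize
```

Run it against the root of a share mirror and every hit is a setting to move out of plaintext or reversible-encryption storage (a secrets store, DPAPI, or managed service accounts) and a share whose ACL deserves a second look; "encrypted" values are only as safe as the key, and in this writeup the key sits in a project folder on the same share.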
Listing the IT directory is not permitted, but thanks to the configuration file one of its subdirectories is already known. The entire contents of the path \Secure$\IT\Carl are listed.
This directory contains a project written in Visual Basic. For further analysis, the project folder is copied to the local machine via Explorer.
We open the project and find the place where the password is read from the config and decrypted.
No in-depth study of the encryption scheme was needed. Instead, the project was opened in Visual Studio and the code modified so that the password could be read out during debugging.
This way we learn the user’s real password. We connect and collect the flag.
Let’s look further into the user’s working directory.
From the configuration file it becomes clear that the application communicates over the second open port, 4386.
But after connecting and looking at the help, we realize that a password is required.
We go to the directory and download the program; analyzing it may reveal the password.
Fortunately, the application is written in C#, which makes it possible to easily decompile the entire project using the dnSpy tool.
Thus, the program accepts a configuration file as input, from which it obtains certain parameters.
But nothing useful turns up in the project. A considerable amount of time was spent searching until it became obvious to pay attention to an empty file called “Debug Mode Password.txt”. After that, a connection to the share is made.
Now let’s look at all the streams of the file. We find that the Password stream stores 15 characters.
After reading that stream, I was able to find the password for debug mode. Even though the file looks empty in a normal listing, its hidden stream turned out to be the key to further progress.
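A file that is empty in a normal directory listing but carries its payload in an alternate data stream is exactly what a share review should catch. The PowerShell script below is an added example, not code from the writeup: it recreates the situation with a constructed file and a constructed stream value under an assumed local NTFS path in $Root, then walks the tree and reports every stream other than the default :$DATA, so hidden streams like the "Password" stream found above show up with their name and size.

```powershell
# Added example (not from the writeup): enumerate NTFS alternate data streams under a directory,
# the kind of hidden stream the writeup finds on "Debug Mode Password.txt".
# $Root is an assumed local NTFS path; the sample file and its stream are constructed for the demo.
param(
    [string]$Root = (Join-Path $env:TEMP 'nest-ads-demo')
)

New-Item -ItemType Directory -Path $Root -Force | Out-Null
$sample = Join-Path $Root 'Debug Mode Password.txt'
New-Item -ItemType File -Path $sample -Force | Out-Null                       # primary stream left empty
Set-Content -LiteralPath $sample -Stream 'Password' -Value 'sample-not-real'  # hidden stream, constructed value

function Find-AlternateStreams {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File |
        ForEach-Object {
            # -Stream * lists every stream; ':$DATA' is the ordinary file content, so filter it out.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Select-Object FileName, Stream, Length
        }
}

Find-AlternateStreams -Path $Root | Format-Table -AutoSize
```

Expect Zone.Identifier streams on downloaded files; anything else, especially on a zero-length file, deserves a look with Get-Content -Stream. Streams survive copies between NTFS volumes and SMB shares but are silently dropped on FAT or when zipped, which is why they escape casual review and why a periodic sweep of sensitive shares is worthwhile.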
We connect again, enter the password and view the help.
Next, it is worth exploring the application a bit further: the decompiled project expects a configuration file, which still needs to be found.
Judging by the program’s name, we head to the LDAP directory.
These are the parameters the application processes. The project contains a decryption function; for analysis it is modified so that the decrypted value is printed to the console before being returned.
We also change one of the conditions so that the program does not stop at the check for the presence of a file.
Let’s recompile the project and run the application, specifying the config as an argument.
The administrator password is obtained, after which a successful connection to the system is made using the psexec utility.