Nest

One of VBScript's boxes on Windows, which focuses heavily on reversing applications to crack credentials.

Run Nmap

Only 445 is open? Let's run again with the -p- flag to confirm; this feels like another evil-winrm box.

Foothold Enumeration

Running a quick nmap scan for vulnerabilities doesn’t give us anything.

We get the hostname.

Enum4Linux doesn't get us much; access is denied for most checks.

smbclient lists the shares, so let's play around and see what's here.

We can access the Secure$ share but not the actual files inside it.

We don’t have access to any of the Users directories.

And SMBmap doesn’t give us anything to work with.

We switch to Windows and map a drive to quickly run through it, and we find the foothold credentials in the Data folder.

And we have our foothold with the TEMPUSER user.

User enumeration

We have greater access with TempUser, so let's keep going through the files.

In the Notepad++ config we can see C.Smith has a history file in \Secure$\.

We can't list the IT folder, but we know Carl\ exists.

We take a chance on going straight to Carl's directory and, awesome, we have some permissions on it. Let's see what's in here.

The first few files are useless, but it looks like Carl has hardcoded some of his credentials for a VB program in RU_Config.xml.

We can see many Public Property Username/Password references in different files, but nothing we can use.

We find the RU_Config.xml file in the Data fileshare.

Sure enough, we find the user and a hashed or encrypted password. None of the files we saw earlier had extra information for us, but we did find some interesting VB files that seem relevant. We go through them and find some interesting cryptography functions.

The key pieces of information we will need are:

    dim cipherText As String="fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE="
    dim passPhrase As String="N3st22"
    dim saltValue As String="88552299"
    dim passwordIterations AS INTEGER=2 
    dim initVector As String="464R5DFA5DL6LE28"
    dim keySize AS INTEGER=256

So we now have the information we need: we know how the tool encrypts and decrypts passwords, and we have the hardcoded default passphrase, salt, IV and iteration count. We build the code below in Visual Studio, using the RU-Scanner code as the base.

Imports System
Imports System.IO
Imports System.Text
Imports System.Security.Cryptography

Module Program
    Sub Main()
        ' Values lifted from RU_Config.xml and the RU-Scanner VB source
        Dim cipherText As String = "fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE="
        Dim passPhrase As String = "N3st22"
        Dim saltValue As String = "88552299"
        Dim passwordIterations As Integer = 2
        Dim initVector As String = "464R5DFA5DL6LE28"
        Dim keySize As Integer = 256

        ' The tool uses the IV and salt as their raw ASCII bytes
        Dim initVectorBytes As Byte() = Encoding.ASCII.GetBytes(initVector)
        Dim saltValueBytes As Byte() = Encoding.ASCII.GetBytes(saltValue)
        Dim cipherTextBytes As Byte() = Convert.FromBase64String(cipherText)

        ' PBKDF2 (HMAC-SHA1) over the hardcoded passphrase and salt gives the AES-256 key
        Dim password As New Rfc2898DeriveBytes(passPhrase, saltValueBytes, passwordIterations)
        Dim keyBytes As Byte() = password.GetBytes(CInt(keySize / 8))

        ' AES in CBC mode; PKCS7 padding is the default
        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC

        Dim decryptor As ICryptoTransform = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)
        Dim memoryStream As New MemoryStream(cipherTextBytes)
        Dim cryptoStream As New CryptoStream(memoryStream, decryptor, CryptoStreamMode.Read)

        ' Plaintext is never longer than the ciphertext (ReDim's upper bound is inclusive)
        Dim plainTextBytes(cipherTextBytes.Length) As Byte
        Dim decryptedByteCount As Integer = cryptoStream.Read(plainTextBytes, 0, plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Dim plainText As String = Encoding.ASCII.GetString(plainTextBytes, 0, decryptedByteCount)

        ' Print() is the legacy VB file-output function; a console app needs Console.WriteLine
        Console.WriteLine(plainText)
    End Sub
End Module

Running this, we see the password: xRxRxPANCAK3SxRxRx

We have the user flag.

Enumerating User 2

Now that we have user 2, let's go back to enumerating the SMB shares. SMB is still the only tool we can use; the box is fun but very CTF-ish.

It looks like there is a port open for HQK queries that our Nmap scan missed.

Running strings against the HQKLDAP.exe file we found doesn't give us much information, but when we disassemble it we see the version is 1.2.0. Googling suggests this isn't a real tool, so we shouldn't expect public exploits.

Decompiling the exe and going through the code doesn’t give us any answers.

Our Nmap scan of the port returns a banner that includes commands we can send to the service on that port. Maybe telnet is the answer here?

So it looks like we have a simple interface to this service through telnet. There is an option to debug the service, but we need a password to do so. Carl's password isn't accepted, so we go back to the empty text file we found and see if it hides the password.

After poking around with the file we find a handy smbclient command, allinfo, which shows us 2 streams, including 1 Password stream of 15 bytes.

We retrieve this stream and have a potential password: WBQ201953D8w. Let's try it with telnet first; if it isn't accepted we will need to check the exe code to see what we need to do.

It is accepted. We have 3 new commands: Service, Session and ShowQuery.

So we can see some info for the queries, but nothing that helps us; we also cannot leave the 1-3 range of the app.

We can't seem to run any of these queries.

We also can't navigate to the network location. Let's review the decompiled .exe we found in Carl's home directory again. We see a cryptography section in the code that mimics the functionality we used to get user, but the passphrase, IV and salt it uses are slightly different. Even knowing how to decrypt this password, we still need to find the encrypted value itself.

After scratching our heads for a while we realise we can use the showquery, list and setdir commands to navigate around the application directory, and doing this we find the administrator credentials, including an encrypted password: yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

namespace Decrypt
{
    class decrypt
    {
        static void Main(string[] args)
        {
            // Ciphertext from the config found via the HQK service; the other
            // parameters come from the decompiled HQKLDAP.exe
            string cipherText = "yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=";
            string passPhrase = "667912";
            string saltValue = "1313Rf99";
            int passwordIterations = 3;
            string initVector = "1L1SA61493DRV53Z";
            int keySize = 256;

            // IV and salt are used as their raw ASCII bytes, exactly as the tool does
            byte[] initVectorBytes = Encoding.ASCII.GetBytes(initVector);
            byte[] saltValueBytes = Encoding.ASCII.GetBytes(saltValue);
            byte[] cipherTextBytes = Convert.FromBase64String(cipherText);

            // PBKDF2 (HMAC-SHA1) with the hardcoded passphrase, salt and iteration count gives the AES key
            byte[] keyBytes = new Rfc2898DeriveBytes(passPhrase, saltValueBytes, passwordIterations)
                .GetBytes(keySize / 8);

            // AES-256 in CBC mode with the default PKCS7 padding
            AesCryptoServiceProvider aes = new AesCryptoServiceProvider();
            aes.Mode = CipherMode.CBC;
            ICryptoTransform decryptor = aes.CreateDecryptor(keyBytes, initVectorBytes);

            MemoryStream memoryStream = new MemoryStream(cipherTextBytes);
            CryptoStream cryptoStream = new CryptoStream(memoryStream, decryptor, CryptoStreamMode.Read);

            // Plaintext can never be longer than the ciphertext
            byte[] plainTextBytes = new byte[cipherTextBytes.Length + 1];
            int decryptedByteCount = cryptoStream.Read(plainTextBytes, 0, plainTextBytes.Length);
            memoryStream.Close();
            cryptoStream.Close();

            string plainText = Encoding.ASCII.GetString(plainTextBytes, 0, decryptedByteCount);
            Console.WriteLine(plainText);
        }
    }
}

We put together this C# code using the decompiled source as a base, and run it.

Success, password for admin is XtH4nkS4Pl4y1nGX.
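As an added example (not the author's code or either tool's source), the same decrypt routine that both the VB and C# programs above implement, ported to Ruby's bundled OpenSSL as one function that is run over both parameter sets found on the box. The defender's takeaway it illustrates is that once passphrase, salt, IV and iteration count sit in the binary and its config, the "encrypted" credential is readable by anyone who can read those files; the CONFIGS table and labels are constructed from the values on this page.

```ruby
require 'openssl'

# Port of the .NET routine recovered from the tools: Rfc2898DeriveBytes (PBKDF2-HMAC-SHA1)
# turns the hard-coded passphrase + salt into an AES-256 key, then AES-CBC with the
# hard-coded IV and PKCS7 padding decrypts the base64 blob stored in the config file.
def decrypt_hardcoded(cipher_b64, pass_phrase, salt, iterations, iv, key_size = 256)
  key = OpenSSL::PKCS5.pbkdf2_hmac_sha1(pass_phrase, salt, iterations, key_size / 8)
  aes = OpenSSL::Cipher.new("aes-#{key_size}-cbc")
  aes.decrypt
  aes.key = key
  aes.iv = iv                      # IV used as its raw ASCII bytes, like the tool
  blob = cipher_b64.unpack1('m0')  # strict base64 decode, no extra gem needed
  aes.update(blob) + aes.final     # #final raises on bad PKCS7 padding (wrong key/IV)
end

# Constructed table of the two parameter sets from the page: RU_Config.xml with the
# RU-Scanner constants, and the HQK config blob with the constants from HQKLDAP.exe.
CONFIGS = {
  'RU-Scanner (C.Smith)' => {
    cipher_b64: 'fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=',
    pass_phrase: 'N3st22', salt: '88552299', iterations: 2, iv: '464R5DFA5DL6LE28'
  },
  'HQK (Administrator)' => {
    cipher_b64: 'yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=',
    pass_phrase: '667912', salt: '1313Rf99', iterations: 3, iv: '1L1SA61493DRV53Z'
  }
}.freeze

# Decrypt every blob in the table; returns { label => plaintext }.
def recover_all(configs = CONFIGS)
  configs.transform_values do |c|
    decrypt_hardcoded(c[:cipher_b64], c[:pass_phrase], c[:salt], c[:iterations], c[:iv])
  end
end

recover_all.each { |label, pw| puts "#{label}: #{pw}" } if __FILE__ == $PROGRAM_NAME
```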

We log in with this credential and are able to get the key!

The big lessons learned here, which cost me a lot of time, were firstly to enumerate all the things and make note of findings that might not be used until later, and secondly to learn more about the applications I am using, even custom applications, as that can help with enumeration.
