🐦Nest
https://app.hackthebox.com/machines/225
What's the name of the service according to nmap listening on port 4386? (Include the version in your answer)
It turns out that Guest authentication is enabled on SMB. How many shares is Nest showing on SMB?
What is the password of the TempUser?
We find some interesting shares with no password needed ->
Using telnet we get what seems to be a shell of some kind with a service name HQK Reporting ->
We navigate through the environment, but unfortunately a lot of the files are out of our reach:
Let's go back to smb enumeration:
smbmap: This is the command to use the smbmap tool from the Impacket suite.
-H 10.129.212.135: This option specifies the IP address of the SMB server to connect to (10.129.212.135).
-u null: This option specifies the username to use when connecting to the SMB server. In this case, the username is set to "null", which can be used to attempt a null session connection to the SMB server. A null session connection is an unauthenticated connection that can be used to enumerate shares and perform other tasks, depending on the SMB server's configuration.
Okay, this one blew my mind and I'm so glad to know that now:
smb: \> recurse ON: This command enables the "recurse" option, which allows the smbclient tool to traverse the directory structure recursively when performing file operations.
smb: \> prompt OFF: This command disables the "prompt" option, which will prevent the smbclient tool from asking for confirmation before executing commands.
smb: \> mget *: This command uses the "mget" command to download all files from the current directory. The wildcard "*" is used to match all files in the directory.
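Once a share has been pulled down recursively, the local copy still has to be searched for stored credentials; an administrator would run the same sweep over any share readable by a guest or low-privilege account. The script below is an added example, not part of the original writeup: the directory names, file names and values built in demo() are constructed, and the list of credential tags is an assumption.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

SECRET_TAGS = {"password", "passwd", "pwd", "secret"}  # assumed list, extend as needed
TEXT_RE = re.compile(r"(?i)\b(password|passwd|pwd)\b\s*[:=]\s*(\S+)")

def scan_file(path):
    """Return [(field, value)] for credential-like content in one file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        data = fh.read()
    if path.lower().endswith((".xml", ".config")):
        hits = []
        try:
            for el in ET.fromstring(data).iter():
                tag = el.tag.rsplit("}", 1)[-1].lower()  # drop XML namespace
                if tag in SECRET_TAGS and (el.text or "").strip():
                    hits.append((tag, el.text.strip()))
            return hits
        except ET.ParseError:
            pass  # malformed XML: fall back to plain-text matching
    return [(m.group(1).lower(), m.group(2)) for m in TEXT_RE.finditer(data)]

def scan_tree(root):
    """Walk a downloaded share tree and map relative path -> findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if found := scan_file(full):
                report[os.path.relpath(full, root)] = found
    return report

def demo():
    """Build a constructed sample tree (not the box's real files) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "IT", "Configs"))
        os.makedirs(os.path.join(root, "Shared", "Templates"))
        with open(os.path.join(root, "IT", "Configs", "app_config.xml"), "w") as fh:
            fh.write("<ConfigFile><Username>svc.example</Username>"
                     "<Password>Q09OU1RSVUNURUQ=</Password></ConfigFile>")
        with open(os.path.join(root, "Shared", "Templates", "welcome.txt"), "w") as fh:
            fh.write("Username: example.user\nPassword: constructed-value-1\n")
        with open(os.path.join(root, "Shared", "notes.txt"), "w") as fh:
            fh.write("Nothing sensitive here.\n")
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Point scan_tree() at the directory where the mget output landed; a Password element holding an encoded blob is flagged just like a plaintext one, since either form is a stored secret sitting on a readable share.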
If we go and read the file we get this interesting email:
We try to see what changed with those credentials:
We got READONLY on the Secure file.
We tried connecting with smbclient, but we can't really do anything in the folder:
Go through all the shares and use the recursive trick to mget everything to your computer with the new rights.
Spoiler: the interesting share is the data share with TempUser credentials.
then with this command we
The RU_config.xml seems a bit weird, so let's go look at it:
Authenticating on SMB as TempUser gives you read access to the share "Secure$". What is the encrypted (and encoded) password for the user c.smith that you uncovered from the files inside that share?
What's the name of the Visual Basic project that will help you decrypt the password?