Hack the Box (HTB) machines walkthrough series — Nest, part 2 – Digitalmunition


Published on August 3rd, 2020



Today, we will be continuing with our exploration of Hack the Box (HTB) machines, as seen in previous articles. This walkthrough is of an HTB machine named Nest. This is the second half of the walkthrough; you can look at part 1 to see the beginning of this walkthrough, and I highly recommend doing so.

HTB is an excellent platform that hosts machines running multiple operating systems, along with some other challenges. Individuals have to solve a puzzle (simple enumeration plus pentest) in order to log into the platform and download the VPN pack to connect to the machines hosted on the HTB platform.

Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named Nest, is retired.

The walkthrough

As shown in part 1 of this article series, we have reached the point where we have a .sln file, a username (c.smith) and a password hash.

  1. Since this is a VB project file, I could see that there are encrypt and decrypt functions. I modified the script a bit to only work with the decrypt function. The first parameter to this function was the hash, so I pasted in the hash we recovered earlier and printed the password to the screen.
  2. Now let’s try the recovered password for c.smith and perform enumeration again.
  3. As you can see, we can now retrieve the user.txt file.
  4. Let’s perform enumeration again as this user to escalate privileges. There is a “HQL Reporting” folder, and under it we have some interesting files.
  5. Looking into the XML file reveals some interesting contents. There is a possible service on port 4386. The Nmap scan results in part 1 also confirmed the existence of this (Read more…)
