HTB: Nest Walkthrough (Windows)

Nest was a fun CTF-style Windows HTB machine, now retired. Despite being CTF-style it is not an unrealistic scenario: the weaknesses exploited are weak SMB share and NTFS permissions, together with the all too common practice of leaving passwords lying around in plaintext.

Nmap SYN scan (-sS) of all ports (-p-), skipping host discovery (-Pn).
With only two ports open, I was very interested to see what TCP/4386 had to offer, so I ran another nmap scan with the default scripts (-sC) against just those two ports. No luck getting any more detail on that port.
After connecting to it we can see there’s a service waiting; at this point I disconnected and turned my attention to SMB.
Two shares I can connect to, and “Everyone” really does mean everyone 🙂
I had a look around and pulled copies of all the files. There weren’t many, but one in particular was very useful, and sadly not an uncommon thing to find in the real world.
Free loot 🙂
Using our new account details we can go ahead and pull the contents of the Data share as TempUser.
More loot found in RU_config.xml and the Notepad++ history.
Recovering the password from it is fun and something you can work out for yourself, but once you have it sorted, c.smith gives us the user flag and more!
After pulling the data, I checked the obvious “Debug Mode Password.txt” only to find it empty, so I went back to it on the remote machine over SMB to get more detail: the file is 0 bytes, but it carries a named stream.
Nice!!! I love this! NTFS alternate data streams 🙂

Locally on Kali I just needed to read the stream data; once pulled down, the stream is just a file with a colon in its name:
cat Debug\ Mode\ Password.txt:Password
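As an added example (not code from the original post), the same check done from the Windows side: the script below sweeps a directory on an NTFS volume for files that carry alternate data streams and dumps their contents, which is how you would audit a share for exactly this kind of hidden data. The root path is a hypothetical placeholder; any local NTFS path or mapped drive works. On the attacker side, smbclient’s `allinfo "<file>"` lists the streams on a remote file and `get "<file>:<stream>"` pulls one down as a plain file, which is what the cat command above reads.

```powershell
# Added example, not from the original walkthrough: find and read alternate
# data streams (ADS) under a directory. Requires NTFS and Windows PowerShell
# 3+ or PowerShell 7 on Windows. $Root is an assumed path for illustration.
param(
    [string]$Root = 'C:\Shares\Data'   # assumption: local copy / mapped share
)

function Get-AdsReport {
    param([string]$Path)

    # -Force includes hidden files; -File skips directories.
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force | ForEach-Object {
        $file = $_
        # 'Get-Item -Stream *' lists every stream on the file. The unnamed
        # default stream appears as ':$DATA'; anything else is an ADS.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File    = $file.FullName
                    Stream  = $_.Stream
                    Bytes   = $_.Length
                    # Read the hidden stream as one string (-Raw).
                    Content = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -Raw
                }
            }
    }
}

Get-AdsReport -Path $Root | Format-Table -AutoSize -Wrap
```

Expect some noise: files downloaded from the internet carry a `Zone.Identifier` stream, which is benign. A named stream like `Password` on an otherwise empty file is the thing worth a second look.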

Now we can turn our attention to the reporting service on TCP/4386.
A few commands to play with; we have the debug password and can see we just need to enter it after the DEBUG command.
I can’t help wanting to see what it does if I don’t obey the syntax 🙂 but when I do, we get debug mode. Let’s see if that gives us anything new.
Again, the “help” command shows us a bunch of new commands we can play with.
The “list” command brings more to look at; there was little of interest here, but the LDAP folder was far more helpful.
And there we have it: the hash is easy enough, and after that grab the root flag.
