Hack the Box (HTB) machines walkthrough series — Nest, part 2 - Security Boulevard

Hack the Box (HTB) machines walkthrough series — Nest, part 2

Today, we will be continuing with our exploration of Hack the Box (HTB) machines, as seen in previous articles. This walkthrough is of an HTB machine named Nest. This is the second half of the walkthrough; you can look at part 1 to see the beginning of this walkthrough, and I highly recommend doing so.

HTB is an excellent platform that hosts machines belonging to multiple OSes. It also has some other challenges as well. Individuals have to solve the puzzle (simple enumeration plus pentest) in order to log into the platform and download the VPN pack to connect to the machines hosted on the HTB platform.

Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named Nest, is retired.

The walkthrough

As shown in Part 1 of this article series, we have reached the point where we have a .sln file and username (c.smith) and a password hash.

  1. Since this is a VB Project file, I could see that there are encrypt and decrypt functions. I modified the script a bit to only work with the decrypt function. The first parameter to this function was the hash, so I pasted in the hash we have recovered earlier and returned the password to the screen. [CLICK IMAGES TO ENLARGE]
  2. Now let’s try the recovered password for c.smith and perform enumeration again.
  3. As you can see, we can now retrieve the user.txt file.
  4. Let’s now again perform enumeration from this user to escalate privileges. There is a “HQL Reporting” folder and under that, we have some interesting files.
  5. Looking into the xml file reveals some interesting contents. There is a possible service on port 4386. If you look into the Nmap scan results in part 1, it also confirmed the existence of this (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Security Ninja. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/4Dg_7YDTj40/