Nest HTB

Updated:November 3, 2021 pm


This box was easy at first because of unintended giving you admin access. More here

The intended way was not that easy. First you have to get some credentials on smb. Then use these credentials to grab some .config files
from different programs. After on notepad cofig file we see previously opended files paths. One path I cannot access but I can go straight to the folder and I can indeed access that.
From there I download a folder with a vb folder. Now I go into windows and run that project and use a previously found ru config file get a password back.
I use that password to access smbshare as another user. Inside that user folder I grab all the files(One file has ads).
I use the password found there to enter another service on port 4836 and then enter debug to run another command called showquery. With this command I see another password file which this time belongs to administrator. I re HqkLdap.exe using dotPeek and get some values needed to decrypt that password. After I use psexec and gain admin access.

Lessons Learned:

Take every file to your box. Maybe you will need it and you can't find it.
You can see alternative data streams on smbclient using allinfo.

smbclient -L : lists all shares.

smbclient \\\\IP\\sharename : enter the share like you are use cmd :D