This was my first Hack The Box challenge and I've been waiting for so long to post this. It took a lot of work and a lot of trying to work through problems I created for myself, but in the end it was a super satisfying box to own and a great first experience.
Lets start with checking the open ports on the machine:
We see only SMB is open so we should check for shares now:
From this, we are able to determine that there is an ADMIN$, C$, Data, Secure$, and Users share. We need to log into one of these shares to poke around but we don't have any credentials yet. Let's see if it takes an anonymous login. Access is denied on the ADMIN$ share and on the C$ share, but we are able to get in on the Data share!
We'll be using the "cd" and "dir" commands to look around. From the TLD we can see there are a bunch of sub directories of interest. IT, Reports, and Production look particularly interesting. Unfortunately, we can't get into any of them, except Shared.
Templates looks interesting to me so lets take a dive into there and see what we find... HR information! Always valuable and always a great place to look for information, lets see what we got in there.
A welcome email might have some default credentials we can try, lets pull it down. It looks like we've gotten everything else we can from this directory so exit and check out whats on the other shares. We can get onto Secure$ but can't run anything on there yet.
Hopping onto the Users share, though, we see a list of some user accounts!
Unfortunately, we can't access anything on this share either. Lets hop back off and check whats in the HR letter.
This looks very promising, we got the credentials for TempUser! Using these new found credentials, we can get into only the Data share:
We can see a few folders within this share, but only two of them have sub folders:
There's going to be a lot of information in the IT folder, so lets recursively download it all:
We can exit out of SMB for now and take a look at what we've found:
Working our way through this, RU_Config is the first file we'll check:
This is very good! We've got an encrypted password for the user c.smith! Keep in mind, everything we'll need to get this password should be on this machine, so using online encryption crackers shouldn't work. Continuing to work our way back up, lets now look at the NotepadPlusPlus files:
We can see right at the bottom of the output, there's a reference to a user named carl in the Secure$ share. Let's see if we can get on with his account:
We're able to get in without supplying a password!
But unfortunately, it looks like access is denied to reading all the files on here.
Let's try this user against the Secure$ share:
We're able to get in but everything is still denied. Maybe our TempUser can navigate to the sub folder we need:
This is promising. We've got a bunch of VB project information. Again, let's recursively download all of this to save ourselves a bit of time:
There is a LOT of stuff in here. It seems we've got a project for something called RUScanner, maybe it's related to our RU_Config.xml file we got earlier? Let's take a look:
Inside the RUScanner folder, we've got a few files for a VB project. None of them have much of note, except for the Utils.vb project:
It looks like this is a decrypt function for an encrypted string. We
should be able to feed our string found in RU_Config.xml into this and get a password back. For this we'll need a compiler, and since you can't compile VB on Linux we'll use an online one.
We have to change one thing, The AES encryption method it wants to use, AesCryptoServiceProvider, won't work on a web based compiler, so let's change it to RijndaelManaged. The reason being is that AES is based on Rjindael, just restricted to 128 bits. By changing to Rjindael, we should get the same expected output.
After compiling the code with the encrypted string, it looks like we've got a password back! Next we'll try and log into c.smith with it and see if we can finally get the user flag.