Nest
Gaining Access
Nmap scan:

Only SMB is open it appears. Port 4386 is for a service called HQK, which I could not do much with at this point.
SMB Shares
enum4linux
reveals quite a few shares that are open:

The Users
one had the most information and was the only one accessible, so I connected and recursively downloaded all possible files:

Within the files downloaded, we can find a Welcome Email.txt
file.

We can then check the permission of shares again with these credentials using smbmap
.

Now we could read the Data
share, so I went in and recursively downloaded all files:

Within the files downloaded, the RU_config.xml
file contained this encrypted password for a user on the machine:

Also, within the contents of that file, was a .NET VB project files.
Password Decryption
What I did was port all the files over to a Windows VM and then compiled it. Afterwards, I opened it up in DnSpy to see how the binary works:

So the binary uses the RU_config.xml
file and decrypts the password. We can set a breakpoint at that line highlighted and then view the variable contents to see the password after clicking 'Step Over' once. This reveals the password of xRxRxPANCAK3SxRxRx
.
C.Smith Creds
With these credentials, I can access the directory of the user through SMB, but I did not manage to get a shell. Doesn't really matter because we can still grab the user flag. Within the user's directory there some intresting files I downloaded:

The Debug Mode Password.txt
was empty for some reason, and I found that weird. As such, I used allinfo
on SMB to view whether there were alternate data streams present for the file:

This confirms the presence of the alternate data stream, and we can use cat
to extract the information:

Cool, now we have the HQK password.
HQK
Now that we have credentials, we can connect to the HQK port via telnet
and enter DEBUG mode.

With this, I was able to extract the administrator hash.

Within this, we also can find another binary being used:

Similar to the previous time, we can load the binary in dnSpy and set a breakpoint to view the password. We would need to use all 3 files, and create an ldap.conf
file that is passed in as a parameter to the main function. Then, we can view the contents of variables to see the password.

Afterwards, we would have full access to the C Drive:
