Nest

@VbScrub Very nice box, it really teaches a lot !
For the final part I got best results using “monodis”

@TazWake said:

Make 100% sure you can’t access it. You might be surprised.

Wow, that was unexpected… thanks, I was really stuck on this with no ideas. Indeed, one shouldn’t rely too much on tools.

Tried to modify the code in an online editor, but getting an error:
‘AesCryptoServiceProvider’ is not declared. It may be inaccessible due to its protection level

any hints to solve it?

thanks a lot.

Rooted. Thank you @VbScrub for this great box.
I learned a Spy tool can help me to decompile the file.

Excellent box, thanks @VbScrub. I’m curious, for those who remained in Linux only, what tools you used to perform both the tasks for user and root access.

Working on root, never done this kind of investigating before. I found the .exe, xml and empty file, I found the high numbered port that we can telnet to. Which file do I decompile and what’s the recommended tool for this? Anyone have a link or resource I could study from? Do we do all this from Linux, the victim smb shell, or a Windows host? How do we extract stuff from the empty file? I’ve tried strings but I don’t think I got anything useful.

@meowzilla said:

Tried to modify the code in an online editor, but getting an error:
‘AesCryptoServiceProvider’ is not declared. It may be inaccessible due to its protection level

any hints to solve it?

thanks a lot.

I just tried it on Visual Studio. I guess you can replace this by number. But better use Visual Studio.

Gents, I’d appreciate a nudge on admin. I’m struggling to decrypt the secret. I think I know what needs to be done but I don’t have enough knowledge on the tools required to do so. If you’ve rooted this in Linux alone - even better. Otherwise I’m open to ideas. Thanks!

Hint for root:
Colon is more than your friend!

Hello everyone,
I’m new here…
This is my first box. I decided to start here because it was rated easy, but now I find out it is not that easy…
Anyway, I’m pretty much stuck at this point:

  • I found the telnet and shares.
  • I found the default creds for everyone new
  • With those creds I found what seems to be an encrypted or coded password but don’t know what algorithm it used, and john didn’t like it.

I think I went through all the folders I could with the default creds but haven’t found anything to get me to the next step.

And I know how to read “empty” files, but I guess I haven’t found the right one.

Please PM me if you can help.

Thanks

@gu4r15m0 said:

Hello everyone,
I’m new here…
This is my first box. I decided to start here because it was rated easy, but now I find out it is not that easy…

It really isn’t easy. You need to understand quite a few topics to get through this one but it isn’t as hard as some of the other boxes (patents for example).

Anyway, I’m pretty much stuck at this point:

  • I found the telnet and shares.
  • I found the default creds for everyone new
  • With those creds I found what seems to be an encrypted or coded password but don’t know what algorithm it used, and john didn’t like it.

More enumeration is required at this stage.

I think I went through all the folders I could with the default creds but haven’t found anything to get me to the next step.

Chances are you have found it, but overlooked it because it looked like a reference to somewhere you couldn’t access. Try it and you will see you can access it. Then you can get what you need to decode the hash you have.

As far as I can see, you can’t crack it realistically without this information. (Obviously if you have access to a suitably powerful computer and are awesome at crypto you might be able to, but from a CTF point of view, it isn’t “crackable.”)

And I know how to read “empty” files, but I guess I haven’t found the right one.

I don’t think you can find it at this stage. When you read people’s hints and questions try not to let it make you jump ahead in your own attack.

Thanks to the hints from @emmycat and @0xccc I’ve got the password. Managed to disassemble the exe and even got the “encrypted” password now. But I have no clue yet what to do with it.
I noticed that the exe tries to connect with L*** but I don’t know how to use that yet.
Should I try to connect or use those creds with L***? Or is this the wrong path to go?

@TazWake said:

Chances are you have found it, but overlooked it because it looked like a reference to somewhere you couldn’t access. Try it and you will see you can access it. Then you can get what you need to decode the hash you have.

Thanks for the tips,

Totally lost, I think I went through all the shares including the $ ones and folders with the default creds I found, looked for hidden files, etc…

:neutral:

@gu4r15m0 said:

Thanks for the tips,

Totally lost, I think I went through all the shares including the $ ones and folders with the default creds I found, looked for hidden files, etc…

:neutral:

Check all the config files. Read them and see if they give anything useful. Remember some applications keep a note of what they’ve accessed.

@TazWake said:

Check all the config files. Read them and see if they give anything useful. Remember some applications keep a note of what they’ve accessed.

Thanks, I discarded that one before because I attempted to read that file directly without luck.

Got a little further now. I know now that I can use the loot from the “empty” file to dig into the high port. But I don’t know where to go. There are a lot of dirs to browse :dizzy: I also found there another IP and port, but I can’t access it.

And there is still the exe. Should I rather concentrate on understanding the exe?
Any advice? (also per PM)

@theonemcp said:

Got a little further now. I know now that I can use the loot from the “empty” file to dig into the high port. But I don’t know where to go. There are a lot of dirs to browse :dizzy: I also found there another IP and port, but I can’t access it.

And there is still the exe. Should I rather concentrate on understanding the exe?
Any advice? (also per PM)

You don’t need to go browsing very far from where you started. Once you find it, you’ll see how the EXE comes into it.

Need a hint on how to correctly read the “empty” file. Please PM.

@meowzilla said:

Tried to modify the code in an online editor, but getting an error:
‘AesCryptoServiceProvider’ is not declared. It may be inaccessible due to its protection level

any hints to solve it?

thanks a lot.

Hi, I have the same error when I use the online compiler. Have you managed to solve it? Please let me know. Thanks.

@5h1v4 said:

@meowzilla said:

Tried to modify the code in an online editor, but getting an error:
‘AesCryptoServiceProvider’ is not declared. It may be inaccessible due to its protection level

any hints to solve it?

thanks a lot.

Hi, I have the same error when I use the online compiler. Have you managed to solve it? Please let me know. Thanks.

you need to add
the includes
the function decrypt