HQK Reporting Service V1.2
Nmap wasn’t able to identify exactly what type of service is running on the target port 4386.
It returned the string “Reporting Service V1.2”.
┌──(kali㉿kali)-[~/archive/htb/labs/nest]
└─$ nc $IP 4386
HQK Reporting Service V1.2
>Help
ls
pwd
id
When connected via nc, it prints out “HQK Reporting Service V1.2” and then just hangs and nothing happens.
I couldn’t find any information about it online either.
┌──(kali㉿kali)-[~/…/htb/labs/nest/c.smith]
└─$ telnet $IP 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.
HQK Reporting Service V1.2
>HELP
This service allows users to run queries against databases using the legacy HQK format
--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
But it works if I connect to it via Telnet. It seems to be a custom application.
It says that the service runs queries against DBs in the legacy HQK format. Searching for the legacy HQK format shows no relevant results.
At least, I see a list of 5 available commands to interact with.
>HELP LIST
LIST
Lists the available queries in the current directory, along with an ID number for each query. This number can be used with the RUNQUERY or SHOWQUERY commands.
To change the current directory use the SETDIR command
>LIST
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[DIR] COMPARISONS
[1] Invoices (Ordered By Customer)
[2] Products Sold (Ordered By Customer)
[3] Products Sold In Last 30 Days
current directory: ALL QUERIES
Providing the LIST command shows 3 pre-defined queries.
It also points out that the current directory is set to ALL QUERIES and I can change it with the SETDIR command.
This was shown in one of the files during the SMB enumeration.
>HELP RUNQUERY
RUNQUERY <Query_ID>
Runs the specified database query and displays the results. Use the LIST command to view available queries, making note of the ID number next to the query you want to run, then use the RUNQUERY command with that ID number.
examples:
RUNQUERY 7 Runs the query with ID number 7
>RUNQUERY 1
Invalid database configuration found. Please contact your system administrator
>RUNQUERY 2
Invalid database configuration found. Please contact your system administrator
>RUNQUERY 3
Invalid database configuration found. Please contact your system administrator
The RUNQUERY command doesn’t seem to be working.
Based on the error, I suspect that the DB wasn’t configured correctly.
>SHOWQUERY 1
Debug mode must be enabled to run this command
I tried the SHOWQUERY command to see it, but it requires debug mode to be enabled.
Enabling Debug Mode
>Debug WBQ201953D8w
Debug mode enabled. Use the HELP command to view additional commands that are now available
Debug mode requires a password, which I had enumerated from the Debug\ Mode\ Password.txt file. The file name said it all.
This appears to have unlocked some additional commands.
>HELP
This service allows users to run queries against databases using the legacy HQK format
--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>
3 additional commands are unlocked via the debug mode:
- SERVICE
- SESSION
- SHOWQUERY
>HELP SERVICE
SERVICE
Shows information about the HQK reporting service that is serving this client.
>SERVICE
--- HQK REPORTING SERVER INFO ---
Version: 1.2.0.0
Server Hostname: HTB-NEST
Server Process: "C:\Program Files\HQK\HqkSvc.exe"
Server Running As: Service_HQK
Initial Query Directory: C:\Program Files\HQK\ALL QUERIES
The SERVICE command revealed a number of details:
- The executable is located at C:\Program Files\HQK\HqkSvc.exe
- It’s running as Service_HQK
- C:\Program Files\HQK\ALL QUERIES is the initial query directory.
>HELP SESSION
SESSION
Shows information about the current network session established with the HQK reporting service
>SESSION
--- Session Information ---
Session ID: a77ae65f-6d8c-4f9c-b671-a135f7146676
Debug: True
Started At: 1/13/2023 12:03:27 AM
Server Endpoint: 10.10.10.178:4386
Client Endpoint: 10.10.14.6:56156
Current Query Directory: C:\Program Files\HQK\ALL QUERIES
The SESSION command just prints out some information about the current session.
This command doesn’t seem all that helpful.
>SHOWQUERY 1
TITLE=Invoices (Ordered By Customer)
QUERY_MODE=VIEW
QUERY_TYPE=INVOICE
SORTBY=CUSTOMER
DATERANGE=ALL
>SHOWQUERY 2
TITLE=Products Sold (Ordered By Customer)
QUERY_MODE=VIEW
QUERY_TYPE=PRODUCT
SORTBY=CUSTOMER
DATERANGE=ALL
>SHOWQUERY 3
TITLE=Products Sold In Last 30 Days
QUERY_MODE=VIEW
QUERY_TYPE=PRODUCT
DATERANGE=LAST30
The queries in the default directory don’t seem all that interesting.
>SETDIR ..
Current directory set to HQK
>LIST
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[DIR] ALL QUERIES
[DIR] LDAP
[DIR] Logs
[1] HqkSvc.exe
[2] HqkSvc.InstallState
[3] HQK_Config.xml
Current Directory: HQK
I was able to change the working directory to the parent directory, which is HQK.
I see a configuration file.
>SHOWQUERY 3
<?xml version="1.0"?>
<ServiceSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Port>4386</Port>
<DebugPassword>WBQ201953D8w</DebugPassword>
<QueryDirectory>C:\Program Files\HQK\ALL QUERIES</QueryDirectory>
</ServiceSettings>
I decided to check the file with the SHOWQUERY command, and it printed out the content.
This suggests to me that the commands in this program are likely using the OS commands type or Get-Content, and dir or Get-ChildItem.
>SETDIR LDAP
Current directory set to LDAP
>LIST
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[1] HqkLdap.exe
[2] Ldap.conf
Current Directory: LDAP
I wanted to check the directory named LDAP, which contains a binary and a configuration file.
I am assuming that this must have been set for Active Directory integration based on a file name that I enumerated earlier.
>SHOWQUERY Ldap.conf
Error: Input string was not in a correct format.
>SHOWQUERY 2
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=
Checking the Ldap.conf file revealed the administrator’s credential.
The password may be encrypted, as it was for the C.Smith user.
PS C:\Users\User\source\repos\crypto\bin\Release\netcoreapp3.1> .\crypto.exe
Please enter 1 to Encrypt or 2 to Decrypt:
2
Please enter the string:
yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=
Unhandled exception. System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.
at Internal.Cryptography.UniversalCryptoDecryptor.DepadBlock(Byte[] block, Int32 offset, Int32 count)
at Internal.Cryptography.UniversalCryptoDecryptor.UncheckedTransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)
at Internal.Cryptography.UniversalCryptoTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)
at System.Security.Cryptography.CryptoStream.ReadAsyncCore(Byte[] buffer, Int32 offset, Int32 count, CancellationToken cancellationToken, Boolean useAsync)
at System.Security.Cryptography.CryptoStream.Read(Byte[] buffer, Int32 offset, Int32 count)
at Utils.Decrypt(String cipherText, String passPhrase, String saltValue, Int32 passwordIterations, String initVector, Int32 keySize) in C:\Users\User\source\repos\crypto\Program.cs:line 82
at Utils.DecryptString(String encryptedString) in C:\Users\tacticalgator\source\repos\crypto\Program.cs:line 21
at Program.Main(String[] args) in C:\Users\User\source\repos\crypto\Program.cs:line 106
Validating the password string against my program fails. This tells me that the password was not encrypted the same way.
┌──(kali㉿kali)-[~/archive/htb/labs/nest]
└─$ echo 'yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4' | base64 -d
�!*�K�@�^.��A�j���)׆�H�U�base64: invalid input
Nor is it in the base64 format.
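The Password value printed from Ldap.conf ends in "=", and that pad character decides whether a strict decoder accepts the string. The check below is an added example (not part of the original write-up; triage_blob and verdict are hypothetical helper names) that decodes the value exactly as stored and reports the decoded length, 16-byte block alignment and how much of it is printable, which is what separates base64-wrapped binary data from base64-encoded text.

```python
import base64
import binascii

# Password value exactly as it appears in the Ldap.conf output on this page.
LDAP_CONF_PASSWORD = "yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4="

def triage_blob(value):
    """Classify an opaque config value: strict base64 or not, and what it decodes to."""
    report = {"strict_base64": False, "length": None,
              "block16": None, "printable_ratio": None}
    try:
        # validate=True rejects non-alphabet characters; a missing '=' pad also raises.
        raw = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        report["error"] = str(exc)
        return report
    printable = sum(1 for b in raw if 0x20 <= b <= 0x7E)
    report.update(
        strict_base64=True,
        length=len(raw),
        # A whole number of 16-byte blocks is what a 128-bit block cipher emits.
        block16=len(raw) > 0 and len(raw) % 16 == 0,
        printable_ratio=printable / len(raw) if raw else 0.0,
    )
    return report

def verdict(report):
    """Turn a triage report into a one-line reading."""
    if not report["strict_base64"]:
        return "not valid base64 as given (check for a dropped '=' pad)"
    if report["printable_ratio"] > 0.9:
        return "base64 of readable text"
    if report["block16"]:
        return "base64 of binary data, length is a multiple of 16 bytes"
    return "base64 of binary data"

if __name__ == "__main__":
    for label, value in (("as stored", LDAP_CONF_PASSWORD),
                         ("pad removed", LDAP_CONF_PASSWORD.rstrip("="))):
        print(f"{label:12} -> {verdict(triage_blob(value))}")
```

A block-aligned binary payload fits the "Padding is invalid and cannot be removed" exception above, which is raised when a block cipher's final block does not unpad under the supplied key and parameters.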
>SETDIR ..
Current directory set to C:
>DIR
Unrecognised command
>LIST
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[DIR] $Recycle.Bin
[DIR] Boot
[DIR] Documents and Settings
[DIR] PerfLogs
[DIR] Program Files
[DIR] Program Files (x86)
[DIR] ProgramData
[DIR] Recovery
[DIR] Shares
[DIR] System Volume Information
[DIR] Users
[DIR] Windows
[1] bootmgr
[2] BOOTSECT.BAK
[3] pagefile.sys
[4] restartsvc.bat
Current Directory: C:
Directory traversal to the system root
>SHOWQUERY 2
File over size limit. Are you sure this is a HQK query file?
The SHOWQUERY command appears to have a limited output size.
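The walk from ALL QUERIES up to HQK and then to C: works because SETDIR accepts any path the service account can reach. The added example below (not code from the HQK service or from the original write-up) sketches the containment check a SETDIR handler needs, using Python's ntpath module for Windows path rules; resolve_setdir, replay and PathEscape are hypothetical names.

```python
import ntpath

# Initial query directory, taken from the SERVICE output on this page.
QUERY_ROOT = r"C:\Program Files\HQK\ALL QUERIES"

class PathEscape(Exception):
    """SETDIR argument resolves outside the query root (hypothetical name)."""

def _canon(path):
    # Collapse "." and ".." and fold case/separators as Windows compares paths.
    return ntpath.normcase(ntpath.normpath(path))

def resolve_setdir(current, arg, root=QUERY_ROOT):
    """Return the new directory for `SETDIR arg`, or raise PathEscape."""
    # join() drops `current` when arg is rooted or names a drive / UNC share.
    candidate = ntpath.normpath(ntpath.join(current, arg))
    root_c, cand_c = _canon(root), _canon(candidate)
    # Compare drives first: commonpath() raises ValueError on mixed drives.
    if ntpath.splitdrive(cand_c)[0] != ntpath.splitdrive(root_c)[0]:
        raise PathEscape(candidate)
    # Component-wise comparison, so "ALL QUERIES2" is not a prefix match.
    if ntpath.commonpath([root_c, cand_c]) != root_c:
        raise PathEscape(candidate)
    return candidate

def replay(args, root=QUERY_ROOT):
    """Replay a sequence of SETDIR arguments; return (arg, result) pairs."""
    cwd, out = root, []
    for arg in args:
        try:
            cwd = resolve_setdir(cwd, arg, root)
            out.append((arg, cwd))
        except PathEscape:
            out.append((arg, "DENIED"))  # cwd is left unchanged on refusal
    return out

if __name__ == "__main__":
    # Constructed sequence mirroring the SETDIR arguments used in this session.
    session = ["COMPARISONS", "..", "..", r"..\LDAP", r"C:\Users", "comparisons"]
    for arg, result in replay(session):
        print(f"SETDIR {arg!r:16} -> {result}")
```

This is a lexical check only and does not follow junctions or symlinks. The same resolved-path test has to gate the file lookups behind SHOWQUERY and RUNQUERY, not just SETDIR.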
>SETDIR Users
Current directory set to Users
>LIST
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[DIR] Administrator
[DIR] All Users
[DIR] C.Smith
[DIR] Default
[DIR] Default User
[DIR] Public
[DIR] Service_HQK
[DIR] TempUser
[1] desktop.ini
Current Directory: Users
>SETDIR administrator
Error: Access to the path 'C:\Users\administrator\' is denied.
I could not access C:\Users\administrator\
The error response suggests that the program is not being run as SYSTEM.
I went over pretty much everywhere that I had access to, but was unable to find any entry point.
HqkLdap.exe
>LIST
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[1] HqkLdap.exe
[2] Ldap.conf
Current Directory: LDAP
I kept falling back to C:\Program Files\HQK\LDAP. There lies the executable for the planned LDAP service.
Then I remembered downloading the HqkLdap.exe file from \\$IP\\Users\C.Smith\HQK Reporting\AD Integration Module\
┌──(kali㉿kali)-[~/…/htb/labs/nest/c.smith]
└─$ file HqkLdap.exe
HqkLdap.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
The binary is a PE32 executable, .NET compiled.
I will have to open up the binary.