Decrypting Admin password using dnSpy debug

windows, re, privesc, foothold, dotnet

Overview

An attacker can recover the admin password by decompiling a .NET app obtained from a misconfigured SMB share.

Environment Setup

Steps

>setdir c:\program files\hqk\ldap

Current directory set to ldap
>list

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

 QUERY FILES IN CURRENT DIRECTORY

[1]   HqkLdap.exe
[2]   Ldap.conf

Current Directory: ldap
>runquery 2

Invalid database configuration found. Please contact your system administrator
>showquery 2

Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=
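
A defender-side check for the exposure shown above, as an added example that is not part of the original write-up: it parses Key=Value config files of the kind `showquery 2` printed and reports credential fields whose values decode as base64 blobs sized like block-cipher output. The key-name list, the privileged-account list and the sample file are assumptions constructed for illustration.

```python
import base64
import binascii

# Credential field names and privileged accounts: assumptions for this example.
SECRET_KEYS = {"password", "pwd", "secret"}
PRIVILEGED = {"administrator", "admin"}


def parse_conf(text):
    """Parse Key=Value lines, splitting on the first '=' only so values
    such as 'OU=...,DC=...' and base64 padding survive intact."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:
            conf[key.strip()] = value.strip()
    return conf


def audit_conf(text):
    """Return one finding per non-empty credential field."""
    conf = parse_conf(text)
    privileged = conf.get("User", "").lower() in PRIVILEGED
    findings = []
    for key, value in conf.items():
        if key.lower() not in SECRET_KEYS or not value:
            continue
        try:
            raw_len = len(base64.b64decode(value, validate=True))
        except (binascii.Error, ValueError):
            raw_len = None  # not base64: likely stored as plaintext
        findings.append({
            "key": key,
            "decoded_len": raw_len,
            # Heuristic: a multiple of 16 bytes is consistent with AES output.
            "block_aligned": raw_len is not None and raw_len % 16 == 0,
            "privileged": privileged,
        })
    return findings


# Constructed sample in the same layout as the Ldap.conf shown above.
SAMPLE = (
    "Domain=example.local\nPort=389\nUser=Administrator\n"
    "Password=" + base64.b64encode(bytes(32)).decode() + "\n"
)
if __name__ == "__main__":
    for finding in audit_conf(SAMPLE):
        print(finding)
```

A block-aligned blob for a privileged account means the secret is only as safe as the application binary that decrypts it, so both the file and the binary need restrictive share permissions.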

References