Heist Hack the box

Heist Writeup / Walkthrough Hack the box

Heist Writeup Summery

Heist Write up Hack the box
Heist Write up Hack the box

TL;DR

This writeup is about Heist, it was a windows box that starts off with a webserver we log in as a guest. There we find a config file in which we find encrypted hash’s. from there we get the password. we do a deep port scan find a winrm open we log in and get user.Root is easy firefox is running i extract passwords from it and then we get root.

Walkthrough

Scanning Network

We’ll do a Nmap scan on Heist Ip address is 10.10.10.149

# Nmap 7.70 scan initiated Mon Nov  4 05:48:18 2019 as: nmap -sC -sV -oA nmap/nmap 10.10.10.149
Nmap scan report for 10.10.10.149
Host is up (0.28s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open  msrpc         Microsoft Windows RPC
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 52s, deviation: 0s, median: 52s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-11-04 05:49:56
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

we have 3 ports open in our initial scan 80, 135, 445. let’s start with port 80 and see what is running.

Heist hack the box port 80
Heist hack the box port 80

I login in as a guest at the bottom. we come to two people who are talking and the customer is probably asking to make him an account on dc.

Heist hack the box port 80
Heist hack the box port 80

there is an attachment attached to hazards issue so i opened that attachment and in there i found a file with hashes.

Heist hack the box port 80
Heist hack the box port 80

we have three usernames here rout3r, admin and secret. let’s crack these hashes.

cisco cracked hash
cisco cracked hash
cisco cracked hash
cisco cracked hash

I used http://www.ifm.net.nz/cookbooks/passwordcracker.html this password cracker for cracking the type 7 and type 5 hashes. Third hash didn’t crack from this cracker for that we’ll use hashcat.

Hashcat cracking heist creds
Hashcat cracking heist creds

The next step is trying to login. I tried to login to the web portal but hadn’t had any luck. When i was absolutely stuck I did a Full Port scan with Nmap.

# Nmap 7.70 scan initiated Tue Nov  5 01:23:54 2019 as: nmap -p- -oA nmap/Allports -vvv --max-retries 0 10.10.10.149
Warning: 10.10.10.149 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.149
Host is up, received echo-reply ttl 127 (0.40s latency).
Scanned at 2019-11-05 01:23:54 EST for 311s
Not shown: 65530 filtered ports
Reason: 65530 no-responses
PORT      STATE SERVICE      REASON
80/tcp    open  http         syn-ack ttl 127
135/tcp   open  msrpc        syn-ack ttl 127
445/tcp   open  microsoft-ds syn-ack ttl 127
5985/tcp  open  wsman        syn-ack ttl 127
49668/tcp open  unknown      syn-ack ttl 127

Read data files from: /usr/bin/../share/nmap
# Nmap done at Tue Nov  5 01:29:05 2019 -- 1 IP address (1 host up) scanned in 310.45 seconds

We found more port’s port 5958, 49668 found winrm open i tried to login to the wsman service. we try to login with our credentials but we fail to log so we try to find more usernames. I am going to use a tool in impaket library called lookupsid.py to get all the username’s on Heist.

Heist User sid
Heist User sid

we got a lot of usernames from the heist machine. I tried to login with evil winrm with the credentials we found earlier and we get a successful login with creds chase:Q4)sJu\Y8qz*A3?d . The tool i used to login is evil-winrm.

evil winrm user
evil winrm user

Root

Now we enumerate heist. I checked the running processes and found that firefox was running on the machine. I thought maybe i can extract passwords from firefox.

process's on heist
the process’s on heist

I used this tool called Procdump.exe to extract the process dump of firefox to see if i can get the passwords from the process dump. the tool can be found here https://docs.microsoft.com/en-us/sysinternals/downloads/procdump transferred the tool to heist with upload utility of evil-winrm.

accepting rights of procdump
accepting rights of procdump

after accepting terms of procdump we run it on firefox.

firefox memory dump
firefox memory dump

3048 is the process id of firefox running on the machine. We found that out using ps command earlier and then we download firefox dump on our machine using evil-winrm download utility.

Download dump on to our machine
Download dump on to our machine

after downloading the dump we do strings on the dump and grep for passwords. We Got Administrator’s password now let’s try to login see if it is the right password.

got root
got root

we indeed got root on the system we were able to login as Administrator on the machine so that was heist writeup.

root heist
root heist

Take a look at other my other ctf solves here

Posts created 8

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts

Begin typing your search term above and press enter to search. Press ESC to cancel.

Back To Top