Heist Writeup Summary
![Heist Write up Hack the box](http://i0.wp.com/sheerazali.com/wp-content/uploads/2019/11/1-3.png?resize=538%2C341&ssl=1)
TL;DR
This writeup covers Heist, a Windows box. It starts with a web server where we log in as a guest and find a config file containing encrypted password hashes; cracking those gives us a password. A full port scan then reveals WinRM, which we log in to for user. Root is easy: Firefox is running on the box, so I extract the Administrator password from its process memory and log in as Administrator.
Walkthrough
Scanning Network
We'll start with an Nmap scan of Heist. Its IP address is 10.10.10.149.
# Nmap 7.70 scan initiated Mon Nov 4 05:48:18 2019 as: nmap -sC -sV -oA nmap/nmap 10.10.10.149
Nmap scan report for 10.10.10.149
Host is up (0.28s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 52s, deviation: 0s, median: 52s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-11-04 05:49:56
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
We have three ports open in our initial scan: 80, 135 and 445. Let's start with port 80 and see what is running.
![Heist hack the box port 80](http://i0.wp.com/sheerazali.com/wp-content/uploads/2019/11/10.png?resize=770%2C489&ssl=1)
I log in as a guest using the link at the bottom. We land on a conversation between two people; the customer is apparently asking for an account to be created on the DC.
![Heist hack the box port 80](http://i0.wp.com/sheerazali.com/wp-content/uploads/2019/11/11-1024x450.png?resize=770%2C338&ssl=1)
There is an attachment on Hazard's issue, so I opened it and found a config file containing hashes.
![Heist hack the box port 80](http://i0.wp.com/sheerazali.com/wp-content/uploads/2019/11/12.png?resize=647%2C363&ssl=1)
We have three usernames here: rout3r, admin and secret. Let's crack these hashes.
![cisco cracked hash](http://i0.wp.com/sheerazali.com/wp-content/uploads/2019/11/13.png?resize=770%2C349&ssl=1)
![cisco cracked hash](http://i0.wp.com/sheerazali.com/wp-content/uploads/2019/11/14.png?resize=770%2C328&ssl=1)
I used the password cracker at http://www.ifm.net.nz/cookbooks/passwordcracker.html for the type 7 and type 5 hashes. The third hash didn't crack there, so for that we'll use hashcat.
![Hashcat cracking heist creds](http://i0.wp.com/sheerazali.com/wp-content/uploads/2019/11/9-1024x51.png?resize=770%2C37&ssl=1)
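The reason the online tool handles the type 7 values instantly is that Cisco type 7 is not a hash at all but a fixed-key XOR, while type 5 is md5crypt and has to be cracked offline. The following Python is an added example, not code from the original post: it parses the password lines of an IOS-style config, decodes type 7 values directly and flags type 5 values for hashcat. The config text, the passwords in it and the `$1$` placeholder are constructed for the example; the real file from the box is only shown as a screenshot above.

```python
import re

# Added example (not from the original writeup). Parses the password lines
# of a Cisco IOS-style config, decodes type 7 values directly and flags type 5
# values for offline cracking. The config text below is constructed for the
# example; the real file from the box is only shown as an image in the post.

# Fixed key IOS uses for type 7 obfuscation (publicly documented). Because the
# key is constant and the operation is a plain XOR, type 7 hides nothing.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches "username <u> [privilege N] password|secret <type> <value>"
# and "enable password|secret <type> <value>".
LINE_RE = re.compile(
    r"^\s*(?:username\s+(?P<user>\S+)\s+(?:privilege\s+\d+\s+)?|(?P<enable>enable)\s+)"
    r"(?:password|secret)\s+(?P<type>\d)\s+(?P<value>\S+)\s*$"
)


def decode_type7(encoded: str) -> str:
    """Recover plaintext from a type 7 string: 2-digit seed + one hex byte per char."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(body))


def encode_type7(plaintext: str, seed: int = 9) -> str:
    """Inverse of decode_type7; included to show the scheme is symmetric."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0..15")
    pairs = (f"{ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}" for i, c in enumerate(plaintext))
    return f"{seed:02d}" + "".join(pairs)


def parse_config(config: str) -> list[dict]:
    """Return one record per username/enable password line."""
    records = []
    for line in config.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({
                "account": m.group("user") or m.group("enable"),
                "type": int(m.group("type")),
                "value": m.group("value"),
            })
    return records


def triage(records: list[dict]) -> dict:
    """Map each account to its decoded password or to the required next step."""
    result = {}
    for r in records:
        if r["type"] == 7:
            result[r["account"]] = decode_type7(r["value"])
        elif r["type"] == 5:
            result[r["account"]] = "md5crypt: crack offline (hashcat -m 500)"
        else:
            result[r["account"]] = f"type {r['type']}: not handled here"
    return result


# Constructed sample config. The type 7 values are produced on the fly so they
# are genuine encodings; the $1$ value is a made-up placeholder, not a real hash.
SAMPLE_CONFIG = f"""
hostname branch-rtr
enable secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
username rout3r password 7 {encode_type7('lab-only', seed=4)}
username admin privilege 15 password 7 {encode_type7('second-one', seed=12)}
"""

if __name__ == "__main__":
    for account, outcome in triage(parse_config(SAMPLE_CONFIG)).items():
        print(f"{account:8s} -> {outcome}")
```

The practical takeaway for anyone reviewing a config dump like the one in the attachment: any `password 7` line should be treated as plaintext, and `service password-encryption` alone does not protect router credentials; only `secret` lines (type 5 and newer) require actual cracking effort.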
The next step is trying to log in. I tried the web portal but had no luck. When I was absolutely stuck I did a full port scan with Nmap.
# Nmap 7.70 scan initiated Tue Nov 5 01:23:54 2019 as: nmap -p- -oA nmap/Allports -vvv --max-retries 0 10.10.10.149
Warning: 10.10.10.149 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.149
Host is up, received echo-reply ttl 127 (0.40s latency).
Scanned at 2019-11-05 01:23:54 EST for 311s
Not shown: 65530 filtered ports
Reason: 65530 no-responses
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
49668/tcp open unknown syn-ack ttl 127
Read data files from: /usr/bin/../share/nmap
# Nmap done at Tue Nov 5 01:29:05 2019 -- 1 IP address (1 host up) scanned in 310.45 seconds
We found two more ports, 5985 and 49668. Port 5985 is WinRM, so I tried to log in to the WSMan service with the credentials we have, but that failed. So we try to find more usernames: I am going to use lookupsid.py from the Impacket library to get all the usernames on Heist.
![Heist User sid](http://i0.wp.com/sheerazali.com/wp-content/uploads/2019/11/8-1.png?resize=770%2C270&ssl=1)
We got a lot of usernames from the Heist machine. I tried them with evil-winrm and the passwords we cracked earlier, and we get a successful login with the creds chase:Q4)sJu\Y8qz*A3?d . The tool I used to log in is evil-winrm.
![evil winrm user](http://i0.wp.com/sheerazali.com/wp-content/uploads/2019/11/33.png?resize=770%2C126&ssl=1)
Root
Now we enumerate Heist. I checked the running processes and found that Firefox was running on the machine. I thought maybe I could extract passwords from Firefox.
![process's on heist](http://i0.wp.com/sheerazali.com/wp-content/uploads/2019/11/55.png?resize=503%2C517&ssl=1)
I used Procdump.exe to take a process dump of Firefox and see if I could get the passwords from it. The tool can be found at https://docs.microsoft.com/en-us/sysinternals/downloads/procdump ; I transferred it to Heist with the upload utility of evil-winrm.
![accepting rights of procdump](http://i0.wp.com/sheerazali.com/wp-content/uploads/2019/11/4-1.png?resize=708%2C299&ssl=1)
After accepting the ProcDump license terms we run it against Firefox.
![firefox memory dump](http://i0.wp.com/sheerazali.com/wp-content/uploads/2019/11/3.png?resize=670%2C253&ssl=1)
3048 is the process ID of Firefox running on the machine; we found that out using the ps command earlier. Then we download the Firefox dump to our machine using the evil-winrm download utility.
![Download dump on to our machine](http://i0.wp.com/sheerazali.com/wp-content/uploads/2019/11/6..png?resize=722%2C190&ssl=1)
After downloading the dump we run strings on it and grep for passwords. We got the Administrator's password; now let's try to log in and see if it is the right one.
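What `strings | grep` is doing here is worth seeing in code: anything a browser received as a form field or command-line argument sits in its memory as plain text, in ASCII or UTF-16LE, until the process exits, so a dump of that process is enough to recover it. The following Python is an added example, not code from the original post: it reimplements the `strings` run-length extraction (ASCII and the `-el` UTF-16LE variant) and the password grep over a constructed dump fragment. The marker names in `CRED_RE`, the sample command line and the sample secrets are assumptions for the example; the real Firefox dump is not reproduced here.

```python
import re

# Added example (not from the original writeup). Reimplements the
# `strings | grep` step from the post: pull printable runs out of a process
# dump and keep only the ones that look like credentials. The dump below is
# a constructed byte string; the real Firefox dump is not reproduced here.

MIN_LEN = 4  # same default run length the GNU `strings` tool uses

# Markers worth grepping for; the post only says "grep for passwords",
# so the specific keys here are assumptions.
CRED_RE = re.compile(
    r"(?i)(?:login_password|password|passwd|pwd)\s*[=:]\s*([^&\s\"']+)"
)


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """ASCII equivalent of `strings`: maximal runs of printable bytes."""
    runs = re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return [m.group().decode("ascii") for m in runs]


def extract_utf16_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """`strings -el` equivalent: Windows process memory holds many UTF-16LE strings."""
    runs = re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [m.group().decode("utf-16-le") for m in runs]


def find_credentials(strings: list[str]) -> list[tuple[str, str]]:
    """Return (context string, secret) pairs for strings matching a password marker."""
    hits = []
    for s in strings:
        for m in CRED_RE.finditer(s):
            hits.append((s, m.group(1)))
    return hits


def scan_dump(data: bytes) -> list[tuple[str, str]]:
    """Full pipeline over both ASCII and UTF-16LE strings in the dump."""
    return find_credentials(extract_strings(data) + extract_utf16_strings(data))


# Constructed dump fragment: binary noise around an ASCII command line and a
# UTF-16LE form field, mimicking what a browser process leaves in memory.
SAMPLE_DUMP = (
    b"\x00\x01\x7f\xff"
    b"firefox.exe http://localhost/login.php?login_username=user@example.test"
    b"&login_password=ExamplePass123&login=\x00\x00"
    b"\x90\x90\x90"
    + "pwd=UnicodeSecret!".encode("utf-16-le")
    + b"\x00\x00\xde\xad"
)

if __name__ == "__main__":
    for context, secret in scan_dump(SAMPLE_DUMP):
        print(f"{secret!r:20s} from: {context[:60]}")
```

Two points the plain `strings` run on the page glosses over: GNU `strings` only emits ASCII runs by default, so a UTF-16LE field (common in Windows processes) is missed unless you also pass `-el`; and the grep should anchor on a `key=` or `key:` shape rather than the bare word, otherwise the output is swamped by JavaScript and HTML that merely mention "password".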
![got root](http://i0.wp.com/sheerazali.com/wp-content/uploads/2019/11/7-1024x209.png?resize=770%2C157&ssl=1)
We indeed got root on the system: we were able to log in as Administrator on the machine. That was the Heist writeup.
![root heist](http://i0.wp.com/sheerazali.com/wp-content/uploads/2019/11/17.png?resize=578%2C102&ssl=1)