Hack The Box Heist Walkthrough – 10.10.10.149

Hack The Box Heist Walkthrough

Heist is a easy windows box in the Hack The Box CTF series.

As usual I added 10.10.10.149 to etc/hosts as heist.htb.

INITIAL ENUMERATION

I started with nmap port-scan using nmap -v -sV -sC -oN nmap.scan heist.htb command.

The NMAP result was as below:

NMAP revelead a couple of ports open, so the SMB (445) and IIS (80) are interesting here. Since the machine has SMB v2 installed, I’m not looking at it now, so I moved forward to look into webserver for enumeration.

Looking at the default webpage I found a website hosted on IIS, the webpage is a login page seems to be a login page to report issues. There is an option to login as guest which lists an open issue related to CISCO router with an attachment.

The attachment is just a txt file that contains running configuration of a cisco IOS with admin and a user -rout3r’s encrypted passwords.

It is very easy to decrypt CISCO 7 passwords these days, I used an online CISCO password decryptor to decrypt the encrypted password from the txt file in the attachment. But, we have a problem here, the type 5 password isn’t easy to decrypt, I had to use hashcat for this purpose. Hashcat decrypted the password in a few minutes and the password is stealth1agent

As I now have all the passwords obtained, let me see where I can use it. For the users, I tried “rout3r” and “admin”, but those didn’t work, then I realized there was a user called “hazard” in the “issues” page. Now I’m going to try the user “hazard” against the SMB login. However, I logged in successfully, but I wasn’t able to list the shares, which my user hazard has no privilege to access.

I need to find more users in the box, I understood that, I need to use impaket for this purpose. Impacket has a script called lookupsid.py (https://github.com/SecureAuthCorp/impacket/blob/master/examples/lookupsid.py) that lists the users of the Windows machine if you have basic authentication user.

The script successfully listed me a numbr support users:

Since I wasn’t able to do any further enum, I decided to use EvilWinRM (a Windows Remote Manager exploit) to see if I can get a user shell. For this, I need to make sure the port 5985 is open and running. The port 5985 is by default used to Windows RM.

Ok, the port is open, now lets try the users I have enumerated and the password I found after the decryption of the Cisco IOS configuration.

After trying couple of users, the user Chase was able to get the user shell on the box Heist.

Getting User.txt

Here I got the user.txt

PRIVILEGE ESCALATION

There are couple of ways to privesc in this box, I’m going with the intended one that is obtaining the password stored in the Firefox user profile.

So, first I will have to change the directory to the C:\Users\Chase\Appdata\Roaming\Mozilla\Firefox\Profiles\77nc64t5.default\sessionstore-backups

Using this PowerShell command:

After few initial fails, I have the password for admin:

The next step, I will use the password psexec script from Impacket and I get the Root.txt

Click to rate this post!
[Total: 0 Average: 0]

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523

View all posts by Navin →
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
Sorry, that action is blocked.
0
Would love your thoughts, please comment.x
()
x
%d bloggers like this: