Heist Writeup Summery

Heist Write up Hack the box

TL;DR

This writeup is about Heist, it was a windows box that starts off with a webserver we log in as a guest. There we find a config file in which we find encrypted hash’s. from there we get the password. we do a deep port scan find a winrm open we log in and get user.Root is easy firefox is running i extract passwords from it and then we get root.

Walkthrough

Scanning Network

We’ll do a Nmap scan on Heist Ip address is 10.10.10.149

# Nmap 7.70 scan initiated Mon Nov 4 05:48:18 2019 as: nmap -sC -sV -oA nmap/nmap 10.10.10.149 Nmap scan report for 10.10.10.149 Host is up (0.28s latency). Not shown: 997 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 | http-title: Support Login Page |_Requested resource was login.php 135/tcp open msrpc Microsoft Windows RPC 445/tcp open microsoft-ds? Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 52s, deviation: 0s, median: 52s | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2019-11-04 05:49:56 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

we have 3 ports open in our initial scan 80, 135, 445. let’s start with port 80 and see what is running.

Heist hack the box port 80

I login in as a guest at the bottom. we come to two people who are talking and the customer is probably asking to make him an account on dc.

Heist hack the box port 80

there is an attachment attached to hazards issue so i opened that attachment and in there i found a file with hashes.

Heist hack the box port 80

we have three usernames here rout3r, admin and secret. let’s crack these hashes.

cisco cracked hash

cisco cracked hash

I used http://www.ifm.net.nz/cookbooks/passwordcracker.html this password cracker for cracking the type 7 and type 5 hashes. Third hash didn’t crack from this cracker for that we’ll use hashcat.

Hashcat cracking heist creds

The next step is trying to login. I tried to login to the web portal but hadn’t had any luck. When i was absolutely stuck I did a Full Port scan with Nmap.

# Nmap 7.70 scan initiated Tue Nov 5 01:23:54 2019 as: nmap -p- -oA nmap/Allports -vvv --max-retries 0 10.10.10.149 Warning: 10.10.10.149 giving up on port because retransmission cap hit (0). Nmap scan report for 10.10.10.149 Host is up, received echo-reply ttl 127 (0.40s latency). Scanned at 2019-11-05 01:23:54 EST for 311s Not shown: 65530 filtered ports Reason: 65530 no-responses PORT STATE SERVICE REASON 80/tcp open http syn-ack ttl 127 135/tcp open msrpc syn-ack ttl 127 445/tcp open microsoft-ds syn-ack ttl 127 5985/tcp open wsman syn-ack ttl 127 49668/tcp open unknown syn-ack ttl 127 Read data files from: /usr/bin/../share/nmap # Nmap done at Tue Nov 5 01:29:05 2019 -- 1 IP address (1 host up) scanned in 310.45 seconds

We found more port’s port 5958, 49668 found winrm open i tried to login to the wsman service. we try to login with our credentials but we fail to log so we try to find more usernames. I am going to use a tool in impaket library called lookupsid.py to get all the username’s on Heist.

Heist User sid

we got a lot of usernames from the heist machine. I tried to login with evil winrm with the credentials we found earlier and we get a successful login with creds chase:Q4)sJu\Y8qz*A3?d . The tool i used to login is evil-winrm.

evil winrm user

Root

Now we enumerate heist. I checked the running processes and found that firefox was running on the machine. I thought maybe i can extract passwords from firefox.

the process’s on heist

I used this tool called Procdump.exe to extract the process dump of firefox to see if i can get the passwords from the process dump. the tool can be found here https://docs.microsoft.com/en-us/sysinternals/downloads/procdump transferred the tool to heist with upload utility of evil-winrm.

accepting rights of procdump

after accepting terms of procdump we run it on firefox.

firefox memory dump

3048 is the process id of firefox running on the machine. We found that out using ps command earlier and then we download firefox dump on our machine using evil-winrm download utility.

Download dump on to our machine

after downloading the dump we do strings on the dump and grep for passwords. We Got Administrator’s password now let’s try to login see if it is the right password.

got root

we indeed got root on the system we were able to login as Administrator on the machine so that was heist writeup.

root heist

Take a look at other my other ctf solves here