Heist was an easy difficulty box that combined credential harvesting, spraying, dumping a process to capture further credentials and a final spray to get Administrator access. OVerall it was a good box Windows box with a few fundamentals that could be practiced.
As usual, let's kick it off with an NMAP scan.
SMB did not reveal anything public so let's take a look at the web service running.
Looks like there is a guest login option. Let's pop in as guest and see what we can find.
Oooh, an attachment? Don't mind I do!
Ok excellent, we're starting our credentials list. Cracking the type-5 and type-7 cisco hashes we now have a list of:
The first pairing of hazard/stealth1agent was a guess based on the username in the issues post. I dumped all potential passwords and usernames into corresponding files and used the smb_login module to spray them for validity.
Unfortunately at this point Hazard was not able to log in using winrm so took a different angle and tried dumping more information with the valid credentials.
Great, we have a few more users to add to our user file. Let's re-run the smb_login module with the expanded list now.
We have an extra hit, excellent! This time chase was able to leverage winrm and we got ourselves a shell. I went between evil-winrm and the ruby iteration of winrm to try different angles.
And now with shell access we are able to get our user flag. User down!
Unfortunately my notes were a little skimp during this part. Checking the login.php code we saw that there was an admin hash listed.
Also checking the todo file in Chase's home directory we can assume he is periodically logging in to check any ongoing issues.
Armed with this information let's dump the browser's (firefox) process and look any stored passwords in memory. Getting the dump file over to our own host we do a quick check.
Perfect! Now let's expand our smb_logon files to validate the password.