Hello! Everyone and Welcome to yet another CTF challenge from Hack the Box, called ‘Heist,’ which is available online for those who want to increase their skills in penetration testing and Black box testing. Heist is a retired vulnerable lab presented by Hack the Box for making online penetration testing practice suitable to your experience level; they have a large collection of vulnerable labs as challenges ranging from beginner to expert level.
Level: Easy
Task: Find user.txt and root.txt in the victim’s machine
Penetration Methodologies
Scanning
· Nmap
Enumeration
· Browsing HTTP service
· Extracting and decrypting User Information from config.txt
Exploitation
· Bruteforcing more users using impacket tool
Privilege Escalation
· Using WinRm to get Root Access
· Uploading Procdump64.exe to dump process
· Capturing the flag
Walkthrough
Network Scanning
Let’s get started then!
Since these labs have a static IP, the IP address for Heist is 10.10.10.149. Let us scan the VM with the most popular port scanning tool, nmap.
nmap -sC -sV -p- 10.10.10.149
We learned from the scan that we have the port 80 open which is hosting Microsoft IIS httpd 10.0 service, and we have the port 135,445,5985,49669 open. This tells us that we have the Microsoft windows Rpc and Microsoft HTTPAPI service running on the target machine respectively.
Enumeration
For more details, we will navigate to a web browser for exploring HTTP service since port 80 is open, which has a login portal.
There’s also an option to login as a guest so let’s try that.
From the picture above, We can see while login as guest there is a user called hazard has posted an issue with his cisco router and has attached the configuration of it. Let’s open the file in browser and see what information we get.
By reading the configuration files we can see that it contains two cisco type7 and one cisco type 5 passwords.
We can decrypt type 7 passwords using a tool online tool. Following link :
So here are the credentials we have collected till now:
rout3r: $uperP@ssword
admin: Q4)sJu\Y8qz*A3?d
Also we decrypted Cisco type 5 hash using hashcat command below
hashcat -m 500 pass.txt /usr/share/wordlists/rockyou.txt --force --outfile output.txt
Which successfully cracked hash $1$pdQG$o8nrSzsGXeaduXrjlvKc91 : stealth1agent
We tried all the combinations as well as to use these credentials on login portal but we failed to login.
Coming back to nmap scan. We can see that port 5895 is open which is used by Microsoft Windows Remote Management), Which is basically a service/protocol used to manage remote systems.
So we tried to bruteforce more users with the tool Impacket. You can read more about the tool from here. And download the tool from https://github.com/SecureAuthCorp/impacket
python lookupsid.py Hazard:stealth1agent@10.10.10.149
So to try these users with the combination of passwords we got earlier. We use a very great tool available WinRm shell for hacking/pentesting.
We tried all these users with the password and the pair below worked.
“Chase:Q4)sJu\Y8qz*A3?d”
Also make sure to create ps1_scripts and exe_files directories in your home otherwise the tool won’t work. (mkdir ps1_scripts & mkdir exe_files)
evil-winrm -i 10.10.10.149 -u chase -p 'Q4)sJu\Y8qz*A3?d' -s './ps1_scripts/' -e './exe_files/'
whoami
cd ..
cd Desktop
cat user.txt
Here we managed to get user.txt as our first flag.
Privilege Escalation
Now that we had a user.txt we have to find root.txt. So, after searching for a while we found that firefox instance was running.
cd appdata\Roaming\Mozilla\firefox
upload /var/www/html/procdump64.exe
ps
After uploading procdump64.exe. We saw that there were 4 firefox process were running. So we took the having the highest CPU usage.
./procdump64.exe -ma 7024
This created a dump file and to analyse and search for sensitive information from dump file we used Winrm shell itself.
As the dump file has a lot of information so we use Select-String to filter the information as Select-String in powershell is similar to grep in linux.
Firefox.exe_191291_111009.dmp | Select-String “username=”
Here we got administrator credentials. So we try to login as administrator in WinRm shell and try to capture the root flag.
evil-winrm -i 10.10.10.149 -u administrator -p '4dD!5}x/re8]FBuZ' -s './ps1_scripts/' -e './exe_files/'
whoami
cd ..
cd Desktop
cat root.txt
