Hello fellow hackers, today I’m going to solve HEIST box on hack the box platform
So let’s get started !!!
I started with a full port scan using nmap
namp -A -v -sT -p- 10.10.10.149
So the box have 3 services running on it :
- Microsoft IIS 10 running HTTP on port 80
- SMB on port 135 and 445
- Windows remote management on port 5985
Let’s check it out !!!
Starting on port 80 it seems to host some kind of ticketing system
I tried to login with some default users and password but nothing worked, then I noticed that there is a (login as guest) option and it logged us in
Inside the ticketing system there is a discussion between hazard and the support admin it appears like hazard is having an issue with the router and he attached the router configuration file in the discussion, seems interesting, let’s check it out
Cool !!! the configuration file contains 2 users and and there type 7 encrypted passwords
And a MD5 hash
Let’s try to crack them,,,
I cracked the type 7 passwords using an online cisco password cracking website
As for the MD5 hash i cracked it using hashcat
hashcat -a 0 -m 500 ‘$1$pdQG$o8nrSzsGXeaduXrjlvKc91’ - -force
Now we have 2 cracked passwords for 2 users :
one password with no user and one user with no password
Does not make sense till now, but let’s make use of these credentials
Since the smb service is available let try to login to it using the creds we have
I tried rout3r user and admin user with their creds but nothing worked then i tried the user hazard with the cracked MD5 and boom, It worked!!!
smbclient -L 10.10.10.149 --user=hazard
Unfortunately I don’t have access to the shared files, so i decided to enumerate the users that are using smb i tried several metasploit scripts but for sum reason it refuses the credentials I have so I looked up for a python script to enumerate the users
I found a great script from Impacket collection called lookupsid.py
For those who don’t know, Impacket is a collection of Python classes for working with network protocols from SecureAuth Corporation you can find it on GitHub
python lookupsid.py WORKGROUB/hazard:firstname.lastname@example.org
After running the script we got some new users, so I tried to connect smb with the new users but it didn’t work,but luck for us windows remote management is running
In order to brute force the WINRM i used metasploit module
I but all the users in file and the passwords in a file and ran the module
Lets run the module!!!
And we have a match!!!
[+] 10.10.10.149:5985 - Login Successful: WORKGROUB\Chase:Q4)sJu\Y8qz*A3?d
I tried to connect to WINRM using metasploit but for some reason it keeps throwing an error
So I searched for a scripts to connect to WINRM and i found a ruby tool called evil-winrm
You can install from GitHub
evil-winrm -i 10.10.10.149 -u Chase -p 'Q4)sJu\Y8qz*A3?d'
And we are in as Chase user !!! and we have the user flag
I found an interesting note inside Chase Desktop todo.txt
1. Keep checking the issues list.
2. Fix the router config.
1. Restricted access for guest user.
It looks like Chase is the admin of the ticketing system, since he wants to check the issue list and fix the router config , and he has access to restrict the guest user
Knowing that let’s get started on our enumeration
I started with checking the windows version for any local exploits but i found nothing
Then I checked the running processes I noticed something unusual running that normally you don’t find running on a CTF box
There is a FireFox process running on the box and since Chase’s todo list noted that he wants to keep checking the issue list that means his creds must be cached in the browser
So I searched for a power shell script that dumbs the firefox history and cached data
Lucky for me evil-winrm allows you to run a powershell scripts on the remote machine
So I downloaded the script and put inside a directory and run it through evil-winrm and it gave me two files that contain the dumbed data
Since the files are too big I need to filter the output of them s oi used the following command
Get-ChildItem -Path C:\Users\Chase\Documents -Recurse -File | Select-String password
Going through the filtered output i found this string email@example.com&login_password=4dD!5}x/re8]FBuZ
Containing the password for the admin!!!
Now lets try to login again to WINRM using the admin creds
evil-winrm -i 10.10.10.149 -u Administrator -p ‘4dD!5}x/re8]FBuZ’
And we are in as Administrator!!!
SMT Red Team