HacktheBox - Heist

Summary

Heist, a Linux box created by HackTheBox user MinatoTW, was an overall easy to medium difficulty box. A leaked Cisco password hash gets us a first credential; with it we can brute-force SIDs to find more users and crack another password. At last we need to dump a process to get the password for Administrator.

Enumeration

Scanning the Network

nmap scan

Nmap scan report for 10.10.10.149
Host is up (0.16s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC

Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-08-10 20:29:48
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug 10 20:30:25 2019 -- 1 IP address (1 host up) scanned in 166.93 seconds

nmap finds RPC, SMB and WinRM open, but SMB is not leaking any public shares. We'll just have to explore the HTTP service first, which appears to be running PHP. This is what the site looks like.

Visiting the web page we see

The site allows guest login. Check it out.

And there’s an attachment!

There is one type-5 Cisco password hash and two type-7 password hashes. The type-5 is just MD5, which can be easily cracked with hashcat or John the Ripper.

This results in stealth1agent. For the two type-7 hashes, I found an online cracker that reveals the passwords instantaneously.

So, there we have it. Two-and-a-half pairs of creds.

stealth1agent
rout3r:$uperP@ssword
admin: Q4)sJu\Y8qz*A3?d
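The attachment is a router config, so the defender-side question is how to spot these storage types before a config ever leaks. The following is an added Python example, not code from this writeup or from the box: it scans IOS-style `enable` and `username` lines, reads the password type digit, and rates each entry (type 7 is reversible obfuscation, type 5 is md5crypt and cheap to crack offline, type 0 is cleartext, types 8 and 9 are acceptable). The sample config and every hash value in it are constructed placeholders, not the Heist attachment.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the style of an IOS config with "service password-encryption".
# Every hash/ciphertext value here is a placeholder, not a value from the Heist box.
SAMPLE_CONFIG = """\
version 12.2
service password-encryption
hostname ios-1
enable secret 5 $1$aaaa$bbbbbbbbbbbbbbbbbbbbbb
username rout3r password 7 0000000000000000000000
username admin privilege 15 password 7 1111111111111111111111
username ops secret 9 $9$cccccccccccccc$dddddddddddddddddddddddddddddddddddddddddd
username legacy password 0 plaintextpw
"""


@dataclass
class Finding:
    line_no: int
    account: str
    type_code: str
    severity: str
    advice: str


# How each IOS password type should be treated during a config review.
_TYPE_INFO = {
    "0": ("critical", "stored in cleartext; replace with a type 8/9 secret"),
    "7": ("critical", "type 7 is reversible obfuscation, not encryption; "
                      "anyone who can read the config can recover the password"),
    "5": ("high", "type 5 is md5crypt, cheap to brute-force offline; migrate to type 8/9"),
    "8": ("info", "PBKDF2-SHA256, acceptable"),
    "9": ("info", "scrypt, acceptable"),
}

# "enable secret 5 <hash>" / "enable password 7 <obfuscated>" / "enable password <literal>"
_ENABLE_RE = re.compile(r"^enable\s+(?:secret|password)\s+(?:(\d)\s+)?(\S+)\s*$")
# "username <name> [privilege N] password|secret [<type>] <value>"
_USER_RE = re.compile(
    r"^username\s+(\S+)(?:\s+privilege\s+\d+)?\s+(?:password|secret)\s+(?:(\d)\s+)?(\S+)\s*$"
)


def audit_config(text: str) -> List[Finding]:
    """Return one Finding per credential line, in file order."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = _ENABLE_RE.match(line)
        if m:
            account, type_code = "enable", m.group(1)
        else:
            m = _USER_RE.match(line)
            if not m:
                continue
            account, type_code = m.group(1), m.group(2)
        # No type digit means the value on the line is the literal password.
        type_code = type_code or "0"
        severity, advice = _TYPE_INFO.get(
            type_code, ("medium", f"unrecognised type {type_code}; verify manually")
        )
        findings.append(Finding(n, account, type_code, severity, advice))
    return findings


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for f in results:
        print(f"line {f.line_no:>3} {f.severity:<8} {f.account:<8} type {f.type_code}: {f.advice}")
    print(count_by_severity(results))
```

Run against a real config, the `critical` rows are the ones to rotate immediately: a type-7 value is equivalent to the cleartext for anyone who has read the file, so the fix is a new password stored as type 8 or 9, not re-obfuscation.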

User?

For one, we know from smbmap that this credential (hazard:stealth1agent) is valid, but we see it only has read-only access to IPC$, so we cannot get a PowerShell session over WinRM.

Enter Impacket's lookupsid.py. This nifty script, combined with hazard's credential, will help us gather more usernames.

dhazard
jason
support
chase
Administrator
None
Guest
DefaultAccount

Using msf we can crack the password for the other users, and, long story short, we find the creds for chase as Q4)sJu\Y8qz*A3?d

Now, using Evil-WinRM, we can get a shell as chase and read user.txt.

Privilege Escalation

During enumeration of chase's account, I notice in login.php a password hash that I believe belongs to administrator.

<?php
session_start();
// Admin login: the username must match exactly and the SHA-256 of the
// submitted password must equal a hard-coded hex digest.
if( isset($_REQUEST['login']) && !empty($_REQUEST['login_username']) && !empty($_REQUEST['login_password'])) {
    if( $_REQUEST['login_username'] === 'admin@support.htb' && hash( 'sha256', $_REQUEST['login_password']) === '91c077fb5bcdd1eacf7268c945bc1d1ce2faf9634cba615337adbf0af4db9040') {
        $_SESSION['admin'] = "valid";
        header('Location: issues.php');
    }
    else
        header('Location: errorpage.php');
}
// Guest login: ?guest=true grants a guest session with no credential check.
else if( isset($_GET['guest']) ) {
    if( $_GET['guest'] === 'true' ) {
        $_SESSION['guest'] = "valid";
        header('Location: issues.php');
    }
}
?>
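login.php hashes the submitted password with a single unsalted SHA-256 and compares it to a constant, which is exactly why a readable source file turns into a crackable credential. As an added Python example (not part of the writeup and not the box's code), here is that scheme next to a hardened replacement using PBKDF2-HMAC-SHA256 with a random salt and a constant-time comparison. The record format `pbkdf2_sha256$<iterations>$<salt>$<digest>`, the demo password and the `"abc"` digest are assumptions of the example, not values from the box.

```python
import hashlib
import hmac
import os

# Constructed demo values; neither is a credential or hash from the Heist box.
DEMO_PASSWORD = "example-password"
# SHA-256 of the ASCII string "abc", used only to exercise weak_verify.
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def unsalted_sha256(password: str) -> str:
    """What login.php stores: one fast, unsalted hash of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def weak_verify(password: str, stored_hex: str) -> bool:
    """Same check as the page's login.php: unsalted SHA-256 compared as text.

    Three weaknesses: no salt (equal passwords give equal digests, so one
    precomputed table serves every deployment), a fast hash (offline guessing
    runs at GPU speed once the digest is read from the source), and an
    ordinary string comparison that is not constant-time.
    """
    return unsalted_sha256(password) == stored_hex


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Hardened form: PBKDF2-HMAC-SHA256 with a fresh random 16-byte salt.

    The record format "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>" is
    an assumption of this example; it keeps the parameters beside the digest
    so the iteration count can be raised later without a schema change.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        # Malformed record: wrong field count, bad hex or bad integer.
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # hmac.compare_digest does not leak the position of the first mismatching byte.
    return hmac.compare_digest(candidate, expected)


def same_password_same_record(scheme) -> bool:
    """True when storing the same password twice yields identical records."""
    return scheme(DEMO_PASSWORD) == scheme(DEMO_PASSWORD)


if __name__ == "__main__":
    record = hash_password(DEMO_PASSWORD)
    print("unsalted digests repeat:", same_password_same_record(unsalted_sha256))  # True
    print("salted records repeat:  ", same_password_same_record(hash_password))    # False
    print("verify good password:   ", verify_password(DEMO_PASSWORD, record))      # True
    print("verify bad password:    ", verify_password("nope", record))              # False
```

In PHP the equivalent of the hardened half is `password_hash()` with `password_verify()`; the point of the Python version is to make visible what those calls do (random salt, slow KDF, constant-time compare) and why a leaked record under such a scheme is far less useful than the bare SHA-256 constant in login.php.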

There’s also a subtle hint in todo.txt that says something like this.

Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.

Done:
1. Restricted access for guest user.

Running get-process firefox, we see that Firefox has been opened multiple times and is constantly running.

Now, if we can dump out the process memory, maybe we can search for the password in it? Long story short, SysInternals' ProcDump didn't work for me, so I went for Out-Minidump.ps1 instead.

I appended the following line to the PowerShell script like so.

Out-Minidump -Process (Get-Process -ID 6636) -DumpFilePath C:\Windows\Tracing

I chose to dump process 6636 because it had the most handles. Next, I hosted the script with Python's SimpleHTTPServer and downloaded it to the machine using certutil.exe.

Time to dump it!

Let's see if we can find what we want.

This gives us the password of Administrator as 4dD!5}x/re8]FBuZ, with which we can again use Evil-WinRM and get root.txt.

And we have pwned Heist.

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/heist/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.