Haxilio.com

My journey on becoming a hacker

Heist – Hackthebox Write-Up

Introduction

Alright my people, time for another write-up. Today we’re doing Heist from hackthebox. And probably OpenAdmin as well. I did like this box a lot because it felt really realistic involving multiple password-spraying attempts and the need to connect the dots between running processes and the actual functionality that is provided by the hosted application. Sounds good? Let’s get into it!

Write-Up

Don’t open this, if you really want to learn something 😉

Here is what we’ll do:

Enumeration

nmap and exploration

First, as always, let’s do a quick nmap scan:

The result reveals some interesting stuff. First and foremost there is a webserver running on port 80. That’ll be our first target because it usually yields lots of information and offers a good attack surface. Also, note that there are ports 445 (SMB) and 5895 (WinRM) open. Those will come in handy later.

We’re seeing a Login-Portal which allows us to login as guest. This looks like a Support-Helpdesk. Reading through the notes suggests that there might be a user “Hazard” on the box. Also, let’s have a look at the attachment-file. We find some more usernames: rout3r and admin. Furthermore we find three password hashes.

Cracking the Hashes

Let’s try and crack those. To find out which kind of hashes we’re dealing with, I just googled for “Hash-Analyzer” and came up with a site where I could enter the hashes to gain the algorithm to crack.

Seems like hash1 is md5-crypt, which we crack with johntheripper.

The other two hashes are Cisco-Type-7 passwords. For whichever reason Cisco implemented two encryption algorithms. A non-reversible-one (Type-5) and a reversible one (Type-7). Seems like the administrators of this router didn’t know that … However, we can use this flaw to use an online-tool to crack the passwords we found.

If you’re more concerned with the security of HTBs-passwords, there are also various python-scripts to decrypt the Cisco-Type-7 passwords. Take your pick 🙂

Password-Spraying

To try out the credentials, we create a user.txt containing rout3r, admin and Hazard and a password.txt containing the cracked passwords. What to do with these? nmap reveiled port 445.

Let’s go ahead and spray the credentials we found against the smb-share. I like to use metasploit for that (as it is shown in the screenshot below) but crackmapexec (cme) should work just as well. For me it didn’t though, I got some weird errors regarding some binary-mismatches, that I didn’t bother investigating further into. Anyways let’s see what we find:

Great, we found some credentials that are able to successfully log in. Since we’re also remembering port 5985 which would give us a foothold immediately we try logging in there. Doesn’t work. Probably Hazard is not in the WinRM group. SAD!

More User Enumeration

Seems like we hit a dead-end here. And what do we do if that happens? You guessed correct. MORE ENUMERATION! Now that we have credentials with access to the $IPC-share we can brute-force SIDs. This was actually the main learning I took from this box. More Details below, I don’t want to interrupt our hacking right now.

To do that we use the lookupsid.py script passing our credentials. This script should be installed on your kali-machine as part of the impacket package by default.

Seems like we found another two users: Jason and Chase. Let’s add them to our users.txt file and rerun the password-spray

This run finds us valid credentials for Chase. Spoiler-Alert: This is our initial Foothold. GREAT!

Gaining a Foothold and more enumeration

To actually gain the foothold, we use a tool called evil-winrm, which should also be pre-installed on your kali-machine. Here is the command we execute: evil-winrm -u Chase -p <PASWORD> -i 10.10.10.149

Aaaaaand we’re in. Now, let’s have a look around. Use tree /f to list all the files in all subdirectories. Nothing really of interest here. Besides the user-flag of course. And a todo.txt telling us, that the user wants to keep checking the issues. Well … What do we do with that? Maybe, we should have a look at the applications installed on this machine. Firefox is not a windows-default-application and therefore interesting by default (if that makes sense).

This could be the browser used by Chase to log into the help-desk application. At least their todo-list said they would be doing that. Let’s hope they’re dutiful.

Privilege Escalation

We check whether there are running firefox-processes. If that’s the case we can dump the process’s memory and scour through the dump for yet another password. And, in fact, there are multiple firefox instances running.

Let’s hope for the best (well, we’re in the privesc section of this writeup… probably we’ll have success). To dump the process’s memory we need a tool procdump64.exe from the sysinternals-toolsuite. Download the tool-suite and upload the executable to the victim-box using winrm

Execute the tool and download the dump.

For me, this file was about 500MB in size which would’ve taken a whole while to download. Luckily within the first couple of MB we find the password. Just give the download a minute and scan through the dump.

Great, let’s try those credentials via psexec.py and see what happens.

And guess what, we are root. Congratulations!

 

If you’re interested in the technical details of my main-learning on this box, keep on reading. If not, happy hacking!

SID-Brute-Forcing

What is a SID?

SID is short for Security-Identifier. Every security principal (for example a user) has a life-long immutable SID assigned to it. Using such an identifier enables us to change the principal’s properties however we want without the SID being affected.

Here’s an example of a SID (shamelessly taken from the greatest online encyclopedia ever):

S-1-5-21-3623811015-3361044348-303008201013

S: tells us, this is a SID

1: Version of SID specification (probably won’t change for a long time)

5: Authority Identifier. 5 tells us, this is a NT Authority (like NT AUTHORITY\System or any other user)

21-***-***-***: Subauthority value, 21 tells us, this is a domain

1013: Relative Id, a running number that uniquely identifies an object within a domain. 1000 will be Admin.

Quite a long thing with a bunch of information… To make it easier for yourself, you can imagine everything before the last dash as something representing the domain and the last number as the user’s Id. Even though, technically, that is not really correct.

How does the Brute-Forcing work?

Ok, how does that help us understanding lookupsid.py? How and why can we brute-force those users?

Since, in our case, we had Hazard’s credentials to log into the SMB with access to $IPC-Share, the script was able to read our own SID. Using this information it could take the whole first part representing the Domain and start brute forcing the RIDs starting by 1000 (admin) up to a specified value (4000 by default). A good question to ask now, would be “But against what are we brute-forcing”. The answer is, that SMB implements lookup-sid-RPC-Calls at port 445 that answer with information like the username when requested with a certain SID. Luckily for us, Hazard was allowed to request this rpc.

 

That’ll be it for today. If you like what you read, or have any feedback, please let me know @h4xil10.

 

Happy Hacking!

 

Share on facebook
Share on twitter
Share on linkedin

Related Articles

H4xil10

Content creator

Become a hacker they said… It’ll be fun they said … AND IT ACTUALLY IS. Even better so than I thought it might be. Therefore, I want to make my learnings and knowledge as accessible as possible and hope many will join me on a journey into the great world of itsec.

haxilio

Explore