Alright my people, time for another write-up. Today we’re doing Heist from hackthebox. And probably OpenAdmin as well. I did like this box a lot because it felt really realistic involving multiple password-spraying attempts and the need to connect the dots between running processes and the actual functionality that is provided by the hosted application. Sounds good? Let’s get into it!
Don't open this if you really want to learn something 😉
- nmap -sC -sV -O -A 10.10.10.149
- Remember 445 (SMB)
- Remember 5985 (WinRM)
- Recognize 80
- Visit Homepage
- Login as Guest
- Note Username: Hazard
- Open Attachments
- Note Usernames: rout3r, admin
- Crack Passwords:
- john --format=md5crypt passwd.txt (hash 1, md5crypt)
- Decode the two Cisco Type 7 passwords (online tool or script)
- Use scanner/smb/smb_login for password spraying
- Find Hazard:stealth1agent
- Try WinRM login, see that it fails
- Enumerate further users: python3 lookupsid.py Hazard:stealth1agent@10.10.10.149
- Find Jason and Chase
- Add those to the usernames file and rerun the password spray
- Find Chase:Q4)sJu\Y8qz*A3?d
- evil-winrm -u Chase -p 'Q4)sJu\Y8qz*A3?d' -i 10.10.10.149
- Look around
- Find that Firefox is installed: dir 'C:\Program Files'
- Find that Firefox is running: Get-Process -Name firefox → maybe the admin entered his password there?
- Dump the Firefox process' memory:
- Upload the tool: upload ~/sysinternals/procdump64.exe
- ./procdump64.exe -accepteula
- Get-Process firefox, note the PID
- ./procdump64.exe -ma 6236
- download firefox.exe_201217_211903.dmp ~/hackthebox/machines/heist/firefox.exe_201217_211903.dmp
- Grep the password: strings firefox.exe_201217_211903.dmp | grep password → 4dD!5}x/re8]FBuZ
- Connect: python3 psexec.py '<USER>:4dD!5}x/re8]FBuZ@10.10.10.149'
nmap and exploration
First, as always, let’s do a quick nmap scan:
The result reveals some interesting stuff. First and foremost, there is a web server running on port 80. That'll be our first target because it usually yields lots of information and offers a good attack surface. Also note that ports 445 (SMB) and 5985 (WinRM) are open. Those will come in handy later.
We're seeing a login portal which allows us to log in as guest. This looks like a support helpdesk. Reading through the notes suggests that there might be a user "Hazard" on the box. Also, let's have a look at the attachment file. We find two more usernames, rout3r and admin, as well as three password hashes.
Cracking the Hashes
Let's try and crack those. To find out which kind of hashes we're dealing with, I just googled for "Hash Analyzer" and came up with a site where I could enter the hashes to learn which algorithm to crack.
Seems like hash1 is md5crypt, which we crack with John the Ripper.
The other two hashes are Cisco Type 7 passwords. For whatever reason Cisco implemented two schemes: a non-reversible one (Type 5) and a reversible one (Type 7). Seems like the administrators of this router didn't know that … However, we can use this flaw and an online tool to recover the passwords we found.
If you're more concerned about the security of HTB's passwords than about pasting them into a website, there are also various Python scripts that decode Cisco Type 7 passwords offline. Take your pick 🙂
To try out the credentials, we create a users.txt containing rout3r, admin and Hazard and a password.txt containing the cracked passwords. What to do with these? nmap revealed port 445.
Let's go ahead and spray the credentials we found against the SMB share. I like to use Metasploit for that (as shown in the screenshot below) but crackmapexec (cme) should work just as well. For me it didn't though; I got some weird errors about binary mismatches that I didn't bother investigating further. Anyway, let's see what we find:
Great, we found credentials that can successfully log in. Since we also remember port 5985, which would give us a foothold immediately, we try logging in there. Doesn't work. Probably Hazard is not in the WinRM group. SAD!
More User Enumeration
Seems like we hit a dead end here. And what do we do if that happens? You guessed right. MORE ENUMERATION! Now that we have credentials with access to the IPC$ share we can brute-force SIDs. This was actually the main learning I took from this box. More details below; I don't want to interrupt our hacking right now.
To do that we use the lookupsid.py script, passing our credentials. This script should be installed on your Kali machine by default as part of the impacket package.
Seems like we found another two users: Jason and Chase. Let’s add them to our users.txt file and rerun the password-spray
This run finds us valid credentials for Chase. Spoiler-Alert: This is our initial Foothold. GREAT!
Gaining a Foothold and more enumeration
To actually gain the foothold, we use a tool called evil-winrm, which should also be pre-installed on your Kali machine. Here is the command we execute: evil-winrm -u Chase -p <PASSWORD> -i 10.10.10.149
Aaaaaand we're in. Now, let's have a look around. Use tree /f to list all the files in all subdirectories. Nothing really of interest here, besides the user flag of course, and a todo.txt telling us that the user wants to keep checking the issues. Well … What do we do with that? Maybe we should have a look at the applications installed on this machine. Firefox is not a Windows default application and is therefore interesting by default (if that makes sense).
This could be the browser used by Chase to log into the help-desk application. At least their todo-list said they would be doing that. Let’s hope they’re dutiful.
We check whether there are running firefox-processes. If that’s the case we can dump the process’s memory and scour through the dump for yet another password. And, in fact, there are multiple firefox instances running.
Let's hope for the best (well, we're in the privesc section of this write-up… probably we'll have success). To dump the process's memory we need the tool procdump64.exe from the Sysinternals suite. Download the suite and upload the executable to the victim box using evil-winrm's upload command.
Execute the tool and download the dump.
For me, this file was about 500MB in size which would’ve taken a whole while to download. Luckily within the first couple of MB we find the password. Just give the download a minute and scan through the dump.
Great, let’s try those credentials via psexec.py and see what happens.
And guess what, we are root. Congratulations!
If you’re interested in the technical details of my main-learning on this box, keep on reading. If not, happy hacking!
What is a SID?
SID is short for Security Identifier. Every security principal (for example a user) has a lifelong, immutable SID assigned to it. Using such an identifier lets us change the principal's properties however we want without affecting the SID.
Here's an example of a SID (shamelessly taken from the greatest online encyclopedia ever):
S-1-5-21-***-***-***-1013
S: tells us this is a SID
1: version of the SID specification (probably won't change for a long time)
5: authority identifier. 5 tells us this is an NT authority (like NT AUTHORITY\System or any other user)
21-***-***-***: subauthority values; 21 tells us this is a domain
1013: relative ID, a running number that uniquely identifies an object within a domain. 1000 will be Admin.
Quite a long thing with a bunch of information… To make it easier for yourself, you can imagine everything before the last dash as representing the domain and the last number as the user's ID, even though, technically, that is not really correct.
How does the Brute-Forcing work?
Ok, how does that help us understand lookupsid.py? How and why can we brute-force those users?
Since, in our case, we had Hazard's credentials to log into SMB with access to the IPC$ share, the script was able to read our own SID. Using this information it could take the whole first part, representing the domain, and start brute-forcing the RIDs, starting at 1000 (admin) up to a specified value (4000 by default). A good question to ask now would be "But what are we brute-forcing against?" The answer is that SMB exposes SID lookup RPC calls on port 445 which answer with information like the username when queried with a certain SID. Luckily for us, Hazard was allowed to make this RPC call.
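To make the structure concrete, here is a small Python example I am adding to the write-up (it is not part of the original post and not impacket's code). It parses a SID into the fields listed above, rebuilds the domain identifier and the RID, and then, from the defender's side, scans a list of SID lookup records for exactly the pattern lookupsid.py produces: one client resolving a long run of consecutive RIDs under a single domain identifier. The domain identifier, the client addresses and the lookup records are constructed sample values, not data from the box.

```python
"""Parse Windows SIDs and flag a RID sweep in SID-lookup records.

Added example for this write-up; the domain identifier, client addresses and
lookup records below are constructed sample values, not data from the box.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Identifier authority values the post refers to (5 = NT Authority).
AUTHORITY_NAMES = {0: "Null Authority", 1: "World Authority",
                   2: "Local Authority", 5: "NT Authority"}

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]

    @property
    def rid(self) -> int:
        # The last sub-authority is the relative identifier (RID).
        return self.sub_authorities[-1]

    @property
    def domain_identifier(self) -> str:
        # Everything before the last dash: the issuing domain or machine.
        head = ["S", str(self.revision), str(self.authority)]
        head += [str(s) for s in self.sub_authorities[:-1]]
        return "-".join(head)

    def with_rid(self, rid: int) -> "Sid":
        # Same issuer, different RID: the neighbour SIDs a RID sweep walks through.
        return Sid(self.revision, self.authority, self.sub_authorities[:-1] + (rid,))

    def __str__(self) -> str:
        return "%s-%d" % (self.domain_identifier, self.rid)


def parse_sid(text: str) -> Sid:
    """Split 'S-1-5-21-...-1013' into revision, authority and sub-authorities."""
    m = _SID_RE.match(text)
    if not m:
        raise ValueError("not a SID: %r" % text)
    subs = tuple(int(s) for s in m.group(3).strip("-").split("-"))
    return Sid(int(m.group(1)), int(m.group(2)), subs)


def describe(sid: Sid) -> Dict[str, str]:
    """Name the fields the way the post walks through them."""
    info = {"revision": str(sid.revision),
            "authority": AUTHORITY_NAMES.get(sid.authority, "authority %d" % sid.authority),
            "domain_identifier": sid.domain_identifier,
            "rid": str(sid.rid)}
    if sid.authority == 5 and sid.sub_authorities[:1] == (21,):
        info["scope"] = "domain or local machine account"
    return info


def detect_rid_sweep(lookups: List[Tuple[str, str]], min_run: int = 20) -> Dict[str, Tuple[int, int]]:
    """Report clients that resolved a long run of consecutive RIDs under one domain identifier.

    lookups are (client, sid) pairs, e.g. from SID-lookup auditing on the server.
    Returns {client: (first_rid, last_rid)} for runs of at least min_run RIDs.
    """
    seen = defaultdict(set)
    for client, sid_text in lookups:
        sid = parse_sid(sid_text)
        seen[(client, sid.domain_identifier)].add(sid.rid)
    hits: Dict[str, Tuple[int, int]] = {}
    for (client, _domain), rids in seen.items():
        ordered = sorted(rids)
        start = prev = ordered[0]
        best = (start, start)
        for rid in ordered[1:] + [None]:          # sentinel closes the last run
            if rid is not None and rid == prev + 1:
                prev = rid
                continue
            if prev - start > best[1] - best[0]:
                best = (start, prev)
            if rid is not None:
                start = prev = rid
        if best[1] - best[0] + 1 >= min_run:
            hits[client] = best
    return hits


# Constructed sample: a workstation resolving a few SIDs during normal logons,
# and one host walking RIDs 1000..1040 under the same domain identifier.
DOMAIN = "S-1-5-21-111111111-222222222-333333333"   # constructed, not the box's SID
SAMPLE_LOOKUPS = [
    ("10.0.0.5", DOMAIN + "-1013"),
    ("10.0.0.5", "S-1-5-18"),
    ("10.0.0.5", DOMAIN + "-513"),
] + [("10.0.0.77", DOMAIN + "-%d" % rid) for rid in range(1000, 1041)]


if __name__ == "__main__":
    print(describe(parse_sid(DOMAIN + "-1013")))
    print(detect_rid_sweep(SAMPLE_LOOKUPS))
```

Running it prints the parsed fields for the sample SID and then `{'10.0.0.77': (1000, 1040)}`, the sweeping host with the RID range it walked. On a real server the records would come from SID-lookup auditing; the threshold `min_run` is what separates a logon server resolving a handful of SIDs from a client stepping through RIDs one by one. One detail worth keeping in mind when reading the output: the built-in Administrator account always has RID 500 and the first user-created account receives RID 1000, so a sweep that begins at 1000 is walking ordinary accounts.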
That’ll be it for today. If you like what you read, or have any feedback, please let me know @h4xil10.