In this article, we will walk through one way to pwn the Heist machine from HackTheBox.
The first thing to do was to run an Nmap port scan, which returned some interesting results.
Port 80 suggests that we are dealing with a web application, and the
presence of ports 135/445 shows us that the SMB (Samba) protocol is running on our
Also, port 5985 indicates that WinRM (Windows Remote
Management) is active, which is essentially remote PowerShell.
Let’s navigate to the website.
We’ve got a login form, but that is no problem because there is also a “Login as
guest” button, so let’s use it.
If we log in as a guest we get this conversation between Hazard and
Support Admin containing an attachment, so let’s investigate that file.
no service pad
isdn switch-type basic-5ess
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
ip ssh authentication-retries 5
ip ssh version 2
router bgp 100
network 192.168.0.0 mask 300.255.255.0
timers bgp 3 9
ip route 0.0.0.0 0.0.0.0 192.168.0.1
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
no ip http server
no ip http secure-server
line vty 0 4
authorization exec SSH
transport input ssh
It is clearly a configuration file from a Cisco router containing three encoded
02375012182C1A1D751618034F36415408 are Cisco type 7 passwords (a reversible encoding, not a hash),
but $1$pdQG$o8nrSzsGXeaduXrjlvKc91 is an MD5-based (type 5) hash.
Decrypting them, we got:
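Type 7 is a fixed-key XOR encoding rather than a hash, which is why it yields plaintext directly. The following Python is an added example (not the author's tooling) that audits a Cisco IOS config for weak credential storage and decodes any type 7 entries; it runs on a constructed sample config with made-up values, not the lines from the box.

```python
import re

# Fixed XOR key that Cisco IOS uses for "password 7" (type 7) obfuscation.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two-digit key offset, then one hex byte per character."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]) for i, b in enumerate(data))


def encode_type7(plain: str, seed: int = 2) -> str:
    """Inverse of decode_type7; used only to build the constructed sample below."""
    body = "".join(f"{ord(c) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]:02X}" for i, c in enumerate(plain))
    return f"{seed:02d}{body}"


# Matches "enable secret 5 <hash>" and "username <u> [privilege N] password 7 <enc>".
CRED_RE = re.compile(
    r"^(?:username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?|(?P<enable>enable))"
    r"\s+(?:secret|password)\s+(?P<ptype>\d+)\s+(?P<value>\S+)", re.M)


def audit_config(config: str) -> list[dict]:
    """Flag every credential line whose storage type an attacker can recover offline."""
    findings = []
    for m in CRED_RE.finditer(config):
        who = "enable" if m.group("enable") else m.group("user")
        ptype, value = int(m.group("ptype")), m.group("value")
        if ptype == 7:
            findings.append({"account": who, "type": 7, "risk": "reversible encoding",
                             "plaintext": decode_type7(value)})
        elif ptype == 5:
            findings.append({"account": who, "type": 5, "risk": "md5crypt, fast offline cracking"})
        elif ptype == 0:
            findings.append({"account": who, "type": 0, "risk": "cleartext", "plaintext": value})
        # Types 8 (PBKDF2-SHA256) and 9 (scrypt) are the ones to migrate to; not flagged.
    return findings


# Constructed sample config (hypothetical accounts and placeholder hashes, not the box's values).
SAMPLE_CONFIG = f"""\
enable secret 5 $1$zzzz$CONSTRUCTEDPLACEHOLDERhash0
username netops password 7 {encode_type7('Example-Pass-1')}
username admin privilege 15 secret 9 $9$CONSTRUCTEDscryptPLACEHOLDER
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

The practical fix on a real device is to replace type 5 and type 7 entries with `secret 9` (scrypt) and to treat any config backup containing type 7 strings as if it held cleartext credentials.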
Let’s get back to our conversation. If we read it, we can extract the
information that there is an account created for Hazard on the machine.
I wanted to enumerate SMB using tools like smbmap,
smbclient and enum4linux, but received an authorization failure, so I tried
smbmap with the username “Hazard” and one password from
the list, for example the “stealth1agent” one.
And here we go!
This validates the credentials Hazard:stealth1agent.
I tried to enter the shares, but there are no files on them, so I decided to try
enumerating with enum4linux using the command enum4linux -u Hazard -p stealth1agent 10.10.10.149; we will probably get some users to try with the other
two passwords (rout3r and admin aren’t working).
And… I got exactly two more users: Chase and Jason.
I tried username:password combinations over SMB, but
unfortunately none of them worked, so I decided to try the WinRM port too.
For connecting to WinRM I used a Ruby shell from the Internet, evil-winrm.
After some login attempts I found the valid credentials for the user which
When trying to escalate privileges you must enumerate as much as
possible, try to understand the output and then see if something is not
While enumerating this machine I noticed something very odd: the
firefox process was running, which means that there is an active browser
The good thing about the evil-winrm shell is that it has options to
download and upload files, so we can easily download a tool from Microsoft named ProcDump locally and then upload it to the machine.
This tool can extract valuable information about a process running on a
Don’t forget the -ma flag, which is the “Extract all” mode of the tool (a full memory dump).
The dump will be saved to a file with the .dump extension; now we have to
download it locally to analyze it better.
Locally, I started to analyze the strings inside the dump, looking for
something like “Administrator”, “SSH” and “Password”.
Using grep for “password” I was able to get a plaintext credential.
Using that I tried to log in to the Administrator account and it WORKED!!
So the valid credentials are:
In conclusion, it was a fun, beginner-friendly machine that can teach
somebody the basics of penetration testing against Windows boxes.