HackTheBox Writeup — Heist

In this article, we will discuss a proposed solution to pwn the Heist machine from HackTheBox.

Information Gathering

The first step was an Nmap port scan, which returned some interesting results.

Port 80 suggests that we are dealing with a web application, and the
presence of ports 135/445 shows that SMB is running on the
machine.

Port 5985 indicates that WinRM (Windows Remote
Management) is active, which effectively gives us a remote PowerShell.

Let’s navigate to the website.

We’ve got a login form, but that is no problem because there is also a “Login as
guest” button, so let’s use that.

Logging in as a guest shows a conversation between Hazard and
Support Admin containing an attachment, so let’s investigate that file.

It is clearly a configuration file from a Cisco router containing three encoded
passwords.

0242114B0E143F015F5D1E161713 and
02375012182C1A1D751618034F36415408 are Cisco type 7 passwords (a reversible
obfuscation, not real encryption), while $1$pdQG$o8nrSzsGXeaduXrjlvKc91 is an
MD5-based (Cisco type 5) hash that has to be cracked.

Decoding the type 7 strings and cracking the hash, we got:

$1$pdQG$o8nrSzsGXeaduXrjlvKc91=stealth1agent

0242114B0E143F015F5D1E161713=$uperP@ssword

02375012182C1A1D751618034F36415408=Q4)sJu\Y8qz*A3?d
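The type 7 decoding above can be reproduced offline; the following is an added example, not part of the original writeup, that decodes type 7 strings with Cisco's fixed XOR key and audits a constructed IOS config fragment for reversibly stored credentials. The config text, line layout and usernames in SAMPLE_CONFIG are constructed for this example; the MD5-crypt ($1$) secret is not reversible and is deliberately left alone.

```python
import re

# Fixed XOR key Cisco uses for "type 7" reversible obfuscation (a public constant).
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Reverse a Cisco type 7 string: a 2-digit decimal key offset followed by
    hex byte pairs, each XORed with successive bytes of the fixed key."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(
        b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)] for i, b in enumerate(data)
    ).decode("ascii")


# Matches "password 7 <hex>" / "secret 7 <hex>" style lines in an IOS config.
_TYPE7_LINE = re.compile(r"\b(?:password|secret)\s+7\s+([0-9A-Fa-f]{4,})\b")


def audit_config(config_text: str) -> list:
    """Return (line_no, line, plaintext) for every type 7 credential found.
    Every hit is a finding: once the config leaks, type 7 gives no protection."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = _TYPE7_LINE.search(line)
        if m:
            findings.append((n, line.strip(), decode_type7(m.group(1))))
    return findings


# Constructed config fragment carrying the two type 7 strings from the attachment
# and the non-reversible type 5 secret, which the audit must not touch.
SAMPLE_CONFIG = """\
hostname router
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
"""

if __name__ == "__main__":
    for n, line, plain in audit_config(SAMPLE_CONFIG):
        print(f"line {n}: reversible type 7 password -> {plain!r}   ({line})")
```

Any line this reports should be replaced with a type 8 or 9 secret and the exposed password rotated.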

Back to the conversation: reading it tells us that an account has been
created for Hazard on the machine.

I tried to enumerate SMB anonymously with tools like smbmap,
smbclient and enum4linux but got authorization failures, so I ran
smbmap with the username “Hazard” and one password from
the list, the “stealth1agent” one.

And here we go!

This validates the credentials Hazard:stealth1agent.

The shares were accessible but contained no files, so I enumerated further
with enum4linux using this command:

enum4linux -u Hazard -p stealth1agent 10.10.10.149

Hopefully this gives us some users for the other
two passwords (rout3r and admin don’t work).

And… I’ve got exactly two more users, Chase and Jason.

Getting User

I tried the username:password combinations over SMB but
unfortunately none of them worked, so I decided to try the WinRM port too
(5985/tcp).

To connect over WinRM I used Evil-WinRM, a Ruby-based WinRM shell
from the Internet.

https://github.com/Hackplayers/evil-winrm​

After a few login attempts I found valid credentials for a user:

Chase:Q4)sJu\Y8qz*A3?d

Getting Root

When escalating privileges, enumerate as much as possible, make sure you
understand the output, and then look for anything that is out of the
ordinary.

While enumerating this machine I noticed something odd: a
firefox process was running, which means there is an active browser
session.

A nice feature of the Evil-WinRM shell is its download and upload commands,
so we can fetch Microsoft’s ProcDump locally and then upload it to the machine.

https://docs.microsoft.com/en-us/sysinternals/downloads/procdump

This tool captures the memory of a process running on a
Windows machine.

Don’t forget the -ma flag, which makes ProcDump write a full dump including
all of the process memory.

The dump is saved to a file with a .dump extension; now we have to
download it locally to analyze it properly.

Locally I ran strings over the dump and searched for terms such as
“Administrator”, “SSH” and “Password”.

Grepping for “password” turned up a plaintext credential:
4dD!5}x/re8]FBuZ

Using it I tried to log in to the Administrator account and it WORKED!!

So the valid credentials are:

Administrator:4dD!5}x/re8]FBuZ

In conclusion, it was a fun and beginner-friendly machine that can teach
somebody the basics of penetration testing against Windows boxes.

Cyber Security Enthusiast, Freelancer, Researcher, Bug Bounty Hunter and InfoSec Writer.