HTB’s Heist: A Walkthrough
Hello readers,
It was only recently that I got around to getting my hands dirty with HTB’s Windows boxes, and I seriously had no clue what to expect. This is the walkthrough of ‘Heist’, a retired box on HTB and one of the first boxes I played, with help from fellow bloggers.
The credit for creating this box goes to MinatoTW. Massive thanks.
Let’s start.
RECONNAISSANCE
Having downloaded the VPN pack, set up OpenVPN and connected, I was good to go. You too.
IP address of the box = 10.10.10.149
Running a full-port stealth scan over the target:
NOTE: It takes a while, and I am doing it for clarity.
ENUMERATION
The HTTP port interests us. Let’s make our way there.
After some tinkering, an alert box informs us that the ‘username’ field is in fact a field for email addresses. Since we didn’t have any, it would be unwise to bruteforce endlessly.
Then we noticed the option to log in as guest. We click on it and thankfully are not required to present any credentials. We are met with this, a chat log:
Clicking on the attachment, we find:
We take up the task of decrypting or uncovering the hashed passwords.
- Password 1: ‘stealth1agent’
- Method to crack: John the Ripper or Hashcat
- Command: john --wordlist=/usr/share/wordlists/rockyou.txt Hash
NOTE: ‘Hash’ is the name of the file in which I stored the first hash.
Upon research, the other two passwords turn out to be Cisco Type 7 strings, the reversible obfuscation used in IOS configs rather than a real hash, so we make use of an online decoder to do the job.
Password 2:
Password 3:
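Why passwords 2 and 3 could simply be decoded rather than cracked: the following is an added Python example, not code from the original post, that implements the Cisco Type 7 scheme (a fixed-key XOR, so anyone holding the config can reverse it) and audits a constructed IOS config excerpt for such lines, which is the check a defender would run before migrating them to Type 8/9 hashes. The hostname, username and the `$9$` placeholder are constructed; the Type 7 value is produced by the encoder from the page’s first password, not taken from the box.

```python
import re

# Fixed XOR key Cisco IOS uses for "Type 7" passwords; a fixed key is what makes
# the scheme reversible obfuscation rather than encryption.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Reverse a Type 7 string: two-digit seed, then one hex byte per character."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a well-formed Type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    if seed > 15:
        raise ValueError("Type 7 seed must be in 00..15")
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(body))


def type7_encode(plain: str, seed: int = 0) -> str:
    """Forward direction, used here only to build constructed test data."""
    return f"{seed:02d}" + "".join(
        f"{ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}" for i, c in enumerate(plain)
    )


# Matches lines such as "username X password 7 <hex>" or "enable password 7 <hex>".
TYPE7_LINE = re.compile(r"\b(?:password|secret)\s+7\s+(?P<enc>[0-9A-Fa-f]{4,})\s*$")


def audit_config(config: str) -> list:
    """Report every Type 7 credential in an IOS config with its recovered plaintext."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = TYPE7_LINE.search(line)
        if m:
            findings.append({"line": lineno, "plaintext": type7_decode(m["enc"])})
    return findings


# Constructed config excerpt (hostname, username and the $9$ value are not from
# the box); the Type 7 value is type7_encode("stealth1agent", 9).
SAMPLE_CONFIG = "\n".join([
    "hostname edge-router",
    "username netadmin password 7 " + type7_encode("stealth1agent", 9),
    "enable secret 9 $9$PLACEHOLDER-NOT-A-REAL-HASH",
])
```

Only the `password 7` line is reported; the Type 9 line is left alone because it is a real salted hash, which is exactly the migration target.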
What do we have now? 3 passwords and 3 usernames. DON’T forget to count in ‘Hazard’.
That gives 9 different credential combos to try against the RPC service on port 135 using rpcclient.
NOTE: Anonymous login is not possible on this RPC server.
We strike gold with ‘Hazard’ : ‘stealth1agent’.
- Command: rpcclient -U 'Hazard%stealth1agent' 10.10.10.149
I couldn’t find anything. Enumerating users brought no results. In all, 35 server privileges.
smbclient also proved to be a dead end. I was expecting some interesting shares here.
Approach
I came across a tool called ‘Impacket’, hosted on GitHub by SecureAuthCorp. It supposedly has a lookupsid.py script to enumerate users over SMB using their unique SIDs.
Steps to install it:
- Command 1: git clone https://github.com/SecureAuthCorp/impacket.git
- ‘cd’ into impacket/
- Command 2: pip install -r requirements.txt
- Command 3: python3 setup.py install (I had python3 installed)
Using the tool:
- Command: python3 lookupsid.py hazard:stealth1agent@10.10.10.149
At least 2 new and unique user accounts pop out.
Attempting to enter RPC again, we log in using the ‘Chase : Q4)sJuY8qz*A3?d’ credentials.
GAINING ACCESS
Again a dead end. So now we make use of another tool named ‘Evil-WinRM’.
The installation steps are given in the README file on the repo.
What does the tool do?
It is a hacking tool that talks to port 5985, the Windows Remote Management (WinRM) service, and uses it to give us a remote shell on the system.
- Command: evil-winrm -i 10.10.10.149 -u Chase -p 'Q4)sJu\Y8qz*A3?d'
We gain entry and find our user.txt flag on the Desktop.
Within the same directory, we find a ‘todo.txt’ file.
Checking out the installed programs on the C: drive, we find:
Two search engines? Weird. Probably I am onto something.
Taking a look at the running processes using ‘ps’:
An observation was that PID ‘6220’ takes up most of the CPU load here.
What we will do now is aim to dump the Firefox process memory for analysis; for that, we use the ProcDump tool from Sysinternals.
So let’s download and extract the files.
In our case, we require procdump64.exe to create the Firefox dump.
Move the .exe file to your /opt.
Evil-WinRM also provides a wonderful feature to upload files from our attacking machine to the target machine.
- Command: upload /opt/procdump64.exe. We find it uploaded after a few moments.
We take the dump of PID ‘6220’, which corresponds to Firefox.
- Command: ./procdump64.exe -ma 6220
We have a resulting 509 MB dump.
From here, we have two methods to capture the administrator’s credentials.
Method 1: grep password info from the Firefox dump (easy)
- Command: cat firefox.exe_210704_131353.dmp | Select-String "username="
We find:
Administrator’s password = 4dD!5}x/re8]FBuZ
Bonus: we also gain the email address required to log on to the web server.
Method 2: create a readable file from the dump and use Select-String to grab the admin credentials (time consuming)
To analyze our dump, we have downloaded strings64.exe.
Why? Because the raw dump is binary and reads as gibberish; strings pulls out the printable text.
Uploading it again to the target machine using Evil-WinRM, we now need to convert the dump into a readable format.
- Command: cmd /c "strings64.exe -accepteula ../Desktop/firefox.exe_210704_131353.dmp > Dump.txt"
Reading contents from the file:
- Command: findstr "password" Dump.txt
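From the blue-team side, the dump step above is the moment a sensor can catch this technique. This is an added Python example, not from the original post or from the tools it uses: it scans constructed Sysmon-style process-creation events for ProcDump runs, resolves the target PID through a constructed process table (PROCESS_TABLE), rates a dump of a browser or LSASS as high severity, and notes when the parent is wsmprovhost.exe, the host process that WinRM (port 5985) sessions such as Evil-WinRM’s run under.

```python
import re

# Constructed PID -> image table, as a sensor would have recorded from earlier
# process-creation events; 6220 is the Firefox PID from the walkthrough.
PROCESS_TABLE = {6220: "firefox.exe", 4412: "svchost.exe", 712: "lsass.exe"}
# A full dump of these processes exposes credentials in clear text, as the
# Firefox dump above shows, so it rates a high-severity alert.
SENSITIVE = {"firefox.exe", "chrome.exe", "msedge.exe", "lsass.exe"}
DUMP_TOOLS = {"procdump.exe", "procdump64.exe"}
WINRM_HOST = "wsmprovhost.exe"  # parent of shells spawned over WinRM (port 5985)

# Constructed Sysmon-style process-creation events (Event ID 1), one per line.
SAMPLE_EVENTS = r"""
EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine="notepad.exe todo.txt"
EventID=1 Image=C:\Users\Chase\procdump64.exe ParentImage=C:\Windows\System32\wsmprovhost.exe CommandLine="procdump64.exe -ma 6220"
EventID=1 Image=C:\Tools\procdump64.exe ParentImage=C:\Windows\explorer.exe CommandLine="procdump64.exe -ma 4412 svc.dmp"
EventID=1 Image=C:\Tools\procdump.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="procdump.exe -ma lsass.exe"
"""
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line: str) -> dict:
    """Split a key=value event line; quoted values keep their inner spaces."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def dump_target(cmdline: str) -> str:
    """First non-flag argument is procdump's target: a PID (resolved via the table) or an image name."""
    for tok in cmdline.split()[1:]:
        if tok.startswith("-"):
            continue  # switches such as -ma carry no value in this simplified parser
        if tok.isdigit():
            return PROCESS_TABLE.get(int(tok), f"pid:{tok}")
        return tok.lower()
    return "unknown"

def detect_memory_dumps(events: str) -> list:
    """One alert per process-dump invocation, rated by what was dumped and how it was launched."""
    alerts = []
    for line in events.strip().splitlines():
        ev = parse_event(line)
        if basename(ev.get("Image", "")) not in DUMP_TOOLS:
            continue
        target = dump_target(ev.get("CommandLine", ""))
        alerts.append({"target": target,
                       "severity": "high" if target in SENSITIVE else "medium",
                       "remote_session": basename(ev.get("ParentImage", "")) == WINRM_HOST})
    return alerts
```

Keying on the Image basename alone is the weakest part of this rule; on real Sysmon data, also match the OriginalFileName field so the check does not depend on the file name on disk.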
LEVERAGING PRIVILEGES
Terminating our shell using Ctrl+C, we open a new login attempt using Evil-WinRM, as the SSH port is not available to us.
- Command: evil-winrm -i 10.10.10.149 -u administrator -p '4dD!5}x/re8]FBuZ'
We get in and find our flag on the Desktop!
REPORTING
Well, you have it now!
Conclusion:
Well, the box is pretty good for beginners to start off with in Windows pentesting. It was not unlike the ‘Bastion’ box, where I had to mount VHDs… well, that’s a walkthrough for another day.
Thanks for reading this blog entry and making it till here. Until next time, there must be some Windows boxes out there for me to pwn…
Bonus: logging onto the web server using the admin’s credentials did not offer me any secrets to uncover!
Credentials:
Email: admin@support.htb
Password: 4dD!5}x/re8]FBuZ