
HACKTHEBOX – HEIST


 

Hello, today the HACKTHEBOX Heist box retired. It was a fun and unusual box cuz we will not use web attacks and there is no SSH :0 I am solving it with Linux (Kali). Let's start with the IP: 10.10.10.149

 

As usual we will start with Nmap: nmap -sV -sC 10.10.10.149

 

We have HTTP, SMB, MSRPC and WSMan.

– We know that we can use smbclient for SMB and evil-winrm for WSMan.

– Let's first dive into the web to enumerate it 😀

 

 

 

– We have login.php that asks for credentials, and in the bottom right we can see "login as guest", which seems interesting.

 

 

– After logging in as guest we get this page, which is a conversation between Hazard and the Support admin, and it contains an attachment.

 

 

 

– The attachment contains users and encrypted passwords: Cisco type 7 and type 5.

 

Cracking the passwords:

 

 

 

– For the Cisco type 7 I used an online tool to crack the passwords.

 

 

 

 

– For the Cisco type 5 I used the John the Ripper tool with the rockyou.txt wordlist, and the result was stealth1agent
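Why the type 7 values fall to any online tool while the type 5 secret needs a wordlist: type 7 is a reversible XOR against a fixed, public key, whereas type 5 is a salted MD5 hash. The following is an added example, not part of the original writeup: a small config audit in Python that flags both kinds of line and decodes type 7 on the spot. The sample config, the usernames and the function names are constructed for illustration and are not the attachment from the box.

```python
import re

# Fixed key of Cisco IOS "type 7" obfuscation; it is public and identical on every device.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def type7_decode(blob):
    """Two decimal digits give the key offset; the rest is hex, XORed byte by byte with XLAT."""
    if not re.fullmatch(r"\d{2}(?:[0-9A-Fa-f]{2})+", blob):
        raise ValueError("not a type 7 string: %r" % blob)
    seed, data = int(blob[:2]), bytes.fromhex(blob[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(data))

def type7_encode(plain, seed=8):
    """Inverse of type7_decode, used here only to show the scheme is a keyless round trip."""
    body = "".join("%02X" % (ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, c in enumerate(plain))
    return "%02d%s" % (seed, body)

# Matches "<statement> password|secret <type digit> <value>" on one config line.
CRED_LINE = re.compile(r"^(?P<stmt>.*?\b(?:password|secret))[ \t]+(?P<type>\d)[ \t]+(?P<value>\S+)", re.M)

def audit(config):
    """Return (statement, type, recovered_plaintext_or_None) for weakly protected credentials."""
    findings = []
    for m in CRED_LINE.finditer(config):
        if m["type"] == "7":    # reversible: treat the plaintext as exposed
            findings.append((m["stmt"].strip(), "7", type7_decode(m["value"])))
        elif m["type"] == "5":  # salted MD5: only as strong as the password itself
            findings.append((m["stmt"].strip(), "5", None))
    return findings

# Constructed sample configuration (not the attachment from the box).
SAMPLE_CONFIG = """\
hostname lab-router
enable secret 5 $1$abcd$CONSTRUCTEDconstructed01
username alice password 7 0822455D0A16
username bob secret 9 $9$CONSTRUCTED
"""

if __name__ == "__main__":
    for stmt, kind, plain in audit(SAMPLE_CONFIG):
        note = "recovered: " + plain if plain else "hash, crackable offline if the password is weak"
        print("type %s  %-26s %s" % (kind, stmt, note))
```

Any credential this audit reports as type 7 should be rotated and stored with a stronger secret type, since anyone who can read the config can read the password.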

 

 

 

Now we have these creds: 2 users and 3 passwords. One of them does not have a username, so by guessing it must be for Hazard, right? 😀

SMBclient:

 

 

 

– smbclient works fine with Hazard's creds, but the connection failed: no workgroup available.

 

 

– I tried to log in with the evil-winrm tool but had no success.

– At this moment we must find more users or passwords to continue, cuz none of the users and passwords help us gain a shell. So let's dig again! 😀

IMPACKET and MSRPC:

– We have the MSRPC port open on our machine, so we can use it to enumerate more users via the IMPACKET lookupsid.py script. This script allows us to brute force Windows SIDs through the MSRPC interface.

 

 

 

– Now we have 9 users 😀 Let's try evil-winrm with these users and the 3 passwords.

 

 

 

 

– Chase with the second password is correct, so we have a beautiful PowerShell and user.txt 😀

PrivEsc:

 

 

 

 

– Upload netcat.exe and gain another shell.

 

 

 

– After enumerating the box to find a valid exploit and checking which processes are running with Get-Process, there are lots of Firefox 🦊 processes, and that seems a little weird 😀, so let's dump these processes.

 

 

 

 

 

– Get procdump.exe and start dumping all the Firefox processes to analyze them and dig for useful data 😀

 

 

 

– After analyzing the processes, one of them contains an admin request to login.php. Let's try these creds in the evil-winrm tool.

 

 

 

– Everything works fine: we have an Administrator shell and we got root.txt

 
