HACKTHEBOX – HEIST
Hello, today the HACKTHEBOX Heist box retired. It was a fun and unusual box because we will not use web attacks and there is no SSH :0 I am solving it with Linux (Kali). Let's start with the IP: 10.10.10.149
As usual we will start with Nmap: nmap -sV -sC 10.10.10.149
We have HTTP, SMB, MSRPC and WSMan open.
– We know that we can use smbclient for SMB and evil-winrm for WSMan.
– Let's first dive into the web server to enumerate it 😀
– We have login.php, which asks for credentials, and in the bottom right we can see "login as guest", which seems interesting.
– After logging in as guest we get this page, which is a conversation between Hazard and the support admin and contains an attachment.
– The attachment contains usernames and Cisco type 7 and type 5 encrypted passwords.
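As an added example (not part of the original write-up or of the box), a defender-side audit of a leaked IOS config like that attachment: it parses the `username ... password 7` and `enable secret 5` lines and ranks each storage type, which is also why type 7 strings fall to an online decoder instantly while type 5 needs a wordlist. The usernames, privilege level and hash strings in the sample config are constructed placeholders.

```python
import re
from dataclasses import dataclass
# Cisco IOS credential-storage types and the protection each gives (assumed,
# widely documented classification; not from the original write-up).
STORAGE_TYPES = {
    "0": ("plaintext", "critical", "no protection at all"),
    "7": ("type 7 (Vigenere obfuscation)", "critical", "reversible instantly, treat as plaintext"),
    "5": ("type 5 (MD5-crypt)", "high", "fast hash, offline-guessable with a wordlist"),
    "8": ("type 8 (PBKDF2-SHA256)", "low", "slow hash, acceptable"),
    "9": ("type 9 (scrypt)", "low", "slow hash, preferred"),
}

# Matches lines such as "username hazard password 7 <hex>" or "enable secret 5 $1$...".
CRED_RE = re.compile(
    r"^\s*(?:username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?\s+|enable\s+)"
    r"(?:password|secret)\s+(?:(?P<type>\d+)\s+)?(?P<value>\S+)\s*$"
)

@dataclass
class Finding:
    account: str
    storage: str
    severity: str
    note: str

def audit_config(config_text: str) -> list[Finding]:
    """One Finding per credential line in an IOS config, worst storage types first."""
    findings = []
    for line in config_text.splitlines():
        m = CRED_RE.match(line)
        if not m:
            continue
        stype, value = m.group("type") or "0", m.group("value")  # no type digit means plaintext
        label, sev, note = STORAGE_TYPES.get(stype, (f"type {stype}", "unknown", "review manually"))
        # A type 7 string is a 2-digit seed followed by hex byte pairs, so it must be even-length hex.
        if stype == "7" and (len(value) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", value)):
            note += "; malformed type 7 string"
        findings.append(Finding(m.group("user") or "enable", label, sev, note))
    rank = {"critical": 0, "high": 1, "unknown": 2, "low": 3}
    return sorted(findings, key=lambda f: rank[f.severity])

# Constructed sample in the shape of the box's attachment; every hash value is a placeholder.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$saltplaceholder$hashplaceholder
username hazard password 7 0E0C0A0B0C0D0E0F10
username admin privilege 15 password 7 0A0B0C0D0E1
username backup password plaintext-placeholder
"""
```

Run `audit_config(SAMPLE_CONFIG)` and the two type 7 entries and the plaintext one come out first, the type 5 enable secret last.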
Cracking the passwords:
– For the Cisco type 7 I used an online tool to crack the passwords.
– For the Cisco type 5 I used the John the Ripper tool with the rockyou.txt wordlist, and the result was stealth1agent.
– Now we have these creds: 2 users and 3 passwords, one of which does not have a username, so by guessing it must be for Hazard, right? 😀
– smbclient accepts Hazard's creds, but the connection failed: no workgroup available.
– I tried to log in with the evil-winrm tool but with no success.
– At this moment we must find other users or passwords to continue, because none of the users and passwords help us gain a shell. So let's dig again! 😀
IMPACKET and MSRPC:
– We have the MSRPC port open on the machine, so we can use it to enumerate more users via the Impacket lookupsid.py script: this script allows us to brute-force Windows SIDs through the MSRPC interface.
– Now we have 9 users 😀 Let's try evil-winrm with these users and the 3 passwords.
– Chase with the second password is correct, so we have a beautiful PowerShell shell and user.txt 😀
– Upload netcat.exe and gain another shell.
– After enumerating the box to find a valid exploit and checking what processes are running with Get-Process, there are lots of Firefox processes, and that seems a little weird 😀 Let's dump these processes.
– Get procdump.exe and start dumping all Firefox processes to analyze them and dig for useful data 😀
– After analyzing the dumps, one of them contains the admin's login request to login.php. Let's try these creds in the evil-winrm tool.
– Everything works fine: we have an Administrator shell and we got root.txt.