
HACKTHEBOX – HEIST
Hello, today the HACKTHEBOX Heist box retired. It was a fun and unusual box because we will not use web attacks and there is no SSH. I am solving it with Linux (Kali). Let's start with the IP: 10.10.10.149.
As usual we will start with Nmap: nmap -sV -sC 10.10.10.149
We have HTTP, SMB, MSRPC and WSMan open.
– We know that we can use smbclient for SMB and evil-winrm for WSMan.
– Let's first dive into the web app to enumerate it.
– We have login.php, which asks for credentials, and in the bottom right we can see "login as guest"; that seems interesting.
– After logging in as guest we have a page with a conversation between Hazard and the support admin, and it contains an attachment.
– The attachment contains usernames and encrypted passwords, Cisco type 7 and type 5.
Cracking the passwords:
– For the Cisco type 7 passwords I used an online tool to crack them.
– For the Cisco type 5 password I used John the Ripper with the rockyou.txt wordlist, and the result was stealth1agent.
– Now we have these creds: 2 users and 3 passwords. One of them does not have a username, so by guessing it must be for Hazard, right?
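As an added example (not from the original post, and not the box's attachment), here is a small Python audit script that classifies the credential lines in a Cisco IOS style config the way a defender would triage an attachment like this one: type 0 and type 7 are flagged critical because type 7 is a reversible obfuscation rather than a hash, type 4 and type 5 are flagged high because they crack quickly offline with wordlists such as rockyou.txt, and type 8/9 are accepted. The config text is constructed and every password value in it is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample config; hostnames, users and password values are placeholders.
SAMPLE_CONFIG = """\
hostname core-sw
username rout3r password 7 0123456789ABCDEF0123
username admin privilege 15 password 7 FEDCBA9876543210FEDC
enable secret 5 $1$saltsalt$PLACEHOLDERPLACEHOLDER
username ops secret 9 $9$placeholdersalt$placeholderscrypthashvalue
line vty 0 4
 password 0 CleartextVty
"""

# Matches 'username <u> [privilege N] password|secret [<type>] <value>',
# 'enable password|secret ...' and bare line-mode 'password ...' entries.
CRED_RE = re.compile(
    r"^\s*(?:username\s+(?P<user>\S+)\s+(?:privilege\s+\d+\s+)?|enable\s+)?"
    r"(?P<kw>password|secret)\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)

# Cisco storage scheme -> (description, severity, remediation advice)
SCHEMES = {
    "0": ("type 0 (plaintext)", "critical",
          "stored in clear; replace with 'secret 9'"),
    "7": ("type 7 (reversible obfuscation)", "critical",
          "anyone holding the config can recover it; replace with 'secret 9'"),
    "4": ("type 4 (unsalted single SHA-256, deprecated)", "high",
          "weaker than type 5; migrate to type 8 or 9"),
    "5": ("type 5 (salted MD5-crypt)", "high",
          "cracks quickly offline with wordlists; migrate to type 8 or 9"),
    "8": ("type 8 (PBKDF2-SHA256)", "ok", "acceptable"),
    "9": ("type 9 (scrypt)", "ok", "acceptable"),
}


@dataclass
class Finding:
    line_no: int
    user: Optional[str]   # None for 'enable' and line-mode passwords
    scheme: str
    severity: str
    advice: str


def audit_config(text: str) -> List[Finding]:
    """Return one Finding per credential line, classified by storage scheme."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = CRED_RE.match(line)
        if not m:
            continue
        # A password with no type number is stored in clear (type 0).
        t = m.group("type") or "0"
        scheme, sev, advice = SCHEMES.get(
            t, (f"type {t} (unrecognised)", "review", "verify the scheme manually"))
        findings.append(Finding(n, m.group("user"), scheme, sev, advice))
    return findings


def weak_credentials(text: str) -> List[Finding]:
    """Only the findings an operator must act on (critical or high)."""
    return [f for f in audit_config(text) if f.severity in ("critical", "high")]


if __name__ == "__main__":
    for f in weak_credentials(SAMPLE_CONFIG):
        who = f.user or "<enable/line>"
        print(f"line {f.line_no}: {who}: {f.scheme} [{f.severity}] - {f.advice}")
```

Running it on the constructed config lists the two type 7 user passwords and the clear-text vty password as critical and the type 5 enable secret as high, while the type 9 entry is left out; a real config review would feed the exported running-config through the same function.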
SMBclient:
– smbclient works with Hazard's creds, but the connection failed: no workgroup available.
– I tried to log in with the evil-winrm tool but had no success. At this point we must find other users or passwords to continue, because none of the users and passwords help us gain a shell. So let's dig again!
IMPACKET and MSRPC:
– We have the MSRPC port open on the machine, so we can use it to enumerate more users via the Impacket lookupsid.py script. This script lets us brute-force Windows SIDs through the MSRPC interface.
– Now we have 9 users. Let's try evil-winrm with these users and the 3 passwords.
– Chase with the second password is correct, so we have a beautiful PowerShell and user.txt.
PrivEsc:
– Upload netcat.exe and gain another shell.
– After enumerating the box to find a valid exploit and checking which processes are running with Get-Process, there are lots of Firefox processes, which seems a little weird. Let's dump these processes.
– Get procdump.exe and start dumping all the Firefox processes to analyze them and dig for useful data.
– After analyzing the dumps, one of them contains an admin request to login.php. Let's try these creds in the evil-winrm tool.
– Everything works: we have an Administrator shell and we got root.txt.