HackTheBox: Heist Walkthrough

dorian5
5 min read · Aug 9, 2021

Today we are working on Heist from HackTheBox.eu, a Windows box rated “Easy”. Let’s get started.

HTTP Enumeration

As I would with any box, I kicked off an nmap scan, but it was taking forever to complete, so I figured I would check some standard services. The first thing I found was a logon page for the http interface.

I unsuccessfully tried a few passwords to log on as admin, but fortunately, the “Login as guest” link gets us in.

We find a thread for a support request. “Hazard” is a possible logon for later, but the user also provides a link to a file he has uploaded. As stated, we have a partial config for a Cisco router, which excited me probably more than it should have. My experience as a network engineer has provided me with exactly zero benefit in solving CTFs up to this point, but here we are finally in my wheelhouse! That said, you really don’t need to know anything about routers to realize we have some hashed passwords to try to crack.

We can crack the type 7 passwords easily with a website: https://www.ifm.net.nz/cookbooks/passwordcracker.html

Hashcat cracks the enable secret password. Remove the `--show` flag to run the command for yourself. We now have some passwords - we just need to figure out what to do with them.
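The reason the config is such a gift is that Cisco “type 7” values are a reversible encoding rather than a hash, and “type 5” enable secrets are salted MD5 that Hashcat chews through quickly. As an added example (my own code, not from the box or from Cisco), here is a small audit script that walks a running-config and flags every credential line by its password type, so a defender can spot type 0/7/5 entries that should be migrated to type 8 (PBKDF2-SHA256) or type 9 (scrypt) before a config ever leaks. The config text and hash values are constructed placeholders.

```python
import re

# Constructed sample of a Cisco IOS running-config (not the box's actual file).
SAMPLE_CONFIG = """\
hostname edge-router
enable secret 5 $1$xyz$PLACEHOLDERMD5HASHPLACEHOLDER
username alice password 7 0123456789ABCDEF0123
username bob secret 9 $9$PLACEHOLDERSCRYPTHASHPLACEHOLDER
username carol password legacy-plaintext
line vty 0 4
 password 7 FEDCBA9876543210FEDC
 login
"""

# How a reviewer should treat each Cisco password "type" number.
# Type 7 is a reversible encoding, not a hash; type 5 is salted MD5 and is
# cheap to attack offline; types 8 and 9 are the ones current IOS docs recommend.
TYPE_INFO = {
    "0": ("cleartext", "critical"),
    "7": ("reversible type 7 encoding", "critical"),
    "5": ("salted MD5 (type 5)", "high"),
    "8": ("PBKDF2-SHA256 (type 8)", "low"),
    "9": ("scrypt (type 9)", "low"),
}

# Matches "username X password|secret [N] VALUE", "enable password|secret [N] VALUE"
# and the bare "password [N] VALUE" used under line vty/con.
CRED_RE = re.compile(
    r"^\s*(?:username\s+(?P<user>\S+)\s+)?(?:enable\s+)?"
    r"(?P<kind>password|secret)\s+(?:(?P<ptype>\d)\s+)?(?P<value>\S+)\s*$"
)

def audit_config(text):
    """Return one finding per credential line: (line number, user, type, risk, note)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CRED_RE.match(line)
        if not m:
            continue
        ptype = m.group("ptype") or "0"  # no type number means the value is cleartext
        note, risk = TYPE_INFO.get(ptype, ("unknown type %s" % ptype, "review"))
        findings.append((lineno, m.group("user") or "<enable/line>", ptype, risk, note))
    return findings

def count_by_risk(findings):
    """Summarise findings as {risk level: count} for a quick triage view."""
    counts = {}
    for _, _, _, risk, _ in findings:
        counts[risk] = counts.get(risk, 0) + 1
    return counts

if __name__ == "__main__":
    for lineno, user, ptype, risk, note in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno:>3}  {user:<14} type {ptype}  {risk:<8} {note}")
    print(count_by_risk(audit_config(SAMPLE_CONFIG)))
```

Run it against a real `show running-config` export and anything reported as critical or high is a credential an attacker with read access to the file can recover offline, exactly as happens on this box.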

By this time, my nmap scan had finally finished. Run a deeper scan for yourself, but I didn’t get any additional help from mine.

SMB/RPC

From our scan, we have SMB, RPC, and WinRM open. We can’t connect via anonymous SMB, but we know we have a potential user “hazard” and some passwords, and we are able to log on to SMB using the password “stealth1agent”. Alas, we can’t connect to any of the shares, but we know we have some good creds.

Incidentally, the creds also work for RPC; however, we can’t use them to get a shell with Evil-WinRM.

At this point, I figured I would look through Impacket utilities to see what I could take advantage of with creds for SMB and RPC. I tried a few different Impacket scripts, but lookupsid.py came through with additional user accounts on the box.

Foothold

Now that I had additional users along with the passwords I found during HTTP enumeration, I tried the various combinations to get a shell with evil-winrm.

The user flag can be found on Chase’s desktop. The file todo.txt did not provide me any hints.

Privesc

I did a number of privesc checks on the box, including downloading and running WinPeas, but I’m a serious newb at Windows privesc and nothing jumped out at me. At this point I figured I would try to get Metasploit to help me out. This was a good exercise as I had never tried to get a meterpreter session after getting shell access to the box. The first step is to build a payload using msfvenom.

Next, launch SimpleHTTPServer and then use the shell to download the payload we just created.

Launch msfconsole, set up exploit/multi/handler, and get it listening for a connection.

Back in our shell, run the executable.

And we get our meterpreter session.

Unintended Root

Run suggester to check for possible exploits.

I tried all the exploits and the last one in the list executed.

The exploit runs, but we don’t get system. A quick “getsystem” command takes care of that for us.

From there, we can read the root flag.

From looking at some other writeups, this root solution is unintended and due to the age of the box. Check out another writeup for the intended path to root. Thanks for reading!
