HackTheBox - Heist
Today I will use a new port scanner that I heard about named rustscan. It will give us the same results as nmap, and it is much faster than nmap and gives detailed information about the host and the ports.
Got a Cisco configuration file containing a bunch of usernames and passwords. We can see an md5crypt hash and two type 7 Cisco passwords.
We can decrypt the passwords using a tool named cisco_pwdecrypt, or even use the following website.
Got a valid set of credentials for the SMB server. hazard : stealth1agent
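Type 7 is reversible obfuscation rather than a hash, which is why any exposed config that contains it should be treated as a credential leak. The following is an added example, not part of the original writeup: a small config audit that flags stored secrets by type and proves type 7 values are recoverable. The function names, the rating labels and the sample config (usernames, passwords, hash) are constructed for illustration.

```python
import re

# Fixed, publicly documented XOR key behind Cisco IOS "type 7" obfuscation.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def type7_encode(plain, offset=2):
    """Obfuscate the way 'service password-encryption' does (builds the sample)."""
    body = "".join(f"{b ^ XLAT[(offset + i) % len(XLAT)]:02X}"
                   for i, b in enumerate(plain.encode("ascii")))
    return f"{offset:02d}{body}"

def type7_decode(encoded):
    """Two decimal digits give the key offset; the rest is XORed hex bytes."""
    offset, data = int(encoded[:2]), bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(offset + i) % len(XLAT)]
                 for i, b in enumerate(data)).decode("ascii")

# Matches "... password|secret <type> <value>" lines; ctx is what precedes it.
SECRET_RE = re.compile(
    r"^[ \t]*(?P<ctx>.*?)\b(?:password|secret) (?P<type>\d+) (?P<value>\S+)[ \t]*$",
    re.M)
RATING = {0: "high: plaintext", 7: "high: reversible obfuscation",
          5: "medium: md5crypt, open to offline guessing"}

def audit(config):
    """Return one finding per stored secret, rated by how it is protected."""
    findings = []
    for m in SECRET_RE.finditer(config):
        kind = int(m["type"])
        finding = {"context": m["ctx"].strip(), "type": kind,
                   "rating": RATING.get(kind, "low: review algorithm")}
        if kind == 7:  # prove reversibility so the secret gets rotated
            finding["recovered"] = type7_decode(m["value"])
        findings.append(finding)
    return findings

# Constructed sample config; usernames, passwords and the hash are made up.
SAMPLE = f"""service password-encryption
enable secret 5 $1$SALT$ConstructedPlaceholderHash
username netops password 7 {type7_encode("Constructed-Pw1")}
username backup privilege 15 password 7 {type7_encode("Another!Example", offset=9)}
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```

Any secret the audit recovers should be rotated and re-stored with a stronger secret type, and the config file itself kept out of places where unauthenticated users can read it.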
Let's try to list all the shares using smbmap.
I even tried winrm login for this hazard user, but didn't get any valid response. We can try to enumerate more users using rpcclient or lookupsid.py from the impacket module.
We have three more users to look at, and that surely increases our scope. Now let's try using rpcclient, which comes pre-installed in Kali.
Creds found : chase : Q4)sJu\Y8qz*A3?d
Got a password for admin on the website localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
Check if we have READ, WRITE permissions on the ADMIN share using smbmap; if we do, we can use psexec.py to get a remote shell.