# Hack The Box - Heist

## Quick Summary

Hey guys, today Heist retired and here’s my write-up about it. It’s an easy Windows machine and its IP is 10.10.10.149; I added it to /etc/hosts as heist.htb. Let’s jump right in!

## Nmap

As always we will start with nmap to scan for open ports and services:

We got smb, and http on port 80. I also ran another scan on port 5895 to see if winrm is running, and it was:

Anonymous authentication wasn’t allowed on smb:

So let’s check the web service.

## Web Enumeration

After getting in as guest, I got this issues page:

A user called hazard posted an issue that he’s having some problems with his Cisco router and he attached the configuration file with the issue.

For the type 7 passwords I used this online tool to crack them:

And the other hash I cracked with john:
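The type 7 strings in the attached router config are not hashes but a fixed-key XOR, which is why an online tool reverses them instantly. As an added example (my own code, not a tool from the post or from the box), here is a decoder plus a small config audit that flags type 5 and type 7 lines and points at type 8/9 instead; the sample config, hash values and usernames in it are constructed, and `0822455D0A16` is the well-known public test vector that decodes to `cisco`.

```python
import re

# Cisco's fixed XOR key for type 7 "encryption" (publicly known for decades).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Type 7 = 2-digit decimal key offset, then hex bytes XORed with XLAT."""
    if not re.fullmatch(r"\d{2}(?:[0-9A-Fa-f]{2})+", encoded):
        raise ValueError("not a type 7 string: %r" % encoded)
    seed = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body)).decode()


def encode_type7(plain: str, seed: int = 0) -> str:
    """Forward direction, included to show the whole scheme is one XOR pass."""
    out = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(plain.encode()))
    return "%02d%s" % (seed, out.hex().upper())


# Verdict per credential type found in an IOS config line.
VERDICT = {
    "0": "cleartext",
    "5": "salted MD5, crackable offline (what john did above)",
    "8": "PBKDF2-SHA256, acceptable",
    "9": "scrypt, preferred",
}


def audit_config(config: str):
    """Return (line_no, type, note) for every password/secret line; type 7 is
    decoded on the spot to make the point that it offers no protection."""
    findings = []
    for no, line in enumerate(config.splitlines(), 1):
        m = re.search(r"\b(?:password|secret)\s+(\d)\s+(\S+)", line)
        if not m:
            continue
        ptype, value = m.group(1), m.group(2)
        if ptype == "7":
            note = "reversible, recovered: " + decode_type7(value)
        else:
            note = VERDICT.get(ptype, "unknown type")
        findings.append((no, int(ptype), note))
    return findings


# Constructed sample config (hashes are placeholders, not from the box).
CONSTRUCTED_CONFIG = """\
! constructed sample
enable secret 5 $1$abcd$PLACEHOLDERHASHPLACEHOLD/
username netops password 7 0822455D0A16
username auditor secret 9 $9$PLACEHOLDER
"""
```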

## Enumerating Users –> Shell as Chase –> User Flag

So far we have hazard and rout3r as potential usernames and stealth1agent, \$uperP@ssword, Q4)sJu\Y8qz*A3?d as potential passwords.
I tried different combinations and I could authenticate to smb as hazard : stealth1agent, however there weren’t any useful shares:

I used lookupsid.py from impacket to enumerate the other users:

Then I could authenticate to winrm as chase : Q4)sJu\Y8qz*A3?d:

After enumerating the box for a while, I noticed that Firefox was installed on the box, which is unusual:

And there were some Firefox processes running:

I uploaded procdump.exe and dumped one of these processes:

Then I uploaded strings.exe and used it on the dump and saved the output to another file:

I searched for the word “password” and found Administrator’s credentials exposed in some GET requests:

And we owned root!
That’s it, feedback is appreciated!