OSCP PREPROTİONS – HTB Heist

Heist machine is a vulnerable machine with Windows operating system among retired machines and it is expected to obtain user and root flags using these vulnerabilities.
We perform a network scan with nmap to recognize the target machine.
Classic Scan

Full port scan

As a result of network scanning, 80/tcp http Microsoft IIS httpd 10.0, 135/tcp msrpc Microsoft Windows RPC, 445/tcp microsoft-ds ports are open.
First, we provided smb enumeration but we could not get a valid result because there was no username and passowrd.
We try enumeration over port 80.

In the source code of the page, we did not find any results in developer mode, there is a button to enter as a guest, we saw that a request was opened by clicking on it on the lat side

briefly in the request we click on the attachment that goes we understand that it says that it is having problems with the cisco router and that the old admin config file is attached.

We found 3 hashed passwords, let’s see what kind of encryption algorithm they use

I understand that they are related to Cisco, let’s see if there is a tool to decrytp them on githbub

3 different cisco ciphers were used, 5 7 and the last one was used and we showed that we could break them onlien.

I tried to crack the password $1$pdQG$o8nrSzsGXeaduXrjlvKc91 on the same website but it took a long time and john cracked it immediately

$1$pdQG$o8nrSzsGXeaduXrjlvKc91:stealth1agent
0242114B0E143F015F5D1E161713:$uperP@ssword
02375012182C1A1D751618034F36415408:Q4)sJu\Y8qz*A3?d
Now we have 3 passwords, when we look at the usernames, we have rout3r, admin, hazard usernames, instead of trying them one by one, we will try smb bruteforce using crackmapexec.
hazard:stealth1agent credential information detected

After the smb connection, we realize that there is no result because there are shares starting with $. Now let’s try to connect to this machine with evil-winrm

We received an error while connecting “Remote Management Users” may not be a group. However, since our credential information is valid, we can provide network enuemration on Windows system.
Therefore, let’s try to find username by brute forcing RIDs on Windows. RID stands for Relative Identifier, which is part of the SID (Security Identifier) used to uniquely identify a user or service on a Windows system.

RIDs are unique on the local system, so we can find users by trying this.

500: Administrator
501: Guest
503: DefaultAccount
504: WDAGUtilityAccount
1008: Hazard
1009: support
1012: Chase
1013: Jason
We’ve identified his users.
It was able to detect three additional usernames: support, Chase and Jason. Let’s use the passwords we used before and check withcrackmapexec if one of them is valid for the usernames we found.

chase:Q4)sJu\Y8qz*A3?d
We have detected the credential information. Let’s try to connect with evil-winrm here

We were able to log in successfully.
Since we cannot access the administartor user here, we will do local enumeration and provide privilege escalation.

We have provided a lot of enumeration here, there was only the task list we found in todo.txt, if the admin user logged in via firefox from this task list, we can get the password.
We will use the procdump tool to dump these firefox processes.
First, we downloaded it from sysinternals to our locale, then we uploaded the target machine by uploading and got the dump of firefox

We forwarded the budara dmp file to our locale and then pulled it with the strings command.

Here we have obtained the password of the admin user.
We tried to use admin, but we saw from the net user that it was not admin, we were able to log in as adminsitartor

This is how we got the root flag.