HackTheBox Writeup — Heist

Hello Guys , I am Faisal Husaini. My username on HTB is “kNgF” . Also join me on discord.

This box is created by my good friend MinatoTW

The IP of this box is

Port Scan

We get 5 open ports , running NMAP Scan against them , we get

We see that we have Web Service , Microsoft RPC running , so we move onto the web part first

Port 80

Trying random creds , we get returned with an error page

We also saw that the login page had a Login as Guest option , we click on it and get redirected to issues.php page and see

We see that a user Hazard has sent an attachment telling an issues to the Support Admin , looking into the attachment

We see that its a Cisco Router config file and also it has two creds having Type 5 hash along with a Type 7 secret hash , so we now move onto cracking the Type 5 hashes which can be cracked online easily

The first hash cracked and got the result , now for the second one

So , the second hash also got cracked and now for the Type 7 Secret hash , I will use hashcat to crack

So we successfully cracked the Type 7 hash and now we randomly tried every creds with each other and the one which worked

We see that the user hazard has Read Only Access to IPC$ , searching on Google , we lastly moved onto getting the SIDs using the creds above , and the tool which I used is lookupsid from Impacket

We get more users from the query above and also we saw from the port that Port 5985 was open , upon searching on Google , we came to know that the port is for WS-Management and Powershell remoting , also we have a ruby script to get connected to Powershell using the creds , so I tried the creds randomly with each other and the one which worked for me

Here is the content of the ruby script where we put the credentials and then save it and run it

We see that we got connected and got a Powershell prompt and also confirmed that we are user Chase , now we move on getting the user flag which is usually stored under the Desktop folder of the user as User.txt

Now we move onto the PrivEsc part

Privelege Escalation

We see the contents of the login.php and find out that the password is encrypted is SHA256 format

I tried cracking it from Hashcat but it failed , so I went on to crack it only and it got successfully , upon checking the password I felt that how this is available online , so when I asked the creator , I came to know that some faggot uploaded the password for hash online which we would got from somewhere else

So this was the UNINTENTED WAY of getting the password for Administrator

Now we will go for the INTENTED WAY of solving the box

We check the running processes and find something odd that firefox is running , which is odd for me on a server machine

So I will dump the process file using a tool named procdump which I will get into the box using the command below

So we see that the tool was successfully uploaded on the box

Now we run the procdump against the firefox process

We see that wes sucessfully dumped the process into a file

As we saw there were 4 more firefox processes running , so we dump each one of them into the same directory

All the dumps are saved here

I uploaded another tool named strings and use it to see the contents of the dump files , so we use findstr the grep alternative to windows to only see the parts with passwords

We got the password and here you can see that how that idiot had uploaded the password for that hash online which was very unprofessional as the box was not retired yet , so now we use the creds for administrator same as we did before

We are set ready to go and run the script

So we ran the script and saw that we got access as Administrator , so now we move onto getting the root flag under the Desktop folder of Administrator

So here’s the box completed and I thank my friend MinatoTW for creating such a wonderful box from which I learned so many things :) This clearly teaches why we should not store any credentials when we are prompted to save it while login


Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover