Heist is an easy-rated HackTheBox machine. I did password cracking and username enumeration. Privilege escalation was the very common Firefox memory dump for credentials. I would recommend this box to everyone.
As always, I run Nmap to check which ports and services are running on the victim machine. The “-p-” switch can take some time, but it is always good to include it.
nmap -sC -sV -A -p- <targetip>
On port 80 there is a website that requires credentials. We don’t have any yet, so the first step is to log in as a guest and look at what the attachment contains.
We have three passwords right here. I had never seen this kind of password before, so I did some research to identify them: they are Cisco passwords. I crack them and make a note of the outputs.
For the last password, I use Hashcat to crack it, but the question is: who owns this password?
I go back to the guest login page and see a user there. The username is Hazard.
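As an added defender-side example (not part of this writeup): the reason the attachment’s passwords were recoverable is that Cisco type 7 is reversible obfuscation with a fixed key and type 5 is a fast salted-MD5 hash, so an exported configuration should be audited for them. The post does not say which types it contained; the config excerpt and every value in it are constructed, and the only non-flagged type here is 9 (scrypt).

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed IOS running-config excerpt; none of these values come from the box.
SAMPLE_CONFIG = """\
hostname core-rtr
username admin privilege 15 password 7 0242114B0E143F015F5D1E161713
username backup secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
enable secret 9 $9$nhEmQVczB7dqsO$X.HsgL6x1il0RxkOSSvyQYwucySCt7qFm4v7pqCxkKM
line vty 0 4
 password 7 0836434B0A01
"""

# Password storage types that should not appear in a modern IOS config.
# Types 8 (PBKDF2-SHA256) and 9 (scrypt) are the ones to migrate to.
WEAK_TYPES = {
    "0": "type 0: cleartext",
    "5": "type 5: salted MD5 (md5crypt), fast to crack offline",
    "7": "type 7: reversible obfuscation with a fixed key, not a hash",
}

# A type 7 value is a two-digit key offset (00-15) followed by hex byte pairs.
TYPE7_RE = re.compile(r"^(0\d|1[0-5])(?:[0-9A-Fa-f]{2})+$")

# Matches "password <type> <value>" and "secret <type> <value>" fragments.
CRED_RE = re.compile(r"\b(?:password|secret)\s+(\d)\s+(\S+)")


@dataclass
class Finding:
    line_no: int
    ptype: str
    reason: str


def audit_ios_config(text: str) -> List[Finding]:
    """Return one Finding per credential line stored with a weak type."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = CRED_RE.search(line)
        if not m:
            continue
        ptype, value = m.groups()
        if ptype == "7" and not TYPE7_RE.match(value):
            findings.append(Finding(n, ptype, "type 7 marker with malformed value"))
        elif ptype in WEAK_TYPES:
            findings.append(Finding(n, ptype, WEAK_TYPES[ptype]))
    return findings


if __name__ == "__main__":
    for f in audit_ios_config(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.reason}")
```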
I thought I had found the password for Hazard, but there is no SSH service running on the victim. “Evil-winrm” is one of the best tools to use when a Windows machine does not run SSH. I tried to log in to the victim machine as the Hazard user, but evil-winrm did not work, and I don’t know why. At this point I got stuck for a little while. Then I started looking for other users, because I still had two more passwords to try.
“lookupsid.py” is a very good Python script for brute-forcing usernames. I can use it because I have credentials for one of the users.
Then I try the other two passwords from the previous enumeration, and one of them worked!
I might be the worst person at Windows privilege escalation, but first things first: I always run the “ps” command to see what is running. I saw Firefox and thought it might be useful for dumping some credentials.
I use procdump.exe to dump Firefox’s memory and look for credentials in it. After writing the “.dmp” file, I transfer it to my machine and examine it.
The “strings filename | grep pass” command can give very good results when looking for credentials.