Heist - HackTheBox
I started by doing a scan with Nmap to detect the ports and services that the machine has open.
Seeing that there was a web server, I headed over to it.
I had a login panel; I looked at the source code and noticed some routes that caught my attention.
I accessed /login.php?guest=true and found a conversation between the user and the admin. The user left a link that had another route, look what it had.
I had a few hashes; I thought they might be credentials for the main page login.
I cracked the first one with John the Ripper.
I validated the user hazard, who had a conversation with the admin, and the cracked credential with crackmapexec, and it turned out to be successful.
I tried different users in the login panel but had no luck. I also tried to see if I had access to any shared resources with smbclient but found nothing.
I thought of another alternative: try to dump more users with the user hazard and the password cracked with john, using the tool lookupsid.py.
I dumped a few of them, and with the ones I had I created a user dictionary to brute force another password cracked from another hash.
For brute force I used the crackmapexec tool; it detected that the user Chase was valid.
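From the defender's side, the step above (one cracked password tried against a list of usernames) appears as a burst of failed logons against many distinct accounts from a single source, followed by one success. The sketch below is an added example, not part of the original write-up; the log format, IP addresses, extra usernames and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, Windows event ID, source IP, target user.
# 4625 = failed logon, 4624 = successful logon. All values are illustrative.
SAMPLE_EVENTS = """\
2024-01-10T10:00:01 4625 10.10.14.5 Administrator
2024-01-10T10:00:02 4625 10.10.14.5 Guest
2024-01-10T10:00:03 4625 10.10.14.5 support
2024-01-10T10:00:04 4625 10.10.14.5 Jason
2024-01-10T10:00:05 4624 10.10.14.5 Chase
2024-01-10T10:07:00 4625 10.10.20.8 Jason
2024-01-10T10:07:30 4625 10.10.20.8 Jason
2024-01-10T10:08:10 4624 10.10.20.8 Jason
"""

def parse(text):
    """Turn the whitespace-separated sample format into sorted event tuples."""
    events = []
    for line in text.splitlines():
        ts, event_id, src, user = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), src, user.lower()))
    return sorted(events)

def detect_spray(events, window=timedelta(minutes=5), min_users=4):
    """Flag sources whose failures hit >= min_users distinct accounts in window."""
    failures = defaultdict(list)  # source IP -> [(timestamp, user)]
    alerts = {}
    for ts, event_id, src, user in events:
        if event_id == 4625:
            failures[src].append((ts, user))
            recent = {u for t, u in failures[src] if ts - t <= window}
            if len(recent) >= min_users:
                entry = alerts.setdefault(src, {"targets": set(), "compromised": []})
                entry["targets"] |= recent
        elif event_id == 4624 and src in alerts:
            # A success right after the spray suggests the shared password matched.
            if ts - failures[src][-1][0] <= window:
                alerts[src]["compromised"].append(user)
    return alerts

if __name__ == "__main__":
    for src, info in detect_spray(parse(SAMPLE_EVENTS)).items():
        print(src, sorted(info["targets"]), info["compromised"])
```

The second source in the sample, a single user mistyping a password, stays below the distinct-account threshold and is not flagged.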
I authenticated with evil-winrm and I could now see the user flag.
PRIVILEGE ESCALATION
For privilege escalation I found Firefox processes running on the system.
I downloaded the procdump64.exe utility and dumped a Firefox process with it.
I ran strings on the dump and exported the output to a file called cred.txt, filtered it by login.php and it reported some credentials. I tried to validate them with crackmapexec using the Administrator user.
It returned Pwned, which allowed me to log in with psexec with maximum privileges.
I was also able to access it with evil-winrm.