Heist

1568101124

Comments

  • Rooted.
    I spent hours not knowing what to do, but after a while, when doing something else, I learned that there is a bug in my system in one of my tools, that was necessary to get root haha... Apparently the first thing I tried was actually the right thing, but it didn't work because of that... oh well. Things like this happen. That's why it's important to keep notes - otherwise I would have forgotten why I thought that that wasn't the case, and I wouldn't have tried it again after I learned about the bug.
    Anyway, feel free to PM me.

  • edited August 2019

    Guys, I found my problem thanks to @lackofgravitas. I used hashcat with the --force option in my VM, this gave me a wrong password. So me thinking I have the correct passwords I tried to wordlist the username. This is not needed!
    TIL: don't run hashcat with --force in a VM :smiley:

  • @UCLogical said:

    Guys, I found my problem thanks to @lackofgravitas. I used hashcat with the --force option in my VM, this gave me a wrong password. So me thinking I have the correct passwords I tried to enum the username. This is not needed!
    TIL: don't run hashcat with --force in a VM :smiley:

    I'm having the same issue. hashcat with vmware --force is giving me an incorrect password. john did the same, using rockyou.txt.

  • That's interesting. My VM runs in Virtualbox and that's fine using the --force option. I wonder if there's some kind of bug?
  • Where's a good list of these enumeration basics everyone keeps talking about? This is what I currently use as reference:
    http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf#h.9htblqaresn8
    https://guif.re/windowseop
    https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

    I see the process everyone is talking about for root, but do you normally just start messing with processes like this on normal pentests? How can I know what files that process uses, because it sounds like whatever root needs is in memory or on disk?

  • Quick question for anyone who has the time:

    Am I meant to be able to successfully login/authenticate to the w***m service using the h****d account? Or, am I meant to do password guessing against the users obtained from l*******d.py ? Any help is appreciated

  • edited August 2019

    @StevenKennyIT said:
    Quick question for anyone who has the time:

    Am I meant to be able to successfully login/authenticate to the w***m service using the h****d account? Or, am I meant to do password guessing against the users obtained from l*******d.py ? Any help is appreciated

    If you're using metasploit, the winrm modules don't work with the correct creds while the previously mentioned ruby scripts do work for it (like the shell version from alionder.net)

    You'll need to crack all three passwords and try the users from l*******d.py with those passwords

  • edited August 2019

    edit got it

  • edited August 2019

    Do you need to brute force the profile password after getting user?

  • @StevenKennyIT said:

    Quick question for anyone who has the time:

    Am I meant to be able to successfully login/authenticate to the w***m service using the h****d account? Or, am I meant to do password guessing against the users obtained from l*******d.py ? Any help is appreciated

    To help you, there is a module on metasploit which lets you test username-password pairs on the remote system to see if you can log in. It also gives you the option to make a file of user-pass combinations and use it to test all of these and see what and how many combinations are correct.
    PS: That module does not let you log in, but finds the right combination

  • Complicating the root process myself. Just keep enumerating, there's no need to do it in a fancy way. Pm me for hints.

  • Finally rooted and user'd
    Thanks, @MinatoTW for such an amazing experience, that's my second box, and it was really fun and kinda hard for me.
    Thanks to @jorgectf for his time and hints he provided

  • @L1vra said:

    @StevenKennyIT said:

    Quick question for anyone who has the time:

    Am I meant to be able to successfully login/authenticate to the w***m service using the h****d account? Or, am I meant to do password guessing against the users obtained from l*******d.py ? Any help is appreciated

    To help you, there is a module on metasploit which lets you test username-password pairs on the remote system to see if you can log in. It also gives you the option to make a file of user-pass combinations and use it to test all of these and see what and how many combinations are correct.
    PS: That module does not let you log in, but finds the right combination

    Thanks mate, this was the best advice received from many, thanks a ton. #Happyhacking :wink:

    cycl0ps
    If you need help with something, PM me how far you've got already, what you've tried etc (I won't respond to profile comments). And remember to +respect me if I helped you ; )
    Discord-cycl0ps#5219
    Telegram-cycl0ps

  • @Phase said:

    @0x000c0ded said:

    For user:
    Does getting the right username require guessing? I found 4 usernames and 3 passwords, tried all the combinations and none worked. (on the higher port)
    I'm trying to do a username brute force for now.

    Check out a particular script from impacket that could help enumerate usernames.....
    lo******d.p*

    Hi,

    I want to use this script with a password I found in the attachment. There's a ")" in the password and the script gives me errors. Any idea?

  • I'm stuck at root, I tried to get the password from the k**4.d*. Can someone give me a nudge or dm me some hints?

  • edited August 2019

    I like this box; great job author.

    I'd say there's a number of misleading hints in this thread leading to a rabbit hole(s). Don't rely on tips in here and figure it out on your own.

  • edited August 2019

    Hi,

    I want to use this script with a password I found in the attachment. There's a ")" in the password and the script gives me errors. Any idea?

    If you want to use a value with a ")" or similar in it enclose the value in quotation marks. E.g. "aaaa)aaaa".

  • Thank you.

  • I'm honestly embarrassed about how long it took me to look in that directory to get root. Spent hours fumbling around nearby. But, I'm better with that interface and those search commands than I was.

    Overall, it was a fun box. Now I've gotta go delete some things from my Windows box...

  • @bergi said:

    I'm stuck at root, I tried to get the password from the k**4.d*. Can someone give me a nudge or dm me some hints?

    Watch the processes, you will find something interesting.

  • @ivnnn1 said:

    Stuck on cracking $1 pass, any hint?

    Use hashcat and choose the hash format correctly.
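Given the reports above of hashcat --force (and john) returning a wrong password in a VM, and the question about the "$1" hash, the check a practitioner wants is to recompute the hash from the candidate independently of the cracking tool. The following is an added example, not code from this thread or from hashcat: a pure-Python md5crypt ($1$) implementation following the FreeBSD crypt-md5.c algorithm, with a verifier that takes the "$1$salt$hash" string and a candidate password; the hash and password values in the comments are the standard glibc md5crypt test vector.

```python
import hashlib
import hmac

# Alphabet used by crypt(3)-style encodings, 6 bits per character.
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Encode the low 6*count bits of value, least significant group first."""
    return "".join(_ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))


def md5crypt(password: bytes, salt: bytes, magic: bytes = b"$1$") -> str:
    """Return the full '$1$salt$hash' string (FreeBSD md5crypt algorithm)."""
    salt = salt.split(b"$", 1)[0][:8]            # at most 8 salt bytes, no '$'
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for pl in range(len(password), 0, -16):       # len(password) bytes of alt
        ctx.update(alt[:min(16, pl)])
    i = len(password)
    while i:                                      # per-bit step from the C code
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                         # fixed 1000-round stretching
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in order)
    enc += _to64(final[11], 2)
    return (magic + salt).decode() + "$" + enc


def verify_md5crypt(hash_str: str, candidate: str) -> bool:
    """True if candidate reproduces hash_str; constant-time string compare."""
    _, magic, salt, _digest = hash_str.split("$")
    if magic != "1":
        raise ValueError("not an md5crypt ($1$) hash")
    return hmac.compare_digest(md5crypt(candidate.encode(), salt.encode()), hash_str)


def first_match(hash_str: str, candidates):
    """Return the first candidate (e.g. a cracker's output) that verifies, else None."""
    return next((c for c in candidates if verify_md5crypt(hash_str, c)), None)
```

Feed `first_match` the hash line and the password a tool reported; if it returns None, the tool's result is wrong for that hash regardless of what it printed.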

  • Anyone online? I have 3 passwords... I can authenticate on 445 with a username and password, but can't seem to use the winrm shell etc to progress, even after using the ruby code. Any help appreciated

  • @Seepckoa said:

    Watch the processes, you will find something interesting.

    I already tried but didn't find anything, because I am not really sure what I am even looking for. :/

  • edited August 2019

    Rooted in a different way than the "process way". Would be curious to hear how others did using the "process way". Feel free to PM for discussion or nudges.

  • edited August 2019

    Banging my head against a wall the l*****.*y tool. Cannot get it to return anything...

    Disregard! Onto user!

  • Nice machine!

    Some hints:
    User: after getting the first user, use it to enumerate more users.
    Root: where is user app information stored in Windows?

  • Just to be clear: the "process way" is the real way. The other way is due to some idiot doing stupid stuff online.

    Hack The Box

    Don't let the box pwn you!!

  • Hey can I get a hint about "Heist"? I found a password, then I cracked it. I have usernames and passwords. But I don't know how I can use this information. I couldn't find the user account inside the machine, what should I do? Please PM...

  • Stuck on user
    successes:

    • using l*******d enum
    • cracking 3 passwords

    failures:

    • using evil-winrm (used all users with passwords cracked)

    Info: Starting Evil-WinRM shell v1.6
    Info: Establishing connection to remote endpoint
    Error: Can't establish connection. Check connection params
    Error: Exiting with code 1

    Can someone please DM me to help with using the ruby code?

  • edited August 2019
    @krypt0cat said:
    > Stuck on user
    > successes:
    >
    >
    > * using l*******d enum
    > * cracking 3 passwords
    > failures:
    > -using evil-winrm (used all users with passwords cracked)
    >
    > Info: Starting Evil-WinRM shell v1.6
    > Info: Establishing connection to remote endpoint
    > Error: Can't establish connection. Check connection params
    > Error: Exiting with code 1
    >
    > Can someone please DM me to help with using the ruby code?

    Evil-WinRM works fine too. You just have to find the right combo of your obtained information about the users and the cracked passwords. Try every combination, there are not so many

    trollzorftw
