Heist

I’m stuck at root, I tried to get the password from the k**4.d*. Can someone give me a nudge or dm me some hints?

I like this box; great job author.

I’d say there’s a number of misleading hints in this thread leading to a rabbit hole (or several). Don’t rely on tips in here and figure it out on your own.

Hi,

I want to use this script with a password I found in the attachment. There’s a “)” in the password and the script gives me errors. Any idea?

If you want to use a value with a “)” or similar in it, enclose the value in quotation marks, e.g. “aaaa)aaaa”.

Thank you.

I’m honestly embarrassed about how long it took me to look in that directory to get root. Spent hours fumbling around nearby. But, I’m better with that interface and those search commands than I was.

Overall, it was a fun box. Now I’ve gotta go delete some things from my Windows box…

@bergi said:

I’m stuck at root, I tried to get the password from the k**4.d*. Can someone give me a nudge or dm me some hints?

Watch the processes, you will find something interesting.

@ivnnn1 said:

Stuck on cracking $1 pass, any hint?

Use hashcat and choose the hash format correctly.

Anyone online? I have 3 passwords… I can authenticate on 445 with a username and password… but can’t seem to use the WinRM shell etc. to progress… even after using the ruby code. Any help appreciated.

@Seepckoa said:

Watch the processes, you will find something interesting.

I already tried but didn’t find anything, because I am not really sure what I am even looking for. :confused:

Rooted in a different way than the “process way”. Would be curious to hear how others did using the “process way”. Feel free to PM for discussion or nudges.

Banging my head against a wall with the l*****.*y tool. Cannot get it to return anything…

Disregard! Onto user!

Nice machine!

Some hints:
User: after getting the first user, use it to enumerate more users.
Root: where is user app information stored in Windows?

Just to be clear, the “process way” is the real way. The other way is due to some idiot doing stupid stuff online.

Hey, can I get a hint about “Heist”? I found a password, then I cracked it. I have usernames and passwords, but I don’t know how I can use this information. I couldn’t find the user account inside the machine; what should I do? Please PM…

Stuck on user
successes:

  • using l*******d enum
  • cracking 3 passwords

failures:

  • using evil-winrm (used all users with passwords cracked)

Info: Starting Evil-WinRM shell v1.6
Info: Establishing connection to remote endpoint
Error: Can’t establish connection. Check connection params
Error: Exiting with code 1

Can someone please DM me to help with using the ruby code?

@krypt0cat said:

Stuck on user
successes:

  • using l*******d enum
  • cracking 3 passwords

failures:

  • using evil-winrm (used all users with passwords cracked)

Info: Starting Evil-WinRM shell v1.6
Info: Establishing connection to remote endpoint
Error: Can’t establish connection. Check connection params
Error: Exiting with code 1

Can someone please DM me to help with using the ruby code?

Evil-WinRM works fine too. You just have to find the right combo of your obtained information about the users and the cracked passwords. Try every combination; there are not so many.

@DameDrewby said:

@Dreadless said:

Stupid question, but do I need to be cracking the $1$? I have decrypted the other 2 passwords but can’t seem to crack the other!

Yes

Read the note again and find where the password originated from… every word from that guy matters… good luck.

If you believe you’ve found what you’re supposed to be looking for, when attempting to escalate, make sure to check what you’re sending with the script previously posted with what it sends. Just spent 2 hours not realizing that using double quotes instead of single quotes can alter what it will try to authenticate with.

@L1vra said:

@StevenKennyIT said:

Quick question for anyone who has the time:

Am I meant to be able to successfully log in/authenticate to the wm service using the hd account? Or am I meant to do password guessing against the users obtained from l******d.py? Any help is appreciated.

To help you: there is a module in Metasploit which lets you test username/password pairs on the remote system to see if you can log in. It also gives you the option to make a file of user/pass combinations and use it to test all of them and see which and how many combinations are correct.
PS: That module does not let you log in, but it finds the right combination.

Thanks @L1vra and @icedmana. Rooted

Hi, I’ve found two passwords in the “file”. I think the username could be Hd, rr or a***n.

I tried with smbclient, I failed.
I tried with WM, I failed.
I tried with lo***d.py, I failed.
I tried with Metasploit, I failed.

I tried many other tools but nothing worked. I can’t access the shares or connect to a service.

Don’t know what to do…