
Hack the Box - Heist


Heist was an easy-difficulty box that combined credential harvesting, password spraying, dumping a process to capture further credentials, and a final spray to get Administrator access. Overall it was a good Windows box with a few fundamentals that could be practiced.

Initial Recon

As usual, let's kick it off with an NMAP scan.

root@kali:~# nmap -sV -sV -p-
Starting Nmap 7.70 ( ) at 2019-10-19 15:26 EDT
Nmap scan report for
Host is up (0.11s latency).
Not shown: 997 filtered ports
80/tcp   open  http          Microsoft IIS httpd 10.0
135/tcp  open  msrpc         Microsoft Windows RPC
445/tcp  open  microsoft-ds?
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 31.23 seconds

SMB did not reveal anything public, so let's take a look at the web service running.

Looks like there is a guest login option. Let's pop in as guest and see what we can find.

Oooh, an attachment? Don't mind if I do!

Ok excellent, we're starting our credentials list. Cracking the type-5 and type-7 Cisco hashes, we now have a list of:


The first pairing of hazard/stealth1agent was a guess based on the username in the issues post. I dumped all potential passwords and usernames into corresponding files and used the smb_login module to spray them for validity.
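A small added example (not from the original post, and not a tool used on the box) showing why the "type 7" entries in a leaked router config count as plaintext rather than hashes: Cisco type 7 is a fixed-key XOR obfuscation, so anyone holding the config can reverse it instantly, while type 5 is MD5-crypt that has to be cracked offline. The config lines and the `$1$...` value below are constructed for the demo and are not the box's real config.

```python
import re

# The constant key Cisco IOS uses for type-7 obfuscation (publicly documented).
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUB"


def decode_type7(encoded: str) -> str:
    """Reverse a type-7 string: two-digit decimal seed, then hex bytes XORed with the key."""
    if len(encoded) < 4 or len(encoded) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", encoded):
        raise ValueError("not a well-formed type-7 string")
    seed = int(encoded[:2], 10)
    chars = []
    for pair_index, pos in enumerate(range(2, len(encoded), 2)):
        byte = int(encoded[pos:pos + 2], 16)
        key_char = TYPE7_KEY[(seed + pair_index) % len(TYPE7_KEY)]
        chars.append(chr(byte ^ ord(key_char)))
    return "".join(chars)


def encode_type7(plaintext: str, seed: int = 2) -> str:
    """Forward direction, included to show the scheme is a symmetric XOR, not a hash."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    body = "".join(
        f"{ord(c) ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]):02X}"
        for i, c in enumerate(plaintext)
    )
    return f"{seed:02d}{body}"


# Matches "password 7 <hex>", "enable secret 5 <hash>", "username x secret 9 <hash>", etc.
CRED_LINE = re.compile(r"(?:secret|password)\s+(\d)\s+(\S+)")


def audit_config(config: str) -> list:
    """Return (type, stored_value, recovered_plaintext_or_None) for each credential line.

    Type 7 is recovered outright; type 5 is flagged as offline-crackable MD5-crypt;
    types 8 and 9 (PBKDF2 / scrypt) are the ones to prefer and are listed without comment.
    """
    findings = []
    for line in config.splitlines():
        m = CRED_LINE.search(line)
        if not m:
            continue
        ptype, value = m.group(1), m.group(2)
        recovered = decode_type7(value) if ptype == "7" else None
        findings.append((f"type{ptype}", value, recovered))
    return findings


# Constructed sample config: the MD5-crypt value is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
! constructed sample for the demo
enable secret 5 $1$xxxx$PLACEHOLDER_NOT_A_REAL_HASH
username rout3r password 7 02050D480809
line vty 0 4
 password 7 00071A150754
"""

if __name__ == "__main__":
    for ptype, value, recovered in audit_config(SAMPLE_CONFIG):
        print(f"{ptype:6} {value:45} -> {recovered if recovered else '(crack offline)'}")
```

Running it prints the two type-7 lines with their plaintext recovered immediately and the type-5 line marked for offline cracking; the defensive takeaway is that `service password-encryption` (type 7) protects against shoulder-surfing only, and any config backup that leaves the device should be treated as containing cleartext credentials.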

User exploitation

Unfortunately, at this point Hazard was not able to log in using WinRM, so I took a different angle and tried dumping more information with the valid credentials.

root@kali:~/Desktop/HTB/Heist# python hazard:stealth1agent@
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies

Brute forcing SIDs at
Trying protocol 445/SMB...
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)

Great, we have a few more users to add to our user file. Let's re-run the smb_login module with the expanded list now.

We have an extra hit, excellent! This time chase was able to leverage winrm and we got ourselves a shell. I went between evil-winrm and the ruby iteration of winrm to try different angles.

And now with shell access we are able to get our user flag. User down!

Root exploitation

Unfortunately my notes were a little skimpy for this part. Checking the login.php code, we saw that there was an admin hash listed.

<?php
session_start();

// Admin login: the expected password is a hard-coded, unsalted SHA-256 digest
// compared directly in source, so anyone who can read login.php gets the hash.
if( isset($_REQUEST['login']) && !empty($_REQUEST['login_username']) && !empty($_REQUEST['login_password'])) {
        if( $_REQUEST['login_username'] === 'admin@support.htb' && hash( 'sha256', $_REQUEST['login_password']) === '91c077fb5bcdd1eacf7268c945bc1d1ce2faf9634cba615337adbf0af4db9040') {
                $_SESSION['admin'] = "valid";
                header('Location: issues.php');
        }
        else {
                header('Location: errorpage.php');
        }
}
// Guest access: no password at all, only ?guest=true in the query string.
else if( isset($_GET['guest']) ) {
        if( $_GET['guest'] === 'true' ) {
                $_SESSION['guest'] = "valid";
                header('Location: issues.php');
        }
}
?>
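To make the weakness in that login check concrete, here is an added Python example (mine, not the box's PHP and not the author's code) placing the page's pattern, a fast unsalted SHA-256 digest compared against a literal in source, next to the form a defender would use: a slow, salted KDF (scrypt from the standard library) with a per-user record that lives in a credential store rather than in the script, verified with a constant-time comparison. The password and username strings are constructed for the demo.

```python
import hashlib
import hmac
import os


def sha256_hex(password: str) -> str:
    """Plain SHA-256 hex digest, the same thing PHP's hash('sha256', ...) returns."""
    return hashlib.sha256(password.encode()).hexdigest()


def weak_check(username: str, password: str, expected_hex: str) -> bool:
    """Mirrors the login.php logic: one fixed username and a fast, unsalted hash.

    Because SHA-256 is designed to be fast, a leaked digest can be tested against
    a wordlist at very high rates offline; the literal in source is the leak.
    """
    return username == "admin@support.htb" and sha256_hex(password) == expected_hex


# Hardened form: per-user salt, memory-hard KDF, parameters stored with the record.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}


def make_record(password: str) -> dict:
    """Create the stored credential record; this belongs in a DB, not in login.php."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return {"salt": salt.hex(), "hash": digest.hex(), **SCRYPT_PARAMS}


def verify(record: dict, password: str) -> bool:
    """Recompute with the record's own salt and cost, then compare in constant time."""
    digest = hashlib.scrypt(
        password.encode(),
        salt=bytes.fromhex(record["salt"]),
        n=record["n"], r=record["r"], p=record["p"],
        dklen=32,
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed demo credential; never reuse a real password here.
    leaked_digest = sha256_hex("Example-Pass-123")
    print("weak check accepts real password:", weak_check("admin@support.htb", "Example-Pass-123", leaked_digest))

    record = make_record("Example-Pass-123")
    print("stored record (salt + scrypt hash, no plaintext):", record)
    print("hardened verify, correct password:", verify(record, "Example-Pass-123"))
    print("hardened verify, wrong password:  ", verify(record, "Example-Pass-124"))
```

Two properties matter here: each guess against the scrypt record costs roughly 16 MiB of memory and milliseconds of CPU rather than nanoseconds, and two records for the same password differ because of the random salt, so a leaked table cannot be attacked with one precomputed list. Note also that the guest branch in the original needs no secret at all, which is exactly how the issues page and its attachment were reached.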

Also, checking the todo file in Chase's home directory, we can assume he is periodically logging in to check any ongoing issues.

PS > cat todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.

1. Restricted access for guest user.

Armed with this information, let's dump the browser's (Firefox) process and look for any stored passwords in memory. After getting the dump file over to our own host, we do a quick check.

root@kali:~/Desktop/HTB/Heist# strings firefox.exe_191020_085813.dmp | egrep 'password'

Perfect! Now let's expand our smb_login files to validate the password.

Bam! Let's use our trusty evil-winrm to log on.

There we go! Thanks everyone, until next time!

This post is licensed under CC BY 4.0 by the author.