Last updated
Scope
IP Address: 10.10.10.149
Nmap Scan
SMB
SMB enumeration failed, so I switched to RPC, which failed as well.
RPC
HTTP
Web page at http://10.10.10.149/login.php
I tried to supply default credentials, but the login button didn't send any request to the backend server. However, "Login as guest" caught my attention, so I clicked it.
It took me to http://10.10.10.149/issues.php, as shown above.
From this page I could extract some useful information:
http://10.10.10.149/attachments/config.txt
If you have configured a Cisco router before, you will be familiar with this syntax and these commands. We can extract additional information:
My plan was to crack the hashes, build a list of usernames and passwords from them, and then brute force SMB.
I had to know the hash type to be able to crack it. Since this hash was obtained from a router configuration, the hash type should be Cisco-IOS (MD5).
The command username <user> password 7 <hash> reveals that the encryption type is 7, which I could search for.
I found a tool that can decrypt type-7 hashes:
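To show why a "password 7" string can be recovered at all, here is an added example (my own illustration, not code from the original write-up or from the tool used there). Type 7 is not a hash: IOS XORs each character against a fixed, publicly known key, so anyone who can read the config can undo it. The config text and the encoded value below are constructed samples; the only real value is the fixed key. From a defender's side, the lesson is that `service password-encryption` only hides passwords from shoulder-surfing, and that an exposed config.txt is equivalent to exposed plaintext; `enable secret` (type 5/8/9) and keeping config backups off web servers are the actual fixes.

```python
import re

# Fixed key IOS uses for type-7 obfuscation (well known and published).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a 'password 7' string.

    Format: two decimal digits giving the starting offset into XLAT (the
    "seed"), then one hex byte per plaintext character, each XORed with
    the key byte at (seed + position) mod len(XLAT).
    """
    if len(encoded) < 4 or len(encoded) % 2 != 0:
        raise ValueError("malformed type-7 string")
    seed = int(encoded[:2])
    if seed >= len(XLAT):
        raise ValueError("seed out of range")
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plaintext: str, seed: int = 0) -> str:
    """Inverse of type7_decode; included so the scheme can be round-tripped."""
    data = plaintext.encode("ascii")
    body = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(data))
    return f"{seed:02d}" + body.hex()


# 'username X ... password 7 Y' and 'enable password 7 Y'; type 5/8/9 lines
# are deliberately not matched because they are real hashes.
USER_LINE = re.compile(r"^\s*username\s+(\S+).*?\bpassword\s+7\s+([0-9A-Fa-f]+)")
ENABLE_LINE = re.compile(r"^\s*enable\s+password\s+7\s+([0-9A-Fa-f]+)")


def audit_config(config_text: str) -> list:
    """Return (account, recovered plaintext) for every type-7 secret in a config.

    This is the check a config reviewer would run before a backup is stored
    anywhere less protected than the device itself.
    """
    findings = []
    for line in config_text.splitlines():
        m = USER_LINE.match(line)
        if m:
            findings.append((m.group(1), type7_decode(m.group(2))))
            continue
        m = ENABLE_LINE.match(line)
        if m:
            findings.append(("enable", type7_decode(m.group(1))))
    return findings


# Constructed sample config (not the one from the box).
SAMPLE_CONFIG = """\
hostname edge-router
enable secret 5 $1$PLACEHOLDER$notatype7hash
enable password 7 00071a150754
username netadmin privilege 15 password 7 00071a150754
"""

if __name__ == "__main__":
    for account, secret in audit_config(SAMPLE_CONFIG):
        print(f"{account}: {secret}")
```

`audit_config` on the sample reports both the `enable password` and the `netadmin` line as recoverable, while the `enable secret 5` line is left alone because it is a salted MD5 hash that would need real cracking.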
Now I'm going to create a password list and then brute force SMB.
I tried to enumerate SMB with the credentials I found, but nothing interesting turned up.
No options were left for me except enumerating RPC with hazard's credentials. I tried several commands to enumerate the machine, but only these two worked:
So the domain SID is S-1-5-21-4254423774-1266059056-3197185112, and the RID is appended to the end. I wanted to enumerate users on the machine, but enumdomusers failed; however, lookupnames & lookupsids can be used for that purpose.
The user SID consists of two parts:
SID of the domain
RID of the user
I knew from previous experience that RIDs start at 500, which is the administrator RID, and that regular users start at 1000. So I will generate a wordlist {500:510} for admin accounts & {1000:1100} for regular users.
Loop over the two wordlists, redirect the output to results.txt, and then read the file.
I created a wordlist of the newly discovered users and then brute forced SMB again.
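The SID arithmetic and the result-file parsing above, as an added example (my own code, not from the original write-up). The domain SID is the one found on the box; the six `lookupsids` result lines are constructed in the format rpcclient prints (`SID DOMAIN\name (type)`), with a made-up domain name and made-up RIDs, and the trailing number is the SID_NAME_USE type, where 1 means a user account. On the defensive side, the tell-tale pattern is a guest or low-privilege session resolving a long run of sequential RIDs in quick succession; that is what to alert on in RPC/LSA logging.

```python
import re

# Domain SID recovered from the box (from the write-up).
DOMAIN_SID = "S-1-5-21-4254423774-1266059056-3197185112"

# SID_NAME_USE values returned by LsarLookupSids.
SID_TYPE = {1: "user", 2: "group", 3: "domain", 4: "alias",
            5: "well-known group", 8: "unknown", 9: "computer"}

# Lines look like: S-1-5-21-...-500 EXAMPLEDOM\Administrator (1)
LOOKUP_LINE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+-\d+)\s+(\S+?)\\(\S+)\s+\((\d+)\)$")
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid: str):
    """Split a user SID into (domain SID, RID)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not an account SID: {sid}")
    return m.group(1), int(m.group(2))


def classify_rid(rid: int) -> str:
    """Label the well-known RIDs; everything >= 1000 is an ordinary account."""
    return {500: "built-in Administrator", 501: "built-in Guest",
            502: "krbtgt", 503: "DefaultAccount"}.get(rid, "regular" if rid >= 1000 else "reserved")


def candidate_sids(domain_sid: str, rid_ranges=((500, 510), (1000, 1100))) -> list:
    """The wordlist from the write-up: domain SID joined with each RID in the ranges."""
    return [f"{domain_sid}-{rid}" for lo, hi in rid_ranges for rid in range(lo, hi + 1)]


def parse_lookupsids(output: str, domain_sid: str = None) -> list:
    """Parse rpcclient lookupsids output and keep only resolved user accounts.

    Returns (rid, username) pairs; groups, aliases and unresolved SIDs are
    dropped, as is anything outside domain_sid when one is given.
    """
    users = []
    for line in output.splitlines():
        m = LOOKUP_LINE.match(line.strip())
        if not m:
            continue
        sid, name, kind = m.group(1), m.group(3), int(m.group(4))
        if SID_TYPE.get(kind) != "user":
            continue
        dom, rid = split_sid(sid)
        if domain_sid and dom != domain_sid:
            continue
        users.append((rid, name))
    return users


# Constructed sample of results.txt (domain name and RIDs are made up).
SAMPLE_RESULTS = """\
S-1-5-21-4254423774-1266059056-3197185112-500 EXAMPLEDOM\\Administrator (1)
S-1-5-21-4254423774-1266059056-3197185112-501 EXAMPLEDOM\\Guest (1)
S-1-5-21-4254423774-1266059056-3197185112-503 EXAMPLEDOM\\DefaultAccount (1)
S-1-5-21-4254423774-1266059056-3197185112-513 EXAMPLEDOM\\None (2)
S-1-5-21-4254423774-1266059056-3197185112-1008 EXAMPLEDOM\\Chase (1)
S-1-5-21-4254423774-1266059056-3197185112-1009 *unknown*\\*unknown* (8)
"""

if __name__ == "__main__":
    print(len(candidate_sids(DOMAIN_SID)), "SIDs to resolve")
    for rid, name in parse_lookupsids(SAMPLE_RESULTS, DOMAIN_SID):
        print(f"{rid:5d}  {name:16s} {classify_rid(rid)}")
```

Filtering on the type value matters: a RID sweep also resolves groups (type 2) and unassigned RIDs (type 8), and feeding those into a password spray only adds noise.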
We got a hit :)
I will now test the WinRM connection with crackmapexec to see if we can log in as user Chase.
User Flag: 7ec14ed02a46043fc7cxxxxxxxxxxxxx
evil-winrm is too slow, so I will upload nc and get a shell with it instead.
I didn't find many interesting things after landing as Chase, so I ran winPEAS.exe, and it highlighted these files as readable:
Unfortunately, after I extracted the secrets from these files, they didn't reveal anything useful.
Next, I got a hint from the community to change my approach and dump the Firefox process memory. Let's see how I did it.
I uploaded procdump.exe from the Sysinternals suite, got the process ID of Firefox, and began to dump it.
Start smbserver and copy the dump to my attack host.
The .dmp file is a binary file, so grep only works on it in combination with the strings command.
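An added example (my own code, not from the original write-up) of what `strings | grep` is doing over a process dump, extended to the UTF-16LE strings that Windows processes hold alongside ASCII ones (the equivalent of `strings -el`). The dump bytes below are a constructed blob with a placeholder password, not data from the box. The point for defenders is the one this step of the write-up makes implicitly: anything a user typed into a browser form stays in that process's memory in the clear, so a procdump of a browser is as sensitive as a credential store, and unexpected procdump/MiniDump activity against browser processes is worth alerting on.

```python
import re

# Constructed process-memory fragment: a PE-ish header, a buffered POST body
# and a UTF-16LE user-agent string, separated by non-printable bytes.
SAMPLE_DUMP = (
    b"\x00\x00MZ\x90\x00" + b"\x01\x02" * 6
    + b"POST /login.php HTTP/1.1\r\n" + b"\x00" * 7
    + b"login_username=admin&login_password=EXAMPLE_P@ss\x00\xff"
    + "Mozilla/5.0".encode("utf-16-le") + b"\x00\x00"
    + b"ab\x00" + b"\x00\x00" * 3
)

# Form-field names that commonly carry credentials in a URL-encoded body.
FORM_FIELD = re.compile(
    r"((?:login_)?(?:username|user|password|passwd|pwd))=([^&\s]+)", re.IGNORECASE
)


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Mimic `strings`: runs of printable ASCII (0x20-0x7e) of at least min_len."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def extract_wide_strings(blob: bytes, min_len: int = 4) -> list:
    """Mimic `strings -el`: runs of UTF-16LE printable ASCII characters."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, blob)]


def find_form_credentials(blob: bytes) -> list:
    """Return (field name, value) pairs for credential-looking form fields.

    This is the `grep` half of the pipeline, run over both string encodings.
    """
    hits = []
    for s in extract_strings(blob) + extract_wide_strings(blob):
        for m in FORM_FIELD.finditer(s):
            hits.append((m.group(1).lower(), m.group(2)))
    return hits


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_DUMP):
        print("ascii:", s)
    for s in extract_wide_strings(SAMPLE_DUMP):
        print("wide: ", s)
    for field, value in find_form_credentials(SAMPLE_DUMP):
        print(f"{field} -> {value}")
```

Running it on the sample prints the buffered request line, the URL-encoded body and the wide user-agent string, then pulls out the two credential fields from the body.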
The Credentials found:
I will test these creds with crackmapexec:
And we gained the administrator account :)
Root Flag: 906f0e1ac412590d0xxxxxxxxxxx