The operating system that I will be using to tackle this machine is a Kali Linux VM.
Always remember to map a domain name to the machine's IP address (an entry in /etc/hosts) to ease your rooting!
Using nmap, we are able to determine the open ports and running services on the machine.
Let's first check out the HTTP service on port 80.
We don't have any credentials, so let's try to log in as a guest.
This looks like an IT helpdesk ticketing system. It looks like Hazard is having issues with his Cisco router and he has posted his configuration file.
no service pad
isdn switch-type basic-5ess
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
ip ssh authentication-retries 5
ip ssh version 2
router bgp 100
network 192.168.0.0 mask 300.255.255.0
timers bgp 3 9
ip route 0.0.0.0 0.0.0.0 192.168.0.1
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
no ip http server
no ip http secure-server
line vty 0 4
authorization exec SSH
transport input ssh
First thing to note is
which tells us that the passwords in the configuration file are not stored in plaintext. "Encrypted" is generous, though: the Type 5 enable secret is a salted MD5 hash (md5crypt) that has to be cracked, while the Type 7 user passwords are only obfuscated with a fixed XOR key and can be decoded instantly.
Next up, we get
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
which is a Type 5 secret: an md5crypt hash in the $1$salt$hash format (salt pdQG here) that cannot be reversed and has to be cracked offline, for example with hashcat mode 500 or john's md5crypt format. To crack it, I will be using this tool.
which both contain a username and a Type 7 password. Type 7 is not a hash at all but a reversible obfuscation (a fixed-key XOR), so these are decoded rather than cracked; a privilege 15 user like admin stored this way is effectively in plaintext. To decode them, I will be using the same tool.
With all the credentials we have collected so far, let's create two files to store them: one with the usernames and one with the passwords.
With some credentials in hand, let's move on to the SMB service on port 445. I will be using the auxiliary/scanner/smb/smb_login module in Metasploit to test the different username/password combinations.
Using hazard:stealth1agent, let's see what we can access in the SMB shares!
I guess the SMB service is a dead end? Maybe not. Using Impacket's lookupsid.py with the hazard credentials (it brute-forces RIDs over the LSARPC pipe, so any valid account is enough), we are able to enumerate other users on the machine.
From this, we find out that the domain is SUPPORTDESK. With these new users, let's update our user.txt.
And run the auxiliary/scanner/smb/smb_login module again.
Alright! We got another set of credentials! Let's try to access the SMB shares with the credentials Chase:Q4)sJu\Y8qz*A3?d and see what happens.
Still nothing? I guess the smb service really is a dead end :(
If we go back to our reconnaissance results, there is actually one more service, on port 5985: wsman. After some research, the wsman service is WinRM (Windows Remote Management, which speaks WS-Management over HTTP on 5985) on the machine. Could we possibly use it to execute commands remotely on the machine? But first, we need to know which credentials we can use, by running the auxiliary/scanner/winrm/winrm_login module in Metasploit.
Okay… So the same Chase user has access to both the SMB and WinRM services. To establish a shell, I used Alamot's winrm_shell.rb with the following configuration settings:
And now we execute the WinRM shell…
When I first did this machine, I found the SHA-256 hash of the Administrator's password, which I was somehow able to crack using an online website.
From what we know, there was an IIS web server running on port 80, so I checked out C:\inetpub\wwwroot.
I skimmed through the pages until I came across login.php.
The SHA-256 hash of the admin’s password was hardcoded in login.php. I immediately tried different online password cracking websites until I came across this website. I supplied the hash and got the password 4dD!5}x/re8]FBuZ.
Using Impacket’s psexec.py, I was able to establish a shell.
So apparently there is another, more "proper" way of solving this box, which relies on one specific running process. But first, let's upgrade to a meterpreter shell.
To do so, we will first need to create the executable that establishes the reverse connection back to our listener. After that, move the executable into the directory that the SimpleHTTPServer is serving from.
And we start our listener on port 1337…
Back to our WinRM shell, we retrieve the executable from our SimpleHTTPServer using certutil.exe and run it.
Back on our listener, we obtained a meterpreter shell.
When we list all the processes running on the box using the ps command, we notice that firefox.exe is currently running.
Let's try to dump the process's memory to see if we can extract any credentials! I will be using Sysinternals' procdump.exe. Since we already have a meterpreter shell, we can just use the upload command to transfer it over.
Next up, we spawn a cmd.exe shell and run procdump.exe on the firefox.exe process.
With that done, we exit out of our cmd.exe and use the download command to retrieve the process dump.
The final step is simply to run strings on it and grep for password. There were many lines containing password but I came across this line:
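As an added example of that last step (my code, not the author's output), the following Python does what strings piped into grep -i password does over a dump, with one caveat the one-liner misses: Windows processes keep most of their strings as UTF-16LE, which plain strings skips unless you also run it with -el, so both encodings are scanned here. SAMPLE_DUMP is a constructed stand-in for the firefox.exe dump; the URLs, account and values in it are made up.

```python
import re

# Constructed stand-in for a procdump .dmp of firefox.exe: a little binary
# noise, an ASCII URL carrying a credential in its query string (the kind of
# artefact a login form leaves behind in browser memory), an 8-byte gap, a
# similar URL stored as UTF-16LE (how Windows keeps most strings), and a decoy.
SAMPLE_DUMP = (
    b"MDMP\x93\xa7\x00\x00" * 2
    + b"http://localhost/login.php?login_username=admin@example.test"
    + b"&login_password=ExampleP@ss1&login="
    + b"\x00" * 8
    + "https://example.test/?password=Utf16Secret".encode("utf-16-le")
    + b"\x90\x90\x90"
    + b"no secrets here"
)

# Loose on purpose: the parameter name is whatever the site's developer chose.
CRED_PATTERN = re.compile(r"pass(?:word|wd)?\s*[=:]\s*([^&\s\"']+)", re.IGNORECASE)


def extract_strings(blob: bytes, min_len: int = 4):
    """Yield printable runs the way `strings` (ASCII) and `strings -el` (UTF-16LE) do."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_run.finditer(blob):
        yield m.group().decode("ascii")
    for m in utf16_run.finditer(blob):
        yield m.group().decode("utf-16-le")


def find_credentials(blob: bytes):
    """Return [(containing_string, value)] for every password-looking assignment."""
    hits = []
    for s in extract_strings(blob):
        m = CRED_PATTERN.search(s)
        if m:
            hits.append((s, m.group(1)))
    return hits


if __name__ == "__main__":
    for context, value in find_credentials(SAMPLE_DUMP):
        print(f"{value!r}  <-  {context}")
```

Against a real dump the only change is reading the file (open(path, "rb").read()); for multi-GB dumps, run the two regexes over a memory-mapped file instead of loading it whole.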