# Nmap 7.92 scan initiated Sat Dec 17 16:04:29 2022 as: nmap -sV -sC -T4 -p- -Pn -oN nmap.txt 10.10.10.149
Nmap scan report for 10.10.10.149
Host is up (0.11s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
| http-title: Support Login Page
|_Requested resource was login.php
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49669/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-12-17T22:08:28
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_clock-skew: -4s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec 17 16:09:12 2022 -- 1 IP address (1 host up) scanned in 282.70 seconds
HTTP and Looting Cisco IOS Config
On an initial visit to the HTTP service, we see a login page. We have no creds yet, so let's keep searching. There's a guest login available, and visiting that, we see a few support messages and a Cisco config attachment. At the time, I was attending a CCNA (Cisco Certified Network Associate) course at my college, so I was familiar with the layout of the config. Most of the config is irrelevant to us, but the security lines should catch your eye.
To understand how to identify the encrypted text, we need to first understand how Cisco IOS stores configurations. Let's take this line for example:
enable secret 5 $1$pdQG...Kc91
enable secret sets the password required to enter privileged EXEC mode. The secret keyword (as opposed to password) means the value is stored as a hash, and the 5 indicates Cisco Type 5, which is essentially md5crypt: a salted MD5 run for 1,000 iterations.
The next two lines work similarly, but these are local user accounts used for SSH authentication. We see a username declaration, a password type, then the ciphered password. Instead of Type 5, these use Type 7. Thankfully, Type 7 is not a hash at all: it is a Vigenère-style cipher with a fixed key, essentially a simple alphabetic substitution, and can be reversed easily. Let's record these usernames and decrypt/decipher these passwords.
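To make the difference between the two storage types concrete, here is a small config auditor, added as an example and not code from the original write-up. It classifies each credential-bearing line of an IOS config by its type number and, for Type 7, recovers the value to show that the scheme is reversible rather than hashed. The key constant is Cisco's publicly known fixed Type 7 key; the sample config, hostname, Type 7 strings and the md5crypt placeholder are constructed for this example and are not from the box.

```python
"""Audit a Cisco IOS config for weak stored credentials (added example, not
from the original write-up). Classifies enable/username/line passwords by
their IOS type number and demonstrates that Type 7 is reversible, not hashed."""

# Cisco's fixed Type 7 key. It is the publicly known constant every Type 7
# tool uses; the two-digit seed at the front of a Type 7 string only selects
# the starting offset into this key.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# What each IOS password type actually is, and how a defender should rate it.
TYPE_INFO = {
    0: ("plaintext", "critical"),
    4: ("unsalted SHA-256, no iterations (deprecated)", "high"),
    5: ("md5crypt: salted MD5, 1000 iterations (offline-crackable)", "medium"),
    7: ("Vigenere-style XOR with fixed key (reversible)", "critical"),
    8: ("PBKDF2-SHA256", "ok"),
    9: ("scrypt", "ok"),
}

def type7_decode(ciphertext: str) -> str:
    """Undo Type 7: two-digit seed, then one hex byte per character XORed
    with the key stream starting at that seed."""
    if len(ciphertext) < 4 or len(ciphertext) % 2 or not ciphertext[:2].isdigit():
        raise ValueError("malformed Type 7 string")
    seed = int(ciphertext[:2])
    data = bytes.fromhex(ciphertext[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")

def type7_encode(plaintext: str, seed: int = 0) -> str:
    """Forward direction, included only to show the scheme is symmetric."""
    data = plaintext.encode("ascii")
    enc = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{enc.hex().upper()}"

def classify_line(line: str):
    """Return (where, type_number, value) for a credential-bearing config line,
    or None for anything else. Handles 'enable secret|password', 'username ...
    [privilege N] secret|password' and the bare 'password' under 'line'."""
    toks = line.split()
    if not toks:
        return None
    if toks[0] == "enable" and len(toks) >= 3 and toks[1] in ("secret", "password"):
        where, rest = "enable", toks[2:]
    elif toks[0] == "username" and len(toks) >= 4:
        rest = toks[2:]
        if rest[0] == "privilege" and len(rest) >= 3:
            rest = rest[2:]
        if not rest or rest[0] not in ("secret", "password"):
            return None
        where, rest = f"username {toks[1]}", rest[1:]
    elif toks[0] == "password" and len(toks) >= 2:
        where, rest = "line password", toks[1:]
    else:
        return None
    if len(rest) >= 2 and rest[0].isdigit():   # explicit type number present
        return where, int(rest[0]), rest[1]
    if rest:                                    # no type number means plaintext
        return where, 0, rest[0]
    return None

def audit_config(config_text: str):
    """Walk the config and produce one finding per stored credential."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        hit = classify_line(line)
        if hit is None:
            continue
        where, ptype, value = hit
        label, severity = TYPE_INFO.get(ptype, (f"unknown type {ptype}", "review"))
        recovered = None
        if ptype == 7:
            recovered = type7_decode(value)   # shows the value is not protected
        elif ptype == 0:
            recovered = value
        findings.append({"line": lineno, "where": where, "type": ptype,
                         "label": label, "severity": severity, "recovered": recovered})
    return findings

# Constructed sample config: hostname, Type 7 strings and the md5crypt value
# are made up for this example (the $1$ hash is an obvious placeholder).
SAMPLE_CONFIG = """\
! constructed sample, laid out like an IOS running-config
hostname edge-router
enable secret 5 $1$EXAMPLE$pLaCeHoLdErHaShVaLuE0000
username rout3r password 7 094F471A1A0A
username admin privilege 15 secret 5 $1$EXAMPLE$pLaCeHoLdErHaShVaLuE0000
line vty 0 4
 password 7 122A10074119
 login local
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        note = f" -> recovered: {f['recovered']!r}" if f["recovered"] else ""
        print(f"line {f['line']:>2} {f['where']:<16} type {f['type']} "
              f"[{f['severity']}] {f['label']}{note}")
```

Run it against a real running-config before it gets attached to a support ticket, as happened on this box: every Type 7 or plaintext finding is a credential that leaks the moment the file leaves the router, and Type 5 entries are only as strong as the password behind them.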
Don't forget to record the user in the support thread we gained guest access to for his username!
Brute Forcing
Now that we have some possible credentials to test, let's get to crackin'. Remember in the support thread, Hazard asked for access to the Windows server. Let's use hydra to brute force SMBv2.
$ hydra -L usernames -P passwords smb2://10.10.10.149
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-12-20 10:22:09
[WARNING] Workgroup was not specified, using "WORKGROUP"
[DATA] max 12 tasks per 1 server, overall 12 tasks, 12 login tries (l:4/p:3), ~1 try per task
[DATA] attacking smb2://10.10.10.149:445/
[445][smb2] host: 10.10.10.149 login: Hazard password: ...
...
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-12-20 10:22:58
Now that we have some valid creds, let's record them and enumerate Windows services.
Enumeration
Logging in to SMB with these creds didn't give much, plus there weren't any shares to note. WinRM also didn't allow us in.
Let's get our hands on CrackMapExec to brute force RIDs. I honestly had to take a peek at the walkthrough to get pointed in the right direction.
Now that we're in Chase, let's grab the flag in Desktop and view a todo.txt.
todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.
Done:
1. Restricted access for guest user.
yada yada dump Firefox memory, grep for post request string, get password, pwned. I just went through the walkthrough for the end, I don't have any reason to just copy-paste another walkthrough on mine.
Or: john --format=md5crypt --fork=4 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
To crack Type 7:
To learn more about Cisco passwords, view this page: