Network Enumeration
To begin our exploration of the network, let’s initiate an nmap scan in order to identify all open ports.


Web Enumeration
Run a gobuster scan to find hidden directories.

Port 80

Click on the Login as guest link and we will be directed to a support page.

Found some credentials in the attachment file.

Before the passwords there are digits that indicate the type of hashing mechanism used.
Cisco uses various hashing algorithms for password protection, including Type 7, MD5, and SHA-256. Type 7 is a weak and proprietary algorithm used in older versions, while MD5 and SHA-256 are stronger algorithms used in newer versions. The specific algorithm used depends on the device and software version.
Cracking Cisco Hashes
The attachment uses two Cisco password types, 5 and 7. We can try cracking the type 5 salted MD5 hash with John.

Type 7 is a Vigenère cipher. There are multiple tools online to crack type 7 Cisco passwords.
| Type | Cisco Hash | Cracked |
|------|------------|---------|
| 5 | $1$pdQG$o8nrSzsGXeaduXrjlvKc91 | stealth1agent |
| 7 | 0242114B0E143F015F5D1E161713 | $uperP@ssword |
| 7 | 02375012182C1A1D751618034F36415408 | Q4)sJu\Y8qz*A3?d |
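
An added example, not part of the original writeup: a small config auditor that reads the type digit in front of each stored secret and shows why a type 7 value has to be treated as cleartext, since it decodes with a fixed, public key. The sample config lines are constructed from the values in the table above; the names `decode_type7` and `audit` and the severity labels are this example's own.

```python
import re

# Fixed, publicly documented key used by IOS type 7 obfuscation.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
# Meaning of the digit that precedes a stored secret in an IOS config.
TYPES = {
    "0": ("cleartext", "CRITICAL"),
    "5": ("salted MD5 (md5crypt)", "WEAK"),
    "7": ("reversible XOR obfuscation", "CRITICAL"),
    "8": ("PBKDF2-SHA256", "OK"),
    "9": ("scrypt", "OK"),
}
SECRET_RE = re.compile(r"\b(?:password|secret)\s+(\d)\s+(\S+)")
# Constructed sample config built from the values in the table above.
SAMPLE = """\
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin password 7 02375012182C1A1D751618034F36415408
"""

def decode_type7(encoded: str) -> str:
    """Reverse type 7: two decimal digits of key offset, then hex bytes."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    # bytes.fromhex raises ValueError on non-hex input
    offset, data = int(encoded[:2]), bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii", "replace")

def audit(config: str):
    """Return (line_no, type, description, severity, recovered) per secret."""
    findings = []
    for no, line in enumerate(config.splitlines(), 1):
        m = SECRET_RE.search(line)
        if not m:
            continue
        ptype, value = m.groups()
        desc, sev = TYPES.get(ptype, ("unknown type", "REVIEW"))
        recovered = None
        if ptype == "7":
            try:
                recovered = decode_type7(value)
            except ValueError:
                sev = "REVIEW"  # tagged as type 7 but malformed
        findings.append((no, ptype, desc, sev, recovered))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Any line the auditor reports as type 0 or 7 should be migrated to a type 8 or 9 secret and the underlying password rotated.
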
Based on the info in the attachment we have three potential usernames.
| Usernames |
|-----------|
| rout3r |
| admin |
| hazard |
SMB / RPC enumeration
Let’s try enumerating SMB with the potential passwords and users.

Looks like we can read IPC$.
Enumerate IPC$ with rpcclient.

We are able to get the SIDs of users.
In Windows, a Security Identifier (SID) is a unique alphanumeric identifier assigned to each user, group, and computer account that is used to control access to resources on a Windows network.
Let’s use the Impacket lookupsid tool.
lookupsid.py is a Python script in Impacket that can be used to retrieve the unique Security Identifier (SID) of a user or group on a remote Windows system by querying its Security Account Manager (SAM) database.



After some text manipulation we now have a list of user names.
Initial Access
Use crackmapexec to password spray the list of users.

We are able to remote in as the chase user.

Grab the first flag on the desktop of the user.

Privilege escalation
After some manual and automated enumeration I found an unusual program for a CTF in the directory.

I check the processes for the machine and firefox is running.

We can use procdump to dump out the firefox process.
ProcDump is a command-line tool developed by Microsoft for creating process dumps of running applications on Windows. It allows system administrators and developers to capture snapshots of an application’s state at a specific time for diagnostic and troubleshooting purposes. ProcDump can capture dumps of both user-mode and kernel-mode processes and supports various dump formats.

Transfer the file to your local machine and use strings with grep to find passwords.

We can now use the password to gain a shell as admin.

The final flag is on the desktop.
