HTB : Heist



Network Enumeration

To begin our exploration of the network, let’s initiate an nmap scan in order to identify all open ports.


Web Enumeration

Run a gobuster scan to find hidden directories.

Port 80

Click on the Login as guest link and we will be directed to a support page.

Found some credentials in the attachment file.

Before the passwords there are digits that indicate the type of hashing mechanism used.

Cisco uses various hashing algorithms for password protection, including Type 7, MD5, and SHA-256. Type 7 is a weak and proprietary algorithm used in older versions, while MD5 and SHA-256 are stronger algorithms used in newer versions. The specific algorithm used depends on the device and software version.


Cracking Cisco Hashes

There are two types of Cisco password algorithm here: 5 and 7. We can try cracking the type 5 salted MD5 hash with John.

Type 7 is a Vigenère cipher. There are multiple tools online to crack type 7 Cisco passwords.

Type  Cisco Hash                          Cracked
5     $1$pdQG$o8nrSzsGXeaduXrjlvKc91      stealth1agent
7     0242114B0E143F015F5D1E161713        $uperP@ssword
7     02375012182C1A1D751618034F36415408  Q4)sJu\Y8qz*A3?d
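
Why type 7 gives no real protection, as an added example that is not part of the original write-up: the scheme XORs the password with a fixed, publicly documented key, so anyone who can read the config can recover it. The script audits config text for type 5 and type 7 credentials; the sample config layout and the user1/user2 names are constructed assumptions, and the hash values are the three from the table above.

```python
import re

# Fixed, publicly documented key that type 7 XORs the password against.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def decode_type7(encoded):
    """Type 7 layout: two decimal digits (key offset), then hex-encoded bytes."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])  # raises ValueError on non-hex input
    return "".join(chr(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)])
                   for i, b in enumerate(data))

# Matches e.g. "enable secret 5 <hash>" and "username X password 7 <hash>".
CRED_RE = re.compile(r"\b(?:secret|password)\s+(\d)\s+(\S+)")

def audit_config(text):
    """Return one finding per stored credential, with its type and risk."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CRED_RE.search(line)
        if not m:
            continue
        ptype, value = m.groups()
        if ptype == "7":    # obfuscation only: recoverable without guessing
            findings.append({"line": lineno, "type": 7, "risk": "reversible",
                             "plaintext": decode_type7(value)})
        elif ptype == "5":  # salted MD5 crypt: only as strong as the password
            findings.append({"line": lineno, "type": 5,
                             "risk": "offline guessing", "plaintext": None})
    return findings

# Constructed sample: line layout and user1/user2 are assumptions; the hash
# values are the three from the table above.
SAMPLE_CONFIG = """\
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username user1 password 7 0242114B0E143F015F5D1E161713
username user2 privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f)
```

Every type 7 finding should be treated as plaintext wherever the config is shared, such as a support ticket attachment.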

Based on the info in the attachment we have three potential usernames.

Usernames
rout3r
admin
hazard

SMB / RPC enumeration

Let’s try enumerating SMB with the potential passwords and users.

Looks like we can read IPC$.

Enumerate IPC$ with rpcclient.

We are able to get the SIDs of users.

In Windows, a Security Identifier (SID) is a unique alphanumeric identifier assigned to each user, group, and computer account that is used to control access to resources on a Windows network.

Let’s use the Impacket lookupsid tool.

lookupsid.py is a Python script in Impacket that can be used to retrieve the unique Security Identifier (SID) of a user or group on a remote Windows system by querying its Security Account Manager (SAM) database.

After some text manipulation we now have a list of user names.


Initial Access

Use crackmapexec to password spray the list of users.

We are able to remote in as the chase user.

Grab the first flag from the user's desktop.


Privilege escalation

After some manual and automated enumeration I found an unusual program for a CTF in the directory.

I checked the processes on the machine and Firefox was running.

We can use procdump to dump out the firefox process.

ProcDump is a command-line tool developed by Microsoft for creating process dumps of running applications on Windows. It allows system administrators and developers to capture snapshots of an application’s state at a specific time for diagnostic and troubleshooting purposes. ProcDump can capture dumps of both user-mode and kernel-mode processes and supports various dump formats.

Transfer the file to your local machine and use strings with grep to find passwords.

We can now use the password to gain a shell as admin.

The final flag is on the desktop.
