Cisco uses various hash algorithms across different products and software versions.
The Cisco IOS configuration file here has two different types of password hashes. I also make note of the Hazard username, this will be useful later. The webpage has a simple login page with an option to log in as guest at the bottom:Īfter logging in as guest, I find a Cisco configuration in the opened trouble tickets. Nmap done: 1 IP address (1 host up) scanned in 199.09 seconds |_ Message signing enabled but not required
|_clock-skew: mean: -3m38s, deviation: 0s, median: -3m38s Service Info: OS: Windows CPE: cpe:/o:microsoft:windows |_http-server-header: Microsoft-HTTPAPI/2.0Ĥ9668/tcp open msrpc Microsoft Windows RPC Nmap scan report for heist.htb (10.10.10.149)Ĩ0/tcp open http Microsoft IIS httpd 10.0ĥ985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) We find the administrator credentials in one of the browser request still in nmap -sC -sV -p-oA heist 10.10.10.149.There’s a Firefox process already running on the box and we can obtain a memory dump from it.Then we password spray the credentials we have and find that user chase can log in with WinRM.After cracking the three passwords from the config file, we are able to use rpcclient with one of the account to recover the list of usernames.The admin page has guest access enabled and we can find a Cisco IOS configuration file on there.Once I have a shell, I discover a running Firefox process and dump its memory to disk so I can do some expert-level forensics (ie: running strings) to find the administrator password. After cracking two passwords from the config file and getting access to RPC on the Windows machine, I find additional usernames by RID cycling and then password spray to find a user that has WinRM access. Heist starts off with a support page with a username and a Cisco IOS config file containing hashed & encrypted passwords.
0 kommentar(er)
