Heist

Tags: Easy, External Enumeration, IIS, Penetration Tester Level 1, Password Cracking, Authentication, Weak Credentials, User Enumeration, Memory Dump

$ nmap -sV -sC 10.129.132.228                   
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-11 10:27 WIB
Nmap scan report for 10.129.132.228
Host is up (0.13s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open  msrpc         Microsoft Windows RPC
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -1s
| smb2-time: 
|   date: 2022-06-11T03:29:01
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.01 seconds

The support page links to http://10.129.132.228/attachments/config.txt, a router configuration. From the conversation on the site we know that the user hazard uses a Cisco router:

version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
 synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 192.168.0.0 mask 300.255.255.0
 timers bgp 3 9
 redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
 session-timeout 600
 authorization exec SSH
 transport input ssh

After searching for "cisco crack password", I found https://www.ifm.net.nz/cookbooks/passwordcracker.html, which decodes type 7 passwords. Then I searched for cracking type 5 and found https://www.ifm.net.nz/cookbooks/cisco-ios-enable-secret-password-cracker.html, but cracking a type 5 hash there takes a lot of time, so I looked for another solution, used John the Ripper instead, and it worked:

$ echo '$1$pdQG$o8nrSzsGXeaduXrjlvKc91' > hash
$ john -w=/path/to/rockyou.txt hash
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
stealth1agent    (?)     
1g 0:00:00:46 DONE (2022-06-11 12:12) 0.02150g/s 75371p/s 75371c/s 75371C/s stealthxxx..ste8897
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

So the passwords are:

hazard:stealth1agent    # guessing
rout3r:$uperP@ssword
admin:Q4)sJu\Y8qz*A3?d
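From the defender's side, the lesson of this config is that type 7 is reversible obfuscation and type 5 is fast md5crypt (which is why john got through it in under a minute), so a leaked config.txt means every one of these accounts must be rotated and the router moved to type 8/9 secrets. The audit script below is my own added example, not part of the writeup or of any HTB material; the sample config is constructed from the lines on this page plus one cleartext "enable password" line, and the function names are mine.

```python
import re

# Constructed sample: credential and BGP lines from the config.txt above,
# plus one cleartext "enable password" line to exercise the type-0 case.
SAMPLE_CONFIG = """\
service password-encryption
hostname ios-1
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
enable password letmein
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
router bgp 100
 network 192.168.0.0 mask 300.255.255.0
"""

# IOS credential storage types and how a defender should rate them.
TYPE_INFO = {
    "0": ("cleartext", "high"),
    "4": ("unsalted SHA-256 (deprecated)", "high"),
    "5": ("md5crypt: salted MD5, cheap to brute-force offline", "medium"),
    "6": ("AES, reversible with the device master key", "medium"),
    "7": ("Vigenere obfuscation, trivially reversible", "high"),
    "8": ("PBKDF2-SHA-256", "info"),
    "9": ("scrypt", "info"),
}

# "username NAME [privilege N] password|secret [TYPE] VALUE" or "enable password|secret [TYPE] VALUE"
CRED_RE = re.compile(
    r"^\s*(?:username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?\s+|enable\s+)"
    r"(?P<kw>password|secret)(?:\s+(?P<type>\d+))?\s+(?P<value>\S+)\s*$"
)
MASK_RE = re.compile(r"^\s*network\s+\S+\s+mask\s+(?P<mask>\S+)")


def audit_ios_config(text):
    """Return findings (dicts) for weak credential storage and malformed netmasks."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CRED_RE.match(line)
        if m:
            t = m.group("type") or "0"  # no type keyword means cleartext
            desc, severity = TYPE_INFO.get(t, ("unknown type", "medium"))
            findings.append({"line": lineno, "principal": m.group("user") or "enable",
                             "type": t, "severity": severity, "reason": desc})
            continue
        m = MASK_RE.match(line)
        if m:
            octets = m.group("mask").split(".")
            if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
                findings.append({"line": lineno, "principal": None, "type": "mask",
                                 "severity": "high", "reason": "invalid netmask " + m.group("mask")})
    return findings


def needs_rotation(text):
    """Principals whose credential is recoverable from a leaked config (anything but type 8/9)."""
    return sorted({f["principal"] for f in audit_ios_config(text)
                   if f["principal"] and f["severity"] in ("high", "medium")})
```

Running `needs_rotation(SAMPLE_CONFIG)` returns `['admin', 'enable', 'rout3r']`; the mask finding also catches the `300.255.255.0` typo that is in the original file.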

(not complete yet...) :D