
Target Experience:

My observations while working this target:

Tools:

The recommended tools for this machine were:

Vulnerabilities:

The following vulnerabilities were found:

Information Gathering:

Using Nmap, I performed a SYN scan of all TCP ports with service version detection and the default safe scripts.

[Image: Nmap Scan]
[Image: Nikto Scan]

Web Enumeration:

Reviewing the findings from Nmap and Nikto, I decided to launch a browser to further investigate TCP Port 80.

[Image: Login Page]
[Image: Issues Page]
[Image: Router Configuration File]

Password Cracking:

Based on my networking background, I identified that both Type 5 and Type 7 passwords were present. As I have done many times before, I used axceron’s cisco_pwdecrypt Python script to decode the Type 7 passwords (a reversible encoding, not a hash) and then Hashcat (on my cracking rig) to crack the Type 5 (MD5) hash.

[Image: Cracked: Type 7 Hashes]
[Image: Cracked: Type 5 Hash]
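To show why Type 7 entries in a router config are an audit finding rather than a cracking job, here is an added Python example (my own code, not the author's workflow and not cisco_pwdecrypt) that decodes Type 7 values with the scheme's published static XOR key and flags Type 5 and Type 7 lines in a constructed sample config. The config lines, hostnames and values are assumptions, not the lab's real file.

```python
import re

# Static XOR key used by Cisco's Type 7 ("service password-encryption") scheme.
XLAT_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches IOS credential lines such as "username x password 7 <hex>" or
# "enable secret 5 <hash>"; the captured digit is the Cisco password type.
CRED_RE = re.compile(r"\b(?:password|secret)\s+([5789])\s+(\S+)")

# Constructed sample config (not the lab's real file): the Type 7 value
# encodes "hello" with seed 03; the Type 5 value is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
hostname edge-router
username netops password 7 030C5E070A00
enable secret 5 $1$example$PLACEHOLDER_NOT_A_REAL_HASH
"""


def decode_type7(encoded: str) -> str:
    """Reverse a Type 7 string: a two-digit decimal seed followed by hex pairs."""
    if len(encoded) < 4 or len(encoded) % 2 != 0 or not encoded[:2].isdigit():
        raise ValueError(f"malformed Type 7 string: {encoded!r}")
    seed = int(encoded[:2], 10)
    data = bytes.fromhex(encoded[2:])  # raises ValueError on non-hex input
    plain = bytes(b ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


def audit_config(config_text: str) -> list:
    """Return (line_no, type, assessment, recovered_value) for each credential line."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        m = CRED_RE.search(line)
        if not m:
            continue
        ptype, value = m.groups()
        if ptype == "7":
            try:
                findings.append((line_no, "7", "reversible encoding", decode_type7(value)))
            except ValueError:
                findings.append((line_no, "7", "malformed Type 7 value", None))
        elif ptype == "5":
            findings.append((line_no, "5", "MD5-crypt hash, crackable offline", None))
        else:
            findings.append((line_no, ptype, "PBKDF2/scrypt hash, acceptable", None))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Type 7 only obscures the value on screen; any Type 5 line still needs offline cracking, and Type 8 or 9 is the setting to recommend in a hardening report.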

SMB Enumeration:

I then used Nmap and Enum4Linux to enumerate usernames and shared directories, but neither yielded anything interesting.

[Image: Crackmapexec: Authenticated User]
[Image: smbmap: Authenticated User]
[Image: Failed Nmap Enumeration]
[Image: lookupsid.py]
[Image: Crackmapexec: Authenticated User]
[Image: smbmap: Authenticated User]

Foothold:

Having no luck with SMB, I researched TCP port 5985 (WinRM) from the Nmap scan. I found that I could connect to this port with PowerShell remoting, but PowerShell was not installed on my attacker system, so I used evil-winrm, a Ruby alternative that runs on Kali.

[Image: User Flag]

Privilege Escalation:

After obtaining the User Flag, I decided to review the contents of the todo.txt file.

[Image: todo.txt]
[Image: Get-Process]
[Image: Procdump: Upload]
[Image: Powerdump: Firefox]
[Image: Select-String: Credentials]
[Image: Authenticated Administrator]
[Image: chase.ps1]
[Image: Root Flag]


Disclaimer:

This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.
