As usual, we can start with an Nmap scan:
Take note that port 5985 for winrm
is available, meaning that we can potentially use evil-winrm
to gain remote access to the computer if we can find credentials.
Within the web page on port 80, there was a login page:
Weak credentials did not work, so I proceeded to login as a guest. In there, we can see some posts on a forum page of some sort.
Within the attachment were some Cisco Router commands for configurations, and hashes:
There are 2 Level 7 passwords located here, with different usernames. They can be cracked online with this website:
The Bcrypt password could also be cracked using john
.
With some passwords and potential usernames from the forum, we could begin brute-forcing SMB authentications with different combinations. hazard
was the user on the forum that also requested for a Windows account for him, so I tried guessing his password first with crackmapexec
.
Worked, but with checking the shares available with smbmap
, there was nothing of interest:
However, we can use these credentials to enumerate other users that are present on the machine. I used a Metasploit module to do so:
Now we have found more users, we can start brute-forcing again. The password we found earlier works with the chase
user.
We can run WinPEAS within this machine to check for easy vectors. This would pickup that some Firefox credentials have been left behind:
There are tools online to dump the hashed passwords for this. But first, I wanted to see if Firefox was running on this machine, then we can useprocdump.exe
to potentially dump the credentials out:
Firefox is indeed running, then we can use procdump.exe
to dump one of them and analyse the contents on Kali. I used strings
on the .dmp files and found this password here:
With this password, we can evil-winrm
as the admin: