Today I will use a new port scanner that I heard about named rustscan. It gives the same results as nmap, is much faster than nmap, and gives detailed information about the host and the ports.
Checking out the IIS webserver
Got a Cisco configuration file containing a bunch of usernames and passwords. We can see an md5crypt hash and two Cisco type 7 passwords.
Decrypting the passwords using a tool named cisco_pwdecrypt; the following website can also be used.
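Type 7 is a fixed-key XOR encoding rather than a hash, which is why the two passwords can be recovered directly while the md5crypt (type 5) hash cannot. The following is an added example, not part of the original write-up or of cisco_pwdecrypt: it audits a config for both kinds of stored credential, and the sample config and its values are constructed.

```python
import re

# Fixed, publicly documented XOR key behind Cisco IOS "type 7" obfuscation.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
# Matches "password 7 <hex>" / "secret 5 $1$..." anywhere on a config line.
CRED_RE = re.compile(r"\b(password|secret)\s+(\d)\s+(\S+)")

def decode_type7(encoded):
    """Reverse type 7: two decimal digits give the key offset, the rest is hex XOR data."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])  # raises ValueError on non-hex input
    plain = bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii", "replace")

def audit_config(text):
    """Return one finding per stored credential, with the recovered value for type 7."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CRED_RE.search(line)
        if not m:
            continue
        ctype, value = m.group(2), m.group(3)
        finding = {"line": lineno, "type": ctype, "recovered": None}
        if ctype == "7":
            try:
                finding["recovered"] = decode_type7(value)
                finding["note"] = "reversible encoding, treat as plaintext"
            except ValueError:
                finding["note"] = "malformed type 7 value"
        elif ctype == "5":
            finding["note"] = "md5crypt hash, weak against offline guessing"
        else:
            finding["note"] = "other type, review manually"
        findings.append(finding)
    return findings

# Constructed sample config; the hash and passwords are made up for this example.
SAMPLE = """\
hostname lab-router
enable secret 5 $1$salt$CONSTRUCTEDmd5cryptHASH000
username alice privilege 15 password 7 0822455D0A16
line vty 0 4
 password 7 0822455D0A16
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE):
        print(f)
```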
Bruteforcing SMB Login using Metasploit
Got a valid set of credentials for the SMB server. hazard : stealth1agent
Let's try to list all the shares using smbmap.
I even tried a WinRM login for this hazard user, but didn't get any valid response. We can try to enumerate more users using rpcclient or lookupsid.py from Impacket.
Enumerating SIDs and users using rpcclient and impacket
We have three more users to look at, and that surely increases our scope. Now let's try using rpcclient, which comes pre-installed on Kali.
Creds found : chase : Q4)sJu\Y8qz*A3?d
Dumping Firefox Process using procdump
Got a password for admin on the website localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
Check if we have READ, WRITE permissions on the ADMIN share using smbmap; if we do, we can use psexec.py to get a remote shell.