From nmap, there are some service opened.
With further scanning, I found that port 5985 and 49668 are opened as well.
This is the web page.
Login as guest, we are redirected to
hazard could be a username.
config.txt from the
Attachment. There are some credentials encrypted. One is md5, I use hashcat to decrypt it.
Since they mentioned
cisco router in
issues.php, I used
ciscot7.py to decrypt cisco type 7 password.
Now I got 3 usernames and 3 passwords, I used
crackmapexec to see which pair can login to smb.
I can login to rpc with this credential as well, so I use
lookupsid.py to get more usernames.
winrm_login module in msf, trying to find the credential pair for winrm.
I got connected as
C:\inetpub\wwwroot\login.php to find the credential for the web portal.
I cracked the password from a cracking website, and get login as
administrator with this password using