DerbyConCTF Flags: All? Flags On Cisco Router

October 17, 2014 — Leave a comment

I say “all flags” with some reservation, but here is what I found:

My nmap scan revealed there was a host with Telnet open, so I cruised over there to see what was going on.  Sure enough, it was a Cisco router with a flag in the banner:

Screenshot from 2014-10-13 00:30:57

“cisco/cisco” was the magic username/password to get into this router (as we’ll see in a moment).  I was at the console of a Cisco router, where I have logged MANY hours in the past.

A “show run” command gave me the contents of the router’s configuration which included the user credentials:
username dave_k privilege 5 password 7 110F15041048070D0928182F213D162D1213
username cisco privilege 3 password 7 104D000A0618
username flag1 privilege 3 password 7 020B0B48181F0020474D08140A
username flag2 privilege 3 password 7 02160D490A120A3240470F1C511A17
username flag3 privilege 3 password 7 02120D560E541C24495A011C071E000F1F

I know from experience that Cisco Type 7 passwords are easily decoded and using the tool in Kali to decrypt these passwords (don’t recall the executable name, “ciscodecrypt7” or something similar) I was able to obtain the passwords:


Everything but “cisco” were good for points.  Still not satisfied that I had obtained all the points there were to be had on this router, I kept poking at it hoping it would deliver more.  However, after spending too long trying every Cisco exploit I could think of (or Google), I arrived to the conclusion this may be all there is.

Recognizing that “dave_k” was the highest privileged user on the router, I logged out and back in as him but subsequent “show run” commands didn’t reveal any additional information.  I also tried to pull any information out of the router where another flag might possibly be hidden such as “show version” or “show tech” but didn’t find anything.

I really needed “privilege 15” level credentials to have “root” on the router to really get at the rest of it and after spending too much time messing with it I came to the realization that if I had root on the router, I could effectively do ANYTHING to it including wiping it’s configuration — preventing others access to these flags.  Surmising this was probably not part of the event, I gave up.

The flags found on this host were worth:

ImpossibleToHerd 20
lambSkinCoat 40
mossyoakcamo 30
pirateslife4me 100
time2seethebirds 100

Aaron Melton


No Comments

Be the first to start the conversation.

Leave a Reply

Text formatting is available via select HTML.

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>