DerbyConCTF Flags: All? Flags On Cisco Router

October 17, 2014

I say “all flags” with some reservation, but here is what I found:

My nmap scan revealed there was a host with Telnet open, so I cruised over there to see what was going on.  Sure enough, it was a Cisco router with a flag in the banner:

“cisco/cisco” was the magic username/password to get into this router (as we’ll see in a moment).  I was at the console of a Cisco router, where I have logged MANY hours in the past.

A “show run” command gave me the contents of the router’s configuration which included the user credentials:
username dave_k privilege 5 password 7 110F15041048070D0928182F213D162D1213
username cisco privilege 3 password 7 104D000A0618
username flag1 privilege 3 password 7 020B0B48181F0020474D08140A
username flag2 privilege 3 password 7 02160D490A120A3240470F1C511A17
username flag3 privilege 3 password 7 02120D560E541C24495A011C071E000F1F

I know from experience that Cisco Type 7 passwords are easily decoded, and using the tool in Kali to decrypt these passwords (I don’t recall the executable name, “ciscodecrypt7” or something similar), I was able to obtain the passwords:
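Why Type 7 strings decode so easily, shown as a configuration audit (an added example, not part of the original post and not the Kali tool mentioned above): the encoding is a plain XOR against a fixed, publicly documented key, so every `password 7` line in a running-config is effectively plaintext. The function names and the `admin` line with its placeholder secret are assumptions made for illustration; the other sample lines are the ones quoted in the post.

```python
import re

# Fixed XOR key that IOS uses for "password 7" obfuscation (publicly documented).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# "username NAME [privilege N] password 7 HEX" as it appears in a running-config.
USER_RE = re.compile(
    r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?\s+password\s+7\s+([0-9A-Fa-f]+)\s*$",
    re.MULTILINE)

# The username lines quoted in the post, plus one constructed line (admin) that
# uses a hashed "secret" with a placeholder value and must not be reported.
SAMPLE_CONFIG = """\
username dave_k privilege 5 password 7 110F15041048070D0928182F213D162D1213
username cisco privilege 3 password 7 104D000A0618
username flag1 privilege 3 password 7 020B0B48181F0020474D08140A
username flag2 privilege 3 password 7 02160D490A120A3240470F1C511A17
username flag3 privilege 3 password 7 02120D560E541C24495A011C071E000F1F
username admin privilege 15 secret 9 $9$PLACEHOLDER
"""

def decode_type7(encoded):
    """Reverse type 7: two decimal digits give the key offset, the rest is hex."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a well-formed type 7 string")
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii", errors="replace")

def audit_config(text):
    """Return (user, privilege, recovered_password) for every type 7 credential."""
    findings = []
    for user, priv, enc in USER_RE.findall(text):
        # IOS assigns privilege 1 when the keyword is omitted.
        findings.append((user, int(priv or 1), decode_type7(enc)))
    return findings

if __name__ == "__main__":
    for user, priv, pw in audit_config(SAMPLE_CONFIG):
        print(f"REVERSIBLE  user={user:<7} privilege={priv:<2} password={pw}")
```

Any account this reports should have its password rotated and be reconfigured with `username ... secret`, which stores a hash rather than a reversible encoding.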


Everything but “cisco” was good for points.  Still not satisfied that I had obtained all the points there were to be had on this router, I kept poking at it hoping it would deliver more.  However, after spending too long trying every Cisco exploit I could think of (or Google), I arrived at the conclusion that this may be all there is.

Recognizing that “dave_k” was the highest privileged user on the router, I logged out and back in as him but subsequent “show run” commands didn’t reveal any additional information.  I also tried to pull any information out of the router where another flag might possibly be hidden such as “show version” or “show tech” but didn’t find anything.

I really needed “privilege 15” level credentials to have “root” on the router to really get at the rest of it, and after spending too much time messing with it I came to the realization that if I had root on the router, I could effectively do ANYTHING to it, including wiping its configuration — preventing others access to these flags.  Surmising this was probably not part of the event, I gave up.

The flags found on this host were worth:

ImpossibleToHerd 20
lambSkinCoat 40
mossyoakcamo 30
pirateslife4me 100
time2seethebirds 100

