Walkthrough of a Windows machine exploitation leveraging common misconfigurations.
Introduction
This is a very basic machine intended purely for educational purposes. Let us initiate a comprehensive Nmap vulnerability script scan against the machine.
How many ports are open with a port number under 1000?
What is this machine vulnerable to?
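The two questions above are answered by reading the scan output. As an added example that is not part of the original walkthrough, the following Python script parses Nmap's XML output (the `-oX` format) for one host and extracts exactly those two facts: the open TCP ports below a given number and the vulnerability scripts that reported a hit. The embedded XML is a constructed sample, not real scan data; the address and the script results are placeholders chosen to resemble a typical SMB host.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output for a single host (not a real scan).
# The "output" attribute of a <script> element is where Nmap stores the
# script's text; vuln scripts write "VULNERABLE:" or "NOT VULNERABLE" there.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="10.10.10.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="49152"><state state="open"/><service name="unknown"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="&#10;  VULNERABLE:&#10;  Remote Code Execution vulnerability in Microsoft SMBv1 servers&#10;"/>
      <script id="smb-vuln-ms10-054" output="NOT VULNERABLE"/>
    </hostscript>
  </host>
</nmaprun>
"""

# A script counts as a hit only when "VULNERABLE" is not preceded by "NOT ",
# so that "NOT VULNERABLE" results are not misreported.
_VULN_RE = re.compile(r"(?<!NOT )VULNERABLE")


def parse_hosts(xml_text):
    """Return one dict per host: address, open TCP ports (port, service) and vuln hits."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else ""
        open_ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name") if service is not None else ""
            open_ports.append((int(port.get("portid")), name))
        vulns = []
        for script in host.iter("script"):
            if _VULN_RE.search(script.get("output", "")):
                vulns.append(script.get("id"))
        hosts.append({"addr": addr, "open_ports": open_ports, "vulns": vulns})
    return hosts


def open_ports_under(host, limit=1000):
    """Open TCP port numbers on the host that are below `limit`, ascending."""
    return sorted(p for p, _ in host["open_ports"] if p < limit)


def summarize(xml_text, limit=1000):
    """Answer the walkthrough's two questions for every host in the scan."""
    return [
        {
            "addr": h["addr"],
            "open_under_limit": open_ports_under(h, limit),
            "vulnerable_to": h["vulns"],
        }
        for h in parse_hosts(xml_text)
    ]


if __name__ == "__main__":
    for entry in summarize(SAMPLE_NMAP_XML):
        print(f"{entry['addr']}: {len(entry['open_under_limit'])} open port(s) under 1000 "
              f"{entry['open_under_limit']}; vulnerable to {entry['vulnerable_to']}")
```

Running it against the sample reports three open ports under 1000 (135, 139 and 445) and a single vulnerability script hit. For a defender the same output is the triage list: a host exposing 445 with an SMBv1 vulnerability script firing is a patch-or-isolate item, and the script can be pointed at a real `nmap -oX` file to produce that list across a whole subnet.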
Gaining Access
We are going to leverage this vulnerability, which is also known as Eternal Blue. It exploits a weakness in the Microsoft implementation of SMBv1 that allows an attacker to run arbitrary code on the victim system. Let's spin up Metasploit and initiate an attack against the system.
Escalation
Let us background the existing shell with CTRL+Z and upgrade it to a Meterpreter shell as follows: use the "post/multi/manage/shell_to_meterpreter" post module, set the local host IP address again, point the module at the existing session and run it against the victim. As you can see below, another session is created, so all we need to do afterwards is switch over to that session.
Let's list all the processes in order to migrate our current process into an elevated one running as NT AUTHORITY\SYSTEM. The reason is that even if we are SYSTEM, it does not necessarily mean that our current process is also running at system level. Good choices of processes would be PowerShell or cmd, but we chose the Console Host process below as it hosts applications that use the command line.
Cracking
We now have full control of the victim machine, so let us dump the hashes from the SAM database using our elevated Meterpreter shell.
What is the name of the non-default user?
Let’s copy this password hash to a file and crack it. What is the cracked password?
Finding the flags
Three flags are planted on this machine; let's find them, shall we.
Thanks for reading and as always, any feedback is most welcome.