Pentester Academy — Windows: SMB Server CrackMapExec

Falcnix
5 min read, Jul 24, 2021

Hello astonishing hackers and great penetration testers out there. Today I have pwned Pentester Academy — Windows: SMB Server CrackMapExec. This machine was fun and exciting at every step. I personally enjoyed exploiting this machine, as I had to try various new things, and I am grateful to have learned some new techniques.

Lab link : https://attackdefense.com/challengedetails?cid=1962

Enumeration

Initially I started with a quick nmap scan of the target machine.

As we can see, ports 135, 139, 445 and 3389 are open. Since port 80 isn’t open, our next approach is to look at the SMB ports.

Let’s perform an nmap scan with the service detection switch -sV enabled.

As we can see, we didn’t get back any juicy information from this scan.

Next, let’s perform an nmap scan with the -A switch, which enables OS detection, version detection, script scanning, and traceroute. We avoid using this switch until it’s required, because this scan is very noisy and there is a high chance of being detected.

From this we learn that SMB version 2 is running on the target machine.

SMB Analysis

First, let’s have a look at all the SMB scripts available in nmap.

Now let’s enumerate the SMB shares using the nmap script smb-enum-shares.nse.

We weren’t able to retrieve any SMB shares.

Now let’s run the nmap smb-vuln scripts against the target to check for any known vulnerabilities.

We didn’t find any known vulnerabilities.

Let’s try EternalBlue, as we know it’s the most widespread SMB vulnerability out there. For this we will make use of Metasploit.

Start up Metasploit in quiet mode using the -q switch and select the EternalBlue exploit.

Now let’s configure the various options for this exploit.

After configuring it, let’s run the exploit.

As you can see, it certainly didn’t work.

Our next approach is SMB login brute forcing, for which we will make use of Hydra.

Aah, I am sorry 😆, I made a mistake here by specifying the service as smb, which defaults to SMB version 1, rather than smb2.

This time it worked flawlessly, but there was no hit, so let’s try a larger password list. After what felt like a decade, I was able to find the admin creds.
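From the defender’s side, a Hydra run like this shows up on the target as a burst of failed network logons from one source, followed by a success once the password is found. The following is an added example, not part of the original write-up: it parses constructed Windows Security events (4625 failed / 4624 successful logon, Logon Type 3 = network, the type SMB authentication produces) and flags any source IP that crosses a failure threshold inside a sliding window.

```python
# Added example (not from the original write-up): spot the SMB brute-force
# burst a Hydra run produces in Windows Security events. 4625 = failed logon,
# 4624 = successful logon, Logon Type 3 = network logon (SMB). Lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
2021-07-24T10:00:01 EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=10.0.0.5
2021-07-24T10:00:02 EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=10.0.0.5
2021-07-24T10:00:02 EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=10.0.0.5
2021-07-24T10:00:03 EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=10.0.0.5
2021-07-24T10:00:04 EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=10.0.0.5
2021-07-24T10:00:05 EventID=4624 LogonType=3 TargetUserName=administrator IpAddress=10.0.0.5
2021-07-24T10:05:00 EventID=4625 LogonType=2 TargetUserName=alice IpAddress=127.0.0.1
2021-07-24T10:30:00 EventID=4625 LogonType=3 TargetUserName=bob IpAddress=10.0.0.9
"""

def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def detect_smb_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: (total_failures, success_after_burst)} for each source with
    at least `threshold` network-logon failures inside one `window` (sliding)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        event = parse_event(line)
        if event["LogonType"] != "3":
            continue  # console logons (type 2) are a different detection
        if event["EventID"] == "4625":
            failures[event["IpAddress"]].append(event["ts"])
        elif event["EventID"] == "4624":
            successes[event["IpAddress"]].append(event["ts"])
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hit = any(s >= t for s in successes[ip])  # guess later succeeded?
                alerts[ip] = (len(times), hit)
                break
    return alerts
```

A 4624 from the same source right after the burst is the high-severity case, since it means the password list contained a valid credential; in practice you would also key on TargetUserName to catch password spraying across many accounts.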

Utilizing crackmapexec

Using CrackMapExec we can run various modules and perform different actions, such as dumping hashes and retrieving LSA secrets.

We can also execute individual commands using the -x switch.

Our goal here is to gain a shell using the credentials acquired earlier. There are two ways we can achieve this: one is by using an Empire agent, and the other is Metasploit. We will make use of Metasploit here, as it saves a lot of time.

We will make use of exploit/multi/script/web_delivery and set the required options such as SRVHOST and SRVPORT. We select the second target to make use of the PowerShell script.

Let’s change the payload to windows/meterpreter/reverse_https, set the required options and run the exploit in the background. The exploit starts and hosts our script.

Now let’s use the met_inject module in CrackMapExec to get a Meterpreter shell.

We get a Meterpreter session in our msfconsole.

After starting to interact with our Meterpreter session, we hunt for the flag.

Now it’s time to verify our flag in the Verify FLAGS section on the page where we started the lab.

Thank you everyone for reading and making it to the end, and happy hacking 😄!


Falcnix

Application Security Engineer | Penetration Tester | NET+ | SEC+ | CEH | paWASP