This is a Windows host that has an smb version that is vulnerable to the eternalblue exploit with the IP address 10.10.10.40. This was leveraged to gain a shell as nt authority\system.
The first step is the processes of reconnaissance by doing Nmap scan to check for the open ports.
As SMB is an easier way to exploit, we try finding the particular exploit for the SMB.
It seems that this box is running Windows 7, and it’s vulnerable to ms170–010 / CVE-2017–0143. A quick searchsploit search shows us several popular exploits.
We now execute Metasploit and search modules for ms17–010. We choose the eternalblue exploit, and we set the correct options to run it.
The meterpreter shell starts and we find the path for the directory.
Upon navigation, to the home C directory, we find the Users folder.
We find a name Haris who may be a user in the system.
Upon navigation into the desktop folder, we find the user.txt file.
Yipeeeee!! We have obtained the user flag!!!
Now we had got another directory called Administrator. Navigating into the directory, we have finally got the root flag as well.
