Get hands into Metasploit, and exploit EternalBlue on Windows 7 machine
Pitfalls to avoid
The EternalBlue nmap script was not run, as not being part of -sC since it is a vuln script
The IP used by Metasploit was the LAN one (192.x.x.x) instead of the VPN one (10.x.x.x)
Shell2Meterpreter post exploit was either very slow (network?) or not highly reliable
The lab details
With -sC you will have the default scripts run, not the vuln ones.
The EternalBlue script is a vuln one, so you will need to run it either specifically,
or using broader --script vuln
EternalBlue exploit using Metasploit
When running a Metasploit exploit in the TryHackMe labs,
don't forget to check the local host IP, as it may be the LAN one instead of the TryHackMe VPN one.
I think I lost quite some time because of that…
Leverage from shell to meterpreter
The post exploit may be slow. Be patient. I wasn't.
Hence why the terminal is a mess here!
You may setg LHOST 10.x.x.x so you don't have to define this option on every module:
it will be globally set (hence the "g")
Use migrate PID otherwise, or give a shot at other commands from help
I've run hashcat on another machine, but I then don't have the screenshots
Note that here, I was heading to generic (weak) passwords. I wouldn't have found the actual one from this.
It is recommanded to use the rockyou.txt passwords from the seclists package
In the hashdump result, first hash is LM (empty here) and second is NTLM (our target password).
We don't need to crack the first one using hashcat, just the second one, so that's faster.
If you're not "root" (SYSTEM), then such search might not return results,
as you may not have access to the folder where the flag is.
Also, this would fail if flag was named user.txt or root.txt