Flags - root - ff548eb71e920ff6c08843ce9df4e717 user - 4c546aea7dbee75cbd71de245c8deea9
Nmap Results ->
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
So as we can see, the SMB port is open again, and we can get its version by using the smb_version module. It is also very insecure because message_signing is disabled, which is dangerous.
Enumeration ->
smb-os-discovery:
  OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional
  OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
  Computer name: haris-PC
  NetBIOS computer name: HARIS-PC\x00
  Workgroup: WORKGROUP\x00
smb-security-mode:
  account_used: guest
  authentication_level: user
Exploit -> Works with a bind shell, though not a reverse shell -> https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue
Gives us a shell that we can use to get root.txt and user.txt, easy peasy.
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution -> https://www.exploit-db.com/exploits/42315
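The weaknesses noted in the scan and enumeration output above, turned into a defender-side audit (an added example, not part of the original notes): it parses nmap SMB script output for one host and lists what needs fixing. The sample text is constructed from the values on this page; the exact wording of the `message_signing` line and the function names `parse_fields` and `audit_smb` are assumptions.

```python
import re

# Constructed sample: values from the notes above, plus the message_signing
# line the notes only mention in prose (wording assumed).
SAMPLE = """\
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional
|   Computer name: haris-PC
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|_  message_signing: disabled (dangerous, but default)
"""

# OS families named in the exploit-db title quoted in the notes.
LEGACY_OS = re.compile(r"Windows (Server )?(7|8\.1|2008 R2|2012 R2|2016)")

def parse_fields(text):
    """Collect 'key: value' pairs from nmap host-script output lines."""
    fields = {}
    for line in text.splitlines():
        # Skip the '|' / '|_' tree prefix; script headers have no value and
        # port lines start with digits, so neither matches.
        m = re.match(r"^\|?_?\s*([A-Za-z_ ]+?):\s*(\S.*)$", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields

def audit_smb(text):
    """Return (severity, finding) tuples for one host's scan output."""
    f = parse_fields(text)
    findings = []
    if re.search(r"^445/tcp\s+open\b", text, re.M):
        findings.append(("info", "445/tcp reachable: limit SMB to hosts that need it"))
    if f.get("message_signing", "").startswith("disabled"):
        findings.append(("high", "SMB signing disabled: require signing on server and clients"))
    if f.get("account_used") == "guest":
        findings.append(("medium", "guest session accepted: disable guest access to SMB"))
    if LEGACY_OS.search(f.get("os", "")):
        findings.append(("high", "OS in MS17-010 scope: confirm the update is installed and SMBv1 is off"))
    return findings

if __name__ == "__main__":
    for severity, finding in audit_smb(SAMPLE):
        print(f"[{severity}] {finding}")
```
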