Author Topic: What exploit to use for this target?  (Read 1624 times)


Offline orangetan

What exploit to use for this target?
« on: November 19, 2015, 10:33:18 am »
Hi, I am trying to complete a hacking tutorial in a virtual environment.

The target is 172.19.19.2 and is an Accounts computer.

I have also done an nmap scan on 172.19.19.2 using Kali Linux with the command `nmap -sS -A -O 172.19.19.2`: see nmap scan result 01.PNG and nmap scan result 02.PNG.

It is confirmed that the Accounts computer is under the domain iptlabs.com and I can do a remote desktop connection to 172.19.19.2, but I do not have a username and password. The host is confirmed to be running Windows 7 Ultimate. There appears to be an administrator account enabled, but I do not know the password to enter it.

I am using Kali Linux and Metasploit to see how I can get into the account computer to get the information that I want.
I have also used Nessus to scan the target 172.19.19.2 and exported the result in nessus format, then used msfconsole to import the nessus file and display the vulnerabilities: see the vuln capture screen 01 and vuln capture screen 02.

I have looked through but failed to find any exploits to get into the 172.19.19.2 host, especially RDP vulnerabilities.

Can anyone advise on this? I need advice to do the following:

1) Get into the Account computer and get a file
2) Find the password for user name Arnold - it is confirmed there is a user name Arnold.

Please advise

Offline white-knight

Re: What exploit to use for this target?
« Reply #1 on: November 19, 2015, 01:45:31 pm »
If you are trying to learn, don't just scan and jump to find easy hack-button exploits; keep enumerating the open ports to get more and more info, then search how to get even more info.

Have you tried to get more information on ports 21 and 80?

Also look into using nmap scripts to help you enumerate them.
You can search Google to find common vulnerabilities per port / service and so on.

But if you want a quickie, maybe try ncrack and some word lists on the RDP, and Google Win 7 SMB vulns; you might find something.

Good luck

Offline th31nitiate

Re: What exploit to use for this target?
« Reply #2 on: November 19, 2015, 10:07:00 pm »
Try to further enumerate the FTP service and try to log in as an anonymous user. It might be a vulnerable FTP, or the lead might give you important information. Try to get the version number, since there may be an exploit for it.

Try logging in to the SMB service; I see in the Nessus output that it's possible. Once in, try to get more user accounts so that you can ncrack the RDP service to brute-force the users you find, including the alda user name. Also try logging in with the user name specified in all the services.

Don't forget the guest user also; if you get in as guest, there is a privilege escalation exploit listed in the Nessus output, so you can use that to get you where you need to be.

Offline orangetan

Re: What exploit to use for this target?
« Reply #3 on: November 20, 2015, 08:29:47 am »
th31nitiate,

I have tried to test FTP port 21 connections on 172.19.19.2, but I got the following: see the picture below.

When it says service 421 not available, what can I do to gain access to this FTP?

Thanks

regards


Offline KOR

Re: What exploit to use for this target?
« Reply #4 on: November 26, 2015, 06:47:10 pm »
Nmap has several handy scripts, one being --vuln, which scans for vulnerabilities against the versions it finds. Might be an idea to use that as well as Nessus. Though 7 Ultimate is mostly patched, so finding something open might be harder than usual. Maybe an infected PDF with meterpreter might be better?

Offline iikibT

Re: What exploit to use for this target?
« Reply #5 on: November 26, 2015, 06:58:59 pm »
Hey!

In a virtual lab you normally don't need to stay hidden or do things quickly, so it's a good idea to scan all ports (in nmap that's -p- or -p1-65535). Also don't forget to scan UDP ports.

I see there is tcp port 80 open. Did you check what's there? You can start with the browser and see if there is any web app (you can check for the usual folders like /phpmyadmin, /administrator, /uploads etc.). If you don't find anything you can try to brute force folder names with tools like wfuzz (cli) or dirbuster (gui).

As white-knight mentioned, HTTP (usually 80) and FTP (usually 21) are a good place to start and both seem to be open in your case, so check these first and see if you can find any information that will help you with other services.
« Last Edit: November 26, 2015, 07:00:14 pm by iikibT »
Hacking for no fun and no profit

Offline KOR

Re: What exploit to use for this target?
« Reply #6 on: November 30, 2015, 04:14:12 pm »
Alright, so I checked through your vuln pictures and there are a couple of things you can do. But I'm not going to tell you. In fact, I'm going to make you look them up yourself.

I will, however, tell you that if something says it might or may be vulnerable then you need to check the message that comes with it for some code or CVE that might allow you to Google the answer and see which exploit to use.
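
Added example, not part of any post in this thread: a short Python triage of a Nessus v2 (`.nessus`) export that lists each non-informational finding with its CVE references and solution text, and flags findings whose description is hedged ("may be", "might be") so they get verified against the host's patch level first. The sample report is constructed; its plugin IDs, plugin names and CVE ids are placeholders, and the `HEDGES` word list is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the Nessus v2 (.nessus) layout. Plugin IDs, names
# and CVE ids are placeholders, not findings from the scan in this thread.
SAMPLE = """<NessusClientData_v2><Report name="lab">
<ReportHost name="172.19.19.2">
 <ReportItem port="0" protocol="tcp" svc_name="general" severity="0" pluginID="900000" pluginName="Placeholder: scan information"/>
 <ReportItem port="445" protocol="tcp" svc_name="cifs" severity="3" pluginID="900001" pluginName="Placeholder: SMB finding">
  <cve>CVE-0000-0001</cve><cve>CVE-0000-0002</cve>
  <description>The remote host is affected by a placeholder issue.</description>
  <solution>Apply the vendor update.</solution>
 </ReportItem>
 <ReportItem port="3389" protocol="tcp" svc_name="msrdp" severity="2" pluginID="900002" pluginName="Placeholder: RDP finding">
  <description>The remote service may be vulnerable; version check only.</description>
  <solution>Enable Network Level Authentication.</solution>
 </ReportItem>
 <ReportItem port="21" protocol="tcp" svc_name="ftp" severity="4" pluginID="900003" pluginName="Placeholder: FTP finding">
  <cve>CVE-0000-0003</cve>
  <description>The FTP server might be affected, based on its banner.</description>
  <solution>Upgrade or disable the FTP service.</solution>
 </ReportItem>
</ReportHost></Report></NessusClientData_v2>"""

HEDGES = ("may be", "might be", "potentially", "appears to be")  # assumed list

def triage(nessus_xml):
    """Return non-informational findings, highest severity first."""
    rows = []
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            severity = int(item.get("severity", "0"))
            if severity == 0:
                continue  # informational plugins carry no finding to fix
            text = (item.findtext("description") or "").lower()
            rows.append({
                "host": host.get("name"),
                "port": int(item.get("port", "0")),
                "severity": severity,
                "plugin": item.get("pluginName"),
                "cves": [c.text.strip() for c in item.findall("cve") if c.text],
                # Hedged wording means the plugin inferred the issue (banner or
                # version check), so confirm patch level before acting on it.
                "unconfirmed": any(h in text for h in HEDGES),
                "solution": (item.findtext("solution") or "").strip(),
            })
    return sorted(rows, key=lambda r: (-r["severity"], r["port"]))

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r["host"], r["port"], r["severity"], r["unconfirmed"], r["cves"], r["solution"])
```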