I apologize for my poor English, but it isn't my first language and I wasn't planning on yeeting this story into an LLM and robbing myself of the satisfaction of typing it up myself. This is a story that happened back in 2023. My first "Official" internal pentest. At this point I had been running Linux as my daily driver for a year and had been rigorously grinding TryHackMe and HTB.
Preface
At this point I had been working with "real" environments for about a year and a half. I had tested webapps, found and exploited XSS, LFI and SQLi in client webapps and mobile apps, but had never worked on a "real" internal production environment. I come from a Vulnhub and CTF oriented background, which is usually more focused on solving a single machine rather than multiple. We settled our rules of engagement with the client and scheduled a visit. We had a laptop with Nessus ready to go to try and potentially find some quick wins within a day or so.
Day 1
We arrived at the client's office, met up with them and had a chat concerning our plans and the scope of the project. The environment itself wasn't huge by any means: around 50 PCs, 10 servers, some Cisco switches and a FortiGate firewall. The client hooked us up to the guest network and we got to work. First win: we discovered that devices on different VLANs could reach each other, which makes things much easier. The team and I agreed that Day 1 was going to be dedicated to enumerating every possible machine and developing an attack path, so we unleashed Nmap and Nessus on the network and hoped for the best. Around the end of the day I found a Windows Server 2012 box and confirmed my findings. Hoping to get a quick win, I decided to be a 'skiddy', fire EternalBlue at it and hope it was unpatched. I rescanned the machine using Nmap with a detection script for EternalBlue and it reported the target wasn't vulnerable. Rescanned it with Nessus. Same thing. Rescanned it with NetExec. Nothing. Well, no quick win here. We rounded out the day, and curiosity got the better of me. I had already put my laptop away at this point and asked my colleague if we could test the exploit out anyway; maybe it would pop an easy shell. They loaded up Metasploit and fired EternalBlue at the target and the exploit ... it did something ?!
It didn't pop a shell, but we got past the typical first stage of the exploit; we just couldn't manage to get a shell to open after multiple tries. It was a long day at this point, so we decided to call it quits for now and leave for home.
Day 2
The second day rolled around and we had found some promising attack paths. We had to leave one of my colleagues at the office since they were needed there. We arrived on site, hooked up to the guest network and booted up Responder to try and grab some NTLM hashes off the network. We grabbed a few and tossed them into Hashcat for cracking. We found a few printers with default credentials and a few other machines with some low-privileged users logged on. But in the back of my mind, that Windows Server definitely seemed like it needed to be retested. Around the end of the day I decided to boot up Metasploit and try the exploit again. Lo and behold, we popped a shell after every single tool in our arsenal had told us it wouldn't ...
After that it was easy to disable Windows Defender and use Mimikatz to dump LSASS, obtaining DA credentials. We took our screenshots, verified our findings and wrapped up this engagement.
Day 3
My senior at the time went back for day 3 while I stayed at the office and started consolidating our findings. There was no point in having three people on site since we already had DA privileges and had PWNED the environment.
Moral of the story ...
Sometimes you just have to listen to your intuition. Not every network is the same. Not every tool is the same. Not every target is the same. Tools can and will fail. A tool is just a tool; in the end we still have to be diligent and thorough with our enumeration and not default to "ol' reliable" and take its word as law. A lot of the time, common sense and intuition are just as important as proper tooling.