Pwndrive

Introduction

This is an easy machine, and the write-up is going to be short and easy too. The machine was vulnerable to the EternalBlue exploit (MS17-010) due to the use of SMBv1.

Enumeration 

From the Nmap scan result below, we can see a handful of open ports and services.

I decided to check out the webpage first and checked the login page form. Surprisingly, the first default/common credentials I used worked: admin:admin. Unbeknownst to me, the web service was a rabbit hole.

As seen below, I used the file upload feature and tried uploading a PHP reverse shell, but had no luck after several attempts and tweaking.

I used Nmap to check if the services running on ports 139 and 445 are vulnerable to CVE-2017-7494 (Eternal Blue), and it was indeed vulnerable, as seen below.

I decided to use the Metasploit framework since it has the exploit payload.

After setting the required options and running the exploit, the flag was easily caught.
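
The introduction attributes the issue to SMBv1 still being in use, so the useful check from the defender's side is whether a host you administer still accepts an SMB1-only negotiation. The following is an added example, not part of the original write-up: it builds an SMB1 Negotiate request offering only the `NT LM 0.12` dialect and classifies the reply. The function names and the two sample replies are constructed for illustration.

```python
import socket
import struct

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72

def build_smb1_negotiate(dialects=(b"NT LM 0.12",)):
    """Return a NetBIOS-framed SMB1 Negotiate request offering only SMB1 dialects."""
    header = (SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE])
              + b"\x00" * 4                           # NT status
              + b"\x18"                               # flags
              + struct.pack("<H", 0xC801)             # flags2
              + b"\x00" * 12                          # PIDHigh, signature, reserved
              + struct.pack("<4H", 0xFFFF, 0, 0, 0))  # TID, PID, UID, MID
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = b"\x00" + struct.pack("<H", len(data)) + data  # WordCount=0, ByteCount
    smb = header + body
    return struct.pack(">I", len(smb)) + smb  # session message type 0x00 + length

def classify_reply(reply):
    """Map a raw reply (NetBIOS header included) to an SMBv1 audit verdict."""
    payload = reply[4:]
    if len(payload) < 35 or payload[:4] == SMB2_MAGIC:
        return "smb1-not-accepted"   # empty/short reply, or the server answered in SMB2
    if payload[:4] != SMB1_MAGIC or payload[4] != SMB_COM_NEGOTIATE:
        return "unexpected-reply"
    # The 32-byte SMB1 header is followed by WordCount (1 byte), then DialectIndex.
    (dialect_index,) = struct.unpack_from("<H", payload, 33)
    return "smb1-not-accepted" if dialect_index == 0xFFFF else "smb1-enabled"

def probe(host, port=445, timeout=3.0):
    """Send the request to a host you are auditing and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_smb1_negotiate())
            return classify_reply(s.recv(4096))
    except OSError:
        return "unreachable-or-reset"

# Constructed sample replies (not captured traffic): a header-only SMB1 Negotiate
# response that selects dialect 0, and one that rejects every offered dialect.
_HDR = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27
SAMPLE_ACCEPTED = b"\x00\x00\x00\x23" + _HDR + b"\x11\x00\x00"
SAMPLE_REJECTED = b"\x00\x00\x00\x23" + _HDR + b"\x01\xff\xff"

if __name__ == "__main__":
    print(classify_reply(SAMPLE_ACCEPTED), classify_reply(SAMPLE_REJECTED))
```

A verdict of `smb1-enabled` means the server still negotiates SMBv1, and disabling that protocol removes the precondition the introduction describes.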