Legacy Writeup
Without Metasploit
Last updated
Initial Nmap scan to find open ports, treating all hosts as online (-Pn) so the scan does not stop at a failed ping.
Detailed Nmap scan:
Command breakdown:
(-sV): Service version detection
(-sC): Default Nmap scripts
(-p): Specifying ports 139, 445, 3389
(-oN nmap): Saving the output into a file called nmap
SMB is a common service with a long history of vulnerabilities, so let's use an Nmap script specific to SMB to check for known ones.
We can see that it is vulnerable to CVE-2008-4250 (MS08-067) and CVE-2017-0143 (MS17-010), two well-known vulnerabilities.
The vulnerability we will be exploiting is called EternalBlue, a flaw in Microsoft's implementation of the Server Message Block (SMB) protocol. An attacker who sends a crafted payload to the vulnerable service can execute arbitrary code on the target machine.
There is a great article explaining this vulnerability and how to exploit it.
First, let's download the exploit from GitHub.
Now we have to use msfvenom to create a reverse shell payload.
Now let's start a listener on our machine.
Let's run the exploit.
And we have a reverse shell.
Now, if we try using the whoami command to find what privileges we have on the system, it does not work, so I just went looking for both flags and found that I can read both of them, which means we are NT AUTHORITY\SYSTEM.