This box was an easy level windows box on HTB created by ch4p, it started with finding that the box is running a vulnerable samba server and the OS version of the box, then we use ms08-067 exploit to get a shell on the box.
As always let’s start off with nmap script nmap -sC for default scripts Alright, if it isn’t obvious yet I am a IPPSEC fanboi. Aight, firing up nmap to scan all open ports on the box.
And here is our nmap result
Open services SSH on port 22 and webserver on port 80. As there aren’t many attacks possible on ssh so I am gonna shift my focus on the web server.
The nmap is detecting OS version, Windows XP. Windows XP is pretty old and so the services running probably have some vulnerability. Samba seems like our attack vector so let’s enumerate Samba.
And seems like the smb server is vulnerable to smb-vuln-ms08-067.
The exploit script requires three arguments, target box IP, the port of vulnerable service and the OS info from a list of [1-8] menu it present to us. 6 option is for Windows XP English so I will be trying that first tho before that, we need to create a payload to get a reverse shell using msfvenom and replace it with the shellcode in the exploit.
Replace the shell code in the script and start a netcat listner using rlwrap nc -lvnp 9889. Note : If this exploit fails better reset the box.
Checking our netcat listner.
Now we can read both user.txt and root.txt.
Hope you learned something new, if you face any issues / have any query, feel free to contact me on social media.