Enumeration
First we run a generic nmap scan against the box to see what ports and services are available:
We see that SMB is open, let's do some enumeration against that:
Running a vulnerability check with nmap's NSE scripts, we see that the host is flagged as vulnerable to two CVEs. Let's focus on exploiting the latter (MS08-067).
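To turn that vulnerability scan into a remediation list rather than reading script output by eye, the scan can be saved with `-oX` and parsed. The following is an added example, not part of the original writeup; the XML layout of the `smb-vuln-ms08-067` script result (a `<table>` holding an `<elem key="state">`) is an assumption based on how NSE vuln scripts report, and the sample document is constructed inline.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (assumed structure): one host where
# smb-vuln-ms08-067 reported VULNERABLE and one where it did not.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms08-067" output="VULNERABLE">
        <table key="smb-vuln-ms08-067">
          <elem key="title">Microsoft Windows system vulnerable to remote code execution (MS08-067)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms08-067" output="NOT VULNERABLE">
        <table key="smb-vuln-ms08-067">
          <elem key="state">NOT VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""

def vulnerable_hosts(xml_text, script_id="smb-vuln-ms08-067"):
    """Return IPv4 addresses whose NSE result state is VULNERABLE or LIKELY VULNERABLE."""
    root = ET.fromstring(xml_text)
    hits = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for script in host.iter("script"):
            if script.get("id") != script_id:
                continue
            state = script.find(".//elem[@key='state']")
            text = (state.text or "").strip().upper() if state is not None else ""
            # "NOT VULNERABLE" must not match, so check the prefix explicitly.
            if text.startswith(("VULNERABLE", "LIKELY VULNERABLE")):
                hits.append(addr.get("addr"))
    return hits

if __name__ == "__main__":
    for ip in vulnerable_hosts(SAMPLE_XML):
        print(f"{ip}: MS08-067 unpatched, schedule the bulletin's update")
```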
Exploit
Use the following exploit from GitHub: https://github.com/jivoi/pentest/blob/master/exploit_win/ms08-067.py (this is already compatible with python3)
Generate shellcode to place inside the exploit, and replace the existing shellcode in the script with this output (make sure to leave off the trailing semicolon):
Start a netcat listener on the port you provided in the payload generation:
Run the exploit:
Your listener should have an established privileged connection to the box.
Resources
Jivoi GitHub Exploit (Python3): https://github.com/jivoi/pentest/blob/master/exploit_win/ms08-067.py
HackTricks Pentesting SMB: https://book.hacktricks.xyz/network-services-pentesting/pentesting-smb
Information on MS08-067
Microsoft Security Bulletin: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067
Dev[.]to's Technical Analysis of MS08-067: https://dev.to/er_dward/delving-into-ms08-067-a-deep-technical-analysis-with-code-snippets-2bb