This brought its usual output… lets have a look at it in a bit more detail<\/p>\n\n\n\n What do we have listed?<\/p>\n\n\n\n Port 139 and 445 which we know are SMB and port 3389 which is RDP. <\/p>\n\n\n\n We can try and enumerate SMB and we could try and attack RDP – it certainly has had a few vulnerabilities recently<\/p>\n\n\n\n Enumerating SMB didnt work<\/p>\n\n\n\n Lets have a go at RDP – Bluekeep (CVE-2019-0708) is the most recent, well publicised vulnerability so lets try that. Fire up msfconsole<\/em> and lets see if we can find an exploit for it.<\/p>\n\n\n\n It looks like there is a scanner which tells us if the system is vulnerable lets run that first<\/p>\n\n\n\n Hopefully you know that to use a particular module in metasploit <\/em>you need to tell it which one to use<\/em>. You can do that by copying the full path to the exploit or by using the number next to it in the search results, both of the commands below bring the same result.<\/p>\n\n\n\n Running the scanner brings back no results and suggests it isn’t vulnerable, go ahead and run the exploit if you like to see what happens but it didn’t succeed for me.<\/p>\n\n\n\n So what next? We’ve been unsuccessful against both protocols that are showing with the obvious checks…. this is where I had my “Oh! Its windows XP lets try\u2026.” moment.<\/p>\n\n\n\n The first exploit I was shown and that I ever had success with was MS08-067. It was also a critical vulnerability in the first proper pen test we did at work with huge numbers of vulnerable machines. It was so bad they stopped the test and called us in to discuss. We fixed it over the next 24 hours and it was the catalyst for a centralised Vulnerability Management program in that business, it has always stuck with me but in this instance it was just a guess on my part. It was something to try blindly. this is what I did. <\/p>\n\n\n\n In Metasploit<\/em> search for MS08-067, select option 0, set the options and run the exploit. It connects, returns a metepreter<\/em> session and you are running as SYSTEM.<\/p>\n\n\n\n This was the first box I pwned in anyway and to be fair it was very straight forward and done entirely by guesswork from my “knowledge” of common windows exploits, there was no clever methodology just a moment when I thought “Oh! Its windows XP lets try….” So lets try and walk through the steps […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[87,2,86,3],"tags":[7,6,85,91,89,90],"class_list":["post-573","post","type-post","status-publish","format-standard","hentry","category-ctf","category-cybersec","category-hackthebox","category-training","tag-cyber-security","tag-ethical-hacking","tag-hackthebox","tag-htb","tag-ms08-067","tag-walkthrough","entry"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pahuGk-9f","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/posts\/573","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/comments?post=573"}],"version-history":[{"count":4,"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/posts\/573\/revisions"}],"predecessor-version":[{"id":603,"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/posts\/573\/revisions\/603"}],"wp:attachment":[{"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/media?parent=573"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/categories?post=573"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/tags?post=573"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"http:\/\/vroamam.com\/wordpress\/wp-content\/uploads\/2020\/07\/image-41.png\")
<\/figure>\n\n\n\n![\"\"](\"http:\/\/vroamam.com\/wordpress\/wp-content\/uploads\/2020\/07\/image-42.png\")
<\/figure>\n\n\n\nmsfconsole\nsearch bluekeep<\/pre>\n\n\n\n
![\"\"](\"http:\/\/vroamam.com\/wordpress\/wp-content\/uploads\/2020\/07\/image-43.png\")
<\/figure>\n\n\n\nuse 0\nuse \/auxilliary\/scanner\/rdp\/cve_2019_0708_bluekeep<\/pre>\n\n\n\n
![\"\"](\"http:\/\/vroamam.com\/wordpress\/wp-content\/uploads\/2020\/07\/image-44.png\")
<\/figure>\n\n\n\n![\"\"](\"http:\/\/vroamam.com\/wordpress\/wp-content\/uploads\/2020\/07\/image-45.png\")
<\/figure>\n","protected":false},"excerpt":{"rendered":"