Wow, this has been a long while in coming, but I've finally pwned my second box in the PWK labs. It's been a few weeks, between finishing the course book exercises, recovering from a short illness and slacking off to "The 100" (thanks for introducing me to the show Mike!).
My second host caught my eye during the exercises in chapter 14, where we're doing password and hash attacks on Windows boxen. The hostname reminds me of juvy gangs, hence the book cover on the left. :D
The book asks us to use Metasploit to exploit one of the SMB servers, in order to grab a hashdump through Meterpreter. One of those servers stood out, as it could fall prey to the famous MS08-067. Because it's such a well-known bug, I wanted to replicate the attack manually instead of just using Metasploit. Not literally "manually", because I can't code that well, but by tweaking one of the pre-existing POCs such as 7132.py or 40279.py.
It got frustrating and I bumped my head quite a few times, only to finally find out what I was doing wrong by reading a suggestion on the OffSec forums:
"Well, consider how the malicious packet in 7132 is created, and where exactly the shellcode is inserted. If a shellcode of different size is substituted, how would that affect the rest of the items in the malicious packet?"
I hadn't accounted for my smaller payload size, which would mess up the execution of the whole exploit! After recalculating the NOP slide it was clear sailing and I now have admin on the box.
I'm not satisfied though! I see the host is also vulnerable to another famous bug from 2005, which I've already confirmed with Metasploit. Now I want to make the relevant POC C-code also work in my situation :) This is fun stuff!
View or add comments (curr. 0)
All content, with exception of "borrowed" blogpost images, or unless otherwise indicated, is copyright of Thomas Sluyter. The character Kilala the cat-demon is copyright of Rumiko Takahashi and used here without permission.