Exploiting MS08-067 without Metasploit (HTB Legacy Walkthrough)

z3r0day_504
Sep 4, 2023
1 min read

Enumeration

First we run a generic nmap scan against the box to see what ports and services are available:

We see that SMB is open, let's do some enumeration against that:

Running a vulnerability check using nmap, we see that the host is vulnerable to two CVEs. Let's focus on exploiting the latter (MS08-067).

Exploit

Use the following exploit from GitHub: https://github.com/jivoi/pentest/blob/master/exploit_win/ms08-067.py (this is already compatible with python3)

Generate shellcode to place inside the exploit and replace the existing shellcode in the exploit with this output (make sure to leave off the semicolon):

Start a netcat listener on the port you provided in the payload generation:

Run the exploit:

Your listener should have an established privileged connection to the box.

Resources

Jivoi GitHub Exploit (Python3): https://github.com/jivoi/pentest/blob/master/exploit_win/ms08-067.py
HackTricks Pentesting SMB: https://book.hacktricks.xyz/network-services-pentesting/pentesting-smb

Information on MS08-067

Microsoft Security Bulletin: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067
Dev[.]to's Technical Analysis of MS08-067: https://dev.to/er_dward/delving-into-ms08-067-a-deep-technical-analysis-with-code-snippets-2bb

Exploiting MS08-067 without Metasploit (HTB Legacy Walkthrough)

Enumeration

Exploit

Resources

Information on MS08-067

Recent Posts

Comments