HackTheBox Legacy Writeup




Windows Privilege Escalation

Windows Privilege Escalation with Metasploit



Run the nmapAutomator.sh script to automate all of the process of recon/enumeration.We can see there are 2 pots open port 139 & 445Enumeration

from nmapautomator Vuln Scan we get to know there is 2 vulnerability MS08-067 & MS17-010 from both vulnerability we get System PrivilegeMS08-067

lets download the exploit code and generate shellcode

Now paste the shellcode into the python script

before launching the exploit we have to know which OS version it is we get to know in nmapautomator scan result

print 'Example: MS08_067.py 1 for Windows XP SP0/SP1 Universal\n'

print 'Example: MS08_067.py 2 for Windows 2000 Universal\n'

print 'Example: MS08_067.py 3 for Windows 2003 SP0 Universal\n'

print 'Example: MS08_067.py 4 for Windows 2003 SP1 English\n'

print 'Example: MS08_067.py 5 for Windows XP SP3 French (NX)\n'

print 'Example: MS08_067.py 6 for Windows XP SP3 English (NX)\n'

print 'Example: MS08_067.py 7 for Windows XP SP3 English (AlwaysOn NX)\n'


now lets run the exploit and start the listenerwe got the shell with System Privilege

Windows Privilege Escalation with Metasploit

we can exploit this vulnerability with metasploit also as shown in the below imageMS17-010

lets download the python script send_and_execute.py and mysmb.py, send_and_execute.py script will upload our exploit and execute it

Now generate payloadlets start the listener and run the exploit

User flag is in “C:\Documents and Settings\john\Desktop” directory and root flag is in “C:\Documents and Settings\Administrator\Desktop” directory.           

Leave a Reply

Your email address will not be published. Required fields are marked *