Experience Vulnyx (Very Easy- Windows)

Port scan

nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn <IP>
nmap -sCV -p<PORTS> <IP>

Info:

Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-24 03:08 EDT
Nmap scan report for 192.168.5.65
Host is up (0.0017s latency).

PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
MAC Address: 08:00:27:8D:14:A0 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_nbstat: NetBIOS name: EXPERIENCE, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:8d:14:a0 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 13h29m59s, deviation: 4h56m59s, median: 9h59m59s
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: experience
|   NetBIOS computer name: EXPERIENCE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-07-24T10:08:42-07:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.65 seconds

We can see several open ports, specifically SMB and RPC. Before anything else, let's check with a few nmap scripts whether the SMB service is vulnerable to an EternalBlue attack.
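As an added example that is not part of the original writeup, the following Python parses the host-script section of the nmap output above and turns it into the findings a defender would record for this host (signing disabled, guest access accepted, end-of-life OS, SMB1-only). The copied output and the rule wording are constructed for this example.

```python
import re

# Host-script section of the nmap scan shown above (constructed copy for this example)
NMAP_OUTPUT = """\
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: experience
"""

# '|_name: text' / '| name:' are script headers; '|   key: value' are entries inside a script
LINE = re.compile(r"^\|_?( *)([\w -]+?): ?(.*)$")

def parse_host_scripts(text):
    """Turn nmap '| script:' blocks into {script: {key: value}}; one-line scripts keep their text under 'summary'."""
    scripts, current = {}, None
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        indent, key, value = m.groups()
        if len(indent) <= 1:            # script header (no or one leading space)
            current = key
            scripts[current] = {"summary": value} if value else {}
        elif current:                   # indented key/value belonging to the current script
            scripts[current][key] = value
    return scripts

def assess(scripts):
    """Map parsed script output to defensive findings (rules constructed for this example)."""
    findings = []
    sec = scripts.get("smb-security-mode", {})
    if sec.get("message_signing", "").startswith("disabled"):
        findings.append("SMB signing disabled: enforce 'Digitally sign communications (always)' to prevent relay")
    if sec.get("account_used") == "guest":
        findings.append("Guest authentication accepted: disable guest access and anonymous enumeration")
    osd = scripts.get("smb-os-discovery", {})
    if "windows_xp" in osd.get("OS CPE", "") or osd.get("OS", "").startswith("Windows XP"):
        findings.append("Windows XP host: end-of-life and exposed to MS17-010 (EternalBlue); isolate and decommission")
    if "failed" in scripts.get("smb2-time", {}).get("summary", ""):
        findings.append("SMB2 negotiation failed: SMB1-only host; block TCP/445 from untrusted segments and monitor")
    return findings

if __name__ == "__main__":
    for finding in assess(parse_host_scripts(NMAP_OUTPUT)):
        print("-", finding)
```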

Info:

We can see that it is indeed vulnerable, so let's open Metasploit to exploit it from there.

Metasploit

Once inside, we search for the following module:

Now let's move on to configuring and running it:

Info:

With that we'll see that we are NT AUTHORITY\SYSTEM directly, the highest privilege level on a Windows machine.

So let's read the user and root flags.

user.txt

root.txt