Failed Pentesting Windows Server 2003 Service Pack 2

Hi,

I am currently doing a pentest project for a company. I have owned some Windows 2008 servers. There are some Windows 2003 Service Pack 2 servers; I thought it would be easy to own these (because of the unsupported OS), but I was wrong! I have enumerated these servers and tried a lot of exploits and none of them work. I’m very confused. Is there something that is blocking my exploits or something? Come on, it’s Windows Server 2003 SP2, it should be easy to own. Can you guys maybe help me by pointing me in the right direction? I have included my Nessus scan and the open ports below:

PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1052/tcp open ddt
1058/tcp open nim
1059/tcp open nimreg
1061/tcp open kiosk
1066/tcp open fpo-fns
1067/tcp open instl_boots
1069/tcp open cognex-insight
1081/tcp open pvuniwien
1433/tcp open ms-sql-s
1801/tcp open msmq
2103/tcp open zephyr-clt
2105/tcp open eklogin
2107/tcp open msmq-mgmt
2301/tcp open compaqdiag
2381/tcp open compaq-https
3306/tcp open mysql
3389/tcp open ms-wbt-server
8099/tcp open unknown
9090/tcp open zeus-admin
27000/tcp open flexlm0

Nessus scan:

Already used these exploits:
Iis_webdav_scstoragepathfromurl
Ms06_001_wmf_setabortproc
Esteemaudit
Rras
Smb_ms17_010
Fb_cnt_group
Efs_fmws_userid_bof
Ms08_067_netapi
Ms07_029_msdns_zonename
Ms03_026_dcom
Ms04_011_llas
Ms04_011_pct
Ms04_007_killbill
Ms04_045_wins
Ms06_025_rasman_reg
Ms06_025_rras

We are not here to do your personal inside job for your own company; de facto, be a responsible penetration tester and try harder.

Hi @Frey, it’s not my company or for my job. I’m a student doing a project and trying to learn and expand my knowledge :)

While it was bluntly put, @Frey has a valid point. Try harder is really the right answer here.

The question you are asking is fairly challenging for people to answer because we don’t have access to the environment. It’s not as simple as saying “ah SMB is open therefore Eternal Blue” (and you’ve tried that).

There are millions of ports open and the pentest needs to consider how each one is configured and how inspirational you can be with exploits.

For example, what does the FTP service expose? Is it the file system? Is it a restricted area? etc.

You need to do this for each port in a methodological manner. If you are just trying automated exploits in MSF, then save yourself a lot of time and run a hail mary in Armitage.

Looking at Nessus - you can try to exploit the HTTP server, but you’d need to craft an overflow. PHP is vulnerable, so experiment with what it does and how you can interact with it. Have you enumerated port 80 to see if PHP is running? What scripts/apps are in play? (etc)

Strive to move away from simply using searchsploit and trying each thing one after another. There is already automated tooling for that. Be a human and think about the problems to see if you can find a solution.

@Ismail
I am not pretty sure,
but for 445 you can use ODAT