Offensive Security
Offensive Security
Offensive Security
Offensive Security
About me / contact me
Penetration Testing with Kali
Note taking
Master your skills
OSCP
Information gathering
Gaining Access - Vulnerability Exploitation
Privilege Escalation
HTB
Active
Retired
10.10.10.9 - Bastard
10.10.10.3 - Lame - DistCC, SMB, SSH Reuse
10.10.10.4 - Legacy - WindowsXP samba
10.10.10.5 - Devel - Windows 7
10.10.10.7 - Beep - LFI, Shellshock, SUID
10.10.10.11 - Arctic - LFI, Win2008 Priv Esc
10.10.10.27 - Calamity - php command injection
10.10.10.46 - Apocalyst
10.10.10.51 - SOLID STATE - Apache James, SUID
10.10.10.63 - Jeeves - Jenkins WebServer, SeImpersonatePrivilege
10.10.10.84 - Poison - LFI (Log Poisoning)
VulnHub
Brainpan - 1 - Buffer Overflow
Web Vulnerabilities - OWASP TOP 10
SQL Injection
XXE - XML External Entity
Command Injection
Cross Site Scripting
Broken Authentication and Session Management
Insecure Direct Object References
Cross Site Request Forgery
Security Misconfiguration
Insecure Cryptographic Storage
Insufficient Transport Layer Protection
Other Web Vulnerabilities
Remote File Upload
Remote File Inclusion
Local File Inclusion
Personal Projects
WiFi Penetration Testing
Phishing attempts
Case of executing python projects through SilentTrinity
News
Operating System philosophy
Powered by GitBook

10.10.10.4 - Legacy - WindowsXP samba

Wannacry's main ingredient.

Summary: vulnerable software : 445 WindowsXP samba system vulnerable : 10.10.10.4 vulnerability explanation : EternalBlue Samba Exploit privilege escalation: none, service running with administrative privileges severity : critical

Enumeration:

[+] Running UDP and TCP port scan
​
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-09 23:09 GMT
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Stats: 0:02:24 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.23% done; ETC: 23:11 (0:00:02 remaining)
Stats: 0:02:47 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.23% done; ETC: 23:12 (0:00:02 remaining)
Nmap scan report for 10.10.10.4
Host is up (0.15s latency).
​
PORT    STATE SERVICE      VERSION
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
137/udp open  netbios-ns   Microsoft Windows netbios-ns (workgroup: HTB)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|2003|2000 (88%)
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003 cpe:/o:microsoft:windows_2000::sp4
Aggressive OS guesses: Microsoft Windows XP SP2 or Windows Small Business Server 2003 (88%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (87%), Microsoft Windows XP SP2 (86%), Microsoft Windows XP SP2 or SP3 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: LEGACY; OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
​

Also nmap --script=vuln detected several vulnerabilities in the Windows XP samba service:

This type of Nmap scan resulted in a denial of service on SMB port. In future it is always a good idea to probe the service manually before running this script against WindowsXP samba service.

Since port 445 and 139 is opened we can safely assume that a remote host is running Samba share service. Next step is to enumerate the content of these shares if possible or more importantly check is we have read or write access to them:

No shares found or access denied

Confirmation with smbmap:

Even though we have not found direct access to the shares, manual probing revealed named pipes and patching information:

Metasploit exploitation on MS17-010:

This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information with as an Administrator session. From there, the normal psexec payload code execution is done. Exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe. - Metasploit Information

Metasploit Exploitation of MS08-067

This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development.

Previous
10.10.10.3 - Lame - DistCC, SMB, SSH Reuse
Next
10.10.10.5 - Devel - Windows 7
Last updated 1 year ago