Legacy - Christopher Boedicker's - Cyber Security Professional Resume

Recon and Information Gathering:

nmap -Pn -sCV -p139,445 -oN nmap/Basic_10.10.10.4.nmap 10.10.10.4

PORT STATE SERVICE VERSION

139/tcp open netbios-ssn Microsoft Windows netbios-ssn

445/tcp open microsoft-ds Windows XP microsoft-ds

Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:

|_clock-skew: mean: 5d00h28m22s, deviation: 2h07m16s, median: 4d22h58m22s

|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:1d:3c (VMware)

| smb-os-discovery:

| OS: Windows XP (Windows 2000 LAN Manager)

| OS CPE: cpe:/o:microsoft:windows_xp::-

| Computer name: legacy

| NetBIOS computer name: LEGACY\x00

| Workgroup: HTB\x00

|_ System time: 2020-06-12T06:27:29+03:00

| smb-security-mode:

| account_used: guest

| authentication_level: user

| challenge_response: supported

|_ message_signing: disabled (dangerous, but default)

|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

# Nmap done at Sat Jun 6 21:29:58 2020 — 1 IP address (1 host up) scanned in 59.28 seconds

Vulnerability Scan:

nmap -Pn -sV –script vuln -p139,445 -oN nmap/Vulns_10.10.10.4.nmap 10.10.10.4

Pre-scan script results:

| broadcast-avahi-dos:

| Discovered hosts:

| 224.0.0.251

| After NULL UDP avahi packet DoS (CVE-2011-1002).

|_ Hosts are all up (not vulnerable).

Nmap scan report for 10.10.10.4

Host is up (0.11s latency).

PORT STATE SERVICE VERSION

139/tcp open netbios-ssn Microsoft Windows netbios-ssn

|_clamav-exec: ERROR: Script execution failed (use -d to debug)

445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds

|_clamav-exec: ERROR: Script execution failed (use -d to debug)

Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:

|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED

| smb-vuln-ms08-067:

| VULNERABLE:

| Microsoft Windows system vulnerable to remote code execution (MS08-067)

| State: VULNERABLE

| IDs: CVE:CVE-2008-4250

| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,

| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary

| code via a crafted RPC request that triggers the overflow during path canonicalization.

| Disclosure date: 2008-10-23

| References:

| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250

|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx

|_smb-vuln-ms10-054: false

|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)

| smb-vuln-ms17-010:

| VULNERABLE:

| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)

| State: VULNERABLE

| IDs: CVE:CVE-2017-0143

| Risk factor: HIGH

| A critical remote code execution vulnerability exists in Microsoft SMBv1

| servers (ms17-010).

| Disclosure date: 2017-03-14

| References:

| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Looking at the vulnerability scan I can see that this system is vulnerable smb ms17-010

Exploitation:

I’m choosing to use Metasploit to attack this machine. I go to search for ms17-010:

Sure enough Metasploit confirmed that this machine is vulnerable to smb:

Going back to our scan notes, I noticed that system I’m trying to access is Windows XP.

So going back to Metasploit I choose the exploit netapi:

Internal System Gathering:

We have SYSTEM which for windows that is root level.

Finding root.txt: