Hack The Box: Legacy Write-up #3
For my third blog, since I have been pwning Linux boxes, I have decided to move to Windows and explore its complexity. I worked on a retired HTB machine, in reference to TJ Null's guideline, in preparation for the OSCP.
As usual, I will start by scanning my target with the nmap tool.
-A: Enable OS detection, version detection, script scanning, and traceroute
-p-: all ports from 0–65535; you can exclude ephemeral ports by setting -p T:range_start-range_end,U:range_start-range_end
From the above snapshot, one can notice we have a WinXP box running SMB over TCP (port 139 and port 445). We will try to exploit it.
We will now proceed to vulnerability enumeration, using common nmap scripts as shown below.
Our target is vulnerable to CVE-2008-4250 (smb-vuln-ms08-067) and CVE-2017-0143 (smb-vuln-ms17-010).
Exploitation w/ Metasploit:
Searching for MS08-067, I found a corresponding exploit that can be used for RCE, and it worked smoothly. Set RHOSTS to your target and set LHOST to your attack machine. N.B.: to get an interactive shell, I've used 'execute -f cmd.exe -i -H' as a meterpreter command. Once inside the box, locate the flag and it's done.
Exploiting w/o Metasploit:
I will use the same exploit, "CVE-2008-4250 MS08-067", as I did with Metasploit. I will start off by downloading the MS08_067 Python Exploit Script.
Now we have to add the payload to the exploit code. Here it is generated manually, whereas the Metasploit framework does this automatically. With the msfvenom tool, the shellcode is generated as shown below.
Copy the generated shellcode into the downloaded script, then run it as prescribed.
At this stage, we need a plan to catch the shell once a connection is established.
Note that the payload passed is unstaged, which helps in getting an interactive shell. By contrast, when we use a staged shell, we will catch a shell that dies instantly. Considering the payload provided, it will form a staged payload, so we will need the Metasploit multi handler exploit, which I heard is allowed on the exam, to engage with our target.
Below is what happens when we try to catch the shell from a staged payload running on a target.
We will proceed by starting the multi handler exploit from msfconsole, which will catch a shell once the exploit has run on the target.
Afterwards, the flags can be acquired by digging through the box.
- Thorough understanding of msfvenom tool usage
- While installing some Python libraries, don't use python3 as the command
- An SMB service that is not updated will result in a compromise of the device it runs on.
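
The defender's side of the last takeaway, as an added example that is not part of the original write-up: a Python parser that turns output from the nmap smb-vuln scripts used above into a patch queue, keyed on the State line so that a host reporting NOT VULNERABLE is not flagged. The sample output is constructed and abridged, the addresses are documentation placeholders, and the function names are hypothetical.

```python
import re

# Constructed, abridged nmap smb-vuln-* output (TEST-NET-1 addresses).
SAMPLE = """\
Nmap scan report for 192.0.2.10
| smb-vuln-ms08-067:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|_    IDs:  CVE:CVE-2017-0143
Nmap scan report for 192.0.2.20
| smb-vuln-ms08-067:
|   NOT VULNERABLE:
|     State: NOT VULNERABLE
|_    IDs:  CVE:CVE-2008-4250
"""

HOST_RE = re.compile(r"^Nmap scan report for (.+?)\s*$")
SCRIPT_RE = re.compile(r"^\|[_ ]\s*(smb-vuln-[\w-]+):")
STATE_RE = re.compile(r"^\|_?\s+State:\s*(.+?)\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_findings(text):
    """Return {host: {script: {"state": str, "cves": [str]}}}."""
    findings, host, script = {}, None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, script = m.group(1), None
            findings[host] = {}
        elif host and (m := SCRIPT_RE.match(line)):
            script = m.group(1)
            findings[host][script] = {"state": "UNKNOWN", "cves": []}
        elif host and script and (m := STATE_RE.match(line)):
            findings[host][script]["state"] = m.group(1)
        elif host and script and "IDs:" in line:
            findings[host][script]["cves"] = CVE_RE.findall(line)
    return findings

def patch_queue(findings):
    """Sorted (host, script, cves) rows; a substring test would also hit NOT VULNERABLE."""
    return sorted(
        (host, script, tuple(info["cves"]))
        for host, scripts in findings.items()
        for script, info in scripts.items()
        if info["state"].startswith(("VULNERABLE", "LIKELY VULNERABLE")))
```

Calling patch_queue(parse_findings(SAMPLE)) lists only the first host, once per script, with the CVE each patch closes.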