Michael Thelen

NinjaCat - Security Analyst - Cyber Security Enthusiast

16 Feb 2019

Hack The Box Write-Up Legacy

Estimated read time: ~4 minutes

Hack The Box is an online platform that hosts virtual machines that are vulnerable by design to sharpen one’s penetration testing and security skills. While Legacy is an older machine there is still a lot to learn if the exploitation phase is attempted without the use of the Metasploit framework. The vulnerability on this machine is very well known and is often used to teach beginners the basics of penetration testing.

Tools Used

  • Nmap
  • Searchsploit
  • Python
  • Msfvenom
  • Ncat
  • Locate
  • Impacket smbserver.py
  • Copy
  • Whoami.exe

Enumeration: Nmap

Running an initial scan with Nmap reveals ports 139 and 445 are open. Nmap also specifically mentions port 3389 is closed. “Nmap Initial Scan”

Running a targeted service scan against ports 139, 445 and 3398 reveals the Microsoft Windows netbios-ssn and Windows XP microsoft-ds services. Furthermore, the service scan and script results reveal the target operating system is Windows XP. “Nmap Service Scan”

Because Windows XP is an older operating system it is highly likely it is vulnerable to a well-known exploit. Running an Nmap script scan for the MS08-067 vulnerability reveals this is indeed the case. “Nmap Vulnerability Scan”

John Lambert’s story about this vulnerability is a worthy read and can be found here.

Enumeration: Searchsploit

Using searchsploit with the search parameter ms08-067 reveals several public exploits. “Searchsploit ms08-067”

As Python is my language of choice I copy the Python exploit from the local exploit database to investigate and modify it where necessary. “Copy the Python Exploit”

Running the exploit reveals it needs two parameters, the targets IP address and a number for the target’s operating system version. “Running the exploit”

Inspecting the exploits code reveals there are several operating system versions to choose from. Selecting the correct version is important because the exploit needs to know the return address in memory that is different for each operating system version. “Inspecting the Exploit Code”

Enumeration: Nmap Continued

The Nmap script scan revealed the target’s operating system was Windows XP but the exact version is still a mystery. Running an Nmap service scan with operating system detection reveals that Nmap guesses with 94% certainty that the target operating system is Windows XP SP3. “Nmap OS Detection”

Exploitation: Initial Shell

Inspecting the exploit code again reveals that Windows XP SP3 is supported with the parameter 6. “Inspecting the Exploit Code”

Further investigation of the exploit comments reveals the initial shellcode needs to be replaced, furthermore it notes that the payload size is 380 bytes long. “Exploit Comments”

Msfvenom can be leveraged to generate new shellcode and replace the other parameters embedded within such as the IP address and port. Furthermore, the Meterpreter payload needs to be replaced because Ncat cannot handle the currently embedded staged payload. Running the first Msfvenom command to determine how large the payload size will become with a new stageless payload sell_reverse_tcp. “Msfvenom Shellcode Generation”

A good article on staged versus stageless payloads can be found here.

The final payload size of the Msfvenom command is 348 bytes but the exploit expects a payload of 380 bytes. This can be solved by adding a Nopsled of 32 bytes with Msfvenom. Note the –nopsled 32 command at the end that adds an extra 32 bytes to the payload making the final payload size 380 bytes. “Msfvenom Shellcode with Nops”

Replacing the initial shellcode with the newly generated shellcode from Msfvenom leaving the first three lines of the initial shellcode which are NOP’s in place. “Replacing the Exploit Shellcode”

Preparing a Ncat listener on port 443 to catch the connection. “Prepare Ncat Listener on Port 443”

Launching the modified Python exploit against the targets IP address using parameter 6 which contains the Windows XP SP3 return address. “Launching the Python Exploit”

The exploits succeeds and connects back to the Ncat listener creating an initial shell on the target. “Initial Reverse Shell”

Privilege Escalation (Sort of)

The target operating system does not seem to have the whoami command available to determine the username of the current session. Luckily Kali Linux has a whoami.exe executable built in. This executable can be transferred to the target over an SMB connection as this functionality is built into Windows operating systems by default. “Locating whoami.exe”

Leveraging the Impacket smbserver.py Python script to create an SMB share on the attacking machine. “Prepare Impacket Smbserver”

Initiating the transfer of the whoami.exe executable on the target machine. “Copy whoami.exe”

The Impacket smbserver.py script allows the connection and the whoami.exe file is transferred to the target. “Impacket Smbserver Transfer”

Exploitation: Root

Executing the whoami.exe executable reveals the initial shell has SYSTEM privileges resulting in a full compromise of the machine. “Root”

Conclusion

As stated before Legacy is an old machine with a very well-known vulnerability. Using Metasploit to exploit the machine is a valid and above all fast solution, it does however not allow one to learn all the lessons this machine has to offer if you are a beginning penetration tester.

My recommendation is to first exploit the machine with Metasploit and then manually exploit it solidify one’s knowledge of what is really going on under the hood and learn a thing or two in the process.

*

Related Posts