Hack The Box Write-Up Legacy

How I obtained system access on the Legacy machine from Hack The Box.

Introduction

Hack The Box is an online platform that hosts virtual machines that are vulnerable by design to sharpen one’s penetration testing and security skills. While Legacy is an older machine there is still a lot to learn if the exploitation phase is attempted without the use of the Metasploit framework. The vulnerability on this machine is very well known and is often used to teach beginners the basics of penetration testing.

Tools Used

  • Nmap
  • Searchsploit
  • Python
  • Msfvenom
  • Ncat
  • Locate
  • Impacket smbserver.py
  • Copy
  • Whoami.exe

Enumeration: Nmap

Running an initial scan with Nmap reveals ports 139 and 445 are open. Nmap also specifically mentions port 3389 is closed. 800x400

Running a targeted service scan against ports 139, 445 and 3398 reveals the Microsoft Windows netbios-ssn and Windows XP microsoft-ds services. Furthermore, the service scan and script results reveal the target operating system is Windows XP. 800x400

Because Windows XP is an older operating system it is highly likely it is vulnerable to a well-known exploit. Running an Nmap script scan for the MS08-067 vulnerability reveals this is indeed the case. 800x400

NOTE: John Lambert’s story about this vulnerability is a worthy read and can be found here.

Enumeration: Searchsploit

Using searchsploit with the search parameter ms08-067 reveals several public exploits. 800x400

As Python is my language of choice I copy the Python exploit from the local exploit database to investigate and modify it where necessary. 800x400

Running the exploit reveals it needs two parameters, the targets IP address and a number for the target’s operating system version. 800x400

Inspecting the exploits code reveals there are several operating system versions to choose from. Selecting the correct version is important because the exploit needs to know the return address in memory that is different for each operating system version. 800x400

Enumeration: Nmap

The Nmap script scan revealed the target’s operating system was Windows XP but the exact version is still a mystery. Running an Nmap service scan with operating system detection reveals that Nmap guesses with 94% certainty that the target operating system is Windows XP SP3. 800x400

Exploitation: Initial shell

Inspecting the exploit code again reveals that Windows XP SP3 is supported with the parameter 6. 800x400

Further investigation of the exploit comments reveals the initial shellcode needs to be replaced, furthermore it notes that the payload size is 380 bytes long. 800x400

Msfvenom can be leveraged to generate new shellcode and replace the other parameters embedded within such as the IP address and port. Furthermore, the Meterpreter payload needs to be replaced because Ncat cannot handle the currently embedded staged payload. Running the first Msfvenom command to determine how large the payload size will become with a new stageless payload sell_reverse_tcp. 800x400

NOTE: A good article on staged versus stageless payloads can be found here.

The final payload size of the Msfvenom command is 348 bytes but the exploit expects a payload of 380 bytes. This can be solved by adding a Nopsled of 32 bytes with Msfvenom. Note the –nopsled 32 command at the end that adds an extra 32 bytes to the payload making the final payload size 380 bytes. 800x400

Replacing the initial shellcode with the newly generated shellcode from Msfvenom leaving the first three lines of the initial shellcode which are NOP’s in place. 800x400

Preparing a Ncat listener on port 443 to catch the connection. 800x400

Launching the modified Python exploit against the targets IP address using parameter 6 which contains the Windows XP SP3 return address. 800x400

The exploits succeeds and connects back to the Ncat listener creating an initial shell on the target. 800x400

Privilege Escalation (Sort of)

The target operating system does not seem to have the whoami command available to determine the username of the current session. Luckily Kali Linux has a whoami.exe executable built in. This executable can be transferred to the target over an SMB connection as this functionality is built into Windows operating systems by default. 800x400

Leveraging the Impacket smbserver.py Python script to create an SMB share on the attacking machine. 800x400

Initiating the transfer of the whoami.exe executable on the target machine. 800x400

The Impacket smbserver.py script allows the connection and the whoami.exe file is transferred to the target. 800x400

Exploitation: Root

Executing the whoami.exe executable reveals the initial shell has SYSTEM privileges resulting in a full compromise of the machine. 800x400

Conclusion

As stated before Legacy is an old machine with a very well-known vulnerability. Using Metasploit to exploit the machine is a valid and above all fast solution, it does however not allow one to learn all the lessons this machine has to offer if you are a beginning penetration tester.

My recommendation is to first exploit the machine with Metasploit and then manually exploit it solidify one’s knowledge of what is really going on under the hood and learn a thing or two in the process.


© 2018. All rights reserved.