HTB - Legacy
As the Resolute root flag is proving rather difficult for my nooby skill level at the moment, I decided to take a breather and rooted Legacy tonight.
I must say it’s restored my faith in myself a bit- I’ve discovered that I’m only so slow momentarily due to a lack of knowledge (e.g. Sauna took me longer due to not being aware of how to properly enumerate a Domain Controller.)
I think Legacy took me an hour if that all together; it’s honestly not a bragging point as you simply have to utilize ms08-067 (a buffer overflow vulnerability triggered by specially crafted RPC requests, exploited by the Conficker worm detected in late 2008) which grants you the ability of arbitrary code execution on the machine.
I started off with my enum script which revealed 3 interesting ports:
We have netbios-ssn (netbios session service), microsoft ds (directory service) and ms wbt server (windows-based terminal); as the wbt server is closed, our focus will be on netbios and ds.
Googling microsoft ds brings up an obvious clue:
Obviously this is going to be our target, meaning scripts such as enum4linux, nmblookup and smbclient will come to our aid (https://www.hackingarticles.in/a-little-guide-to-smb-enumeration/ for more on this.)
Using these scripts, however, doesn’t really reveal anything- attempts to connect to the ds through smbclient time out, the same for using RPC client to connect to netbios-ssn.
Our obvious next check will be against public exploits out for Windows XP SP3 that utilize SMB or RPC. I simply Googled this; upon reflection I could have instead utilized nmap nse scripts to check for this issue:
smb-vuln-conficker smb-vuln-cve2009-3103 smb-vuln-ms06-025 smb-vuln-ms07-029 smb-vuln-regsvc-dos smb-vuln-ms08-067
By simply appending --script smb-vuln* to the standard nmap scan, all of these scripts would have been executed during the port scan of Legacy. This would have saved me 10-20 minutes of time.
Upon this discovery, there are two ways to proceed- you can either use exploit/windows/smb/ms08_067_netapi through Metasploit or you can utilize a script out for exploiting this vulnerability.
In the spirit of both OSCP and not being a complete script kiddy, I opted for the use of a publicly available Python script exploiting this b/o vulnerability (https://github.com/jivoi/pentest/blob/master/exploit_win/ms08-067.py)
root@kali:~/penetesting/legacy# nc -vlp 6969 listening on [any] 6969 ... connect to [10.10.14.47] from legacy.htb [10.10.10.4] 1031 Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp.
You simply have to replace the example shellcode with shellcode of your choosing and fire away. I chose to stick to a simple reverse shell due to the need to investigate the system after the initial foothold.
Some simple enumeration reveals we are user Network Service:
For some reason, NetworkService has the near equivalent to system privileges- with this you can grab both the root and user flags.
So Legacy was quick and sweet. Challenging? No. An achievement? No. However, I’m still glad I took the hour to do it as it’s my first time successfully using a public exploit and I also know that the vulnerable service is microsoft Directory Service, not SMB (that’s the protocol goddamnit. xD)
Reading other people’s walkthroughs has revealed that you could also use the Eternal Blue exploit against Legacy; honestly potato, potato (imagine I’m saying the second potato as potarto) :P











