From 6e9756f1eeec494d366e97e5dbef3fe32c9f4495 Mon Sep 17 00:00:00 2001 From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com> Date: Thu, 13 May 2021 02:11:04 +0500 Subject: [PATCH] Add files via upload --- HackTheBox/Legacy.md | 111 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 111 insertions(+) create mode 100644 HackTheBox/Legacy.md diff --git a/HackTheBox/Legacy.md b/HackTheBox/Legacy.md new file mode 100644 index 0000000..13e87a8 --- /dev/null +++ b/HackTheBox/Legacy.md @@ -0,0 +1,111 @@ +# HackTheBox-Legacy + +## NMAP + +```bash + +PORT STATE SERVICE VERSION +139/tcp open netbios-ssn Microsoft Windows netbios-ssn +445/tcp open microsoft-ds Windows XP microsoft-ds +3389/tcp closed ms-wbt-server +Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp +Host script results: +|_clock-skew: mean: 5d00h31m36s, deviation: 2h07m16s, median: 4d23h01m36s +| nbstat: NetBIOS name: LEGACY, NetBIOS user: , NetBIOS MAC: 00:50:56:b9:cc:42 (VMware) +| Names: +| LEGACY<00> Flags: +| HTB<00> Flags: +| LEGACY<20> Flags: +| HTB<1e> Flags: +| HTB<1d> Flags: +|_ \x01\x02__MSBROWSE__\x02<01> Flags: +| smb-os-discovery: +| OS: Windows XP (Windows 2000 LAN Manager) +| OS CPE: cpe:/o:microsoft:windows_xp::- +| Computer name: legacy +| NetBIOS computer name: LEGACY\x00 +| Workgroup: HTB\x00 +|_ System time: 2021-05-18T01:01:14+03:00 +| smb-security-mode: +| account_used: guest +``` + +## PORT 139/445 (SMB) + +Let's see if we can access any shares on the machine + + + +Seems like we can't so knowing this is a windows xp machine , it might be vulnerable to SMB exploit since this is a very old windows operating system , so let's run nmap `vuln` script to confirm the vulnerability. + +```bash +nmap -p 445 --script vuln 10.10.10.4 +Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-13 01:02 PKT +Nmap scan report for 10.10.10.4 +Host is up (0.19s latency). + +PORT STATE SERVICE +445/tcp open microsoft-ds +|_clamav-exec: ERROR: Script execution failed (use -d to debug) + +Host script results: +|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED +| smb-vuln-ms08-067: +| VULNERABLE: +| Microsoft Windows system vulnerable to remote code execution (MS08-067) +| State: VULNERABLE +| IDs: CVE:CVE-2008-4250 +| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, +| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary +| code via a crafted RPC request that triggers the overflow during path canonicalization. +| +| Disclosure date: 2008-10-23 +| References: +| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250 +|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx +|_smb-vuln-ms10-054: false +|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug) +| smb-vuln-ms17-010: + +``` + +This confirms that this machine is vulnerable to smb exploit so here I'll show case using with and without metasploit + +## Metasploit + +This CVE for this exploit is MS08-067 + + + + + +Configure the options in the exploit + + + + + +## Without Metasploit + +Download the POC for MS 08-067 + + + +Here we can see that it's using a shell code of msfvenom reverse shell payload so we need to generate one + + + +Replace the shellcode which is in the script + + + +Now let's run the script + + + +Here it says it needs the target IP and port also the version of windows xp so I ran the aggressive scan to know which version of windows xp is this and chances were that it is XP 3 + + + + +And we get a shell \ No newline at end of file