Writeup: Hack The Box — Legacy

G-Lazer
5 min read · May 7, 2021

This writeup for Hack the Box’s Legacy machine is aimed at beginners, so extra time is spent explaining what we’re seeing and doing, and links are provided for further learning.

Reconnaissance

Let’s begin with an Nmap scan.

sudo nmap -sC -sV -O -p- [TargetIP]

With Nmap, sudo is needed to use -O, which enables OS detection. -sC runs the default Nmap scripts, -sV checks the version of the service on each open port, and -p- has the scan cover all 65,535 possible ports. Referring to the documentation of any tool you use, to familiarize yourself with what it’s capable of, is always a good idea.

https://nmap.org/book/man.html

Now, for the scan results.

What stands out is that it’s most likely a Windows XP machine and the SMB port is open. Extended support for Windows XP ended 7 years ago, so that’s great to see from an attacker’s perspective, and SMB is a common entry path on vulnerable machines.

Unfortunately, Nmap wasn’t able to get us the exact version of SMB being used with only the default scripts and version detection.
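The two observations above (an end-of-life OS guess and an exposed SMB port) are exactly what a defender would want to pull out of a scan automatically when triaging an inventory. The following script is an added example, not part of the original writeup: it assumes the scan was also saved with -oX, and it parses a constructed XML sample in the shape Nmap emits, flagging any live host that exposes SMB on an OS past vendor support. The TEST-NET addresses and OS guesses in the sample are constructed, not data from the box.

```python
"""Triage Nmap XML output: flag hosts that expose SMB on an end-of-life OS.

Added example for this writeup, not part of the original post. It assumes the
scan was saved with -oX and uses a constructed XML sample in the same shape.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample output. Addresses are from the TEST-NET range and the OS
# guesses are illustrative; none of this is real scan data from the box.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sC -sV -O -p- -oX scan.xml 192.0.2.0/28">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139">
        <state state="open"/>
        <service name="netbios-ssn" product="Microsoft Windows netbios-ssn"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds"/>
      </port>
    </ports>
    <os>
      <osmatch name="Microsoft Windows XP SP2 or SP3" accuracy="96"/>
      <osmatch name="Microsoft Windows Server 2003 SP1" accuracy="90"/>
    </os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds"/>
      </port>
    </ports>
    <os>
      <osmatch name="Microsoft Windows 10 1809 - 21H1" accuracy="94"/>
    </os>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.0.2.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

SMB_PORTS = {139, 445}
# OS-match substrings treated as out of vendor support. Windows XP is the case
# from the writeup; the other two are assumptions added for illustration.
EOL_OS_MARKERS = ("windows xp", "windows 2000", "windows server 2003")


@dataclass
class HostFinding:
    address: str
    os_guess: str
    open_ports: list[int] = field(default_factory=list)

    @property
    def smb_exposed(self) -> bool:
        return any(p in SMB_PORTS for p in self.open_ports)

    @property
    def eol_os(self) -> bool:
        name = self.os_guess.lower()
        return any(marker in name for marker in EOL_OS_MARKERS)


def parse_nmap_xml(xml_text: str) -> list[HostFinding]:
    """Return one HostFinding per host Nmap reported as up."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts that did not respond
        addr = host.find("address[@addrtype='ipv4']")
        address = addr.get("addr") if addr is not None else "unknown"
        open_ports = [
            int(port.get("portid"))
            for port in host.findall("ports/port")
            if port.find("state") is not None
            and port.find("state").get("state") == "open"
        ]
        # Nmap may list several OS guesses; keep the most confident one.
        matches = host.findall("os/osmatch")
        os_guess = ""
        if matches:
            best = max(matches, key=lambda m: int(m.get("accuracy", "0")))
            os_guess = best.get("name", "")
        findings.append(HostFinding(address, os_guess, open_ports))
    return findings


def high_risk_hosts(findings: list[HostFinding]) -> list[str]:
    """Addresses exposing SMB on an OS past its support lifetime."""
    return [f.address for f in findings if f.smb_exposed and f.eol_os]


if __name__ == "__main__":
    for f in parse_nmap_xml(SAMPLE_NMAP_XML):
        flag = "HIGH RISK" if f.smb_exposed and f.eol_os else "ok"
        print(f"{f.address:<14} {f.os_guess or '(no OS guess)':<40} "
              f"smb={f.smb_exposed} eol={f.eol_os} -> {flag}")
```

Run it against a real -oX file by replacing SAMPLE_NMAP_XML with the file contents; only hosts that are both SMB-exposed and matched to an EOL OS appear in high_risk_hosts, so the Windows 10 host with port 445 open is reported but not flagged.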

Enumeration

Luckily, Metasploit has a module that can help enumerate SMB. To open Metasploit you can enter msfconsole in your terminal window.

The module we want is smb_version. To use it in Metasploit, enter the command use auxiliary/scanner/smb/smb_version.

Here is a link that goes into further detail about Metasploit modules and their locations:

https://www.offensive-security.com/metasploit-unleashed/modules-and-locations/

The show options command shows you what options are available for the module and which ones are required to run it properly; note the “required” column. In this case, we only need to set the RHOSTS option, which refers to the target’s IP address.

Set it with set RHOSTS [TargetIP], then enter show options again to confirm the change was made.

Now, enter exploit to run the module.

It looks like the version of SMB being used is version 1, and we’ve also learned this XP machine is on Service Pack 3.

Let’s look into these further.

Further Enumeration

We know the SMB port is open, and we know this is a Windows XP SP3 machine. Keep it simple and Google those details to find possible exploits.

A very promising link! Rapid7 are the current developers of Metasploit (originally created by H.D. Moore), so a search result like this means the exploit is most likely already available to us through Metasploit. Let’s check the link:

https://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi/

Looks to be a bit unstable on Server 2003, but should work fine on our XP SP3 machine. Let’s check out the official Microsoft security bulletin on this to find out more:

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067

Remote code execution with no authentication needed? Let’s try it out! Rapid7’s module pages include steps for using the module in Metasploit; I’ve included those steps in the next phase.

Exploitation

We begin by entering use exploit/windows/smb/ms08_067_netapi within the Metasploit console to load the exploit module described in the previous Rapid7 link, and then we enter the show options command to check what settings we may need to change.

This shows another reason why you should check show options: LHOST (which refers to your machine’s IP) is set automatically, and by default it’s your local IP. Since you connect to Hack The Box over a VPN, you need to use your VPN IP or the VPN interface for exploits that require the LHOST option to work properly.

For LHOST, I’ve chosen to use the VPN interface, tun0, in place of my VPN IP.

We’ve already verified our settings are correct; now we just need to run the exploit.

We’re in!

getuid shows us the user we’re running as.

NT AUTHORITY\SYSTEM has the same file permissions as an Administrator.

More in-depth explanations of NT AUTHORITY\SYSTEM can be found at these links:

https://docs.microsoft.com/en-us/windows/win32/services/localsystem-account

https://superuser.com/questions/1067246/is-nt-authority-system-a-user-or-a-group

You’ll notice that even though we’re in a Windows machine, getuid isn’t a command used in a Windows environment. The exploit we used gave us an interactive shell — specifically with Meterpreter — that allows us to navigate the target’s system while also providing extra functionality. Here’s some more information about Meterpreter:

https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/

https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/

For most boxes, you’ll find the root flag in the administrator’s Desktop directory as root.txt, and the user flag in a user’s Desktop directory as user.txt. From the second link above, “Meterpreter Basics,” we know we can use search -f root.txt and search -f user.txt to find the exact file paths of the flags, and then use cat to read the files. Don’t forget to put quotation marks around the file path, as there are spaces in the directory names.

Got ’em! I’ve intentionally obfuscated the flags, so go try the box! Reading is good for learning, but putting your hands on the keyboard will really help things stick.
