Hello everyone I hope you are doing well, in this post I will be sharing walk through for HTB Legacy machine ,which was the very first windows machine on HTB. This machine was vulnerable to MS08–067 exploit is a remote code execution via SMB , I will show you exploiting this machine with and without metasploit.
NMAP
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: 5d00h31m36s, deviation: 2h07m16s, median: 4d23h01m36s
| nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:cc:42 (VMware)
| Names:
| LEGACY<00> Flags: <unique><active>
| HTB<00> Flags: <group><active>
| LEGACY<20> Flags: <unique><active>
| HTB<1e> Flags: <group><active>
| HTB<1d> Flags: <unique><active>
|_ \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2021-05-18T01:01:14+03:00
| smb-security-mode:
| account_used: guestPORT 139/445 (SMB)
Let’s see if we can access any shares on the machine
Seems like we can’t so knowing this is a windows xp machine , it might be vulnerable to SMB exploit since this is a very old windows operating system , so let’s run nmap vuln script to confirm the vulnerability.
nmap -p 445 --script vuln 10.10.10.4
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-13 01:02 PKT
Nmap scan report for 10.10.10.4
Host is up (0.19s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:This confirms that this machine is vulnerable to smb exploit so here I’ll show case using with and without metasploit
Metasploit
This CVE for this exploit is MS08–067
Configure the options in the exploit
Without Metasploit
Download the POC for MS 08–067
Here we can see that it’s using a shell code of msfvenom reverse shell payload so we need to generate one
Replace the shellcode which is in the script
Now let’s run the script
Here it says it needs the target IP and port also the version of windows xp so I ran the aggressive scan to know which version of windows xp is this and chances were that it is XP 3
And we get a shell
