HTB: Legacy Writeup w/o Metasploit

cyber shinobii
3 min read, Dec 18, 2021

Recon

This was a pretty interesting box that gave me a lot of stress and headaches. As always, I started out with my nmap scans and found 3 open ports: 139, 445, and 137 (UDP). The screenshot below only shows the two TCP ports, but a UDP nmap scan (nmap -Pn -sU 10.10.10.4 --top-ports 25) will show you the open UDP port.

nmap version scan

Enumeration

We see a few SMB ports open and the services running behind them. Before looking for any exploits, I probe these ports with netcat just to see what I can connect to. Only port 139 accepted a connection; the others failed. I also tried connecting with smbclient, but that failed as well.

netcat connection

Exploitation

At this point, I am ready to find some exploits for these services. I googled “windows XP Microsoft-ds exploit” and found 2 exploits. Why that search? Because Microsoft-ds is the service we found in our nmap version scan. The two exploits were MS08-067 and MS17-010.

google search

MS17-010 is also known as EternalBlue. It affects anything using SMBv1 (used for file sharing). MS08-067 exploits the NetAPI DLL (which provides functions for the Windows OS). I tried the MS17-010 exploit first since I am more familiar with EternalBlue than with MS08-067. Unfortunately, I was not able to get the EternalBlue exploit to work due to version issues with impacket. I spent so much time trying to get that exploit to work that I forgot the MS08-067 exploit was still an option. After pivoting my attention to MS08-067, I found a repo with a somewhat working exploit that obtains a reverse shell. Here is a link to the repo.

The exploit here was written for an earlier version of Python. Since I am using Python 3, I had to convert it to Python 3 syntax. It was not too difficult: all you really had to do was add parentheses around the print statements and remove the characters after “except ImportError”, so that it reads “except ImportError:”. Afterwards, simply follow the instructions in the repo to generate your reverse shell code, replace the code in the script with yours, and boom, you should have a working exploit.
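As an added illustration of the two mechanical edits described above (this is not code from the post or from the repo), the small converter below rewrites Python 2 print statements and `except X, e:` clauses line by line; the input snippet is constructed. Python's own 2to3 tool does the same job far more thoroughly.

```python
import re

# Constructed Python 2 snippet in the shape the post describes: bare print
# statements and an "except ImportError, e:" clause. Not the repo's code.
PY2_SAMPLE = '''\
try:
    from impacket import smb
except ImportError, e:
    print "impacket not found"
print "[*] connecting to %s:%d" % (host, port)
print
'''

# A print *statement*: "print" followed by whitespace (or nothing), never "(".
PRINT_RE = re.compile(r'^(\s*)print(?:\s+(.*?))?\s*$')
# Python 2 "except SomeError, e:" (the "except X as e:" form is left alone).
EXCEPT_RE = re.compile(r'^(\s*)except\s+([\w.]+)\s*,\s*\w+\s*:\s*$')


def convert_line(line: str) -> str:
    """Apply the two edits the post mentions to one line of Python 2 code."""
    m = EXCEPT_RE.match(line)
    if m:
        # Drop the ", e" target so the clause reads "except ImportError:".
        return f"{m.group(1)}except {m.group(2)}:"
    m = PRINT_RE.match(line)
    if m:
        indent, args = m.group(1), m.group(2)
        # Wrap the statement's arguments in parentheses (bare "print" -> print()).
        return f"{indent}print()" if args is None else f"{indent}print({args})"
    return line


def convert(source: str) -> str:
    """Convert a whole Python 2 source string; untouched lines pass through."""
    return "\n".join(convert_line(l) for l in source.splitlines()) + "\n"


if __name__ == "__main__":
    print(convert(PY2_SAMPLE))
```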

MS08-067 exploit

From here you can navigate to the Documents and Settings folder to find the user directories for the respective flags to complete the challenge. Notice that we have system level privileges.

Conclusion

This was an easy box. What made it difficult for me was spending too much time on an exploit (EternalBlue) that I could not get to work on my system because of version issues. Also, I used the wrong port a few times when running the MS08-067 exploit: I kept using port 445 instead of 139. Remember, when I tried to connect to the open ports using netcat, only 139 allowed me to connect. I forgot about that and kept following the instructions in the repo instead of using the port that allowed a connection (139). Hopefully, you enjoyed my transparency reading this post. Here is a video walkthrough for this same Legacy box. Thanks for reading.
