Lukej2680 Tech Blog

Legacy

20 Sep 2020

Legacy is an older box on HTB and has an easily exploited vulnerability through Metasploit. In the spirit of the OSCP exam I will be manually be exploiting the vulnerability.

This is my initial Nmap scan

First I scan the target using nmap.

I like using the command $ sudo nmap -p- –min-rate 1000 -T4 \ Now this does scan every port on the target IP which is generally advised against as it slows the scan down. This is why I specify the --min-rate 1000 meaning nmap will send at least 1000 packets per second. Furthermore I specify the -T4 flag which increases nmaps aggressivness in the scan.\ This has the trade off of not always being entirely accurate but for an initial quick scan it works well to catch the ports outside of the top 1000 ports.

Test

After running the initial quick scan I can see the ports 139 and 445 are open.
Using this info I’ll run my next two nmap scans
$ sudo nmap -p139,445 -sC -sV \ $ sudo nmap -p139,445 --script vulns \ The first scan runs the basic nmap scripts against the specified ports and returns basic info on the services running.\ The second scan runs nmaps vulnerability scripts against the specified ports returning common vulnerabilities.

Usually I don't use the vuln scan but since this box is named "Legacy" I figured it could find some vulnerabilities

Looking at the results of the vuln scan I see the machine is vulnerable to ms-08-067.
If you search for this on searchsploit you’ll see that there is a metasploit module and several poc scripts. However by googling the exploit I found a more stable script that will help me get on the machine. The script on github.
In order to use the script I needed to generate my own shellcode and replace the defualt already in the script.

Reading further into the script reveals it uses different ret addresses depending on the specific OS the machine is running. Reffering back to our nmap scan I used the 6 flag to specify the OS as “Windows XP SP3 English”.

Checking my netcat listener on port 1234 I see it caught a reverse shell from 10.10.10.4 running as system.

Related posts