Legacy
https://www.hackthebox.eu/home/machines/profile/2
Scanning & Enumeration
Nmap
Starting off with a quick all-port SYN scan, we see that SMB and RDP are open. We run a service version scan with -sV on the open ports. I slowed down the probe speed to -T3 as we are dealing with so few ports. From the results, this looks like the machine is Windows XP. We can confirm our results using the --script smb-os-discovery script.
Since SMB is open and is likely the attack vector, let's check the exact version before researching exploits.
We can take the information we now have and use Google to search for any relevant exploits.
As you can see we have a few potential exploits which we could try. Also, looking at the related searches at the bottom of the page will give us results from other people's searches, which I find is a great way to find relevant information.
MS08-067 is of interest.
Exploitation
MS08-067
We can start Metasploit with the msfconsole command and search for MS08-067 to see if we have any modules for it. We have a module and select it with use 0. Once selected, we can use the show options command to show which options we need to set.
RHOSTS - Remote host IP
LHOST - Attacking machine IP (You can set the interface name instead)
LPORT - Local port to use. Select any port you like. The default 4444 is usually good enough.
We can then execute the exploit with the run command.
Once connected, we can get the session GUID to confirm the session is established. From here we can drop into a system shell using the shell command.
Once in, we can check whether we can access the Administrator Desktop and view the root.txt flag. We can also browse the Documents and Settings folder for the other user on the system to grab the user.txt flag from that user's desktop.
MS17-010
When we were looking for exploits earlier we came across a fair few mentions of MS17-010.
Under the first paragraph we see the following mentioned.
The host is running SMBv1, as discovered earlier by nmap using the smb-protocols script. Let's look further into this.
Again we start msfconsole and search for MS17_010. We can start by using the auxiliary scanner first to determine whether the host is vulnerable.
We can also use the show info command on the auxiliary scanner module to see more information about what this check looks for, along with references for further reading.
We can also check whether the host is vulnerable to this exploit using nmap.
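As an added, defender-side example that is not part of the original writeup: a Python script that parses nmap's XML output (-oX) from the smb-protocols and smb-os-discovery scripts mentioned above and flags hosts that still offer SMBv1 or run an end-of-life OS, which is how the exposure behind MS17-010 and MS08-067 shows up in an asset inventory. The embedded XML is constructed to mimic nmap's output structure (the addresses and hostname are made up, not scan results), and the EOL_OS_MARKERS list is an assumption for the example.

```python
"""Triage nmap XML (-oX) for hosts that still expose SMBv1 or an end-of-life OS.

Added example, not part of the original writeup. The XML below is constructed
to mimic nmap's structure for the smb-os-discovery and smb-protocols scripts;
it is not a real scan result.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of nmap's -oX output (addresses are made up).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
  <host>
    <address addr="10.10.10.4" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports>
    <hostscript>
      <script id="smb-os-discovery" output="...">
        <elem key="os">Windows XP (Windows 2000 LAN Manager)</elem>
        <elem key="fqdn">legacy</elem>
      </script>
      <script id="smb-protocols" output="...">
        <table key="dialects">
          <elem>NT LM 0.12 (SMBv1) [dangerous, but default]</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb-os-discovery" output="...">
        <elem key="os">Windows 10 Pro 19041</elem>
      </script>
      <script id="smb-protocols" output="...">
        <table key="dialects">
          <elem>2.02</elem>
          <elem>2.10</elem>
          <elem>3.11</elem>
        </table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""

# OS families that no longer receive security updates (assumption for this example).
EOL_OS_MARKERS = ("Windows XP", "Windows 2000", "Windows Server 2003")


def triage_hosts(xml_text):
    """Return one finding dict per host with an open SMB port (139 or 445).

    Keys: addr, os, smb_ports, dialects, smb1, eol_os, remediation (list of strings).
    """
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"

        # Only hosts actually exposing SMB are interesting for this check.
        smb_ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if port.get("portid") in ("139", "445") and state is not None \
                    and state.get("state") == "open":
                smb_ports.append(port.get("portid"))
        if not smb_ports:
            continue

        # Pull the structured output of the two NSE scripts, if present.
        os_name, dialects = "", []
        for script in host.iter("script"):
            if script.get("id") == "smb-os-discovery":
                os_el = script.find("elem[@key='os']")
                if os_el is not None and os_el.text:
                    os_name = os_el.text.strip()
            elif script.get("id") == "smb-protocols":
                table = script.find("table[@key='dialects']")
                if table is not None:
                    dialects = [e.text.strip() for e in table.findall("elem") if e.text]

        # nmap labels the SMBv1 dialect "NT LM 0.12 (SMBv1) [dangerous, but default]".
        smb1 = any("SMBv1" in d or d.startswith("NT LM") for d in dialects)
        eol_os = any(marker in os_name for marker in EOL_OS_MARKERS)

        remediation = []
        if smb1:
            remediation.append("disable SMBv1 and confirm MS17-010 patch level")
        if eol_os:
            remediation.append("unsupported OS (MS08-067 era): isolate or decommission")

        findings.append({
            "addr": addr, "os": os_name, "smb_ports": smb_ports,
            "dialects": dialects, "smb1": smb1, "eol_os": eol_os,
            "remediation": remediation,
        })
    return findings


def format_report(findings):
    """Render findings as one line per host for a ticket or console output."""
    lines = []
    for f in findings:
        status = "; ".join(f["remediation"]) if f["remediation"] else "no SMB legacy issues"
        lines.append(f"{f['addr']} [{f['os'] or 'unknown OS'}] ports={','.join(f['smb_ports'])}: {status}")
    return lines


if __name__ == "__main__":
    for line in format_report(triage_hosts(SAMPLE_NMAP_XML)):
        print(line)
```

To run this against a real scan, replace SAMPLE_NMAP_XML with the contents of a file produced by nmap -oX with the smb-protocols and smb-os-discovery scripts; the parser only relies on the host, port, state, script, table and elem elements that those scripts emit.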
As we have determined that the host is likely vulnerable, we can now attempt to exploit it. From our search results I am going to use the module "exploit/windows/smb/ms17_010_psexec". We set the relevant options again and run the exploit.