Hack The Box Walkthrough: Legacy

Jon Helmus
3 min read · Sep 12, 2019


Legacy HTB

Hack The Box is an online platform that allows like-minded technology folk to broaden their understanding of security. It’s also an excellent tool for pentesters and ethical hackers to get their skill set sharp.

The objective of Hack The Box machines is to get 2 flags. The user flag and the root flag.

The following write-up is for a machine labeled “Legacy”. Legacy was an easy box to get user and root on, and makes use of exploiting the famous “MS08-067”.

Getting ROOT/Exploiting

SMB — Using Metasploit to gain access to the machine.

Tools

NMAP: Network mapping tool that allows you to scan for open ports, services, and operating systems to list a few features. It also has scripts that allow for much more in-depth enumeration.

Metasploit: Metasploit, a tool maintained by Rapid7, is thought of as a pentester’s toolbelt. There are so many uses for Metasploit that BOOKS have been written about the tool.

SPARTA: A Python GUI application that simplifies network infrastructure penetration testing by aiding the penetration tester in the scanning and enumeration phase. It saves time by giving point-and-click access to the tester’s toolkit and by displaying all tool output in a convenient way.

Vulnerabilities/Exploits

MS08-067: This is a remote code execution vulnerability that allows attackers to take complete control of an affected system remotely. On Microsoft Windows 2000-based, Windows XP-based, and Windows Server 2003-based systems, an attacker could exploit this vulnerability over RPC without authentication and could run arbitrary code.

Methodology

Scanning the machine is the first step in our ad-hoc methodology. Scanning allows us to see what services are running on the machine. Below is the scan that was run against the machine.

Instead of using nmap, this walkthrough changes up the scheme and loads up SPARTA for the initial scan of 10.10.10.4.

SPARTA scan results

Looks like SMB is open! Very promising. Let’s enumerate some shares and see what we can find.

Enumerated some shares

Next, we checked for null sessions and tried to enumerate more info with “enum4linux”. However, nothing promising showed up. Moving forward — we enumerate more info using nmap.

service scan on port 445 (SMB)

I wanted to find some more info, so I moved on to enumerate more info about the Windows box.

SMB OS scan

Given that the SMB service was active on a box running Windows XP, I checked for MS08-067 using nmap. Once the probe was successful — there was no doubt this machine could be exploited using the Metasploit module.
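As an added example (not code from the original post), the same signal the author reads off the SMB OS scan, SMB open on 445/tcp plus a Windows 2000/XP/Server 2003 fingerprint, turned into a check a defender can run over nmap grepable output to list hosts that still need patching or isolation. The sample scan lines are constructed and loosely modelled on nmap’s -oG format; every host other than 10.10.10.4 is made up.

```python
import re

# Constructed sample lines modelled on nmap's grepable (-oG) output.
# Only 10.10.10.4 comes from the write-up; the other hosts are invented.
SAMPLE_SCAN = """\
Host: 10.10.10.4 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tOS: Microsoft Windows XP SP2 or SP3
Host: 10.10.10.5 ()\tPorts: 445/open/tcp//microsoft-ds///\tOS: Microsoft Windows Server 2003 SP2
Host: 10.10.10.6 ()\tPorts: 445/open/tcp//microsoft-ds///\tOS: Microsoft Windows 10
Host: 10.10.10.7 ()\tPorts: 445/closed/tcp//microsoft-ds///\tOS: Microsoft Windows XP SP3
Host: 10.10.10.8 ()\tPorts: 22/open/tcp//ssh///\tOS: Linux 4.15
"""

# OS families the MS08-067 bulletin lists as affected.
AFFECTED_OS = re.compile(r"Windows (2000|XP|Server 2003)", re.IGNORECASE)
# One port entry in grepable output: <port>/<state>/<proto>/...
PORT_RE = re.compile(r"(\d+)/(\w+)/tcp")


def parse_host(line):
    """Return (ip, set of open TCP ports, OS guess) for one 'Host:' line."""
    fields = dict(f.split(": ", 1) for f in line.strip().split("\t") if ": " in f)
    ip = fields["Host"].split()[0]
    open_ports = {int(port) for port, state in PORT_RE.findall(fields.get("Ports", ""))
                  if state == "open"}
    return ip, open_ports, fields.get("OS", "")


def ms08_067_exposed(scan_text):
    """List (ip, os) for hosts exposing 445/tcp on an OS family MS08-067 affects."""
    exposed = []
    for line in scan_text.splitlines():
        # Status-only lines carry no port data; skip them.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip, open_ports, os_guess = parse_host(line)
        if 445 in open_ports and AFFECTED_OS.search(os_guess):
            exposed.append((ip, os_guess))
    return exposed


if __name__ == "__main__":
    for ip, os_guess in ms08_067_exposed(SAMPLE_SCAN):
        print(f"{ip}: {os_guess} exposes SMB on 445/tcp; patch or isolate")
```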

Load up Metasploit, “search” for ms08-067, set your parameters, and give it a go!

Metasploit module & payload for MS08-067

Run “getsystem” to elevate privileges.

getsystem

Drop into a Windows shell.

Get a Windows shell

Move around the file system and find the two flags.

User Flag
Root Flag


Student, Teacher, Life’r, Good-Guy-Hacker, Sloppy python-coder. See more: https://www.moos1e.com/