Breakdown of Julio Ureña’s YouTube video HackTheBox - Legacy. This Windows box covers enumerating the system up to an exploitable SMB server, then modifying a public exploit and inserting custom shellcode generated with msfvenom, both meterpreter and shell_reverse_tcp.
Legal Usage: The information provided by [email protected] is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use the information at your own risk.
By continued reading, you acknowledge the aforementioned user risks/responsibilities.
This series will contain comprehensive write-ups of HackTheBox machines, in an effort to sharpen reporting techniques and help solidify the understanding and methodologies used during penetration testing.
Quick Masscan Script:
We know we are dealing with a Windows XP box, so next we run the nmap SMB scripts.
The scan discovered vulnerable SMB services.
This is based on the Exploit Database entry: https://www.exploit-db.com/exploits/40279
The exploit in a nutshell:
Creating msfvenom (meterpreter) shellcode:
-v sets the variable name used in the generated output.
At this point our instructions stated we need a size of 380 bytes, and the current payload is 380 bytes.
Creating msfvenom (shell_reverse_tcp) shellcode:
This one is created with 348 bytes, so we will need to fill the rest of the space (32 bytes) with NOPs.
Adding the NOPs via msfvenom:
32 bytes of NOPs have been added to the final shellcode.
Set up the Metasploit listener.
Download the exploit locally.
The shellcode section of MS8-067.py:
Calculate the number of bytes of shellcode with Python:
Enter the shellcode variable:
Without the NOPs we have a value of 380 bytes.
Paste the generated shellcode into the exploit.
Add the generated shellcode into the exploit and remove one \x90 NOP, as we had 381 bytes of shellcode in our original msfvenom output.
Quick test of the length with Python:
410 bytes was the exact number of bytes in the original shellcode.
Enumerating the OS type with nmap:
We already enumerated that the system is Windows XP, but verify it before launching the exploit. This is needed because if we send the wrong set of exploit data to the target, we could crash it.
We are going to use option “7” for “Windows XP SP3 English (AlwaysON NX)”, based on the exploit’s target list.
Run the script to see if we have functionality:
We have functionality.
If you want to learn Spanish and pentesting at the same time, I recommend checking out Julio’s YouTube page. Link: https://www.youtube.com/channel/UC2o1vzpUIvgf0VMJIMKZ_rQ