Breakdown of Julio Ureña's YouTube video HackTheBox - Legacy. This Windows box covers enumeration of the system up to an exploitable SMB server, then modifying a public exploit and inserting custom shellcode generated with msfvenom, both meterpreter and shell_reverse_tcp.
Legal Usage: The information provided by execute@will is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an "ethical hacker" standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use the information at your own risk.
By continued reading, you acknowledge the aforementioned user risks/responsibilities.
This series will contain comprehensive write-ups of HackTheBox machines, in an effort to sharpen reporting techniques and help solidify the understanding and methodologies used during penetration testing.
Enumeration
Quick Masscan Script:
We now know we are dealing with a Windows XP box and will next run the SMB nmap script.
The script discovered vulnerable SMB services.
ms08-067 exploit
based on the Exploit Database entry: https://www.exploit-db.com/exploits/40279
the exploit in a nutshell:
creating msfvenom (meterpreter) shellcode
-v sets the variable name used in the generated output
At this point the exploit's instructions state that we need a payload of 380 bytes, and the current payload is 380 bytes.
creating msfvenom (shell_reverse_tcp) shellcode
This one is created with 348 bytes, so we will need to fill the remaining space (32 bytes) with NOPs (\x90).
adding the nops via msfvenom:
32 bytes of nops have been added to the final shellcode.
setup metasploit listener
Download exploit locally
edit MS8-067.py
the shellcode section:
calculate bytes of shellcode with python
open python:
enter variable shellcode:
Without the NOPs we have a value of 380 bytes.
paste generated shellcode into exploit
Add the generated shellcode into the exploit and remove one \x90 NOP, as we had 381 bytes of shellcode in our original msfvenom output.
quick test of length with python:
410 bytes was the exact number of bytes in the original shellcode.
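As an added example (not code from the video or the write-up), a small Python check for the length step above: it parses the escaped `\x..` string form that msfvenom's python output uses and reports how many `\x90` bytes are needed to reach the required size, or by how much an oversized payload must be trimmed. The 380-byte size is the one the write-up states; the sample bytes are constructed filler, not shellcode.

```python
import re

REQUIRED_LEN = 380  # payload size the exploit expects, per the write-up


def parse_escaped(text: str) -> bytes:
    """Turn the quoted "\\x.." string form msfvenom emits into raw bytes."""
    pairs = re.findall(r"\\x([0-9a-fA-F]{2})", text)
    return bytes(int(h, 16) for h in pairs)


def pad_report(payload: bytes, required: int = REQUIRED_LEN) -> dict:
    """Compare the payload length against the required size.

    Returns the length, how many NOP bytes are missing (0 if none) and how
    many bytes are over the limit (0 if none). An overlong payload must be
    trimmed before use; silently sending it is what crashes the target.
    """
    missing = max(required - len(payload), 0)
    excess = max(len(payload) - required, 0)
    return {"length": len(payload), "missing": missing, "excess": excess}


def pad_with_nops(payload: bytes, required: int = REQUIRED_LEN) -> bytes:
    """Append \\x90 bytes until the payload is exactly `required` bytes long."""
    report = pad_report(payload, required)
    if report["excess"]:
        raise ValueError(f"payload is {report['excess']} bytes too long")
    return payload + b"\x90" * report["missing"]


# Constructed filler in msfvenom's "python" output format; not real shellcode.
SAMPLE = (
    'buf =  b""\n'
    'buf += b"\\x41\\x41\\x41\\x41"\n'
    'buf += b"\\x42\\x42\\x42\\x42"\n'
)

if __name__ == "__main__":
    raw = parse_escaped(SAMPLE)
    print(pad_report(raw))          # {'length': 8, 'missing': 372, 'excess': 0}
    print(len(pad_with_nops(raw)))  # 380
```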
enumerating OS type with nmap
We already enumerated that the system is Windows XP, but verify this again before launching the exploit. This is needed because sending the wrong set of exploit data to the target could crash it.
Exploiting
We are going to use option "7", "Windows XP SP3 English (AlwaysON NX)", based on the exploit's target list.
testing functionality
Run the script to see if we have functionality:
We have functionality.
send exploit
listener return
Root&Loot
send meterpreter getuid
NT AUTHORITY/SYSTEM!
If you want to learn Spanish and pentesting at the same time, I recommend checking out Julio's YouTube page. Link: https://www.youtube.com/channel/UC2o1vzpUIvgf0VMJIMKZ_rQ