HackTheBox: Legacy & Lame Walkthroughs

Legacy

nmap -A -p- 10.10.10.4

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-23 12:41 CDT

Nmap scan report for 10.10.10.4
Host is up (0.30s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows XP|2003|2000|2008 (94%), General Dynamics embedded (87%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_server_2008::sp2
Aggressive OS guesses: Microsoft Windows XP SP3 (94%), Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows XP (92%), Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows 2003 SP2 (91%), Microsoft Windows 2000 SP4 (91%), Microsoft Windows XP SP2 or Windows Server 2003 (91%), Microsoft Windows Server 2003 (90%), Microsoft Windows XP Professional SP3 (90%), Microsoft Windows XP SP2 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h31m24s, deviation: 2h07m16s, median: 4d23h01m24s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:1d:1d (VMware)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2020-08-28T22:45:39+03:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 3389/tcp)
HOP RTT       ADDRESS
1   238.78 ms 10.10.16.1
2   414.74 ms 10.10.10.4

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 227.98 seconds

We see two ports that show up as open: 139 & 445. Both of these are SMB related (note: on Linux, port 139 is served by Samba).

This service exposes file shares to users and is very common in a Windows environment. So, we have two ports but one service.

We can first try using Metasploit to determine the SMB version:

Nope.

Next we will run an nmap against the specific port 445.

nmap -p445 --script vuln 10.10.10.4 -Pn

Here we see two high-severity vulnerabilities: CVE-2008-2450 & CVE-2017-0143.

So, let’s fire up msfconsole again and search for the first CVE:

Looks like a match here. Also, with a quick Google search we see Rapid7’s post of this same exploit. Seems like a solid option.

Let’s set the necessary parameters (RHOST and LHOST) and go ahead and run the exploit:

Right away we see a Meterpreter session established.

Here we see that the target architecture (x86) matches the Meterpreter payload.

From here, we can use either the Meterpreter shell or a remote command prompt to navigate the system and look for the flags:

Poking around user "John"'s profile, we find the user flag on their Desktop.

Owning root (Administrator):

Similar to the user flag, the root flag was found on Administrator’s desktop.

Lame

nmap -A -p- 10.10.10.3

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-23 15:16 CDT
Nmap scan report for 10.10.10.3
Host is up (0.052s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.17
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: broadband router|remote management|WAP|printer|general purpose|power-device
Running (JUST GUESSING): Arris embedded (92%), Dell embedded (92%), Linksys embedded (92%), Tranzeo embedded (92%), Xerox embedded (92%), Linux 2.4.X|2.6.X (92%), Dell iDRAC 6 (92%), Raritan embedded (92%)
OS CPE: cpe:/h:dell:remote_access_card:6 cpe:/h:linksys:wet54gs5 cpe:/h:tranzeo:tr-cpq-19f cpe:/h:xerox:workcentre_pro_265 cpe:/o:linux:linux_kernel:2.4 cpe:/o:linux:linux_kernel:2.6 cpe:/o:dell:idrac6_firmware
Aggressive OS guesses: Arris TG862G/CT cable modem (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.4.27 (92%), Linux 2.6.8 - 2.6.30 (92%), Dell iDRAC 6 remote access controller (Linux 2.6) (92%), Raritan Dominion PX DPXR20-20L power control unit (92%), LifeSize video conferencing system (Linux 2.4.21) (92%), DD-WRT v24-sp1 (Linux 2.4.36) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h02m48s, deviation: 2h49m45s, median: 2m46s
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2020-08-23T16:21:21-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 139/tcp)
HOP RTT      ADDRESS
1   59.35 ms 10.10.14.1
2   57.93 ms 10.10.10.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 145.90 seconds

We see a few ports open here:

Port 21 (FTP) is open. It is worth looking into the specific service & version (vsftpd 2.3.4) to see if there is an exploit.

Port 22 (SSH) is open. This is not what we're primarily looking for when trying to run exploits, but it can be used if we obtain some credentials, or if we want to brute force and make a lot of noise.

Ports 139 & 445 are open. As seen in the Legacy box, these are SMB ports (here served by Samba) used for file shares. This is the obvious option to once again look for relevant exploits.

Port 3632 is open. The service, distccd v1, is unknown to me. I may need to google this later to see what it is and poke around to look for an associated exploit.
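Rather than eyeballing each report, a defender reading these two scans would want the same text turned into a checklist of findings to fix. The Python below is an added example, not code from the original post: it parses nmap's normal-output layout shown above for both boxes (the port table plus the `|`-prefixed NSE script blocks, including the `Host script results:` section that carries smb-os-discovery and smb-security-mode) and applies a few risk rules (anonymous FTP, an end-of-life platform on SMB, SMB signing off, guest SMB sessions, a network-reachable distcc). The rules, the severity labels and the EOL marker list are this example's own assumptions, and the two scan excerpts are constructed, abridged to the layout of the Lame and Legacy reports. It serves both the SMB discussion under Legacy and the Lame port list here.

```python
"""Parse nmap normal output (the layout of the scans above) into a defender's risk summary.
Added example, not code from the original post: the scan excerpts are constructed and
abridged from the Lame and Legacy layouts, and the risk rules are this example's own."""
import re

# Constructed excerpt in the layout of the Lame scan (Linux: vsftpd, Samba, distcc).
SAMPLE_LAME = """\
Nmap scan report for 10.10.10.3
PORT     STATE  SERVICE     VERSION
21/tcp   open   ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open   ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open   netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3389/tcp closed ms-wbt-server
3632/tcp open   distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

Host script results:
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""
# Constructed excerpt in the layout of the Legacy scan (Windows XP, SMB only).
SAMPLE_LEGACY = """\
Nmap scan report for 10.10.10.4
PORT     STATE  SERVICE       VERSION
445/tcp  open   microsoft-ds  Windows XP microsoft-ds

Host script results:
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""

TARGET_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# Substrings (of the smb-os-discovery OS field) naming platforms that no longer get security patches.
EOL_OS_MARKERS = ("Windows XP", "Windows 2000", "Windows Server 2003", "Samba 3.0")


def parse_nmap(text):
    """Return {'target', 'ports': [...], 'host_scripts': {...}} from nmap normal output."""
    host = {"target": None, "ports": [], "host_scripts": {}}
    current_port = None    # port dict that following '|' NSE lines belong to (None = host-level)
    current_script = None  # NSE script whose indented field lines we are reading
    for line in text.splitlines():
        if m := TARGET_RE.match(line):
            host["target"] = m.group(1)
        elif line.startswith("Host script results:"):
            current_port = None
        elif m := PORT_RE.match(line):
            current_port = {"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                            "service": m.group(4), "version": m.group(5).strip(), "scripts": {}}
            host["ports"].append(current_port)
        elif line.startswith("|"):
            # '| name:' / '|_name: text' opens a script block; deeper-indented lines are its fields.
            body = (" " + line[2:]) if line.startswith("|_") else line[1:]
            indent = len(body) - len(body.lstrip(" "))
            content = body.strip()
            scripts = host["host_scripts"] if current_port is None else current_port["scripts"]
            if indent <= 1:
                name, _, rest = content.partition(":")
                current_script = name.strip()
                scripts[current_script] = {"output": rest.strip(), "fields": {}}
            elif current_script is not None:
                key, sep, value = content.partition(":")
                if sep:
                    scripts[current_script]["fields"][key.strip()] = value.strip()
                else:
                    scripts[current_script]["output"] += " " + content
    return host


def assess(host):
    """Apply the risk rules (this example's own); returns (port, severity, rule, advice) tuples."""
    findings = []
    for p in host["ports"]:
        if p["state"] != "open":
            continue
        if "login allowed" in p["scripts"].get("ftp-anon", {}).get("output", ""):
            findings.append((p["port"], "high", "anon-ftp", "anonymous FTP login accepted; disable anonymous access"))
        if p["service"] == "distccd":
            findings.append((p["port"], "medium", "distcc-exposed", "distcc reachable from the network; limit it to trusted build hosts"))
    smb = 445 if any(p["port"] == 445 and p["state"] == "open" for p in host["ports"]) else None
    hs = host["host_scripts"]
    os_name = hs.get("smb-os-discovery", {}).get("fields", {}).get("OS", "")
    if any(marker in os_name for marker in EOL_OS_MARKERS):
        findings.append((smb, "high", "eol-os", f"end-of-life platform '{os_name}' exposed; no security patches available"))
    sec = hs.get("smb-security-mode", {}).get("fields", {})
    if sec.get("message_signing", "").startswith("disabled"):
        findings.append((smb, "medium", "smb-signing", "SMB signing disabled; require signing to stop relay and tampering"))
    if sec.get("account_used") == "guest":
        findings.append((smb, "medium", "smb-guest", "SMB accepted a guest session; disable guest access"))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_LAME, SAMPLE_LEGACY):
        host = parse_nmap(sample)
        for port, sev, rule, advice in assess(host):
            print(f"{host['target']} [{sev:6}] {rule:15} port={port}: {advice}")
```

The parser keys on indentation of the `|` lines (one space after the bar opens a script block, deeper lines are its fields), which is how nmap lays out both per-port scripts like `ftp-anon` and host-level ones like `smb-security-mode`. On the Lame excerpt this yields five findings (anonymous FTP, exposed distcc, EOL Samba 3.0, signing disabled, guest session) and on the Legacy excerpt three; the closed 3389 port is parsed but never reported.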

First, let’s start by looking for an SMB exploit since we just found one in the above box. With a quick Google search (“Samba smbd 3.0.20-Debian exploit”) we find another Rapid7 exploit.

Let’s give it a shot:

Shell popped.

Right away we see we’ve successfully established a remote shell.

Owning root.
Owning user.

Closing thoughts

These are really nice and simple boxes to begin experimenting with automated exploits through the metasploit console. I suspect there aren't many CTFs as simple and straightforward as these, but this is definitely a fun starting place and I'll take any small victories I can. 🙂