In this article our Prof. Herbert Fernandez Tamayo starts the second part of the series “Hack The Box Series” (Getting started in HTB).
This is a beginner-friendly and very detailed tutorial on two questions: What skills do you need to complete the Legacy machine? How do you complete the machine? It comes with plenty of hands-on steps.
Without further ado, enjoy the article!
When you are landing in infosec almost everything is confusing, and one of those confusing things is the tools we should use. At the beginning I thought hacking was about tools: the more tools you have, the more opportunities you have to become successful. Well, it's not like that; actually, it has nothing to do with collecting tools, cheats or secret formulas.
In this writeup we will solve a machine called Legacy using Metasploit, yes, that infamous tool. After finding the flags we will draw our own conclusions about it, so let's get started.
Connect to the HackTheBox network. For this you need an active HTB profile and ideally a Linux-based operating system such as Kali Linux or Parrot OS; after that, download your VPN connection pack from your profile. It is recommended that you create a directory to store the screenshots and files that will be created in the different phases. Finally, it is a good idea to take your own notes; you may use a word processor or software like CherryTree, Obsidian and other tools of that kind.
For this machine you need an active VIP or VIP+ subscription, because the machine's status is retired.
Phase 1: reconnaissance
Once we are logged in to HTB's network, take note of the IP address of the Legacy machine. After that, let's scan which ports are open; to accomplish this task we use nmap:
nmap -A -T4 -p- <legacy_ip_address>
- -A: aggressive scan; enables OS detection, version detection, script scanning and traceroute.
- -T4: timing template; speeds up the scan.
- -p-: scan all 65535 ports.
- Comments about the result:
  - It seems the ports in «listening mode», AKA «open ports», are 139, 445 and 3389. Take into account that all these ports use the TCP protocol; moreover, we got the OS version of the host where these ports are exposed.
  - Research the service name related to each open port we found, and take notes about the characteristics and purpose of each service.
  - After that, research common vulnerabilities related to each service you found.
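The writeup recommends keeping your own notes for every phase. The following script is an added example, not part of the original writeup: it parses the XML that nmap writes when you add `-oX scan.xml` to the command above and turns it into a notes table (OS guess, open ports, protocol, service). The XML embedded below is a constructed sample shaped like nmap's output for a box with the three ports the author found plus one filtered port, and the address 192.0.2.10 is a placeholder, not the box's real IP.

```python
"""Turn nmap XML output into a notes table (added example, not from the writeup).

Run as:  python nmap_notes.py scan.xml
where scan.xml comes from:  nmap -A -T4 -p- -oX scan.xml <legacy_ip_address>
Without an argument it parses the constructed sample below.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape of nmap's -oX output; 192.0.2.10 is a placeholder.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -A -T4 -p- -oX scan.xml 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135">
        <state state="filtered" reason="no-response"/>
        <service name="msrpc"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="open" reason="syn-ack"/>
        <service name="netbios-ssn" product="Microsoft Windows netbios-ssn"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="open" reason="syn-ack"/>
        <service name="ms-wbt-server"/>
      </port>
    </ports>
    <os>
      <osmatch name="Microsoft Windows XP SP3" accuracy="95"/>
    </os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per scanned port: host, os, port, proto, state, service."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        os_el = host.find("os/osmatch")  # first (best) OS match, if -A produced one
        if os_el is not None:
            os_guess = f"{os_el.get('name')} ({os_el.get('accuracy')}%)"
        else:
            os_guess = "unknown"
        for port in host.findall("ports/port"):
            state_el = port.find("state")
            svc_el = port.find("service")
            service = "?"
            if svc_el is not None:
                service = svc_el.get("name", "?")
                if svc_el.get("product"):
                    service += f" ({svc_el.get('product')})"
            rows.append({
                "host": addr,
                "os": os_guess,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state_el.get("state") if state_el is not None else "unknown",
                "service": service,
            })
    return rows


def open_ports(rows):
    """Sorted (port, protocol) pairs for ports nmap reported as open."""
    return sorted((r["port"], r["proto"]) for r in rows if r["state"] == "open")


def render_notes(rows):
    """Markdown table for the notes file: OS guess on top, one line per open port."""
    if not rows:
        return "no hosts parsed\n"
    lines = [
        f"# {rows[0]['host']} - OS guess: {rows[0]['os']}",
        "",
        "| port | proto | state | service |",
        "|---|---|---|---|",
    ]
    for r in rows:
        if r["state"] == "open":  # filtered/closed ports are noise in the notes
            lines.append(f"| {r['port']} | {r['proto']} | {r['state']} | {r['service']} |")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    print(render_notes(parse_nmap_xml(text)))
```

Paste the rendered table into your notes for the machine; the per-service research the author asks for in the hints fits naturally as a line under each row.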
Based on the open ports we found, we should start by enumerating the Samba service. As part of your research in the above “hint” section, I'm sure you found that we can try to connect to Samba with anonymous credentials; let's try this:
smbclient -L <target_ip>
- smbclient: Linux client to execute operations using the SMB protocol.
- -L: list the shares of the target host, which has the SMB protocol in listening mode.
As we can see, anonymous credentials are not enabled on the box; let's try a different approach.
At least we need to obtain the version of the Samba server deployed in this box. To accomplish this task we will use Metasploit; go to your terminal and type this command:
If this is the first time you run this tool, it will take some time to load, because Metasploit uses a database which needs to be initialized. When you get to the prompt, please type:
If everything is OK, you should see a prompt like this:
- scanner/smb/smb_version: the name of the module we loaded.
- auxiliary: Metasploit classifies its modules; in this case we are using an auxiliary module, but that doesn't mean it's less effective.
Cool. Each module needs parameters to be set; to get details about which parameters we need to set, just type:
In this case, we only need to set the RHOSTS parameter to the IP address of our target server, in this case the box, so let's type:
set RHOSTS <legacy_ip_address>
Just in case, let's type options again to check that the IP address was set correctly:
All right, we are ready to go; please type exploit and let's compare the results:
- Comments about the result:
  - Why did we get the expected result? Please research the accuracy of Metasploit's results; moreover, ask yourself this: am I in control of the test when using Metasploit?
  - Although we didn't get Samba's version, we got a confirmation of the OS version; with this hint we can try to enumerate this protocol.
Phase 2: enumeration
Go to your browser, open a new tab and type the following search:
“SMB Windows XP SP3 exploit”
As you can see, there are a lot of good results, and also a lot of information related to something called “CVE”.
Please follow the next instructions:
- Open another tab and search about CVEs: what is their purpose? How are they reported?
- Go back to the results about SMB Windows XP, click on some of them and read the content; take into account facts like details, “proofs of concept”, and technical details about the CVE.
- Search for the most respected websites related to CVEs. This is the idea: when you are researching vulnerabilities, what should be your first 3 options?
- Finally, choose a CVE that can be used against this machine and ask yourself: why do you think your option should be useful? What do you expect to obtain by using it?
Phase 3: Gaining Access
In my case, I will use MS08-067; please do your research about what it is. I will run these commands:
- use exploit/windows/smb/ms08_067_netapi
- RHOSTS: the box's IP address
- LHOST: your IP address
- Please take a look at the options below, specifically the LHOST parameter; by the way, it has a default value.
- Go to your terminal: how many active network interfaces do you have?
- After running the module, it doesn't work, so please try to answer these two questions:
  - Why isn't it working?
  - Most important: what are we trying to get?
As a matter of fact, the last question is the most important: what are we trying to get? From my point of view this is a key fact for hating or loving Metasploit: hacking is not about executing a recipe, it's not about typing commands; hacking is about analyzing the vulnerabilities known in a target and demonstrating whether those are exploitable. But maybe that's a talk for another day; for now I would like to ask you to research two concepts: bind shell and reverse shell.
After fixing the misconfigured parameter, let's run the exploit again:
It seems we are inside the machine, wonderful, isn't it? Let's try some commands just to be sure:
- Get information about what PowerShell is, how and why we can use it; also research: can we use PowerShell on a Linux distro?
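The hints above point at LHOST and at the number of network interfaces on your machine. The reason they matter is the direction of the connection: in a reverse connection the target initiates the TCP connection toward LHOST:LPORT and the operator side only listens, so LHOST must be an address the target can actually reach (your VPN tunnel address, not whatever interface the default was taken from). A bind shell is the opposite: the target listens and the operator connects in. The script below is an added example, not part of the original writeup; it reproduces only the connection direction over loopback with a fixed greeting, there is no shell or command execution involved, and 127.0.0.2 stands in for "an LHOST nobody is listening on". From the defender's side the same fact is what makes this pattern visible: an unexpected outbound connection from a server is exactly what egress filtering and outbound-connection monitoring exist to catch.

```python
"""Why LHOST matters in a reverse connection (added example, loopback only).

The 'target' side initiates the TCP connection toward LHOST:LPORT; the
operator side merely listens. If LHOST is an address the target cannot
reach (a default picked from the wrong interface), the connection is never
made and the listener sees nothing. Only a fixed greeting is exchanged.
"""
import socket
import threading

GREETING = b"hello from the connecting side"  # constructed marker, nothing else is sent


def start_listener(bind_addr, port=0):
    """Operator side: listen on bind_addr, accept one peer, record what it sent.

    port=0 lets the OS pick a free port; the chosen port is returned in the dict.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_addr, port))
    srv.listen(1)
    srv.settimeout(2)  # give up if nobody connects back
    result = {"port": srv.getsockname()[1], "received": None}

    def serve():
        try:
            conn, _ = srv.accept()
            with conn:
                result["received"] = conn.recv(1024)
        except OSError:  # accept timed out: the target never reached us
            pass
        finally:
            srv.close()

    result["thread"] = threading.Thread(target=serve, daemon=True)
    result["thread"].start()
    return result


def connect_back(lhost, lport):
    """Target side: initiate the connection toward the configured LHOST:LPORT."""
    try:
        with socket.create_connection((lhost, lport), timeout=1) as conn:
            conn.sendall(GREETING)
        return True
    except OSError:  # refused, unreachable or timed out: a wrong LHOST ends here
        return False


def demo(lhost_configured):
    """Listener on 127.0.0.1; the target connects to whatever LHOST was configured.

    Returns (target_connected, bytes_received_by_listener).
    """
    listener = start_listener("127.0.0.1")
    connected = connect_back(lhost_configured, listener["port"])
    listener["thread"].join(timeout=3)
    return connected, listener["received"]


if __name__ == "__main__":
    print("correct LHOST:", demo("127.0.0.1"))
    print("wrong LHOST:  ", demo("127.0.0.2"))
```

With the right address the listener receives the greeting; with the wrong one the connecting side fails and the listener times out with nothing received, which is the same silence you see when a module's LHOST points at an interface the box cannot reach.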
Phase 4: Privilege Escalation
Well, let's try to get the admin and user flags; please follow these commands:
- cd ..
- cd ..
- cd "Documents and Settings"
- cd john
- cd Desktop
Can you see the user's flag? Take a look at the next 2 images:
- Take a look at the filesystem and try to find the admin's flag; don't forget that you have all privileges, so you don't need to escalate anything more, just dig into the filesystem.
- Do you think it's necessary to feel comfortable working in a console-based OS environment?
Final words:
- This machine is very helpful to understand the impact of a tool on our analysis.
- Every ethical hacker/pentester needs to reach their own conclusion about using tool “x” or “y”.
- From my point of view the best way to compare is to use a product, a tool in this case, and then accomplish the same task without using it.
- For any questions or comments, do not hesitate to DM me at @heftamayo.
Thank you for your time (Prof. Herbert Tamayo).