Ethical Hacking Lessons — Legacy Writeup

Kamran Bilgrami
4 min read, Oct 17, 2019


This is my write-up for the Hack The Box machine Legacy. This box highlights the risk associated with the well-known EternalBlue vulnerability in Microsoft's implementation of the SMB protocol. The WannaCry ransomware that weaponised it infected over 200,000 systems across the globe, causing financial losses estimated at around 4 billion dollars.

As always, let's take a look at the info card.

A Windows machine with an IP address of 10.10.10.4. Its radar graph leans heavily toward the CVE axis, so we should expect a known, publicly documented vulnerability rather than a custom exploit.

Recon

Let's start active recon with an Nmap TCP scan of all 65535 ports, with service/OS detection and default scripts enabled and the results saved as XML.

nmap -A -T4 -p- -oX tcp_scan_result.xml 10.10.10.4

Below are the results produced by the scan.

The TCP scan shows the SMB-related ports open. The smb-os-discovery script output also indicates that the target is most likely running Windows XP.

Furthermore, the UDP scan shows port 137 open with the NetBIOS Name Service (netbios-ns) running there.

Recon Results Analysis

The scan results show SMB-related ports and services exposed on this box, on what looks like an old, unsupported version of Windows. That combination is the obvious place to dig.

Enumeration

A quick Google search for SMB-related vulnerabilities on the Windows platform points to the famous EternalBlue/WannaCry bug, aka MS17-010. Nmap ships a script called smb-vuln-ms17-010 that checks for it without exploiting it. Running the script against ports 139 and 445 confirmed that the target machine is vulnerable.

In fact, if we look for all the smb-vuln-* scripts in the Nmap script library, there are quite a few available.

We can try to run all the smb-vuln scripts against the same two ports as follows.

The results reveal the existence of the following two CVEs on this target device.

CVE-2008-4250, addressed by Microsoft bulletin MS08-067

CVE-2017-0143, addressed by Microsoft bulletin MS17-010

Both of these vulnerabilities allow unauthenticated Remote Code Execution (RCE) over SMB, which is exactly what we need.
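The scan above was saved with -oX, and the enumeration step amounts to reading port states, the smb-os-discovery guess and the state of each smb-vuln-* check out of that file. The following is an added example (not part of the original write-up) of a small parser for nmap's XML output that pulls exactly those three things out and flags any CVE a script reports as vulnerable. The XML embedded in it is constructed by hand to mirror the shape of a real nmap -oX file for a host like this one; it is not the author's actual scan, and the script ids, CVE keys and state strings are taken from the write-up and from nmap's vulns library conventions.

```python
"""Summarise an nmap -oX scan: open ports, SMB exposure, OS guess and smb-vuln-* results."""
import xml.etree.ElementTree as ET

# Service names nmap assigns to the two SMB transports (NetBIOS session on 139, direct SMB on 445).
SMB_SERVICES = {"netbios-ssn", "microsoft-ds"}

# Constructed sample in the shape of nmap -oX output, trimmed to the elements used below.
# Not a real capture of 10.10.10.4; the values mirror what the write-up describes.
SAMPLE_XML = """
<nmaprun scanner="nmap" args="nmap -A -T4 -p- -oX tcp_scan_result.xml 10.10.10.4">
  <host>
    <address addr="10.10.10.4" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports>
    <hostscript>
      <script id="smb-os-discovery" output="OS: Windows XP">
        <elem key="os">Windows XP (Windows 2000 LAN Manager)</elem>
      </script>
      <script id="smb-vuln-ms17-010" output="VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
      <script id="smb-vuln-ms08-067" output="VULNERABLE">
        <table key="CVE-2008-4250">
          <elem key="title">Microsoft Windows system vulnerable to remote code execution (MS08-067)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
      <script id="smb-vuln-ms10-054" output="NOT VULNERABLE">
        <table key="CVE-2010-2550">
          <elem key="state">NOT VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""


def parse_scan(xml_text):
    """Return a dict with the host address, open ports, SMB ports, OS guess and smb-vuln results."""
    root = ET.fromstring(xml_text)
    host = root.find("host")
    addr_el = host.find("address[@addrtype='ipv4']")
    report = {
        "addr": addr_el.get("addr") if addr_el is not None else None,
        "open_ports": [],   # list of (port, service name)
        "smb_ports": [],    # subset of open ports carrying SMB
        "os": None,         # smb-os-discovery guess, if present
        "vulns": [],        # one entry per smb-vuln-* result table
    }
    for port in host.iterfind("ports/port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue  # only open ports matter for the attack surface
        portid = int(port.get("portid"))
        svc = port.find("service")
        name = svc.get("name") if svc is not None else ""
        report["open_ports"].append((portid, name))
        if name in SMB_SERVICES:
            report["smb_ports"].append(portid)
    report["open_ports"].sort()
    report["smb_ports"].sort()

    for script in host.iterfind("hostscript/script"):
        sid = script.get("id", "")
        if sid == "smb-os-discovery":
            os_el = script.find("elem[@key='os']")
            if os_el is not None:
                report["os"] = os_el.text
        elif sid.startswith("smb-vuln-"):
            # The vulns library emits one <table key="CVE-..."> per finding with a state elem.
            for tbl in script.iterfind("table"):
                state_el = tbl.find("elem[@key='state']")
                if state_el is None or state_el.text is None:
                    continue
                report["vulns"].append({"script": sid, "id": tbl.get("key"),
                                        "state": state_el.text.strip()})
    return report


def vulnerable_cves(report):
    """CVE ids whose state is any VULNERABLE variant (e.g. 'VULNERABLE (Exploitable)', 'LIKELY VULNERABLE')."""
    return [v["id"] for v in report["vulns"]
            if "VULNERABLE" in v["state"] and not v["state"].startswith("NOT")]


if __name__ == "__main__":
    rep = parse_scan(SAMPLE_XML)
    print(f"{rep['addr']}  os={rep['os']}")
    print("open ports:", ", ".join(f"{p}/{s}" for p, s in rep["open_ports"]))
    print("SMB exposed on:", rep["smb_ports"])
    print("vulnerable to:", vulnerable_cves(rep))
```

Running it against a real file is just `parse_scan(open("tcp_scan_result.xml").read())`; the point of separating `vulnerable_cves` is that a box with SMB open but every smb-vuln-* table reporting NOT VULNERABLE returns an empty list and should send you back to enumeration rather than to an exploit.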

Enumeration Results Analysis

Recon and enumeration led us to the well-known EternalBlue vulnerability, which we can look into exploiting next.

Exploitation

During the search for exploits, I came across this page, which provides Python scripts for exploiting MS17-010 on various flavours of Windows. The script of interest is send_and_execute.py: it uploads an executable to the target and runs it, so it can be used to deliver a reverse shell. First, we create an executable reverse-shell payload using msfvenom as follows.

Let’s launch a listener on our Kali Linux machine.

We can now download the send_and_execute.py script and run it against the target machine, pointing it at the payload we just built.

That immediately gave us a reverse shell. I was not able to execute whoami on it to determine whether any privilege escalation was needed (Windows XP does not ship whoami.exe, so its absence says nothing about the shell itself).

However, I was able to browse through the file system.

It must be administrative (SYSTEM-level) access, because I was also able to grab both the user and root flags without any further escalation.

I was also able to run the systeminfo command, and its hotfix list showed that the necessary patch had not been applied.

Root Cause Analysis

The machine was running an unsupported Windows XP with SMBv1 exposed on ports 139 and 445, and it had not been patched for MS17-010 (nor for the much older MS08-067). Microsoft shipped fixes for both, including an out-of-band MS17-010 update for Windows XP in May 2017; applying them, disabling SMBv1, or filtering 139/445 at the network boundary would each have closed this path.
