Solving “LEGACY” from Hack The Box | Hacking “Legacy”.

Praful Nair
7 min read · Feb 1, 2021


This is just another walk-through for solving a retired machine from HackTheBox. If you are a newbie and a VIP member of HackTheBox and want to get started by hacking some of the easier machines, this would be a nice read. Prerequisites: knowing the basics of Kali Linux, enumeration and scanning tools like nmap, and Metasploit.

If you find yourself without the prerequisites and feel it would be great to have a similar article or live session on the basics of Kali Linux, setting up the environment and so on, feel free to mail me at prafulworkspace@gmail.com

So let’s get into it, shall we? The machine we are talking about in this article is a retired machine called ‘Legacy’; perhaps one of the easier machines you’ll hack in your journey as a pentester / HackTheBox member. There are two flags which we need to submit in order to solve this, or in cooler words, “hack this system” completely.

You need to break through their own challenge in order to create an account here.

First things first. If you are completely unaware of how HackTheBox works, you’ll be surprised to find that in order to make an account (even the free one) you have to crack their puzzle. Somewhere on their front page they have embedded clues for a flag or code that you need to submit in order to gain access to their website as a member. I won’t be explaining how to solve that, and in all honesty it’s not that hard. If you have some basic knowledge about websites, their source code, the scripts used in them and so on, you will easily solve this task.

Or you can just Google the walk-through (or watch it on YouTube).

Once you have gained access and purchased the VIP membership, you will have access to the retired machines. Retired machines are very resourceful if you are actually on the learning path when it comes to breaking down a system or playing around with CTFs. It’s totally worth the bucks you pay. Moreover, you can easily sort the machines by difficulty, try to solve the easier ones first, and then gradually make progress from there.

Make sure you re-download your connection pack after getting VIP access.

This is the Access tab of your homepage. From here you can download your connection pack. Once you have downloaded it, simply open up a terminal and type (without quotes) ‘sudo openvpn filename.ovpn’.

Finally we can get started with Legacy. Make sure you are connected to the VPN and have started the Legacy machine (which is in the Machines tab under retired machines). Once you do that, you are good to go. So let’s start with Nmap scanning.

Now for me, a normal Nmap scan didn't work. I wanted to initially just ping the machine and see if the host is up, but that didn’t work for me, so I went for more aggressive options, since we aren’t really concerned about being quiet anyway.

Nmap isn’t really stealthy. It’s very loud, in fact.

The command I used here to do the reconnaissance via Nmap is :

nmap -Pn -A -T4 -p- 10.10.10.4

Double check what the machine’s IP is. This took me around 4 to 5 minutes but gave me a plethora of information about the system. Legacy is a Windows machine (that’s not new info) and that’s why it’s easier to exploit. The Nmap result stated it’s a Windows XP machine.

As we can see, ports 139 and 445 are open and providing two services: ‘netbios-ssn’ and ‘microsoft-ds’. Further, we can make use of the information on the SMB services. If we can figure out what kind of SMB service is being used, we can easily exploit this machine. I am pretty sure there are exploits available that can return a reverse shell and give us a meterpreter.
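As an added example (not from the original post), here is the same triage from a defender’s side: if you save an Nmap scan with the -oX option, this script parses the XML and flags every host that exposes SMB (139/445) and fingerprints as an end-of-life Windows release, i.e. the hosts that need patching or isolation. The sample XML is constructed to mirror the Legacy result and is not real scan output.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap -oX layout (not a real scan): one host shaped like
# Legacy (139/445 open, Windows XP SP3) and one modern host for contrast.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.10.10.4" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP3" accuracy="100"/></os>
  </host>
  <host>
    <address addr="10.10.10.99" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="closed"/><service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Linux 5.4" accuracy="90"/></os>
  </host>
</nmaprun>
"""

SMB_PORTS = {139, 445}
# Windows releases that no longer receive security updates (assumed list for the example).
END_OF_LIFE = ("windows xp", "windows 2000", "windows server 2003")


def open_tcp_ports(host):
    """Set of open TCP port numbers for one <host> element."""
    return {int(p.get("portid")) for p in host.findall("ports/port")
            if p.get("protocol") == "tcp" and p.find("state").get("state") == "open"}


def best_os_match(host):
    """Name of the highest-accuracy <osmatch>, or '' if OS detection gave nothing."""
    matches = host.findall("os/osmatch")
    if not matches:
        return ""
    return max(matches, key=lambda m: int(m.get("accuracy", 0))).get("name", "")


def legacy_smb_hosts(xml_text):
    """List of (ip, os_name, open_smb_ports) for hosts with SMB exposed on an EOL Windows."""
    findings = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        smb_ports = open_tcp_ports(host) & SMB_PORTS
        os_name = best_os_match(host)
        if smb_ports and any(eol in os_name.lower() for eol in END_OF_LIFE):
            findings.append((addr.get("addr"), os_name, sorted(smb_ports)))
    return findings
```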

Again, we need two precise details regarding this machine:

  1. Which Windows service pack is installed
  2. The SMB version or other version details

Without these, we are on a wild goose chase (if we pursue this lead; obviously there are other ways to exploit a given system).

So we have something called enum4linux, which could help us answer both of the aforementioned questions. It’s basically a tool used for enumeration on Windows and Samba systems. Unfortunately, that didn’t work for me. Instead I decided to use the smb_version scanner from msfconsole. So let’s open Metasploit. Enter:

sudo msfconsole

This would open up the Metasploit framework. Here let’s search for the auxiliary scanner:

search smb_version

This would bring out one result: the auxiliary scanner. Copy the module path and enter:

use auxiliary/scanner/smb/smb_version

Now you are ready to use the scanner. Set RHOST to your target IP address. For me it was 10.10.10.4.

show options

This would show all the parameters you can set. For this we just need to set the target:

set rhost 10.10.10.4

Recheck your RHOST value and, when you are ready, type run to execute.

The smb_version scanner giving us information about the version of Windows used.

Just look at what kind of information this brings. I would say you have hit a gold mine. Now we know the system runs Windows XP SP3. That’s adequate. We now just need to find an SMB exploit for Windows XP SP3. You can do this either by manually searching Exploit-DB or Rapid7.

I JUST GOOGLED

Yep. And I got two or three possible exploits. I tried the first two and they didn’t really work. But for the sake of keeping this article precise I will only mention the one that worked for me, and that’s MS08-067 Microsoft Server Service Relative Path Stack Corruption. Got this from the Rapid7 website. There are clear instructions for this particular exploit that I would suggest you read. But now we are ready to do the final, or more like the penultimate, step of cracking this old machine Legacy.

You can find exploit/windows/smb/ms08_067_netapi in msfconsole. Enter the following in msfconsole:

use exploit/windows/smb/ms08_067_netapi

As you can see, you would need to set the RHOST value again to the target IP. I have set it to 10.10.10.4 by typing ‘set rhost 10.10.10.4’. Further, if you wish to play around, you can manually set the target. I have left it at 0 for automatic targeting.

Note: I found that the shell was not getting created and I kind of double checked everything. After snooping around for a bit I found that my Kali machine was already running some service on port 4444. This is the port we are listening on for the reply that gives us a shell. So I had to change that to 4442.

So if you get an error about the listening port, type:

set lport 4442 (or any other port which is free)

Finally, recheck your parameters and options (only RHOST in our case) and type run.
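The port clash above is worth checking for before starting any listener. As an added example (not from the original post), this small Python helper tests whether a TCP port on your own machine is already bound and, if it is, picks the next free one; the 4444 default mirrors the post, everything else is assumed.

```python
import socket


def port_is_free(port, host="0.0.0.0"):
    """True if nothing on this machine is already bound to host:port over TCP.

    A throwaway socket is bound (never listened on) and closed again; the bind
    fails with EADDRINUSE when another process, e.g. a stray handler from an
    earlier session, already owns the port.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return False
    return True


def pick_listener_port(preferred=4444, span=32):
    """Return `preferred` if it is free, otherwise the first free port above it.

    Returns None when nothing in [preferred, preferred + span) is available.
    """
    for port in range(preferred, preferred + span):
        if port_is_free(port):
            return port
    return None


def hold_port(port):
    """Bind and listen on a port (used here to simulate the service that clashed)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", port))
    s.listen(1)
    return s
```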

AND I GOT A METERPRETER

I typed getuid and sysinfo to see whether I have the highest privileges and to get other system info.

Apparently we do have the highest access privilege. That’s good news. Now to finally solve this CTF, we need to submit the flags. So I suggest you pause your read here and go try to find them on your own. Trust me, it’s not that hard. They are kind of there in plain sight. Moreover, the hard part is done already.

But if you didn’t find a flag, or only found one, no issue. Here we go. We will spawn a shell so that we get cmd-like access in our terminal. That way it is easy to traverse the target’s directories. So go ahead and type ‘shell’ in the meterpreter session. You will get something like this:

Now go to C:\Documents and Settings\John\Desktop. There you find your first flag.

I forgot ‘cat’ won’t work here.

If you see the file user.txt, that’s your flag. Go ahead and type this:

type user.txt

This would print the flag. Just copy it, go back to HackTheBox, click on the flag icon for Legacy and submit it. Similarly, the second flag is in C:\Documents and Settings\Administrator\Desktop. Follow the same steps as for the previous flag: copy the content of the root.txt file and submit it.

VOILA! YOU HAVE COMPLETED IT. YOU SOLVED IT. BRAVO!

Now please do note that there are multiple ways to solve a problem. I am not only talking about hacking a system or solving a CTF. In your life you will find problems, and there is no one hard and fast rule or way to approach and solve them. Similarly, here, there might be other ways to solve Legacy. This article was mainly targeted at newcomers. I have tried to keep it simple and straightforward. But please do check the other walkthroughs available on the internet. Some are directly linked on the Legacy page of the HackTheBox website.


Written by Praful Nair

Praful is a Graduate student at Concordia University (MS Applied Computer Science), and he loves to code! He likes the field of Data science and Cyber Security.
