HackTheBox: Legacy Windows XP SP3 SMB Walkthrough
The Hack Walkthroughs are back! The plan is to hack 40 boxes before I sign up for Offensive Security's PWK 60-day training. I need to prepare before I prepare. I need to train before I train! I read online people were regretful they started with PWK first. I paid for VIP on hackthebox.eu which was $10.
I'm taking a very long Udemy course and the guy gets into legacy HTB boxes. I'm going to hack them before he shows the answers. I appreciate he put them in order so I have a map on where to go next.
The first problem I encountered was switching my openvpn file once I paid for VPN. The answer was to reboot.
The first thing I do is nmap the host. I had to use -Pn because nmap thought the host was down. I also couldn't use -A -p- because it took forever. I relied on the top 1000 ports instead.
I mean, its an easy box so this is a good start. I tried to smbclient connect and it failed. I got into msfconsole and used the smb_version scanner to see what I was dealing with.
This result makes me happy. Windows XP sounds great to me. I then googled to see if an SMB exploit existed and got this:
Rapid7 shows up who make the tool metaspoit. It also shows the module path. I copied the module path. Now LHOST is automatically set up to my NAT IP address. This is wrong. I need to use the openvpn IP address I got from HTB. I changed it to 10.10.14.27 instead of my 192.168.154.153. Kali has multiple network adapters. Routing can't get to me on 192.x but it can on 10.x.
Psss: So glad my CCNA is helpful.
That's it. Once you set the LHOST and RHOST, hit run. The default payload worked for me. I'm glad it did, because there were 87 different payload options.
The commands "ls", "pwd", and "cat" worked. I'm going to assume the payload is translating those commands into Windows commands. That is a nice feature.
More Research
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067
I heard about ms08-067 in 2016. I wonder what the atmosphere was like when it was first released. I didn't know it effected Windows 2008 and Vista too (although it looks to a lesser extent than Server 2003 and XP).
Ending
Its nice to see my CCNA paying off. I knew the /32 (one host only) syntax and how routing works enough to jump past these hurdles. Old me would've been stuck for hours and hours, totally unaware of what the problem was because I didn't have a networking background. OSINT can get me far too. I didn't have to engage in Google-Foo for this box but I may for future boxes.
Comments
Post a Comment