The gMan nixWiki

HTB: Legacy

IP: 10.10.10.4 Me: 10.10.14.25

Scan

Note: masscan found a UDP port that nmap did not. Remember to scan UDP!

  • I later ran nmap to scan UDP (-sU) and found it (it just takes forever).
  • Syntax: nmap -sU -p137 10.10.10.4

masscan

Scan Syntax:

masscan 10.10.10.4 -p1-65535,U:1-65535 --rate=1000 -e tun0
# -p1-65535,U:1-65535 # scan all TCP/UDP ports
# --rate=1000         # scan rate = 1000 packets per second
# -e tun0             # listen on the VPN network interface for responses

Results:

Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-09-20 23:05:00 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 445/tcp on 10.10.10.4
Discovered open port 137/udp on 10.10.10.4
Discovered open port 139/tcp on 10.10.10.4
rate:  0.00-kpps, 100.00% done, waiting -308-secs, found=2

nmap

First:

root@kali:~# nmap -T4 -p- 10.10.10.4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-20 17:51 CDT
Nmap scan report for 10.10.10.4
Host is up (0.037s latency).
Not shown: 65532 filtered ports

PORT     STATE  SERVICE
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server

Second:

root@kali:~# nmap -T4 -A -p139,445,3389 10.10.10.4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-20 17:54 CDT
Nmap scan report for 10.10.10.4
Host is up (0.037s latency).

PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows 2000|XP|2003|2008 (92%), General Dynamics embedded (87%)
OS CPE: cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2003 cpe:/o:microsoft:windows_server_2008::sp2
Aggressive OS guesses: Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (92%), Microsoft Windows XP SP2 (92%), Microsoft Windows XP SP2 or Windows Small Business Server 2003 (91%), Microsoft Windows Server 2003 (90%), Microsoft Windows 2000 SP4 (90%), Microsoft Windows XP Professional SP3 (90%), Microsoft Windows XP SP2 or SP3 (90%), Microsoft Windows XP SP3 (90%), Microsoft Windows XP SP2 or Windows Server 2003 (90%), Microsoft Windows 2000 Server (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: -4h27m04s, deviation: 2h07m16s, median: -5h57m04s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:6c:76 (VMware)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2020-09-20T22:57:48+03:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 3389/tcp)
HOP RTT      ADDRESS
1   36.83 ms 10.10.14.1
2   37.15 ms 10.10.10.4

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.96 seconds

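To check scanner coverage the way the note above recommends, here is an added Python example (my own code, not from the original page): it parses masscan's "Discovered open port" lines and nmap's port table, lists what each scanner found that the other did not, and builds the UDP follow-up nmap command. The sample lines are constructed from the output above; the function names are my own.

```python
import re

# Constructed sample lines in the formats shown above (masscan "Discovered open port"
# lines and nmap's PORT/STATE/SERVICE table); not the full scan output.
MASSCAN_OUTPUT = """\
Discovered open port 445/tcp on 10.10.10.4
Discovered open port 137/udp on 10.10.10.4
Discovered open port 139/tcp on 10.10.10.4
"""

NMAP_OUTPUT = """\
PORT     STATE  SERVICE
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server
"""

MASSCAN_RE = re.compile(r"Discovered open port (\d+)/(tcp|udp) on (\S+)")
NMAP_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)

def parse_masscan(text):
    """Return {(port, proto)} for every open port masscan reported."""
    return {(int(p), proto) for p, proto, _host in MASSCAN_RE.findall(text)}

def parse_nmap(text, states=("open",)):
    """Return {(port, proto)} for nmap table rows whose STATE is in `states`."""
    return {(int(p), proto) for p, proto, state, _svc in NMAP_RE.findall(text) if state in states}

def coverage_gaps(masscan_text, nmap_text):
    """Ports one scanner found open that the other did not. A UDP entry under
    'masscan_only' usually means the nmap run was TCP-only (no -sU)."""
    m, n = parse_masscan(masscan_text), parse_nmap(nmap_text)
    return {
        "masscan_only": sorted(m - n),
        "nmap_only": sorted(n - m),
        "both": sorted(m & n),
    }

def suggested_nmap_followup(host, gaps):
    """Build the follow-up nmap -sU command for UDP ports the TCP-only run missed."""
    udp = [str(p) for p, proto in gaps["masscan_only"] if proto == "udp"]
    if not udp:
        return None
    return f"nmap -sU -p{','.join(udp)} {host}"

if __name__ == "__main__":
    gaps = coverage_gaps(MASSCAN_OUTPUT, NMAP_OUTPUT)
    print(gaps, suggested_nmap_followup("10.10.10.4", gaps))
```
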
Metasploit

This took forever but I let it run anyway…

  • I actually finished hacking into the box by the time this finished.

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   DELAY      0                yes       The delay between connections, per thread, in milliseconds
   INTERFACE                   no        The name of the interface
   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      1-65535          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS     10.10.10.4       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    100              yes       The number of concurrent threads (max one per host)
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf5 auxiliary(scanner/portscan/syn) > run

Enumerate

Exploit

Post-Ex Enum

hack_htb_legacy.1604708631.txt.gz · Last modified: by gman