Hack The Box: Legacy Write-Up

Legacy is an easy-rated Windows machine.

Enumeration

Let’s start with a basic nmap scan.

$ nmap -sC -sV 10.10.10.4 -oA scans/basic_scan
# Nmap 7.94SVN scan initiated Thu Dec 21 15:14:39 2023 as: nmap -sC -sV -oA scans/basic_scan 10.10.10.4
Nmap scan report for 10.10.10.4
Host is up (0.22s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:33:2f (VMware)
|_clock-skew: mean: 5d00h57m39s, deviation: 1h24m50s, median: 4d23h57m39s
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2023-12-27T00:12:54+02:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 21 15:15:25 2023 -- 1 IP address (1 host up) scanned in 46.25 seconds

The scan shows that this host is very likely running Windows XP and speaks only SMBv1 (SMB2 negotiation failed). That combination is exposed to several well-known exploits.
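As an added defender-side example (not part of the original write-up), the snippet below parses nmap's host-script block and flags the weaknesses visible in this scan: guest session accepted, SMB signing disabled, SMBv1-only, end-of-life OS. The sample text is a constructed copy of the output above, and the end-of-life OS list and finding wording are my own assumptions.

```python
import re

# Constructed sample: the host-script block of the scan above, trimmed.
SAMPLE_NMAP = """\
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|_  System time: 2023-12-27T00:12:54+02:00
"""

# Assumed list of unsupported Windows releases to flag.
END_OF_LIFE_OS = ("windows xp", "windows 2000", "windows server 2003")

# Script lines are "|" or "|_", then indentation, then "key: value".
LINE_RE = re.compile(r"^\|_?(\s*)(\S.*?):\s*(.*)$")


def parse_host_scripts(text):
    """Return {script: {field: value}}; a one-line script result is kept under '_summary'."""
    scripts, current = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. the "Host script results:" header
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if indent < 2:  # top-level line names a script
            current = key
            scripts[current] = {"_summary": value} if value else {}
        elif current is not None:  # indented line is a field of the current script
            scripts[current][key] = value
    return scripts


def smb_findings(scripts):
    """Flag the SMB weaknesses a defender would want to remediate."""
    findings = []
    mode = scripts.get("smb-security-mode", {})
    if mode.get("message_signing", "").startswith("disabled"):
        findings.append("SMB message signing disabled: sessions can be relayed or tampered with")
    if mode.get("account_used") == "guest":
        findings.append("guest SMB session accepted: unauthenticated enumeration is possible")
    if "negotiation failed" in scripts.get("smb2-time", {}).get("_summary", "").lower():
        findings.append("SMB2 negotiation failed: SMBv1-only host, verify MS17-010 and MS08-067 patch state")
    os_name = scripts.get("smb-os-discovery", {}).get("OS", "")
    if any(eol in os_name.lower() for eol in END_OF_LIFE_OS):
        findings.append(f"end-of-life OS without security updates: {os_name}")
    return findings
```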

Exploitation

I decided to open Metasploit and choose the module for the well-known EternalChampion exploit.

Module: exploit/windows/smb/ms17_010_psexec

[Screenshot: Metasploit module options]

After running the module without authentication, I successfully got a root reverse shell back.

[Screenshot: Metasploit reverse shell]

The module exploit/windows/smb/ms08_067_netapi works just as well.

The flags are in the following directories:

  • C:\Documents and Settings\john\Desktop\user.txt
  • C:\Documents and Settings\Administrator\Desktop\root.txt

This post is licensed under CC BY 4.0 by the author.