HackTheBox: Legacy – Walkthrough

January 4, 2025
January 4, 2025 Jasper

Welcome! It is time to look at the Legacy machine on HackTheBox. This machine is running a Windows 2000 vulnerability, specifically ms08–67.

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by playing HTB machines.
Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

Machine URL: https://app.hackthebox.com/machines/Legacy


Enumeration

Let’s get started. Let’s do a simple ICMP ping to see that the machine is running and that we have a connection:

ping 10.10.10.4
Pinging the machine

We get a response back!

Now let’s continue by running nmap.

nmap -sV -sC --open 10.10.10.4

The -sV flag provides version detection, while the –sC flag runs some basic scripts.

Nmap results

There are a three open ports. We see SMB running, as well as Windows RPC.

Let’s run a nmap script to enumerate more on the SMB shares, as this seems to be the most likely attack vector.

nmap --script smb-enum-shares.se -p 445 10.10.10.4

This runs a nmap enumeration script. This results in the following:

Running smb-enum-shares.nse

We did not get any smarter. If we look back at the original nmap result we can see what kind of system is running:

smb-os-discovery results

Windows 2000 seems pretty old. I googled “vulnerability windows 2000” and found the following:

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067

Vulnerability MS08–067, let’s see if we can use Metasploit!

Exploitation

Enter search ms08–67 and you can find a module:

Finding the ms08_67 module

Select it by entering use 0.

Running show options shows us the options we have to set:

Showing module options

In this case the only empty required option is RHOSTS, which is the target host. We set this by running set RHOSTS 10.10.10.4. Finally, run exploit to run the module.

Running the exploit

We got a meterpreter shell. Now, enter shell to enter a regular shell.

We can find the user flag at C:\Documents and Settings\john\Desktop:

Finding the user flag

The root flag is also located on the Desktop, but this time on the administrators account: C:\Documents and Settings\Administrator\Desktop.

We are done! This machine was quite easy, and I had to admit I focused to much on the SMB service from the start. Sometimes the OS itself has major vulnerabilities! I hope you found this walkthrough useful.


Like my articles?

You are welcome to give my article a clap or two 🙂
I would be so grateful if you support me by buying me a cup of coffee:

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

Leave a Reply

Your email address will not be published. Required fields are marked *