Jasper Alblas
This retired machine, called Legacy, is running Windows XP (not Windows 2000), and it is vulnerable to a well-known flaw: MS08-067, a critical vulnerability in the Server service that allows remote code execution.
In this guide, we’ll walk through the steps to exploit this vulnerability and gain a foothold on the box — a classic example of how outdated systems can still be incredibly useful for learning core pentesting techniques.
Machine URL: https://app.hackthebox.com/machines/Legacy
I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by playing HTB machines.
Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.
Let’s get started. Let’s do a simple ICMP ping to see that the machine is running and that we have a connection:
ping 10.10.10.4
We get a response!
Now let’s continue by running nmap.
nmap -sV -sC --open 10.10.10.4
The -sV flag provides version detection, while the -sC flag runs nmap's default set of scripts.
There are three open ports. We see SMB running, as well as Windows RPC.
Let’s run a nmap script to enumerate more on the SMB shares, as this seems to be the most likely attack vector.
nmap --script smb-enum-shares.nse -p 445 10.10.10.4
This runs an Nmap script that enumerates SMB shares. It results in the following:
We did not get any smarter. If we look back at the original nmap result we can see what kind of system is running:
Windows 2000 seems pretty old. I googled “vulnerability windows 2000” and found the following:
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067
Vulnerability MS08-067, let’s see if we can use Metasploit!
Enter search ms08-067 and you can find a module:
Select it by entering use 0.
Running show options shows us the options we have to set:
In this case the only empty required option is RHOSTS, which is the target host. We set this by running set RHOSTS 10.10.10.4. Finally, run exploit to run the module.
We got a Meterpreter shell. Now, enter shell to drop into a regular shell.
We can find the user flag at C:\Documents and Settings\john\Desktop:
The root flag is also located on a Desktop, but this time on the Administrator account's: C:\Documents and Settings\Administrator\Desktop.
We are done! This machine was quite easy, and I have to admit I focused too much on the SMB service from the start. Sometimes the OS itself has major vulnerabilities! I hope you found this walkthrough useful.
Congratulations on finishing this machine along with me. I hope you enjoyed! Find more of my walkthroughs here.
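For the defensive side of the OS-identification step in this walkthrough, here is an added example (not part of the original write-up) that triages `nmap -sV -sC` text output and flags hosts exposing SMB on an end-of-life Windows release. The sample scan text, the second host, the `triage` function and the end-of-life list are assumptions made for illustration; the check reads the OS field of smb-os-discovery, not the LAN Manager string in parentheses, which can name a different Windows version.

```python
import re

# Constructed sample in the layout of `nmap -sV -sC` normal output (not captured
# from the page). The second host is made up to show a non-flagged result.
SAMPLE = """\
Nmap scan report for 10.10.10.4
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Host script results:
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|_  Computer name: legacy

Nmap scan report for 10.10.10.99
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
Host script results:
| smb-os-discovery:
|_  OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
"""

# Windows releases that no longer receive security updates (assumed list, not exhaustive).
EOL = re.compile(r"Windows (XP|2000|Vista|7\b|Server 2003|Server 2008)", re.I)

def triage(nmap_text):
    """Return one finding per host: OS, LAN Manager string, open ports, EOL flag."""
    findings = []
    for block in re.split(r"(?m)^Nmap scan report for ", nmap_text)[1:]:
        host = block.splitlines()[0].strip()
        ports = [int(p) for p in re.findall(r"(?m)^(\d+)/tcp\s+open", block)]
        m = re.search(r"(?m)^\|_?\s+OS: (.+?)(?: \((.+)\))?$", block)
        os_name, lanman = (m.group(1), m.group(2)) if m else (None, None)
        findings.append({
            "host": host, "os": os_name, "lanman": lanman, "ports": ports,
            # Flag only when the OS field itself is end-of-life AND SMB is reachable.
            "eol_smb": bool(os_name and EOL.search(os_name) and 445 in ports),
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

Hosts flagged this way are candidates for patching, isolation or retirement before anything else on the network is reviewed.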