Welcome! It is time to look at the Legacy machine on HackTheBox. This machine runs Windows 2000 and is vulnerable to MS08-067.
I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by playing HTB machines.
Join me in learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.
Machine URL: https://app.hackthebox.com/machines/Legacy
Enumeration
Let’s get started. Let’s do a simple ICMP ping to see that the machine is running and that we have a connection:
ping 10.10.10.4
We get a response back!
Now let’s continue by running nmap.
nmap -sV -sC --open 10.10.10.4
The -sV flag provides version detection, while the -sC flag runs the default set of scripts.
There are three open ports. We see SMB running, as well as Windows RPC.
Let’s run an nmap script to enumerate the SMB shares, as this seems to be the most likely attack vector.
nmap --script smb-enum-shares.nse -p 445 10.10.10.4
This runs an nmap enumeration script and results in the following:
We did not get any smarter. If we look back at the original nmap result we can see what kind of system is running:
Windows 2000 seems pretty old. I googled “vulnerability windows 2000” and found the following:
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067
Vulnerability MS08-067, let’s see if we can use Metasploit!
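The reasoning above (read the OS string from the scan, then check it against known bulletins) also works as a patch-audit check on your own network. The following is an added example, not part of the original walkthrough: it parses nmap XML output (-oX) and lists hosts that expose 445/tcp while reporting an end-of-life Windows version. The EOL_MARKERS list, the function name and the sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: substrings treated as end-of-life Windows releases for this audit.
EOL_MARKERS = ("Windows 2000", "Windows XP", "Windows Server 2003")
BULLETIN = "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067"

# Constructed sample, reduced to the elements of `nmap -sC -oX` output the parser reads.
SAMPLE_XML = """<nmaprun>
  <host>
    <address addr="10.10.10.4" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/></port>
      <port protocol="tcp" portid="445"><state state="open"/></port>
    </ports>
    <hostscript><script id="smb-os-discovery"><elem key="os">Windows 2000</elem></script></hostscript>
  </host>
  <host>
    <address addr="10.10.10.50" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <hostscript><script id="smb-os-discovery"><elem key="os">Windows Server 2019</elem></script></hostscript>
  </host>
</nmaprun>"""


def legacy_smb_hosts(xml_text):
    """Return (address, os) for hosts with 445/tcp open and an EOL Windows OS string."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        smb_open = any(
            p.get("portid") == "445" and p.find("state").get("state") == "open"
            for p in host.iter("port")
        )
        # smb-os-discovery reports the OS in a structured <elem key="os"> element.
        os_elem = host.find("hostscript/script[@id='smb-os-discovery']/elem[@key='os']")
        os_name = os_elem.text.strip() if os_elem is not None and os_elem.text else ""
        if smb_open and any(m in os_name for m in EOL_MARKERS):
            findings.append((addr, os_name))
    return findings


if __name__ == "__main__":
    for addr, os_name in legacy_smb_hosts(SAMPLE_XML):
        print(f"{addr}: {os_name} exposes SMB; check patch status against {BULLETIN}")
```

Hosts it reports are the ones to patch, isolate or retire first, since no amount of share hardening helps when the operating system itself is unpatched.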
Exploitation
Enter search ms08-067 and you can find a module:
Select it by entering use 0.
Running show options shows us the options we have to set:
In this case the only empty required option is RHOSTS, which is the target host. We set this by running set RHOSTS 10.10.10.4. Finally, run exploit to run the module.
We got a meterpreter shell. Now, enter shell to enter a regular shell.
We can find the user flag at C:\Documents and Settings\john\Desktop:
The root flag is also located on the Desktop, but this time in the Administrator account: C:\Documents and Settings\Administrator\Desktop.
We are done! This machine was quite easy, and I have to admit I focused too much on the SMB service from the start. Sometimes the OS itself has major vulnerabilities! I hope you found this walkthrough useful.