Hack The Box Guide: Legacy

Note: If following along, this guide assumes that the reader has set up a Kali Linux installation with all default tools, and is connected to the HTB network with the proper OpenVPN configurations. 

Step by Step

As always, we’ll start with a standard “Widescan” of every TCP port: nmap -p- -oN widescan.txt -T5 <target-ip> (-p- covers all 65535 ports, -oN saves the normal output to the named file, and <target-ip> is the box’s address on the HTB network).

Ports 139 and 445 are open, which means SMB file sharing is exposed. Not too surprising for a Windows machine. Port 3389 is a little less common, being the port for RDP on Windows. With this, I’ll take the ports I found and run my Deepscan against just those: nmap -p 139,445,3389 -oN deepscan.txt -A <target-ip> (-A turns on OS detection, version detection and the default scripts).
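The two-scan workflow above (a full-port sweep, then a service scan limited to the ports that came back open) is easy to automate. The following Python script is an added example, not code from the original guide: it parses nmap’s normal (-oN) output, keeps only ports in the open state, and builds the follow-up command. The scan text is constructed to look like the Widescan result and uses a hypothetical target address.

```python
"""Parse nmap -oN output and build the follow-up "Deepscan" command.

Added example for this guide; not part of the original post.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of nmap normal output for the "Widescan" step.
# The target address 10.0.0.5 is hypothetical; this was not captured from the box.
SAMPLE_WIDESCAN = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -p- -oN widescan.txt -T5 10.0.0.5
Nmap scan report for 10.0.0.5
Host is up (0.020s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE    SERVICE
135/tcp  filtered msrpc
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
3389/tcp open     ms-wbt-server
# Nmap done at Mon Jan  1 00:01:00 2024 -- 1 IP address (1 host up) scanned in 60.00 seconds
"""

# One port line: "<port>/<proto>  <state>  <service> ..." (version text, if any, is ignored).
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str


def parse_ports(text: str) -> list[PortEntry]:
    """Return every port line in the scan, regardless of state."""
    entries: list[PortEntry] = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            entries.append(PortEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def open_ports(text: str) -> list[int]:
    """Only ports nmap reported as open; filtered/closed ones are dropped."""
    return sorted({e.port for e in parse_ports(text) if e.state == "open"})


def deepscan_command(text: str, target: str, outfile: str = "deepscan.txt") -> str:
    """Build the targeted -A scan from the open ports found in the wide scan."""
    ports = open_ports(text)
    if not ports:
        raise ValueError("no open ports in scan output; nothing to deep-scan")
    return f"nmap -p {','.join(map(str, ports))} -A -oN {outfile} {target}"


if __name__ == "__main__":
    # Typical use: python3 this_script.py < widescan.txt, or pass the text in directly.
    print(deepscan_command(SAMPLE_WIDESCAN, "10.0.0.5"))
```

The parser matches nmap’s normal-output port lines, so the same functions work on a -oN file from the Deepscan step as well (the extra VERSION column is simply ignored). Filtering on the open state matters: a filtered port, like 135 in the sample, would only waste time in the second scan.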

There’s a lot of information here: the box is running Windows XP, an old OS with many published vulnerabilities, and the SMB version also appears to be 2, which is old. Knowing this, I’ll google “Windows 2000 exploit”, for which the first result is the MS08-067 exploit. Luckily enough, there’s a Metasploit module that makes exploitation pretty easy. All we do is search for the exploit, set the options correctly, and we open a root shell.

The exploit needed to be run twice, for whatever reason; it just happens that way sometimes.

Since this exploit happens to drop us straight into a root shell, no further privilege escalation is required, and our work is done. The last thing to do is grab the flags, which can be done with just cd and cat commands.

Thanks for reading my guide! I hope it was helpful. There are more Hack The Box guides under the “HTB guides” menu (brilliant design on my part, I know), and some other projects and blog posts if you’re interested in learning security like I am.
