Hack The Box: Legacy


Enumeration

box legacy

The nmap scan reveals three open ports: 135, 139 and 445.

PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h57m38s, deviation: 1h24m51s, median: 4d23h57m38s
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:96:6f:82 (VMware)
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2022-11-13T14:16:37+02:00

As we can see from the smb-os-discovery script, the machine seems to be running Windows XP, which is not supported anymore. After a quick google search, I found a blogpost on how to exploit Windows XP with help of metasploit.


Initial Foothold

The msfconsole-module is called windows/smb/ms08_067_netapi. After setting the parameters and running the exploit, we get a shell:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

And with this, we can download user and root flag.