HackTheBox: Legacy

This is a walkthrough for HackTheBox’s Legacy. I actually pwned this machine some time ago, so this walkthrough is based on my old notes. No pictures this time, but I’m debating with myself whether I should include them at all from this point on. But yeah, let’s get to it!

1. Let’s scan the machine with nmap: nmap -A -T4 -p- 10.10.10.4

2. Two ports are found open: 139 and 445. This suggests that SMB is running. The OS detection also tells us the box is most likely running Windows XP.

3. Let’s open Metasploit by typing msfconsole. Once it’s open, we’ll punch in search smb_version. It should give us the module auxiliary/scanner/smb/smb_version. Let’s go ahead and type use auxiliary/scanner/smb/smb_version into the console.

4. At this point you can type options to view the required options, but I’m gonna spoil it for you and tell you that the only thing you need to set at this point is RHOSTS. So type set rhosts 10.10.10.4 and after that you can run the module with the exploit command.

5. We’ve now successfully identified that the box is running Windows XP SP3. Now we can go to Google and search for “smb windows xp sp3 exploit” to find a way to exploit the SMB service on the open ports. As it turns out, there is an old exploit (MS08-067) that allows us to gain root rather easily using Metasploit. This is the page I found: https://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi/; you can scroll down to view the step-by-step guide on how to use this module. So, let’s do it!

6. Type use exploit/windows/smb/ms08_067_netapi into the console. Then we need to check the options again to ensure everything is alright. We need to set RHOSTS again, so let’s do that just like before with set rhosts 10.10.10.4. After you’ve done that, you can just type exploit or run to launch the exploit.

7. A Meterpreter session should open. Type in getuid and it should display NT AUTHORITY\SYSTEM, confirming that we have SYSTEM (root-level) access! Yay! Now it is up to you to navigate the filesystem and find root.txt and user.txt. You can do that by yourself, can’t you? 😉
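The scan in step 1 and the OS fingerprint from steps 2 and 5 are exactly what a defender should be triaging on their own network: SMB exposed on 139/445 by an end-of-life OS like Windows XP is what made this box fall to MS08-067. As an added example (not code from the original post), the Python below parses nmap -A XML output (assumed saved with -oX; the sample XML is constructed, not a captured scan) and flags such hosts for patching or isolation:

```python
"""Triage nmap -A XML output for hosts exposing SMB (139/445) on an end-of-life OS."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape `nmap -A -oX` produces; IPs and OS names are illustrative.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.10.10.4" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP3" accuracy="95"/></os>
  </host>
  <host>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2019" accuracy="90"/></os>
  </host>
</nmaprun>
"""

SMB_PORTS = {"139", "445"}
# OS families whose vendor support has ended; SMB exposed on these is a priority finding.
EOL_OS_MARKERS = ("windows xp", "windows 2000", "windows server 2003")

def triage_smb_hosts(xml_text):
    """Return a list of (ip, open_smb_ports, os_name, is_eol) for hosts with SMB open."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        # Collect only TCP SMB ports that nmap reported as open.
        open_smb = sorted(
            p.get("portid") for p in host.findall("ports/port")
            if p.get("protocol") == "tcp" and p.get("portid") in SMB_PORTS
            and p.find("state") is not None and p.find("state").get("state") == "open"
        )
        if not open_smb:
            continue
        match = host.find("os/osmatch")  # best OS guess from -A / -O, if any
        os_name = match.get("name") if match is not None else "unknown"
        is_eol = any(marker in os_name.lower() for marker in EOL_OS_MARKERS)
        findings.append((addr.get("addr"), open_smb, os_name, is_eol))
    return findings
```

Hosts flagged with is_eol set are the ones to patch, isolate or decommission first; the others still deserve a review of whether SMB needs to be reachable at all.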