Hack The Box: Legacy Walkthrough



@17 Dec 2019


The game cannot be completed without the support of our friends of CTF Playgroup Hong Kong & Macau        


Penetrating Methodology:

Service Scanning



Getting Less Privilege Shell

Captured the flag


Target machine:

Attacking (Hacker) machine:

Hacking Process Part 0 – Service Scanning

The target machine IP is Get a basic understanding the available services of the target machine using nmap aggressive scanning to all available ports.

0.1) Quick Pre-searching

nmap -p-

0.2) Details Analysis

nmap -sV -p 139,445,3389 -A -oN nmap-htb-legacy-detail.txt


139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn

445/tcp  open   microsoft-ds  Windows XP microsoft-ds

3389/tcp closed ms-wbt-server

Device type: general purpose|specialized

Running (JUST GUESSING): Microsoft Windows XP|2003|2000 (92%), General Dynamics embedded (88%)

OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003 cpe:/o:microsoft:windows_2000::sp4

Aggressive OS guesses: Microsoft Windows XP SP2 or Windows Small Business Server 2003 (92%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (90%), Microsoft Windows XP SP2 (90%), Microsoft Windows XP SP3 (89%), Microsoft Windows XP SP2 or SP3 (89%), Microsoft Windows XP Professional SP2 (89%), Microsoft Windows Server 2003 SP1 - SP2 (88%), Microsoft Windows Server 2003 (88%), Microsoft Windows 2000 SP4 (88%), Microsoft Windows XP Professional SP3 (88%)

No exact OS matches for host (test conditions non-ideal).

Network Distance: 2 hops

Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:

|_clock-skew: mean: -3h59m37s, deviation: 1h24m50s, median: -4h59m37s

|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:64:78 (VMware)

| smb-os-discovery:

|   OS: Windows XP (Windows 2000 LAN Manager)

|   OS CPE: cpe:/o:microsoft:windows_xp::-

|   Computer name: legacy

|   NetBIOS computer name: LEGACY\x00

|   Workgroup: HTB\x00

|_  System time: 2019-12-17T01:19:02+02:00

| smb-security-mode:

|   account_used: guest

|   authentication_level: user

|   challenge_response: supported

|_  message_signing: disabled (dangerous, but default)

|_smb2-time: Protocol negotiation failed (SMB2)

Enumeration Strategy

  1. Checking vulnerability for Window XP on SMB

Hacking Process Part 1 – Enumeration

1.1) Strategy 1 Check Vulnerability

nmap --script vuln --script-args unsafe=1

Two smb vulnerabilities were identified

  1. MS08-067
  2. MS17-010

Hacking Process Part 2 – Exploitation

2.1) Using Metalsploit Windows SMB MS17-010



|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)

|     State: VULNERABLE

|     IDs:  CVE:CVE-2017-0143

Searching the CVE-2017-0143

Check it is exploitable, preparing the exploitation using the payload windows/smb/ms17_010_psexec.

It can be explotabled  and get a user account access.


Reference Link

Guide to SMB Enumeration