HTB - Legacy Walkthrough

Same start as always: we run a fairly standard nmap scan across the full port range to get some basic enumeration.

Taking a look at this, we don’t have very many options, so we can rest assured we’re going to be targeting SMB. We can see that the target is a Windows machine running an older release, Windows XP.

A quick Google search for “SMB exploit Windows XP” returned a plethora of results.

The first link is a Metasploit walkthrough for MS08-067, and we’re going to replicate that against our target machine.

So we chose to use exploit/windows/smb/ms08_067_netapi.

We’ll run a quick “show options” and see that there’s very little setup required.

We set our rhosts and lhost. All that’s left is to run!

This exploit brought us straight to admin privileges too, so all that’s left is to locate our flags and move out. The only real hiccup you could encounter is navigating the Windows file system. Since we have a Meterpreter session, we can use regular Linux commands, but be aware of the \ placement in paths.

User Flag: C:\Documents and Settings\john\Desktop\user.txt

Root Flag: C:\Documents and Settings\Administrator\Desktop\root.txt
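
The enumeration at the start of this walkthrough (SMB open on a host fingerprinted as Windows XP) is the same signal a defender should pull out of their own scan results. The script below is an added example, not part of the original post: it reads nmap XML output (`-oX`) and lists hosts that expose SMB while fingerprinting as a legacy Windows release. The sample XML, the addresses and the `LEGACY_MARKERS` list are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX` output; addresses are from the 192.0.2.0/24 documentation range.
SAMPLE_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
<port protocol="tcp" portid="445"><state state="open"/>
<service name="microsoft-ds" product="Windows XP microsoft-ds"/></port></ports>
<os><osmatch name="Microsoft Windows XP SP3" accuracy="100"/></os></host>
<host><address addr="192.0.2.20" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port></ports>
<os><osmatch name="Microsoft Windows XP SP2" accuracy="90"/></os></host>
<host><address addr="192.0.2.30" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
<os><osmatch name="Microsoft Windows Server 2019" accuracy="95"/></os></host>
</nmaprun>"""

# Assumption: releases treated as legacy here; extend the tuple to match your own policy.
LEGACY_MARKERS = ("windows xp", "windows 2000", "windows server 2003")
SMB_PORTS = {139, 445}


def legacy_smb_hosts(xml_text):
    """Return (address, open SMB ports, OS evidence) for each legacy host reachable over SMB."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        address = host.find("address")
        if address is None:
            continue
        open_smb = sorted(
            int(port.get("portid"))
            for port in host.iter("port")
            if port.find("state") is not None
            and port.find("state").get("state") == "open"
            and int(port.get("portid")) in SMB_PORTS
        )
        # OS evidence comes from OS detection (-O) or the service version banner (-sV).
        clues = [m.get("name", "") for m in host.iter("osmatch")]
        clues += [s.get("product", "") for s in host.iter("service")]
        evidence = next((c for c in clues if any(k in c.lower() for k in LEGACY_MARKERS)), None)
        if open_smb and evidence:
            findings.append((address.get("addr"), open_smb, evidence))
    return findings


if __name__ == "__main__":
    for addr, ports, evidence in legacy_smb_hosts(SAMPLE_XML):
        print(f"{addr}: SMB open on {ports}, fingerprint '{evidence}' -> patch MS08-067 or isolate")
```

Hosts where SMB is filtered or the fingerprint is a supported release are left out, so the list contains only machines that need patching or network isolation.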
