
1. Executive Summary
Legacy is the second machine on Hack The Box and is beginner friendly. Its IP address is 10.10.10.4 and it exposes SMB as its service. As I mentioned in my HTB: Lame writeup, SMB is a network protocol used for communication on Windows-based systems. SMB attacks are among the best-known remote code execution attacks against Windows systems.
2. Description
2.1 Enumeration
Let's start fresh with a single nmap command in your terminal. Nmap is used to check which ports are open on the machine. A service needs a port in order to run on a machine, so logically you can learn every service the host runs by doing an nmap scan.
Here is the nmap command I used:
nmap -sV -Pn -T4 -A 10.10.10.4

From the screenshot above, two open ports were discovered, and both of them are running SMB services.
nmap -sV -Pn -T4 -A --script vuln 10.10.10.4
Next, I added a vulnerability script to my nmap scan to check the host for known vulnerabilities. And voila! A vulnerable instance of MS08-067 was found on the host.
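As an added example (not from the original writeup), here is a small defender-side check that turns nmap's XML output (-oX) from a scan like the one above into an exposure report: which hosts have SMB ports open, and which of those an smb-vuln-* NSE script flagged as vulnerable. The XML sample is constructed; smb-vuln-ms08-067 is the NSE script that the vuln script category runs for this bulletin.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX (XML) output, shaped like what a scan such as the
# one above (-sV --script vuln) reports for a host exposing SMB. Values are made up.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.10.10.4" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms08-067" output="VULNERABLE: remote code execution (MS08-067)"/>
    </hostscript>
  </host>
  <host>
    <address addr="10.10.10.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>"""

SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB

def smb_exposure_report(xml_text):
    """Map each host with an open SMB port to its open SMB ports and any
    smb-vuln-* NSE script that reported the host VULNERABLE."""
    report = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_smb = sorted(
            int(p.get("portid"))
            for p in host.findall("ports/port[@protocol='tcp']")
            if int(p.get("portid")) in SMB_PORTS and p.find("state").get("state") == "open"
        )
        if not open_smb:
            continue  # filtered/closed SMB is not an exposure
        vulns = sorted(
            s.get("id") for s in host.findall("hostscript/script")
            if s.get("id", "").startswith("smb-vuln-") and "VULNERABLE" in (s.get("output") or "")
        )
        report[addr.get("addr")] = {"smb_ports": open_smb, "vuln_scripts": vulns}
    return report
```

Run it against a real `nmap -oX scan.xml ...` file of your own network to list the hosts that still need the patch or a firewall rule.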

2.2 Exploitation
According to the nmap scan result, the host is vulnerable to MS08-067.
So what exactly is MS08-067?
MS08-067 is a vulnerability that could allow remote code execution if an affected system received a specially crafted RPC request.
In 2008, Microsoft released 78 Security Bulletins dealing with security patches. Of those 78 security patches, only 45 were categorized as "Critical". All of these patches were still released on Patch Tuesday, with the exception of two. MS08-067 was the later of those two patches, and it was rated Critical for all supported editions of Microsoft Windows 2000, Windows XP and Windows Server 2003, and rated Important for all supported editions of Windows Vista and Windows Server 2008. At the time of release, the Conficker worm was taking advantage of MS08-067 in the wild and exploiting every vulnerable system it came across.
Now we know what MS08-067 is!
With Metasploit, I used the module exploit/windows/smb/ms08_067_netapi to exploit the vulnerability.
And, as easy as it sounds, I managed to get a shell and used the commands below to search for the user and root flags.
locate user.txt
locate root.txt


Another "wait... that's it?" moment.