Hack The Box (HTB) is an online platform allowing you to test your penetration testing skills. Legacy is the second machine published on Hack the Box and is for beginners, requiring only one exploit to obtain root access. We will use the following tools to pawn the box on a Kali Linux box
Step 1 – Scanning the network
As an initial step, before the machine is exploited, it needs to be scanned and investigated.
This is important to determine what can be exploited afterwards. It is always better to spend time on this phase to extract maximum information.
Nmap (Network Mapper). Nmap is a free and open source utility for network discovery and security auditing. Raw IP packets are used to determine hosts available on the network, services offered by those hosts, operating systems running, packet filters, firewalls in use, and many other characteristics.
Use the following command to get a basic idea of what we are scanning
nmap -sC -sV -A 10.10.10.4
-sV: Probe open ports to determine service/version info
-sC: Default script sets
-A: Aggressive scan. Enable OS detection, version detection, script scanning, and traceroute
10.10.10.4: IP address of the Legacy box
We can see that there 2 open ports:
We find that the OS is Windows XP so we look for Vulnerabilities in it.
Step 2 – The Vulnerability MS08-067
“In November of 2003 Microsoft standardized its patch release cycle. By releasing its patches on the second Tuesday of every month Microsoft hoped to address issues that were the result of patches being release in a non-uniform fashion. This effort has become known as Patch-Tuesday. From the implementation of Patch-Tuesday (November, 2003) until December, 2008 Microsoft released a total of 10 patches that were not release on a Patch-Tuesday also known as “out-of-band” patches. The 10th out-of-band patch released by Microsoft is outlined in the MS08-067 security bulletin.”
On the msfconsole we search for the vulnerability MS08-067.
It is found that there is a vulnerability, let’s try to exploit it.
Following command is used for the exploit:
This will launch the exploit. This command displays the available options.
You can see that the remote host (RHOSTS) is not yet set. RHOSTS will be the victim.
Following command sets the remote host using the IP address of HTB Legacy box
set RHOSTS 10.10.10.4
The exploit can be run now.
Bingo! A metapreter session opened. 🙂
From the Offensive Security website, we get this definition for Meterpreter:
“Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.”
Let’s see what can be found 🙂
Step 3 – Looking for the root.txt flag
Following command is used to know about the machine.
We use the following command to get access as administrator.
To use the interactive python shell we use the following command.
Shell is opened. We find the root directory in the Documents and Settings>Administrator>Desktop directory.
To read the content of the file the following command is used.
Step 4 – Looking for the user.txt flag
Now look for flag user.txt
Get back to the root directory.
We found the user.txt file in Documents and Settings>john>Desktop directory.To read the content of the file following command is used.
Congrats! You found both flags! 😀