HTB - Legacy

Retired Machine: Legacy Walkthrough

Step 1: Enumeration

  1. Connect to the Machine: Connect to the HackTheBox VPN and obtain the IP address of the Legacy machine.
  2. Port Scanning: Run an initial Nmap scan to identify open ports and services. Use the following command:
   nmap -sC -sV -oN scan.txt <IP>

This command performs default script scanning (-sC), version detection (-sV), and saves the output to a file (-oN scan.txt).

  3. Service Enumeration: Analyze the Nmap results to identify the running services and their versions. Pay special attention to ports 139 and 445, which typically indicate the presence of SMB.
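
The following Python script is an added example, not part of the original walkthrough: it parses the normal-format output that -oN saves and lists the open SMB ports (139 and 445) along with the Service Info line. The sample scan text and the address 192.0.2.10 are constructed for illustration, and the function names are this example's own.

```python
import re

# Constructed sample of `nmap -sC -sV -oN scan.txt <IP>` output (not from a real scan).
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -sC -sV -oN scan.txt 192.0.2.10
Nmap scan report for 192.0.2.10
Host is up (0.020s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Microsoft Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows_xp
"""

# One row of the PORT/STATE/SERVICE/VERSION table; VERSION may be empty.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SMB_PORTS = {139, 445}

def parse_ports(text):
    """Return a list of dicts, one per row of the port table."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            rows.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": version.strip()})
    return rows

def smb_exposure(text):
    """Open SMB-related TCP ports only; closed or filtered rows are ignored."""
    return [r for r in parse_ports(text)
            if r["port"] in SMB_PORTS and r["proto"] == "tcp" and r["state"] == "open"]

def service_info(text):
    """Return the content of the 'Service Info:' line, or '' if Nmap printed none."""
    for line in text.splitlines():
        if line.startswith("Service Info:"):
            return line.split(":", 1)[1].strip()
    return ""

if __name__ == "__main__":
    for r in smb_exposure(SAMPLE_SCAN):
        print(f'{r["port"]}/{r["proto"]} {r["service"]} {r["version"]}')
    print("Service Info:", service_info(SAMPLE_SCAN))
```

To use it on a real scan, pass the contents of scan.txt to smb_exposure() instead of SAMPLE_SCAN.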

Step 2: Exploitation

  1. SMB Enumeration: Since ports 139 and 445 are open, start by enumerating the SMB service using tools like enum4linux or smbclient:
   enum4linux -a <IP>

This command will enumerate shares, users, groups, and other information from the SMB service.

  2. Exploit Research: Search for known vulnerabilities associated with the SMB service version. One common vulnerability is MS08-067.
  3. Exploit with Metasploit: If MS08-067 is applicable, use Metasploit to exploit it. Run the following commands:
   msfconsole
   use exploit/windows/smb/ms08_067_netapi
   set RHOSTS <IP>
   exploit

Follow the on-screen instructions to execute the exploit and gain access to the system.

Step 3: Post-Exploitation

  1. Shell Access: After successful exploitation, you should have a shell. If not, try different payloads or manual exploitation techniques.
  2. Enumeration: Enumerate the system for valuable information. Check for sensitive files, such as passwords.txt or shadow, and explore the filesystem for additional footholds.

Step 4: Privilege Escalation

  1. Privilege Escalation: Enumerate the system for privilege escalation opportunities. Look for misconfigured permissions, outdated software versions, or vulnerable services.
  2. Exploit Weaknesses: Common methods include checking for writable files or directories that can be abused, searching for SUID binaries, and examining cron jobs for misconfigurations.

Step 5: Capture the Flag

  1. Retrieve the Flags: Once you’ve escalated privileges, locate the flag files. They are typically named user.txt and root.txt and are located in directories accessible to the current user and root, respectively.
  2. Submit Flags: Submit the flags on the HackTheBox website to mark the machine as “owned” and earn points.

Conclusion

The Legacy machine provides an excellent opportunity to practice enumeration, vulnerability exploitation, and privilege escalation techniques commonly encountered in real-world scenarios. By following this detailed walkthrough and experimenting with different approaches, you’ll enhance your skills and become more proficient in penetration testing and cybersecurity. Remember to document your steps, share your findings with the community, and keep exploring new challenges on HackTheBox to further your knowledge and expertise.