Legacy on HTB (Easy)

Allen, Jan 17, 2021

The IP addresses of the machines are shown if you hover over the name of the machine. 10.10.10.4 is the Legacy machine's IP address.

We see 139 and 445 are open, so we can look for shares on those.

Unable to generate a shell with smbclient.

Went to Metasploit and checked out the SMB version.

Once we found out what the host was running, I ended up googling "Windows XP SP3 exploit".

Clicked the first link, for Rapid7.

Found an exploit, MS08_067. Use this exploit to gain a shell.

Make sure the LHOST is the VPN connection established with the vulnerable box: tun0 or tap0.

We are able to generate a shell.

We are able to further enumerate with getuid/sysinfo/help.

From here you could use hashdump to get the hashes of the passwords for the shown users. John the Ripper would be a good tool to use.

Pop a shell or navigate through Meterpreter.

Navigate through the shell for the user/root flag.

Found the user flag under "john", located in the user.txt file on the Desktop.

Admin flag found in the Desktop root.txt file under the Administrator user.

Copy and paste the flag. Click the flag icon under Actions. Make sure to select a difficulty when provided or you will get an error.

Same thing with the admin flag.

In this box we scanned the 10.10.10.4 network and found SMB ports 139/445 were open. Once we saw we didn't have access with smbclient, we did further enumeration with a Metasploit scanner. We discovered the device was running Windows XP SP3 and googled the exploit for a shell.
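The same scan data that led to this box can drive a defensive audit. The following is an added example, not part of the original write-up: it parses nmap grepable (`-oG`) output and lists hosts with 139/445 open, raising the severity when the OS string is an end-of-life Windows release like the XP SP3 host here. The sample scan lines, the `LEGACY_OS` pattern and the function names are assumptions made for illustration.

```python
import re

SMB_PORTS = {139, 445}
# Assumption: OS strings treated as end-of-life. The write-up itself only names Windows XP SP3.
LEGACY_OS = re.compile(r"Windows (XP|2000|Server 2003)", re.I)

# Constructed sample of nmap grepable (-oG) output, not captured from a real scan.
SAMPLE = (
    "Host: 10.10.10.4 ()\tPorts: 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///\t"
    "OS: Microsoft Windows XP SP3\n"
    "Host: 10.10.10.20 ()\tPorts: 22/open/tcp//ssh///, "
    "445/filtered/tcp//microsoft-ds///\tOS: Linux 5.4\n"
    "Host: 10.10.10.30 ()\tPorts: 445/open/tcp//microsoft-ds///\t"
    "OS: Microsoft Windows Server 2019\n"
    "# Nmap done\n"
)

def parse_line(line):
    """Return (ip, open_ports, os_name) for one 'Host:' line, else None."""
    if not line.startswith("Host:"):
        return None
    # Grepable fields are tab-separated "Name: value" pairs.
    fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
    ip = fields["Host"].split()[0]
    open_ports = set()
    for entry in fields.get("Ports", "").split(","):
        parts = entry.strip().split("/")  # port/state/proto/owner/service/...
        if len(parts) >= 2 and parts[0].isdigit() and parts[1] == "open":
            open_ports.add(int(parts[0]))
    return ip, open_ports, fields.get("OS", "").strip()

def audit(text):
    """List hosts exposing SMB; 'critical' if the OS is end-of-life."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ports, os_name = parsed
        smb = sorted(ports & SMB_PORTS)
        if smb:  # filtered or closed SMB ports are not reported
            sev = "critical" if LEGACY_OS.search(os_name) else "review"
            findings.append({"host": ip, "smb_ports": smb,
                             "os": os_name, "severity": sev})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Hosts flagged `critical` are candidates for isolation or retirement; hosts flagged `review` still warrant a check that SMB exposure is intended.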