LEGACY ON HTB (EASY)

The IP ADDRESSES OF THE MACHINE ARE SHOWN IF YOU HOVER THE NAME OF THE MACHINE. 10.10.10.4 IS THE LEGACY MACHINE IP ADDRESS. WE SEE 139 AND 445 ARE OPEN SO WE CAN LOOK FOR SHARES IN THOSE
UNABLE TO GENERATE SHELL WITH SMBCLIENT
WENT TO METASPLOIT AND CHECKED OUT THE SMB VERSION.
ONCE WE FOUND OUT WHAT THE HOST WAS RUNNING. I ENDED UP GOOGLING “ WINDOWS XP SP3 EXPLOIT”
CLICKED THE FIRST LINK FOR RAPID7
FOUND AN EXPLOIT MS08_067. USE THIS EXPLOIT TO GAIN A SHELL
MAKE SURE THE LHOST IS THE VPN CONNECTION ESTABLISHED WITH THE VULNERABLE BOX. TUN0 OR TAP 0
WE ARE ABLE TO GENERATE SHELL
WE ARE ABLE TO FURTHER ENUMERATE WITH GETUID/SYSINFO/HELP
FROM HERE YOU COULD USE HASHDUMP TO GET THE HASHES OF THE PASSWORDS FOR THE SHOWN USERS. JOHN THE RIPPER WOULD BE A GOOD TOOL TO USE
POP A SHELL OR NAVIGATE THROUGH METERPRETER
NAVIGATE THROUGH THE SHELL FOR THE USER/ROOT FLAG
FOUND THE USER FLAG UNDER “JOHN” LOCATED IN THE USER.TXT FILE ON THE DESKTOP
ADMIN FLAG FOUND IN THE DESKTOP ROOT.TXT FILE UNDER THE ADMINISTRATOR USER
COPY AND PASTE THE FLAG. CLICK THE FLAG ICON UNDER ACTIONS. MAKE SURE TO SELECT A DIFFICULTY WHEN PROVIDED OR U WILL GET AN ERROR
SAME THING WITH THE ADMIN FLAG.
In this box we scanned the 10.10.10.4 network and found smb ports 139/445 were open. Once we saw we did’nt have access with smbclient we did further enumeration with metasploit scanner. We discovered the device was running Windows XP SP3 and googled the exploit for a shell.