Walkthrough — HTB Windows machine “Legacy”

Rich Amies
Nov 23, 2020

Quick enumeration of the machine with nmap revealed the following information:

As I’m looking at an older machine, given the obvious clue in the machine name, and because the only open service identified is SMB, I’ll assume SMB is the likely point of entry. I scanned further using nmap:

As expected, two SMB vulnerabilities are identified. I took a quick look online and found most exploits are biased towards Metasploit, which I’ve tended to avoid as its use is limited during the OSCP exam. But these days, I’ve found Metasploit to work quickly and easily, as many of the exploits from this era were based on Python2 and associated external utilities. I’ll go with the easy option here, as it’s a low-point box and I’m not under any exam restrictions.

Result 6 is rated as great, which is a good sign. I’ll go with that and configure it to work with my current IP address, then check that the target appears exploitable to Metasploit:

Upon running the exploit, I was presented with a shell with ‘NT AUTHORITY\SYSTEM’ privileges:
