Welcome to the Legacy write-up! If you have not done the box Blue, I would recommend you do that box first.
This box is very similar to Blue, and you can most likely get this box on your own by following the same methods as Blue.
To start off this box, I run a couple of nmap scans to figure out what's on this box and which ports are open.
Starting off with a basic -sV scan, just so we can see what's running while our other scans are working.
Next I add the flag -sC to run a few default scripts and further fingerprint this box. A good way of thinking of fingerprinting is taking all the useful information and throwing it into a file: things such as the services, what version they are, the PC name, the OS running on the host, and any other useful information.
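As an added example (not part of the original write-up), here is a small Python script that does the "throw it into a file" step: it reads the XML that nmap writes with -oX and pulls the IP, host name, OS guess and open services for each host into one JSON record. The XML embedded in it is a constructed sample in nmap's real -oX layout, not a capture of this box; the host name, OS strings and port states in it are invented, and the helper names (fingerprint_host, parse_nmap_xml, write_fingerprint) are my own.

```python
"""Summarise an nmap XML report (-oX) into a flat fingerprint record.

Added example; not code from the original write-up. The XML below is a
constructed sample in nmap's -oX layout; its host name and OS strings are
invented, not results from the Legacy box.
"""
import json
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX format (values are illustrative).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -O -oX scan.xml 10.10.10.4" start="0">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.10.10.4" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="139">
        <state state="open" reason="syn-ack"/>
        <service name="netbios-ssn" product="Microsoft Windows netbios-ssn" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds" ostype="Windows" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="135">
        <state state="filtered" reason="no-response"/>
        <service name="msrpc" method="table" conf="3"/>
      </port>
    </ports>
    <os>
      <osmatch name="Microsoft Windows XP SP3" accuracy="96"/>
    </os>
    <hostscript>
      <script id="smb-os-discovery" output="OS: Windows XP">
        <elem key="os">Windows XP</elem>
        <elem key="fqdn">legacy</elem>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""


def fingerprint_host(host):
    """Collect address, host name, OS guess and open services from one <host>."""
    addr = host.find("address[@addrtype='ipv4']")
    record = {
        "ip": addr.get("addr") if addr is not None else None,
        "hostname": None,
        "os": None,
        "services": [],
    }
    # nmap's own OS match, present only when -O was used.
    best = host.find("os/osmatch")
    if best is not None:
        record["os"] = best.get("name")
    # smb-os-discovery (one of the -sC default scripts) often reports the
    # NetBIOS/FQDN name and OS as well; use it as a fallback for the OS.
    for script in host.iterfind("hostscript/script"):
        if script.get("id") == "smb-os-discovery":
            for elem in script.iterfind("elem"):
                if elem.get("key") == "fqdn":
                    record["hostname"] = elem.text
                elif elem.get("key") == "os" and record["os"] is None:
                    record["os"] = elem.text
    # Only open ports go into the fingerprint; filtered/closed are skipped.
    for port in host.iterfind("ports/port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue
        svc = port.find("service")
        record["services"].append({
            "port": int(port.get("portid")),
            "proto": port.get("protocol"),
            "name": svc.get("name") if svc is not None else None,
            "product": svc.get("product") if svc is not None else None,
            "version": svc.get("version") if svc is not None else None,
        })
    record["services"].sort(key=lambda s: s["port"])
    return record


def parse_nmap_xml(xml_text):
    """Return one fingerprint record per <host> in an nmap -oX document."""
    root = ET.fromstring(xml_text)
    return [fingerprint_host(h) for h in root.iterfind("host")]


def write_fingerprint(xml_text, path):
    """Parse the report and save the records as JSON; returns the records."""
    records = parse_nmap_xml(xml_text)
    with open(path, "w") as fh:
        json.dump(records, fh, indent=2)
    return records


if __name__ == "__main__":
    print(json.dumps(parse_nmap_xml(SAMPLE_XML), indent=2))
```

In practice you would run nmap with -oX scan.xml and call write_fingerprint(open("scan.xml").read(), "fingerprint.json"); the same record is what you keep coming back to when deciding which service and OS version to research, which is the point the paragraph above makes.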
Running --script vuln will check whether these services have a known CVE and give you a snippet of information about it. On the box Blue we utilized the exploit MS17-010, but this box isn't set up the same. This box is running Windows XP, not Windows 7 or 8, so from that we know that this exploit most likely will not work. But this does tell us that there is another vulnerability, MS08-067. I advise reading up on this before going further, which you can view here.
Now let's search for MS08-067 within Metasploit to see if there is a usable Metasploit exploit.
As we can see, there is only one, but it is exactly what we need! Let's use this and configure it.
As we can see, all it needs is RHOSTS, so let's set that to the IP of our target machine: set rhosts 10.10.10.4.
And now to run it!
Woot! The exploit worked, and now we have a Meterpreter shell on this box. So now to enumerate and get our flags!
Going all the way back to the home directory, we can see there are a lot of directories, but for this box the important one is Documents and Settings, which you can figure out just by looking at each of these directories and looking for any user account.
As you can see, the user flag is easy enough to find, and all you need to do is cat the file to get your code! Getting root.txt is just as easy!
Go back a few directories into the Administrator directory and it's practically lying there for us to take!
If you look at the commands I use, I specifically used dir and ls, which are the same command, but Meterpreter doesn't really care whether you're running Windows or Linux commands; as long as it knows what you're trying to do, it will work. But now you have both user and root and have pwned this box!
This is the last of the "easy boxes," so don't think every box will be this easy.
Congrats on pwning legacy!