# Legacy

## Legacy - 10.10.10.4

### Target Enumeration:

OS: Windows

IP: 10.10.10.4

User: e69af0e4f443de7e36876fda4ec7644f

Root: 993442d258b0e0ec917cae9e695d5713

### Ports / Services / Software Versions Running

```
139/tcp  open netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
```

### Vulnerability Exploited:

MS08-067

The Metasploit module for this bulletin exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. It is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts.

<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067>
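For defenders auditing their own scan results, the following added example (not part of the original write-up) parses a service table in the format shown above and flags open SMB ports, raising severity when a banner names a legacy release. The function names and the `LEGACY_BANNER` pattern are assumptions made for illustration; the pattern covers only the XP and 2003 releases this page names.

```python
import re

# Constructed sample: the service table from this page.
SAMPLE_SCAN = """\
139/tcp  open netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SMB_PORTS = {139, 445}
# Assumption: a banner naming one of these releases marks the host as legacy.
LEGACY_BANNER = re.compile(r"Windows (?:XP|Server 2003|2003)", re.I)


def parse_ports(text):
    """Return one dict per port row; lines that are not port rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            rows.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": version.strip()})
    return rows


def triage(rows):
    """Flag open SMB ports; closed ports are ignored.

    Severity is "high" when any open port's banner names a legacy release,
    otherwise "review" (SMB is exposed but the OS is not identified as legacy).
    """
    open_rows = [r for r in rows if r["state"] == "open"]
    hits = [LEGACY_BANNER.search(r["version"]) for r in open_rows]
    legacy = next((h.group(0) for h in hits if h), None)
    return [(r["port"], "high" if legacy else "review", legacy or "unknown OS")
            for r in open_rows
            if r["proto"] == "tcp" and r["port"] in SMB_PORTS]


if __name__ == "__main__":
    for port, severity, os_hint in triage(parse_ports(SAMPLE_SCAN)):
        print(f"{port}/tcp SMB exposed [{severity}] banner: {os_hint}; "
              "verify MS08-067 patch status")
```

A "high" result means the host should be checked for the MS08-067 update and SMB should be firewalled from untrusted networks until it is patched or retired.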

### Exploiting the host:

Nmap

![](https://lh3.googleusercontent.com/sZJwflKxqvHgDvVfoncNKdISaVZ6YAcNE_y6LEM8frVS2AmT2XYZZatMCOJCwvozyCYqQJoxxhMk2K1wpEOOZPgJw_fJE8o-w3n4_T2uBgRQOhuDB4JfFJATVVDdJtS77FPFRDhy)

Nmap SMB-Vuln scan:

![](https://lh4.googleusercontent.com/xHMJHXTRCoc62ihuHzb5y_HW0XzjYqUisLAX2dkAexJXDW4-kyjt1CJdlmj7QHf1vJ8OXXvI7DL1RNhxIJSVIyXeYEIvMCXTkuM8OzOT6mo4Kvh8eGBR2hVxFdIXT4SWjD55cgMU)

Configure msfconsole as follows:

![](https://lh5.googleusercontent.com/2Mwicz2kVK4yiXwfgI9OhdIJMjwKBxF6HsQuQKejlE9nXRO5_kCbsPpOzb72W7LKCJaxRR4vM4SdzdMOHakHtIngn0nXU86ZxxxM8VOoGOzixOtelymr7EKufOQiMVduAVG9BCYc)

Execute the exploit and get a Meterpreter shell.

![](https://lh6.googleusercontent.com/eLlFxsUaiOfAvRpl5sf4BlgL3Q6K3vQZOnCU6gvPG7keR21uLIt0J5C-ZIX5Z-U30tCEt_Hw9LxxS2Lgyb9RooJRaW0Ay3iQ3gFLbJKudEBq8qzcmSMhTOFX6ezX5GvHO9iyQ8mG)

Evidence

![](https://lh4.googleusercontent.com/CbcaThyyMiCwiTq3n7vpDjqQpvYTPSof_yNDZ1y17w3aH48Dri0Gh_m3FfglmryjUKJYwJLF-qZwzKIfeFJLsYrIsSRH89GPadRANZHrWTpRnOi7FqLnLcchkylk1xCcxXMwYTdD)

