Hackthebox Legacy Walkthrough

Hackthebox Machine Walkthrough

Legacy is a fairly straightforward beginner-level machine which demonstrates the potential security risks of SMB on Windows. Only one publicly available exploit is required to obtain administrator access.

  • Let’s spawn the machine.

# Enumeration


  • Let’s start with an nmap scan:

```
┌──(kali㉿kali)-[~/Desktop/HTB/legacy]
└─$ nmap -sC -sV -p- 10.10.10.4 --min-rate=1500
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-08 06:01 EDT
Nmap scan report for 10.10.10.4
Host is up (0.27s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2025-06-13T15:00:26+03:00
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b0:7e:61 (VMware)
|_clock-skew: mean: 5d00h27m39s, deviation: 2h07m16s, median: 4d22h57m39s
```

The scan shows Microsoft Windows RPC (TCP 135) along with the SMB/NetBIOS ports (TCP 139, 445), suggesting the system is running Windows XP.

  • On a quick Google search about the identified OS, I found a related vulnerability (MS08-067).
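
A defender can read the same scan output as an exposure report. The following added example (not part of the original post) parses the `|`-prefixed host-script lines from an abridged copy of the output above and maps them to hardening findings; the function names, the `EOL_OS` list and the wording of the findings are assumptions of this example.

```python
import re

# Abridged copy of the host-script results from the scan output above.
SAMPLE = """\
Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
|_  OS: Windows XP (Windows 2000 LAN Manager)
"""

# End-of-life Windows releases to flag (list chosen for this example).
EOL_OS = ("Windows XP", "Windows 2000", "Windows Server 2003")

def parse_scripts(text):
    """Return {script: {field: value}} from nmap's '|'-prefixed script output."""
    scripts, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\|[_ ]?(\s*)([\w -]+?):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = m.groups()
        if indent and current is not None:   # indented: field of current script
            scripts[current][key] = value
        elif not indent:                     # new script; keep one-line results
            current = key
            scripts[current] = {"_result": value} if value else {}
    return scripts

def smb_findings(text):
    """Map the parsed script results to hardening findings."""
    s = parse_scripts(text)
    mode, osd = s.get("smb-security-mode", {}), s.get("smb-os-discovery", {})
    out = []
    if mode.get("message_signing", "").startswith("disabled"):
        out.append("SMB signing disabled: require signing or isolate the host")
    if mode.get("account_used") == "guest":
        out.append("Guest session accepted: disable the guest account")
    if "negotiation failed" in s.get("smb2-time", {}).get("_result", ""):
        out.append("SMB2 negotiation failed: host is likely limited to SMBv1")
    if osd.get("OS", "").startswith(EOL_OS):
        out.append("End-of-life OS reported: " + osd["OS"])
    return out

if __name__ == "__main__":
    for finding in smb_findings(SAMPLE):
        print("[!]", finding)
```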

# Exploitation


  • Next we search for a Metasploit module for this vulnerability, and find one!

  • Let’s use it and set the options (RHOSTS, LHOST, LPORT, etc.).
  • On running the exploit we get a shell as NT AUTHORITY\SYSTEM, which means we have the highest level of permissions on the system.

  • Now we can drop into a shell through the Meterpreter session and then get the user flag.

  • Similarly, we can now get the root flag.

We can also go the manual way if we want.


# Final Thoughts


I hope this blog continues to be helpful in your learning journey! If you find this blog helpful, I’d love to hear your thoughts; my inbox is always open for feedback. Please excuse any typos, and feel free to point them out so I can correct them. Thanks for understanding and happy learning! You can contact me on LinkedIn and Twitter.

This post is licensed under CC BY 4.0 by the author.